> Marcus J. Ranum wrote:
> > For the last 15 years we've been presented with a constant litany of
> > important agencies, sites, and systems that have been hacked into
> > because people don't believe that doing security right is practical.

> By the way, I'm not saying it _IS_ practical.
> That's the point. Sometimes "practical" doesn't enter into the picture.
> If your systems need to be secure then it's not a matter of practicality;
> they either are secure or they aren't. Actually securing systems is
> hard brain-work and is definitely going to affect the user experience
> in various inconvenient ways. "So what?"
> We've seen where "practical" has gotten us.

We've also seen where failing to take the user experience into account
has gotten us - it's fine to say "make the user experience suck" - but
that's one of the sure, documented ways to make sure that the user -will-
find ways to bypass security (whether technical or layer 9).

If nothing else, we can learn from the military, where the user experience
is sometimes dramatically sucky - but there's usually a well understood
threat model and process associated with the suck.

================================================== ========================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet. This is the defining metaphor of my life right now."
firewall-wizards mailing list