


Firewall Wizards: Re: How automate firewall tests

Re: How automate firewall tests

From: Cat Okita <cat_at_reptiles.org>
Date: Tue, 29 Aug 2006 10:29:58 -0400 (EDT)

> Marcus J. Ranum wrote:
> > For the last 15 years we've been presented with a constant litany of
> > important agencies, sites, and systems that have been hacked into
> > because people don't believe that doing security right is practical.
>
> By the way, I'm not saying it _IS_ practical.
>
> That's the point. Sometimes "practical" doesn't enter into the picture.
> If your systems need to be secure then it's not a matter of practicality;
> they either are secure or they aren't. Actually securing systems is
> hard brain-work and is definitely going to affect the user experience
> in various inconvenient ways. "So what?"
>
> We've seen where "practical" has gotten us.

We've also seen where failing to take the user experience into account
has gotten us - it's fine to say "make the user experience suck" - but
that's one of the sure, documented ways to make sure that the user -will-
find ways to bypass security (whether technical or layer 9).

If nothing else, we can learn from the military, where the user experience
is sometimes dramatically sucky - but there's usually a well understood
threat model and process associated with the suck.

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet. This is the defining metaphor of my life right now."
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Aug 29 2006
