Lest we forget: http://domino.watson.ibm.com/library/cyberdig.nsf/papers/FDEFBEBC9DD3E35485256C2C004B0F0D/$File/RC22534.pdf
This just appeared on Slashdot today. It's the classic Multics vulnerability analysis, prefaced by Karger and Schell's paper to be delivered at ACSAC this year. It speaks pretty directly to this discussion, particularly the need to design a system for security from the ground up.

Adam
