On Wednesday 07 May 2008, Corey Edwards wrote:
> > I like to say that there are no degrees of insecurity.
>
> I disagree. Security is merely assessing risks and mitigating those that
> are worth mitigating. Clearly some behaviors are riskier than others and
> are therefore less secure. OTOH, some things are not worth securing
> because the potential loss is less than the cost of the additional
> security.
>
> So for example, at my company we routinely send passwords via email and
> IM. The catch is that the servers are hosted entirely in house and
> nothing goes over the Internet that's not on a VPN, so really it's not a
> big deal. Sure, S/MIME or GPG would be more secure on top of it but I'm
> not convinced the cost of implementing it would be worth it.

I would not consider that to be insecure--since the information never exits your control and never enters any area of external risk. I just mean to say that once something is insecure, that's it. It can't get any worse--so placing any type of degree on 'insecure' for me seems a misnomer. I won't deny that there are degrees of security, however.
