Dana, Regarding your remarks about writing perfectly secure code... well put.
And your remarks about Ross Anderson...

> Ross Anderson once said that secure software engineering is about
> building systems to remain dependable in the face of malice, error,
> or mischance. I think he has something there. If we build systems
> to maintain confidentiality, integrity and availability, we have the
> ability to fail gracefully in a manner to recover from unknown or
> changing problems in our software without being detrimental to
> the user, or their data.

reminded me of Anderson and Ralph Needham coining the phrase (hope I'm getting this right) that "security is like programming Satan's computer" in the sense that you have an evil extremely intelligent adversary with unlimited resources and time, etc. [http://www.cl.cam.ac.uk/ftp/users/rja14/satan.pdf]

So there's a bumper sticker for you:

    Security: programming Satan's computer

Of course, it's likely to be misunderstood by most. (Maybe we could attribute it to SNL's "church lady". Sorry Ross. ;-)

BTW, does anyone besides me think that it's time to put this thread to rest?

-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
[EMAIL PROTECTED]
Phone: 614.215.4788

"The reason you have people breaking into your software all over the place is because your software sucks..."
    -- Former White House cybersecurity advisor, Richard Clarke, at eWeek Security Summit

_______________________________________________
Secure Coding mailing list (SC-L)