Hi andy (and everybody),

Indeed.  I vote for personal computer liberty over guaranteed iron clad 
security any day.  For amusing and shocking rants on this subject google up 
some classic Ross Anderson.  Or heck, I'll do it for you:

A related and more present worry I have is that Microsoft's messaging is going 
to morph on the security front from "software security" (good) to "software 
security features end-to-end yadda" (bad).  I chatted with Steve Lipner about 
this at the DHS software assurance thing this week and he does not seem to 
share my concerns.  Then again, he does worry about what the marketing people 
make up.  In my view, we US citizens have learned the hard way over the last 8 
years that security makes a great excuse to compromise integrity and personal 

I like the fact that Microsoft makes a big deal about software security and I 
hope they don't stop or lose focus and start somehow associating software 
security with "we own your computer and we'll do what's best for you".

Radically yours,



On 5/9/08 12:33 PM, "Andy Steingruebl" <[EMAIL PROTECTED]> wrote:

On Mon, May 5, 2008 at 10:24 AM, Gary McGraw <[EMAIL PROTECTED]> wrote:
> hi sc-l,
>  Here's an article about Mundie's keynote at RSA.  It's worth a read from a 
> software security perspective.  Somehow I ended up playing the foil in this 
> article...go figure.
>  http://reddevnews.com/features/article.aspx?editorialsid=2470
>  So what do you guys think?  Is this end-to-end trusted computing stuff going 
> to fly with developers?

I think you're both right.  I'm working on a longer writeup of the
ideas on the end-to-end paper but I think you've captured part of the
problem at the heart of things.  We're going to have to trade some
fundamental computing liberties to get the kind of security required
to actually have trusted relationships via computers.  Good or bad I
don't want to comment on right now.  If you've read "Code and other
laws of cyberspace" by Lessig you'll see some of the same ideas albeit
it from a more regulatory perspective than from a purely technical
one.  The updated "Code 2.0" book captures a lot of these same ideas.

I think Charny is missing the mark ever so slightly when he says the
security goals can be achieved without compromise on the part of
privacy, or functionality.  As Lessig clearly points out - the rules
of the networks, computers, etc. aren't real rules in any sense.  its
not like they are physical laws, the rules are determined by code.
This code, and the policy behind it, can change.

I think the real question isn't whether this is going to fly with
developers, its whether its going to fly with the public at large.
Are people (and their proxies - Governments) going to finally demand a
change in the the rules/game?

Andy Steingruebl

Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.

Reply via email to