Michael Silk wrote:
I don't think that analogy quite fits :) If the 'grunts' aren't doing
their job, then yes - let's blame them. Or at least help them find
ways to do it better.
If they're not doing their job, no need to blame them - they're
critically injured, captured, or dead. ...or in the
So you blame the grunts in the trenches if you lose the war? I mean,
that thinking worked out so well with Vietnam and all... ;-)
regards,
-dsp
I couldn't agree more! This is my whole point. Security isn't 'one
thing', but it seems the original article [that started this
discussion] implied that
Michael Silk wrote:
Ed,
[...]
Back to the bridge or house example, would you allow the builder to
leave off 'security' of the structure? Allow them to introduce some
design flaws to get it done earlier? Hopefully not ... so why is it
allowed for programming? Why can people cut out 'security'?
Joel Kamentz wrote:
Re: bridges and stuff.
I'm tempted to argue (though not with certainty) that it seems that the bridge
analogy is flawed in another way -- that of the environment. While many
programming languages have similarities and many things apply to all
programming, there are many
And I couldn't disagree more with your perspective, except for your
inclusion of managers in parenthesis.
Developers take direction and instruction from management, they are not
autonomous entities. If management doesn't make security a priority,
then only so much secure/defensive code can be
Following the logic in the original post...
God is love.
Love is blind.
Ray Charles was blind.
Ray Charles was god.
The origins of security problems are simply based in the designers of the
systems. Humans, on the whole, are a fallible lot. We're not perfect and
when we design systems, it's
A couple of key phrases come to mind when reading this:
1) conflict of interest (he's selling a solution)
2) inappropriate comparison (embedded OS vs. general OS)
I have no problems with someone pointing out flaws in XYZ product when compared to ABC
product, provided:
a) they're an independent,
a few notes..
-Original Message-
From: jnf [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 31, 2004 11:23 AM
To: Dave Paris
Cc: Serban Gh. Ghita; [EMAIL PROTECTED]
Subject: RE: [SC-L] virtual server - security
[...]
What's the point of the exercise if you're passing plaintext
http://www.dean.usma.edu/socs/ir/ss478/General%20Gordon%20Bio.pdf
What John Gordon is doing giving a keynote at the RSA conference is utterly
and completely beyond my ability to comprehend. If you read his bio at the
link above, you'll find he has absolutely zero background in software or