Re: [SC-L] Re: Application Insecurity --- Who is at Fault?

2005-04-14 Thread Dave Paris
Michael Silk wrote: I don't think that analogy quite fits :) If the 'grunts' aren't doing their job, then yes - let's blame them. Or at least help them find ways to do it better. If they're not doing their job, no need to blame them - they're critically injured, captured, or dead. ...or in the

Re: [SC-L] Re: Application Insecurity --- Who is at Fault?

2005-04-13 Thread Dave Paris
So you blame the grunts in the trenches if you lose the war? I mean, that thinking worked out so well with Vietnam and all... ;-) regards, -dsp I couldn't agree more! This is my whole point. Security isn't 'one thing', but it seems the original article [that started this discussion] implied that

Re: [SC-L] Re: Application Insecurity --- Who is at Fault?

2005-04-11 Thread Dave Paris
Michael Silk wrote: Ed, [...] Back to the bridge or house example, would you allow the builder to leave off 'security' of the structure? Allow them to introduce some design flaws to get it done earlier? Hopefully not ... so why is it allowed for programming? Why can people cut out 'security' ?

Re: [SC-L] Re: Application Insecurity --- Who is at Fault?

2005-04-11 Thread Dave Paris
Joel Kamentz wrote: Re: bridges and stuff. I'm tempted to argue (though not with certainty) that it seems that the bridge analogy is flawed in another way -- that of the environment. While many programming languages have similarities and many things apply to all programming, there are many

Re: [SC-L] Application Insecurity --- Who is at Fault?

2005-04-06 Thread Dave Paris
And I couldn't disagree more with your perspective, except for your inclusion of managers in parenthesis. Developers take direction and instruction from management, they are not autonomous entities. If management doesn't make security a priority, then only so much secure/defensive code can be

RE: [SC-L] Origins of Security Problems

2004-06-16 Thread Dave Paris
Following the logic in the original post... God is love. Love is blind. Ray Charles was blind. Ray Charles was god. The origins of security problems are simply based in the designers of the systems. Humans, on the whole, are a fallible lot. We're not perfect and when we design systems, it's

RE: [SC-L] White paper: Many Eyes - No Assurance Against Many Spies

2004-04-30 Thread Dave Paris
A couple key phrases come to mind when reading this: 1) conflict of interest (he's selling a solution) 2) inappropriate comparison (embedded OS vs. general OS) I have no problems with someone pointing out flaws in XYZ product when compared to ABC product, provided: a) they're an independent,

RE: [SC-L] virtual server - security

2004-03-31 Thread Dave Paris
a few notes.. -Original Message- From: jnf [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 31, 2004 11:23 AM To: Dave Paris Cc: Serban Gh. Ghita; [EMAIL PROTECTED] Subject: RE: [SC-L] virtual server - security [...] What's the point of the exercise if you're passing plaintext

RE: [SC-L] Any software security news from the RSA conference?

2004-02-27 Thread Dave Paris What John Gordon is doing giving a keynote at the RSA conference is utterly and completely beyond my ability to comprehend. If you read his bio at the link above, you'll find he has absolutely zero background in software or