<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
On 02/06/2015 04:51 PM, Arnold Reinhold wrote:<br>
<blockquote cite="mid:D43EE5C7-BC38-435D-ACAE-6966E0678E4D@me.com"
type="cite">Sound like the start of a best practices guide. Yes
security is hard an yes we know more about why it’s hard than we
do about how to do it right. But is that a reason not to collect
what we do know in a form that implementers can avoid the grossest
mistakes?</blockquote>
<br>
Sure, collect it, write books about it, improve upon it, make it
better, make it more complete, toss out stupid bits, badmouth broken
things, praise good things, argue, win and lose arguments, repeat
all that.<br>
<br>
But "best practices" has a seductive sound suggesting "I'll take
that!", and be done.<br>
<br>
Any sentence that uses the term would be better off striking it and
substituting words that have actual meaning. <br>
<br>
Ah, but then one would have to stop and figure out what one is
trying to do...damn! Can't I just ask for Wholesome Apple Pie and be
done?<br>
<br>
No.<br>
<br>
<blockquote cite="mid:D43EE5C7-BC38-435D-ACAE-6966E0678E4D@me.com"
type="cite">
In the construction industry an early question when bidding a new
project is how far down do we have to dig to find competent bed
rock. Where is bedrock in computer security? How does one build
the simplest system that we can be sure will not be compromised?
There is no point to encryption if we don’t have a safe platform
to encrypt on. <br>
</blockquote>
<br>
Where is the bedrock in the analog world's anti-fraud industry?
Ain't no such thing. Bad guys keep innovating. And computers--moving
fast--provide so many new and <i>juicy</i> opportunities for nimble
bad guys. In the real world we all need to know about fraud,
starting with traditional bedtime stories for children. Computers
are part of the real world now.<br>
<br>
People want to use modern computer tools but don't want learn about
the properties or risks of those tools; they want to delegate to
some affordable expert, someone who won't rock any boats, who will
sell them a load of "best practices". <br>
<br>
-kb, the Kent who is sorry to say that, though civilians won't have
to learn esoteric design properties of block cyphers, they are
actually going to have to learn about larger systems and security
because they, and details of their behavior, are key components of
those systems.<br>
</body>
</html>