[Cryptography] The Laws (was the principles) of secure information systems design

[Kent Borg]

On 07/15/2016 10:31 PM, Rick Smith, Cryptosmith wrote:
> For comparison, take a look at this article:
>
>   https://cryptosmith.com/2013/10/19/security-design-principles/

Very interesting. (I like "open design" as a simple term-of-art, gotta 
start over-using that.)

What I think is still missing among the interesting details of the trees 
is the idea of being explicit about the forest and understanding its 
definition and boundaries.

Seems a bit like talking about tactics and strategies of war, without 
explicitly discussing particulars of lines of control. (I don't remember 
Sun Tsu addressing the five-fold-nature-of-battle-lines, was it there?) 
Leaving this as an individual exercise for your officers and soldiers 
seems inefficient. Similarly, leaving this unspoken in terms of computer 
security seems lacking.

-kb, the Kent who has never been in the military and freely admits he is 
tossing out a metaphor he doesn't understand.


P.S. Heck, if nothing else the scene in the old war movie with big map, 
a contained buzz of quiet activity including calm subordinates using 
rakes to adjust tiny model armies and armadas, is such a powerful 
visual. What with all the movies involving cyber-intrigue these days, 
Hollywood needs this metaphor to make us better entertainment. I'm 
getting sick of meaningless monospaced ASCII whizzing by too fast 
indicating "important computer stuff you wouldn't understand".

P.P.S. My earlier rant on this, if anyone missed it and doesn't know 
what I am talking about: 
http://www.metzdowd.com/pipermail/cryptography/2016-July/029750.html