Why Proper Security is Not a Reality

Now, here is an interesting point.
From a practical standpoint the security problem will remain as long as manufacturers remain committed to current system architectures, produced without a firm requirement for security. As long as there is support for ad hoc fixes and security packages for these inadequate designs and as long as the illusory results of penetration teams are accepted as demonstrations of a computer system security, proper security will not be a reality.
But, wait! That's from "Preliminary Notes on the Design of Secure Military Computer Systems," presented by Roger Schell, USAF, in 1973! (I was a senior in high school. Some of you weren't alive then.) We do keep talking about the same old stuff, one of my top 6 reasons that I hate computer and network security.

I found this quoted by spaf in a presentation from 2002. That presentation starts with a slide that states
First of all these are not new concerns. Some of us have been trying to warn people for decades. There is a body of established principles, largely ignored and a small population of practitioners. We know how to fix many of the problems without new research
Which is also another example of my thesis.

And the beat goes on. La-dee-da-dee-dee. La-dee-da-dee-da. (Yes, I've quoted those lyrics before in another blog, but repetition doesn't seem to bother us, nor does it seem to be efficacious.)

No comments: