[cap-talk] the prize

Ian Grigg iang at systemics.com
Mon Oct 25 10:15:02 EDT 2004


Ben Laurie wrote:

> Surely not. I can implement networked capabilities on a machine with no 
> internal security _at all_.


I tend to write statements like this off.  It lacks
any depth by which it can be analysed, and is better
off thrown in the bucket of useless net talk.

For example, what machine?  What OS?  What language?

These are both issues that have circulated in recent
weeks, and as they are obviously key to the discussion,
it's necessary to see these assumptions stated.

For further example, what is "internal security"?
Is it security within a machine, but not against any
outside attacks?  Or security from outside, but not
from inside attacks?  Is it "advisory" or "audited"
(and by extension, what do I mean by those terms...)?

"I can implement..." means presumably "can be implemented"
with what costs and what efficiencies?  Is this something
that can be done only if one assumes one application, one
user, and no network?  I think Microsoft already covered
that when they got their Common Criteria certification...

In short, unless a claim is made that has some foundation,
it's as if nothing is claimed.

IMHO!

iang
