[cap-talk] "Immutable Law" #1 is alive and well at Microsoft

Ka-Ping Yee cap-talk at zesty.ca
Fri Oct 5 02:10:52 EDT 2007


On Thu, 4 Oct 2007, Mark Miller wrote:
> As stated, no one actually believes this "law".

But then why do Microsoft security people still call it "Immutable
Law #1"?  What do they mean when they say this?

> Normal users regularly
> browse untrusted sites with Javascript turned on.

I'm not convinced that "users don't act consistently with 'Law' #1"
implies "programmers don't believe 'Law' #1".  There are plenty of
security beliefs out there that are widely ignored by users, but
programmers take this as evidence that users are stupid, not that
the beliefs are wrong.

JavaScript is an excellent, and devastating, counterexample.  And
yet i'm afraid it isn't necessarily safe to assume that just because
something has an obvious counterexample, people will disbelieve it.
I imagine many people don't have JavaScript in mind when quoting,
teaching, using, or hearing "Law" #1, and will take "Law" #1 as an
immutable law until they are faced with the counterexample and take
the time to reconsider what they were taught.


-- ?!ng
