[cap-talk] "Immutable Law" #1 is alive and well at Microsoft
Mark Miller
erights at gmail.com
Fri Oct 5 20:15:22 EDT 2007

On 10/5/07, Ka-Ping Yee <cap-talk at zesty.ca> wrote:
> I don't understand -- how do these not count?
> http://blogs.msdn.com/larryosterman/archive/2007/09/21/threat-modeling-again-threat-modeling-rules-of-thumb.aspx
> http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx
>
> Are you saying that it doesn't matter if Scott Culp and Larry Osterman
> quote Law #1 because they don't count as world-class experts?

Ok, I was conflating two issues: 1) MarcS' claim that
> > On 10/5/07, Stiegler, Marc D <marc.d.stiegler at hp.com> wrote:
> > > [...] At MS, [...] you are surrounded by world-class top
> > > experts in security [...] who will tell you the immutable law is true.

Regarding this issue, I've never heard of Scott Culp and Larry
Osterman before, but I admit I'm not an expert at who counts as an
expert. I'm sure there are many very accomplished people I've never
heard of before. Do these two count as experts? I have no idea, but
I'd be curious. Anyone?

2) I was incorrectly saying that if we don't find such experts, e.g.,
if these two don't count, then we should stop beating this straw man.
I was indeed wrong to tie these issues together. Even if Scott Culp is
as renowned as Butler Lampson, I still think we should stop beating this
straw man. Anytime the "law" comes up, just say "What about
Javascript?" and be done with it. Let's not try to make the case for
POLA by making a big deal of a silly statement that's so trivially
refuted.

--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM