[cap-talk] Any hope in RSA 2008?
Jed Donnelley
capability at webstart.com
Fri Apr 4 06:28:18 EDT 2008
At 02:41 AM 4/4/2008, Jonathan S. Shapiro wrote:
>On Wed, 2008-04-02 at 15:59 -0700, Jed Donnelley wrote:
> > It isn't just those areas. The whole thrust of the conference
> > (mostly intrusion detection and configuration management on
> > the technology side) seems to suggest pursuing nonsense as
> > solutions...
>
>I can't speak to the conference per se, but these activities are not
>nonsense.
You're right. Very bad word, "nonsense". Sorry I didn't
catch myself there.
>These folk are trying to "solve" the problem in the sense of
>"what can I do in the next three weeks", not "how can I rebuild the
>world to be a better place".
Right. However, I would think that by now since we've been
doing what we can for the next three weeks for the last 15 years
at least and things haven't gotten better (they've gotten
worse) then it does seem pretty clear to me that this three
week horizon process is not making positive progress.
>In that light, methods for ensuring that processes are followed, and for
>knowing which systems need to be reviewed when a compromise in subsystem
>X is discovered, are very useful things.
Yes. They are useful things, but clearly (by now) not solving
the problem.
So I still ask, is there any hope visible in RSA 2008? Any
hope for real improvement over the long term. That is, not just
imagined improvement over three weeks assuming that nothing
else changes - which of course it does. Change three weeks
to three months or even three years and to me the answer seems
to be the same. I don't see any hope in the technological approaches
that are being pursued.
This is what I was asking though - for somebody to point out
areas where there does appear to be hope for the long term.
I know the hope that I hold out for POLA mechanisms as with
capabilities, but what about other possibilities? Most
people don't even consider POLA computing as a possible
"solution", so are there approaches that are being used
that have hope for the long run? I'd like to investigate
any such possibilities as I well know what a long shot
POLA is, with or without capabilities.
--Jed http://www.webstart.com/jed-signature.html