Why Capabilities and Persistence are Essential

Paul Snively psnively@earthlink.net
Thu, 11 Nov 1999 09:19:50 -0800

MarkM wrote:

> At 07:04 AM 11/11/99 , shapj@us.ibm.com wrote:
>>First, I caution that your statement betrays a fairly complete lack of
>>familiarity with the serious security literature.
> More later, but I want to respond to this in real time.
> I freely and openly admit this lack of familiarity.

I just wanted to take this opportunity to observe that I'm learning an
*astonishing* (to me, anyway) amount simply by virtue of subscribing to this

I have to say in particular, however, that MarkM's efforts, the best example
of which I feel is the Ode, have both summarized the issues and, where
possible, their resolutions in such a way that a hopefully-non-naive but
nevertheless non-crypto/security/OS/language-expert such as myself can not
merely grasp but be inspired by.

Like many people at the juncture of the use of the web and its more
technical aspects, I'm in awe of the putative possibilities but painfully
aware of the troubling technical and social hurdles to be overcome before
the more rich and compelling of those possibilities can be realized. I find
that I spend a disheartening amount of time wincing when a Staples issues a
five-digit "coupon" for $20 to select customers and then wonders why they're
getting ripped off blind and have to shut the promotion down, or rolling my
eyes when someone writes a JavaScript trojan horse that gathers user IDs and
passwords and is able to upload it to eBay. I won't even go into Microsoft
Outlook viruses that can read your address book and spread simply by sending
themselves to your friends while pretending to be you.

I suppose what I'm driving at is, to paraphrase a quote I once heard that
really stuck with me, "security is too important to be left to the security
experts." (The original version of this, which I unfortunately don't know to
whom to attribute, is "Theology is too important to be left to the
theologians," which dovetails nicely with my Lutheranism. ;-)

All of this is a long, rambling way of saying thanks to MarkM for the Ode
and other wonderfully succinct, clear expository work, and also to the rest
of the list for keeping each other honest and maintaining an extraordinarily
high signal:noise ratio (which, I'm embarrassed to realize, I'm in the
process of damaging).

Please reply to <mailto:psnively@earthlink.net> using PGP. My public key can
be found at <http://pgpkeys.mit.edu:11371>. PGP can be found at
<http://web.mit.edu/network/pgp.html>. Beginning 11/1/1999, unenciphered
e-mail will be immediately deleted unread. Thank you.