[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)

David Wagner daw@mozart.cs.berkeley.edu
24 Jan 2001 04:18:26 GMT


Marc Stiegler wrote:
>The bad news for the virtual world: For a given kind of wall, once someone
>has broken a wall of that kind, the cost of breaking that kind of wall goes
>approximately to zero.

This, of course, only increases the importance of defense in depth.

>The good news for the virtual world: mathematics tells us there are walls
>you can build that are "near-perfect and perfect", [...]

This may be true of crypto, but crypto is only a small piece of the
puzzle.  Steve Bellovin counted CERT advisories over the past decade
and found that at most 15% of them go away if you assume perfect crypto
deployed everywhere.  The rest is a matter of good systems design and
high quality software, and in that regime, our walls are decidedly
imperfect.  There's no magic bullet (no, not even capabilities!), and
that's where redundant defenses can make a contribution.

You seem to suggest that we have a decision to make between defense in
depth with imperfect defenses or a single but perfect line of defense.
But that's not the choice we are given today.  If you start from the
premise that all of our defenses are imperfect---and this seems to be
hard to dispute---then it seems that adding multiple redundant lines of
defense can't hurt and can only help.