MarkM wrote:
> At 07:04 AM 11/11/99 , shapj@us.ibm.com wrote:
>>First, I caution that your statement betrays a fairly complete lack of
>>familiarity with the serious security literature.
>
> More later, but I want to respond to this in real time.
>
> I freely and openly admit this lack of familiarity.
I just wanted to take this opportunity to observe that I'm learning an *astonishing* (to me, anyway) amount simply by virtue of subscribing to this list.
I have to say in particular, however, that MarkM's efforts, the best example of which I feel is the Ode, have both summarized the issues and, where possible, their resolutions in such a way that a hopefully-non-naive but nevertheless non-crypto/security/OS/language-expert such as myself can not merely grasp but be inspired by.
Like many people at the juncture of the use of the web and its more technical aspects, I'm in awe of the putative possibilities but painfully aware of the troubling technical and social hurdles to be overcome before the more rich and compelling of those possibilities can be realized. I find that I spend a disheartening amount of time wincing when a Staples issues a five-digit "coupon" for $20 to select customers and then wonders why they're getting ripped off blind and have to shut the promotion down, or rolling my eyes when someone writes a JavaScript trojan horse that gathers user IDs and passwords and is able to upload it to eBay. I won't even go into Microsoft Outlook viruses that can read your address book and spread simply by sending themselves to your friends while pretending to be you.
I suppose what I'm driving at is, to paraphrase a quote I once heard that really stuck with me, "security is too important to be left to the security experts." (The original version of this, which I unfortunately don't know to whom to attribute, is "Theology is too important to be left to the theologians," which dovetails nicely with my Lutheranism. ;-)
All of this is a long, rambling way of saying thanks to MarkM for the Ode and other wonderfully succinct, clear expository work, and also to the rest of the list for keeping each other honest and maintaining an extraordinarily high signal:noise ratio (which, I'm embarrassed to realize, I'm in the process of damaging).
Best,
Paul
-- Please reply to <mailto:psnively@earthlink.net> using PGP. My public key can be found at <http://pgpkeys.mit.edu:11371>. PGP can be found at <http://web.mit.edu/network/pgp.html>. Beginning 11/1/1999, unenciphered e-mail will be immediately deleted unread. Thank you.