Gary S. Terhune said:
Are you ready for a major "the way I see it" speech? Here it is--"The Way I See It", by Hugh Candlin.
Fair's fair, <s>.
HC: Sorry, Gary. Tired. Lazy. Grumpy. Pick any 3 from 3.
Security isn't something you dink around with, "solving" one problem at a time,
until you get it right, because you are never going to get it right that way.
Ummm, Hugh... How long do you think folks are going to sit around and wait for this perfect OS to be developed?
HC: However long it takes. It is essential and inevitable. It isn't a question of IF.
It is merely 2 questions. When? And Who? Personal Computing has long
outgrown the pioneering, fly-by-night-and-the-seat-of-your-pants,
don't-bother-with-that-just-shove-the-product-out-the-door-and-sit-back-
and-look-cool-and-let-the-cash-roll-in-and-how-are-our-options-doing environment.
The only corporate entity that doesn't understand the enterprise, that doesn't put the
customer first, that STILL thinks that THEIR way is THE way is, guess who?
Solving one problem at a time is what computer science is all about.
HC: No, no, no, no, no. A thousand times no. A billion times no.
Never, never, never, never, never. It is essential that the driving force
be capable of seeing the big picture and of conceiving, developing
and executing a plan of action accordingly, to address the relevant issues.
A computer system, secure or not, is worthless if
HC: If a computer system is not secure, it is worthless. That needs no qualification.
it can't also perform tasks that are requested of it, using the technology available,
HC: The technology is available.
and within the environment that is currently extant.
HC: You mean that Microsoft has a vested interest in maintaining the marketability
of the current code base? It is obsolete. It is irrelevant. It is incompetent.
We all have perfectly secure systems available to us. Pull the plug and you got one
sitting right in front of you (so long as you can keep anyone else from plugging it back in.)
I do not know of *one_single* perfectly secure computer system in the entire world
that actually does anything or contains any data worth keeping "secure".
So long as there is an interface with that data, it is not secure, almost by definition.
HC: I agree here. A system administrator is a security risk. That is a given.
However, I am not demanding perfection. Just better. Much, much better.
Security should be integrated into the product to the extent that Security
is the base component of the product, and the features of the product
are built upon and around that solid, secure, transparent foundation.
Dream on. "Solid, Secure, Transparent." Mutually exclusive conditions.
HC: No, they are not. That is a defeatist attitude to which I will not subscribe.
There is NO other way, and NO other way should be considered.
ANY suggestion that this cannot be done is baseless and irresponsible.
I do not consider myself irresponsible or lacking a base, and I categorically refute
your premise. It CANNOT be done.
HC: Hold on there, cowboy. Let's disassociate the ideas from the proponents.
While we obviously disagree on the level of perfection to be attained by "it",
rest assured that "it" will be done. "It" is necessary. We are spending billions
upon billions of dollars, pounds, francs, marks, whatever, running around
like chickens, ping-ponging from one crisis to another. Chicken Run is OVER!!
I actually see a parallel here with standard application production support.
Visualize this. A bug in an application program creates a database problem.
Support personnel are given the task of fixing the issue. Let's say that it is
a hosed up order for the new Update CD. They do what they have to do.
Before they get done, another error pops up. Again, they fix it. Another
one pops up. And another. And another. Before they know it, they are
spinning their wheels, trying to keep the business running by getting the
orders fixed, one by one, while the error continues to cause problems.
The obvious correct course of action is finally forced upon them. They stop
the remedial activity on the data, and fix the application to stop the torrent
of errors. There is no other way, unless you have sufficient staff to do both
at the same time, which is ideal.
It CAN be done. It WILL be done. It MUST be done.
If the current market leader cannot and/or will not accept that fact,
then the market will turn away from them to someone who will.
There is no such system.
HC: That is painfully obvious.
Not even possible on paper.
HC: I'll just quietly bite my tongue here.
Thus there can be no such person or corporation, now or ever.
HC: We shall see.
Many years ago, Bill Gates publicly agonized over the possibility,
that Microsoft would follow the normal corporate bell curve to oblivion.
Or was it probability?
Probability, based upon simple understanding of business dynamics.
Also irrelevant to the subject at hand.
HC: We disagree here. Big time. Microsoft will stay in the driver's seat
only as long as they steer the wheels in the correct direction.
If they insist on taking their shortcuts against the wishes of the
majority, then the majority will seek another mode of transportation.
I could add a disclaimer here that, despite the probability that this missive will be
perceived as a diatribe against Microsoft, nothing could be further from the truth.
Diatribe, yes.
HC: No, it isn't. It just sounds like one when you are philosophically opposed
to the advocated change, regardless of the magnitude of the change.
One which I suspect is born of understandable frustration.
But if you insist on speaking in absolutes, you put most realistic discussion beyond the pale.
HC: I do not speak in absolutes. I just refuse to limit my vision.
I am perfectly OK with Microsoft maintaining its position as the supplier
of the #1 desktop operating system. But right now, that position is up for grabs,
and if Microsoft doesn't learn to innovate and think outside the box they are in,
then change is inevitable.
Change is always inevitable.
HC: Normally, yes.
But I see nothing even remotely resembling your dream OS anywhere on the horizon
HC: Maybe I can see over the horizon, then.
(which I guess is to be expected, since it's a mathematical impossibility.)
HC: Perfect security? Yes. What I envision? No. I do not conceive
mathematical impossibilities. That isn't how my imagination operates.
Yup, the position is up for grabs, and always has been. And I don't see any better candidates for an even reasonably "Secure
System", anywhere. Not any that are also even remotely within the realm of mass-production with broad consumer appeal.
HC: Perhaps.
If you could, I suspect you would. But can you at least establish some reasonable discussion points?
HC: "Reasonable" is a matter of personal opinion, is it not?
It is easier to criticize me for being analytical than it is to address the fundamental flaws
that need to be addressed. And they WILL be addressed.
It simply remains to be seen, by whom.
I see no real analysis, only diatribe.
HC: I said that that would happen.
Sorry, Hugh. I like and respect you, but we've found your blind spot.
Yes, systems that are more secure will be developed, and paradigms will change,
particularly those involving the definition and practice of computer security.
HC: We are not as far apart as you might think, after all.
What we have here is a failure to communicate fully and completely.
But in the end, the PC world is as close to being purely democratic
as anything else I can think of
HC: The PC world is an anarchistic, back-stabbing, dog-eat-dog
maelstrom where anything goes and anyone is fair game.
--and you know what they say about democracy.
HC: The art of choosing between the disastrous and the unpalatable?
-------------------------------------------------------------------------
What you do is of little significance, but it is very important that you do it.
Mahatma Gandhi
-------------------------------------------------------------------------
Gary S. Terhune
MS MVP for Windows 9x