Interesting People mailing list archives
Re: IP: Re: -RE: GOVNET? Not the brightest idea.
From: David Farber <dave () farber net>
Date: Sat, 13 Oct 2001 14:30:30 -0400
X-Sender: waa@localhost X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Sat, 13 Oct 2001 14:07:25 -0400 To: farber () cis upenn edu, shap () eros-os org From: Bill Arbaugh <waa () cs umd edu> Subject: Re: IP: Re: -RE: GOVNET? Not the brightest idea. Dave, I need to take issue with Shap's point.I am no defender of Microsoft, but the statement above is unfair in the extreme. Microsoft is indeed incompetent at security, but they haven't yet achieved a monopoly on incompetence. The fact that we have no secure commodity operating system is a direct result of fifteen years of Federal policy.The exact cause of why TCSEC rated systems died is debatable. While I'm certain that export policy reduced the sales of these systems, it did not cause their death.I used numerous TCSEC rated systems over the years, and I found them wanting in several ways: 1. They were way too expensive when compared to commodity goods. 2. They were unbelievably difficult to use and even worse to manage. 3. They used out of date technology and software. These are the reasons why TCSEC rated systems failed to be successful products. Their sales within the US DOD were dismal even though their use was mandated. They failed as a product because something else was always cheaper, faster, and easier to use. The reasons why these systems failed are the dual of why MS has succeeded,and to some degree why commodity software usually has security problems. Vendors are trying to ride the wave of newer and cheaper technology. This creates a rapid design and development process which introduces design and implementation errors- sometimes security critical errors. These same vendors try (although some may argue they don't succeed) to make their systems and software easy to use- ease of use andsecurity are typically at odds with each other.In short, the current process of designing, building, and even managing systems are at odds with achieving a high degree of assurance. The question is: can we find ways to develop systems and software rapidly such that they have a high assurance and areeasy to use and manage?It's easy to blame the usual suspects (Microsoft, and the Government) in this situation.But, neither are at fault this time. Bill ----------------------------------------------------------------------------------------------------------------------------William A. Arbaugh 301.405.2774 Asst. Prof., CS and UMIACS http://www.cs.umd.edu/~waa----------------------------------------------------------------------------------------------------------------------------
For archives see: http://lists.elistx.com/archives/interesting-people/
Current thread:
- IP: Re: -RE: GOVNET? Not the brightest idea. David Farber (Oct 13)
- <Possible follow-ups>
- Re: IP: Re: -RE: GOVNET? Not the brightest idea. David Farber (Oct 13)
- Fwd: Re: IP: Re: -RE: GOVNET? Not the brightest idea. David Farber (Oct 13)