Re: IP: Re: -RE: GOVNET? Not the brightest idea.

[David Farber <dave () farber net>]

> X-Sender: waa@localhost
> X-Mailer: QUALCOMM Windows Eudora Version 5.1
> Date: Sat, 13 Oct 2001 14:07:25 -0400
> To: farber () cis upenn edu, shap () eros-os org
> From: Bill Arbaugh <waa () cs umd edu>
> Subject: Re: IP: Re: -RE: GOVNET? Not the brightest idea.
>
> Dave,
>
> I need to take issue with Shap's point.
>
>
> > > I am no defender of Microsoft, but the statement above is unfair in the
> > > extreme. Microsoft is indeed incompetent at security, but they haven't yet
> > > achieved a monopoly on incompetence. The fact that we have no secure
> > > commodity operating system is a direct result of fifteen years of Federal
> > > policy.
>
> The exact cause of why TCSEC rated systems died is debatable. While I'm 
> certain
> that export policy reduced the sales of these systems, it did not cause 
> their death.
> I used numerous TCSEC rated systems over the years, and I found them wanting
> in several ways:
>         1. They were way too expensive when compared to commodity goods.
>         2. They were unbelievably difficult to use and even worse to manage.
>         3. They used out of date technology and software.
>
> These are the reasons why TCSEC rated systems failed to be successful
> products. Their sales within the US DOD were dismal even though their use
> was mandated. They failed as a product because something else was always
> cheaper, faster, and easier to use.
>
> The reasons why these systems failed are the dual of why MS has succeeded,
> and to some degree why commodity software usually has security problems. 
> Vendors
> are trying to ride the wave of newer and cheaper technology. This creates 
> a rapid
> design and development process which introduces design and implementation 
> errors-
> sometimes security critical errors. These same vendors try (although some 
> may argue
> they don't succeed) to make their systems and software easy to use- ease 
> of use and
> security are typically at odds with each other.
>
> In short, the current process of designing, building, and even managing 
> systems are
> at odds with achieving a high degree of assurance. The question is: can we 
> find ways
> to develop systems and software rapidly such that they have a high 
> assurance and are
> easy to use and manage?
>
> It's easy to blame the usual suspects (Microsoft, and the Government) in 
> this situation.
> But, neither are at fault this time.
>
> Bill
>
> ----------------------------------------------------------------------------------------------------------------------------
> William A. 
> Arbaugh                                                        301.405.2774
> Asst. Prof., CS and 
> UMIACS                                  http://www.cs.umd.edu/~waa
> ----------------------------------------------------------------------------------------------------------------------------


For archives see: http://lists.elistx.com/archives/interesting-people/