On Wed, 6 Dec 1995, Marcus J. Ranum wrote:
> Mike Shaver writes:
> >I'm beginning to feel a little lonely, but am I _really_ the only one
> >who sees security as a feature?
> I do!!! Security is a feature (almost a side-effect) of a well
> designed system. But one of the important things about security is that
> you have to be able to make MONEY off it.
And be able to parlay it into good P.R.
> Vendors, at least in the UNIX space, would rather spend their
> R&D $$ making cool new chips, better graphics, faster disks, and
> cheaper boxes, than security. Because they lose money on security
> and they make money on faster disks, etc. This is yet another of
> the ways in which I believe the orange book has set back computer
> security's evolution: by making security a severe *expense* in the
> development cycle, it has done more than any other single thing to
> convince the vendors that security is something to stay the hell
> away from.
While the orange book is a guide, I do not believe the vendors are even
considering it in their design. Recently, I have been in discussion
with a few vendors on their attitude twoard security and their response
is "this is not what the users want. We have marketing surveys...."
Me, being a curious person, I ask who is being included in the
surveys, the CIO's, high level managers, those who haven't seen a line
of code in 10 years, or those of us in the trenches who have typer's
cramps from chasing down the problems vendors leave for us? That's
when the conversation stops? That question is usually a conversation
I call it the "Gee whiz" Syndrome. All these vendors want something in
their ads that will make these people go "gee whiz, that's neat" rather
than something that would actually work for the user. It seems the only
time most Unix vendors show an interest in security is when someone
issues a security alert about their system. In other words they're
reactive rather than proactive.
> In order to reverse the trend, we (the amalgamated union
> of security dweebs local #1024) need to position security as an
I like that name! :-)
> enabling technology. It's hard. It means telling people, "Hey!
> That cool thing you want to do? You couldn't do that unless the
> system supported these basic security services" or whatever. The
I was told when security hits the top 10 of desired features, then the
vendors will pay attention to it. Not before. It took how long for
automakers to stop offering shoulder straps as an option?
> brightest raw of sunshine I've seen for a while is Sun's success
> positioning Java as a bitchin' cool thing and that SECURITY is
> part of the bitchin' coolness of it. The fact that they accomplished
> a market sell on that fact is good news; it means that people are
> learning to ask for systems that are more than spit and glue and
> duct tape.
Sure... Sun did that AFTER its potential security problems were beaten
up here and on other mailing lists and newsgroups. Yes, I know they put
out their white paper on their security position. But Sun did not start
to advertise it with its security "feature" until AFTER the onslaught
from the union. Again, they were reactive rather than proactive.
To my knowledge only DEC and IBM have proactive groups (among Unix
vendors) solely concerned with security. Yes, I know DEC was first
(SEAL), but IBM has always been proactive with computing security (on
their mainframes) and now has extended that to their Unix offerings.
scott barman DISCLAIMER: I speak to anyone who will listen,
com and I speak only for myself.
"I don't know if security explains why the Win95 support Web servers run BSDI
2.0--an Intel-based Unix--rather than Windows NT, which Microsoft insists is
the ideal Web software solution. Does Redmond know something we don't know?"
-Robert X. Cringely, INFORWORLD, 9/11/95