I pulled all the individual recipients out of the To: and put it back to
> In my opinion, Mr Ranum represents the practical viewpoint, discussing
> real (documented, exploited, ...) threats, while Dr Cohen represents
> the theoretical viewpoint.
Marcus always has good ideas. I'm a little surprised at his apparent
dislike of testing, and suspect his vehemence in this case has more to
do with past history of the two gentlemen than his real feelings about
testing. I empathise with this, I've been irritated by this particular
I disagree that Dr. Cohen's arguments are just theoretical; it's fairly
well accepted in software engineering that stress testing is important,
and further I've seen many cases of my software failing in fairly surprising
ways under stress testing. Some of these failures had security implications.
As I understood it, all Dr. Cohen said was that you don't know if you have
problems like that unless you test. Fair enough. I don't have a testing
mentality, REAL testers almost always embarrass me when I pass what I
consider well designed, well thought out, and well tested, (by me;)
software to them.
Does anyone disagree with the point that stress testing (among other types
of testing,) is important in software we rely on for security? That's the
whole idea behind assurance. You don't just tell people what your software
does for them, you show them the test results that prove it. I'm surprised
at how much security software sells without assurance.
> While both views are important, I think that the theoretical writings
> from Dr Cohen could benefit from some practical examples or discussions
> about practical relevance. I have found the firewalls mailing list to
> be very useful and informative, mostly in a clearly practical and
> "real" way.
It sounds like you're saying that the firewalls list is useful, so Cohen's
ideas somehow have less merit?
> Personally, I've also always found it easier to respect and learn from
> theoretical discussions if they are related to practical and real
I don't see how you can get more practical than his assertion that testing's
a good idea.
Does anyone think that testing's not a good idea? Are there any of you out
there that never write bugs into your code? I've put non-obvious bugs into
five line programs <wince;> It's embarrassing but true. Also, I've seen
kernel problems under stress a lot. Wouldn't we want to know this?
/ These opinions are mine, and not Amdahl's (except by coincidence;). \
| (\ |
| Patrick J. Horgan Amdahl Corporation \\ Have |
| patrick @ com 1250 East Arques Avenue \\ _ Sword |
| Phone : (408)992-2779 P.O. Box 3470 M/S 316 \\/ Will |
| FAX : (408)773-0833 Sunnyvale, CA 94088-3470 _/\\ Travel |