Thus spake gary flynn:
> I think computers should be easy to use and you shouldn't have to
> know anything about them to use them effectively.
> Security products, in particular, should not require people
> to know anything about security, protocols, application
> design, or risk/cost/benefit analysis.

Dissent: A word processor can make it easier for you to write a
report. It can make sure that the spelling is `correct' and perhaps
even the grammar. And it can certainly make your report look
prettier. But, no matter how well designed the word processor, it
_cannot_ make sure that your report says what you meant it to say. It
can't catch you saying `he was deluded' when you mean `he was
deluged': both are grammatically and orthographically correct.

The concept of a given configuration being `secure' all the time,
every time is, to me, not worth discussion. A firewall can possibly
make sure you enforce _a_ security policy, but so can a segment of
ethernet. It doesn't matter how good the firewall's UI is, or how
much forethought the designers put into it, only you (should) know
what your security policy requires.

If you're going to buy a security product so that you can have a
security product (CYAWall(tm)), then you don't need to know the first
thing about that silly `security' stuff. If, on the other hand, you
want to _use_ a security product to make your network more secure,
you'll have to know something about security and the like. It doesn't
matter if your `security product' is a shrinkwrapped firewall or a
lead pipe for frightening your users.

(if you don't know where you're going, how do you know if you got there?)

#> Mike Shaver (shaver @
com) Ingenia Communications Corporation
#> Chief System Architect -- will tame sendmail(8) for food
#> "You are a very perverse individual, and I think I'd like to get to
#> know you better." --- eric @