Comments on: Solving some of the Wrong Problems

By: Spaf

Spaf — Sat, 22 Dec 2007 23:17:20 +0000

Point noted (about cancer). However, I wasn’t arguing about research against cancer in general. My own mother died of lung cancer from smoking, and an uncle from bladder cancer, and so on. My point was more that we spend all way too much of our money trying to get around (some) things we know how to address or eliminate, but we don’t put any real effort into that elimination!

Breast cancer is terrible, and I’ve already had several friends and relatives affected by it. We need to find causes and treatments. My only hope is that if we find causes we can address we don’t simply ignore them and focus on treatments because people are unwilling to address those causes!

By: R. Austin

R. Austin — Sat, 22 Dec 2007 11:38:49 +0000

Dr. Spafford,

Your comments on research priorites and the general “ho hum” nature of much academic security research is right on but with all due respect, I have to take issue with you on the subject of cancer research.

I lost my wife to breast cancer and that had absolutely nothing to do with the tobacco lobby, second hand smoke,etc. So, I for one, am quite happy to see significant funding going into cancer research and could wish that we spent more.

Yeah, chemo sucks but on the other hand, it’s a welcome alternative to the rest “cures”, morphine, etc, that were breast cancer “treatment” not so very many years ago. And, unpleasant as it is, it has contributed to the survival of many women who would otherwise have had their lives cut short.

By: An Information Security Place » Blog Archive » There sure are a lot of "WTF are we doing?" posts going around

Fri, 19 Oct 2007 04:26:32 +0000

[...] then I see this one from Rich which is referencing this post (which came before mine, so there you go) and it is followed up by Hoff’s declaration [...]

By: 1 Raindrop

1 Raindrop — Thu, 18 Oct 2007 20:03:05 +0000

Sacred Cow Gored? Check….

As only a certified security high priest can do, Gene Spafford has started a linkfest o’ love spawning numerous backslapping from some of my favorite people in the blogosphere. I hate enjoy to be the contrarian, so while I agree with the general senit…

By: Joseph Crawford

Joseph Crawford — Thu, 18 Oct 2007 16:35:53 +0000

As the old General Contractor says, “We offer solutions that are fast, high quality, and inexpensive. But you may have only two of the three.”

Unfortunately, to provide truly secure (high quality) solutions it takes significant time and/or expense. Fast and cheap rules the day, especially in information technology. Band-aids for security are cheap and readily available; transplant surgery is expensive and painful.

The basics of market economics declare that while highly secure systems are the best option, the speed of evolution in the industry (mandating quick responses by developers) drives up the cost to the point where the customer will ultimately buy a less expensive solution - and normally the first-to-market offering at that (due to market share and percieved maturity factors).

By: An Optimistically Fatalistic View On The Futility Of Security | securosis.com

Wed, 17 Oct 2007 20:39:55 +0000

[...] one I support completely. Dr. Eugene Spafford, a seminal figure in information security, is also dedicating effort to the cause. I’m firmly in their camp and believe that while we don’t need an entirely new model [...]

By: Blog Tips #2

Blog Tips #2 — Wed, 17 Oct 2007 18:49:54 +0000

[...] ótimo post de Eugene Spafford a respeito dos investimentos financeiros e de tempo realizados em soluções de segurança do tipo [...]

By: Sicurezza, ICT ed altro » Blog Archive » Isoradio delle vulnerabilità (rant)

Mon, 15 Oct 2007 09:50:55 +0000

[...] Fra i vari feed che leggo, ovviamente che ne sono alcuni che riguardano le nuove vulnerabilità. Dato che al momento non sono impegnato in attività da sistemista, leggere questi interminabili elenchi di vulnerabilità mi fa l’effetto di ascoltare isoradio stando a casa: una serie di notizie sostanzialmente uguali tutti i giorni, cambiano i posti e i chilometri delle code, ma le cause sono sempre le stesse e in alcuni tratti a certe ore c’è sempre coda. Ha ragione (come sempre) Spafford, quando dice che passiamo il tempo a risolvere i problemi sbagliati. [...]

By: Andrew Patrick » Solving the wrong security problems and avoiding sacred cows

Fri, 12 Oct 2007 15:17:50 +0000

[...] Solving some of the Wrong Problems We know how to prevent many of our security problems — least privilege, separation of privilege, minimization, type-safe languages, and the like. We have over 40 years of experience and research about good practice in building trustworthy software, but we aren’t using much of it. Instead of building trustworthy systems (note — I’m not referring to making existing systems trustworthy, which I don’t think can succeed) we are spending our effort on intrusion detection to discover when our systems have been compromised. Share This Close [...]

By: Pick your poison. : everburning

Pick your poison. : everburning — Fri, 12 Oct 2007 04:29:03 +0000

[...] Stumbled across, well, it showed up in my blogroll, an interesting article on the Cerias blog about problem solving and our tendency to try to cure the symptoms instead of solving underlying issues. Mostly computer stuff but nothing technical and maps to pretty much any culture. As a result, we develop fragile monocultures that have a particular set of vulnerabilities, and then we need to spend a huge amount to protect them. ~ Solving Some of the Wrong Problems. [...]