CERIAS - Center for Education and Research in Information Assurance and Security

Purdue University - Discovery Park

Spafford Quote Used In Security Article (CSOonline.com)

Fri, November 18, 2005 - CERIAS Media Citings

An article published at CSOonline.com has cited Professor Spafford’s description of a secure web server, which first appeared in Web Security & Commerce (O’Reilly, 1997, S. Garfinkel & G. Spafford).

From the article: 

The Internet — on which the great majority of modern distributed systems are based — is, in a real sense, intrinsically insecure. In its early days (as the Advanced Research Projects Agency Network — ARPANET), all users were trusted, so it was never an objective to provide strong defenses against subversion from the inside. None of the changes made since, nor even Internet Protocol Version 6 (IPv6), have materially changed this situation. Moreover, there are so many different kinds of portable, pluggable, and embedded computer devices on the market that traditional perimeter defense using firewalls can no longer provide adequate levels of security. The resulting state of affairs has been memorably summed up by Gene Spafford, professor of computer science at Purdue University:

Secure Web servers are the equivalent of heavy armored cars. The problem is, they are being used to transfer rolls of coins and checks written in crayon by people on park benches to merchants doing business in cardboard boxes from beneath highway bridges. Further, the roads are subject to random detours, anyone with a screwdriver can control the traffic lights, and there are no police.


Professor Spafford keeps a collection of quotes at his homepage.
