Re: [fw-wiz] How automate firewall tests

Marcus J. Ranum wrote:
For the last 15 years we've been presented with a constant litany of
important agencies, sites, and systems that have been hacked into
because people don't believe that doing security right is practical.

By the way, I'm not saying it _IS_ practical.

That's the point. Sometimes "practical" doesn't enter into the picture.
If your systems need to be secure then it's not a matter of practicality;
they either are secure or they aren't. Actually securing systems is
hard brain-work and is definitely going to affect the user experience
in various inconvenient ways. "So what?"

We've seen where "practical" has gotten us.

We've also seen where failing to take the user experience into account
has gotten us - it's fine to say "make the user experience suck" - but
that's one of the sure, documented ways to make sure that the user -will-
find ways to bypass security (whether technical or layer 9).

If nothing else, we can learn from the military, where the user experience
is sometimes dramatically sucky - but there's usually a well understood
threat model and process associated with the suck.

"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet. This is the defining metaphor of my life right now."

firewall-wizards mailing list