Related link: http://www.securityfocus.com/print/columnists/334
While everybody and their dog already blogged about it, here it is: a fun interview with Marcus Ranum on security.
You know, I always had trouble understanding what the word “curmudgeon” means (no matter how many times I type “define: curmudgeon” in Google :-)), but this piece really explains it. Plentiful examples include: “whole RFC process is obsolete”, “I see very little that’s new and even less that’s interesting [in security]”, “I believe we’re making zero progress in computer security, and have been making zero progress for quite some time”, “If the CTOs of 10 FORTUNE 500 firms announced that they were deferring further purchases…”
So, is “everything good” in security already invented? No! I think nowadays it is not about “inventing 100% protection” (which is indeed already invented - by Ranum), which Ranum talks about, but rather about “how do I get exactly the right amount of protection while sacrificing a minimum acceptable amount of usability/efficiency”…