Justin Young wrote:

> For the record everyone is throwing around this word secure as if it
> pertains to our industry. Nothing can ever be secure as that would be it
> could never be compromised. If anyone feels that your systems, networks,
> programs can never be compromised you're sadly mistaken. The proper term that
> you should be using is TRUSTED.

Uh, no. "Trusted" is a specific, technical term that means that a product has been through a formal evaluation procedure. It is "trusted" because some folks who (allegedly) know something about security have inspected it, and say that it can be trusted. It is meaningless to say that a program is "trusted" without also specifying which kind of formal evaluation it has passed, e.g. C2, common criteria, etc.

"Secure" means "can't be hacked." Trusted software *probably* is secure, but not necessarily.

You're right that nothing can ever be "secure", but that doesn't mean we can't discuss the concept. It's like "infinity": you can't get there, but it is a very useful abstraction.

There was a very interesting thread a while back (I think on vuln-dev) about what "secure" means as compared to "reliable". I quite like the results:

* Reliable: a program that does what it is supposed to.
* Secure: a program that does what it is supposed to, and *nothing* *else*.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org

This archive was generated by hypermail 2b30 : Thu May 03 2001 - 14:11:02 PDT