On Sat, 3 Aug 2024 22:05:49 -0400 Bill Bogstad <bogs...@pobox.com> wrote:
> I think it is basically because the industry has convinced itself
> that bugs are inevitable and there is no way to mitigate those bugs
> becoming security problems. Back in the 90s, I found security
> fascinating; but when I realized that nobody had any interest in
> actually doing anything more than dealing with this week's problem, I
> decided that wasn't a career path I wanted to follow.

It's not that nobody has that interest. It's that perfect security is impossible either in the physical world or the digital realm: the attacker always has the advantage over the defender. We do what we can think of to prevent compromise but we understand that the attackers can try all of the things we *didn't* think of or the tiniest of mistakes we make. So we also do what we can to detect, contain and mitigate compromise. It's very much whack-a-mole, solving the endless string of this week's problem.

Sometimes it takes a catastrophe like the Titanic disaster or the XZ tools disaster to get problems addressed. What is most important is that we learn from the mistakes that lead to these disasters, and build on top of that knowledge.

-- 
\m/ (--) \m/

_______________________________________________
Discuss mailing list
Discuss@driftwood.blu.org
https://driftwood.blu.org/mailman/listinfo/discuss