Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Most security-oriented articles are written by extremely security-minded people. These people in my experience ignore the difficulties that a purely security-oriented approach imposes on users of the secure software. I always present security as a sliding scale. On one end "Secure", and on the other "Convenient". Purely Secure software design will almost never have any users (because it's too inconvenient), and purely Convenient software design will ultimately end up the same (because it's not secure enough).

That said, this is a good read for the most part. I heavily, heavily disagree with the notion that trying to write exploits or learn to exploit certain systems as a security professional is dumb (under "Hacking is C00L"). I learned more about security by studying vulnerabilities and exploits and trying to implement my own (white hat!) than I ever did by "studying secure design". As they say, "It takes one to know one." or something.



> These people in my experience ignore the difficulties that a purely security-oriented approach imposes on users

Your scale analogy is probably more approachable, but I'm a little more combative. I usually start out my arguments with security weenies with something along the lines of "the most secure thing would be to close up shop tomorrow, but we're probably not going to get sign-off on that." After we've had a little chuckle at that, we can discuss the compromise we're going to make.

I've also had some luck with changing the default position on them by asserting that if they tell me no, then I'll just do it without them, and it'll have whatever security I happen to give it. I can always find a way, but they're welcome to guide me to something secure. I try to avoid that though, because it tends to create animosity.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: