-----BEGIN PGP SIGNED MESSAGE-----
Such secondary procedures are okay in the banking world, where you can
out transactions that an audit reveals are fraudulent after the fact. The
same does not apply to letting persons across a border where you can't
retroactively deny them entry after they've killed a bunch of people (and,
most likely, martyred themselves). It's the same problem with voting
systems, actually: the anonymity requirements mean all security hinges on
making sure only authorized people vote, and only once at that; you can't
back out fraudulent votes after they're cast, which is why all of the
attacks are on the authorization system and being undetected in an audit
It does matter.
Unfortunately, find ourselves in a position where easy business
decisions allow people to make very bad technical decisions, and
put the integrity of their network security directly in the path of
"Test" is not a good business decision, because if there is
a possibility where things can be compromised, generally they will be.
We (collectively) have done a very fine job of delivering
functionality first, and security secondly.
That puts most of us in the position of the 'Little Dutch Boy',
with our finger in the security dike.
So, having said all that, it's pretty difficult to figure out
where the problems and solutions actually meet.
We're actually at a very difficult cross-roads right now.
- - ferg