At 10:13 AM 8/16/03 -0400, Roy M. Silvernail wrote:
Security, as Schneier says, is a process. It's also a mindset, and I think one either has the mindset or he doesn't. And for those that don't have it, it is *very* difficult to impart.
And you don't get any droid-demonstrable features for all your efforts. Whereas being able to control <whatever> from a network has gee-whiz sellability. And the customer has a hard time imagining the attack: how are they going to find the network, how are they going to guess the password?

I had the pleasure ca. 1997 of figuring out how to browser-enable a multi-ton industrial machine (the kind with big red "stop" buttons, rotating lights on it when it was operating, and stickers showing various forms of dismemberment possible) once. A password was the only access control. I hope anyone who installed this understood firewalling and air gapping...

(Meanwhile, my garage door is "protected" merely by the number of possibilities, 256.)