> Seeking perfect correctness as an approach to security is a fool's
> errand. Security is designing systems that can tolerate imperfect software.
Exactly. On "Curb Your Enthusiasm" this happened recently. Larry David was frantically looking for a DVD case, but could not find it.
LD: "I don't know what happened. I have a system. I put the DVD in the player, and I put the case on top of the player. But now it is gone."
Friend: "That's not a system. A system is - you buy a bunch of empty DVD cases and put them next to the player."
Brian Snow puts this another way:
How do we get high assurance in commercial gear?
a) How can we trust, or
b) If we cannot trust, how can we safely use, security gear of unknown quality?
Note the difference in the two characterizations above: how we phrase the question may be important.
And of course this is among the biggest challenges we have in distributed systems security today.