Sorry, I will try NOT to make my words sharp enough to cut my own throat.
Is there meaning in this? Yes! Can it be stated in words? No!
I would like though, to be sure that it is NOT said about "Security", (as Al
Capp said about abstract art), that it is a product of the untalented, sold
by the unprincipled to the utterly bewildered. Most of the people in this
group are the principled, talented ones.  The rest of us are just
bewildered.  Progress isn't always new ideas, it's new ways of thinking about
old ideas.
The only people we have left to educate is everyone.  LP


*-----Original Message-----
*From: Roland Mueller [mailto:[EMAIL PROTECTED]]
*Sent: Wednesday, November 29, 2000 8:01 PM
*To: Larry Paul
*Cc: Marcus J. Ranum; firewalls_list
*Subject: Re:
*
*
*somehow I did not want to get into that discussion but honestly, isn't
*it the case that all of us have a lingo that might confuse the outside
*world. Therefore, pls try to be helpful in arguments. That sounds like
*flames!
*
*Roland
*
*Larry Paul wrote:
*>
*> I counted 60 acronyms in the first 2 pages of the functional
*> requirements.(TOC)  A short sample:
*> FIA_AFL, TSF(FMT_MOF), FPR_ANO, FPT_ITC, TOE TSF, FRU_RSA, FTA_MCS, FAU_GEN,
*> FCO_NRR, FCS_CKM, FDP_ACF, etc. etc.  Someone up there must LOVE
*> abbreviations.
*> *-----Original Message-----
*> *From: [EMAIL PROTECTED]
*> *[mailto:[EMAIL PROTECTED]]On Behalf Of Marcus J. Ranum
*> *Sent: Tuesday, November 28, 2000 4:43 PM
*> *To: [EMAIL PROTECTED]
*> *Subject: Re:
*> *
*> *
*> *Frederick M Avolio <[EMAIL PROTECTED]> writes:
*> *>Yes I encourage anyone who thinks that the Common Criteria sounds like a
*> *>wonderful invention to skim at least a few of the documents
*> *
*> *That's cruel, Fred. That stuff's completely unreadable
*> *gibberish and you know it. The only reason anyone should
*> *read it is if they:
*> *   a) want an example of how _not_ to convey information effectively
*> *   b) are suffering from sleep disorder and wish to become unconscious
*> *
*> *Here's a fun common criteria story. ;) The names have been
*> *left out, but the story is true <dum-dah-dum-dum>  - about
*> *a year after I stopped writing firewalls for a living ('95+)
*> *I got a call from someone who'd been working on common criteria
*> *profiles for firewalls. They worked for one of the agencies
*> *that helped perpetuate the whole common criteria thing, and
*> *were very seriously into the whole concept. The guy invited
*> *me to review and comment on the profile for firewalls (I may
*> *have some of the terminology wrong) and offered to send it.
*> *At that time, I had been sharpening my fangs on ICSA's ankles,
*> *and so the whole topic of certifying firewalls was "interesting"
*> *to me. So I agreed. Then I got this - thing - that appeared
*> *to have been written in its own language. As I studied it
*> *more closely, I realized that it was written entirely in
*> *code - every term that was in common use had been redefined
*> *into another term. In fact, the whole document appeared to
*> *be the output of an extended game of gnomic. It was the most
*> *amazing pile of unreadable bureaucratese - for unreadability
*> *it beat Rijndael ciphertext quite easily. So I get on the
*> *phone with the guy, not wanting to commit my comments to
*> *E-mail and posterity:
*> *        M: "Hi, this is Marcus. I've been reviewing the stuff you
*> *        sent and I have a couple of questions about it."
*> *        ?: "OK, sure!"
*> *        M: "Alright: where's the executive summary?"
*> *        ?: "Huh?"
*> *        M: "You know, the 1 page summary that tells a manager
*> *        what it _means_ so they don't have to read the rest?"
*> *        ?: "We don't have those. That's not what this program
*> *        is about!"
*> *        M: "Ok, then, who do you expect to use these documents?"
*> *        ?: "Security officers who are seeing if products meet the
*> *        profile for deployment."
*> *        M: "Oh, so you mean this is written in the language of
*> *        a mysterious priesthood that nobody listens to, so that
*> *        other members of the mysterious priesthood will nod
*> *        sagely? Meanwhile everyone will base their product
*> *        deployments on what they read in 'Data Communications'?"*
*> *        ...
*> *        and it went downhill from there. I fear I lost a friend.
*> *
*> *        The DOD-oids who are working on this formal security
*> *stuff and common criteria are the most out-of-touch people
*> *on earth, as far as I can tell. What good is a spec that
*> *nobody can or will read? You can't even use it as a paperweight
*> *because it's also paper!
*> *
*> *(* a great and sorely-missed journal that had some top-notch
*> *product reviews that had real teeth)
*> *
*> *mjr.
*> *-----
*> *
*> *Marcus J. Ranum
*> *Chief Technology Officer, NFR Security, Inc.
*> *Work:                  http://www.nfr.com
*> *Personal:              http://www.ranum.com
*> *
*> *-
*> *[To unsubscribe, send mail to [EMAIL PROTECTED] with
*> *"unsubscribe firewalls" in the body of the message.]
*> *
*>
*
