Thou shalt have no other gods before the ANSI C standard 1439

If someone wants my financial data, they will find it simplest to drive over here, grab a log from the wood pile, toss it through the glbutt door over there, and take my computer home with them for analysis. They might also want the two drawers worth of paper documents from the next room.

And seem to keep harping on it. The "sufficient" condition is not hard to discern: that was decided much earlier in the project via cost benefit analysis. In the Alice and Bob world there is far too little analysis of the larger problem. Alice and Bob will in real life include considerations of time ("I only care to protect this for one day") and value ("I will not spend $1000 to protect $100") and convienience ("This is too hard to use, I will accept the risk of not using it"). Most of the scenarios I see in the literature only address the very simplest problems, leaving out the more interesting issues of context.

Software lives in a social environment. It is not sufficient to show that some bit of software might be compromised. In many cases that proof will result in a "so what?" response from the user. They may not care that the program will crash every few days, or that there is some small risk their $20 transaction on eBay is intercepted.

Not only is there no free lunch, there is no free perfect.

--

... Hank