Keith Brown just sent this out to one of the internal DevelopMentor mailing lists. He’s often said that security is about risk management. I agree; it’s not about making everything super tight, it’s about making everything tight enough.
I just found a great example of this. The company behind mailinator.com lets you use its domain for temporary email addresses. You tell someone to send mail to SOMETHING@mailinator.com (where SOMETHING is any string you want), then you surf to mailinator.com, type in SOMETHING and press the button to read your mail. All mail is deleted after a few hours.
In their FAQ they have the following:
Q: This sounds pretty insecure. What if I send important emails with sensitive super-secret information in them to mailinator?
A: Then you are a stupid-head. That isn't what this is for.
I just about died laughing after reading that answer. It's a great example of security being all about risk management.
Apparently he heard about this over on Joel’s blog.