@@ -78,8 +78,8 @@ to mitigate such attacks.
7878
7979.. sidebar :: Picking Your Battles
8080
81- *Chapter 1 talked about trust and threats being two sides of the
82- same coin, but another way of thinking about it that every secure
81+ *In Chapter 1 we talked about trust and threats being two sides of the
82+ same coin, but another way to frame the discussion is that every secure
8383 system design starts with two lists: (1) those elements you trust,
8484 and so can build upon; and (2) those elements you do not trust, and
8585 so must treat as a threat that you defend against. But this is no
@@ -91,7 +91,7 @@ to mitigate such attacks.
9191 *One way in which security is unique is that over time you may
9292 discover that you need to move items from the first list to the
9393 second list, as new threats emerge. To reduce this possibility, it
94- is best to keep the first list as minimal as possible. On the other
94+ is best to keep the first list as small as possible. On the other
9595 hand, if you choose to trust nothing, you may end up "boiling the
9696 ocean" (i.e., having to solve so many problems that you are unable
9797 to make any progress). Every system must pick its battles. *
@@ -100,7 +100,11 @@ to mitigate such attacks.
100100 starts with a list of trusted elements that includes commodity
101101 servers and L2/L3 switches, and ignores (i.e., declares
102102 out-of-scope) all the vulnerabilities those elements face and the
103- countermeasures that go into securing them. *
103+ countermeasures that go into securing them. Of course, as soon as
104+ those elements are located outside our control, e.g., in some
105+ remote service provider's network, we have to assume that they
106+ are untrustworthy devices capable of snooping on, modifying or
107+ diverting traffic. *
104108
105109As a consequence of these three main requirements—confidentiality,
106110integrity, and availability—additional requirements are placed on the
0 commit comments