I’ve found a very interesting article, “Configuration: the forgotten side of security”, on linux.com. The article confronts the ideas behind reactive measures with those behind security architecture (i.e. security-aware configuration). While biased towards the proactive measures, the article makes a good point in showing that every reactive measure has the inherent flaw that it can only catch already known problems. And it doesn’t stop there. The pitfalls of the proactive measures are also discussed, although in a somewhat too friendly manner. Advocates of secure configuration need to make the users responsible for their system security, either by educating them or by cutting their rights (not in a legal sense, of course). This is ultimately where the optimism of these advocates is grounded. In order for the theory to work, users have to learn or adjust themselves to fit the new security principles. And they have to do this at least as fast as the software they use evolves. Unfortunately, the article is a bit short on this point.