Slashdot Mirror
Do We Really Need a Security Industry?
netbuzz noted that Bruce Schneir's latest column
discusses the security industry where he points out that "The primary reason the IT security industry exists is because IT products and services aren't naturally secure. If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure."
At least spell his name correctly: Schneier.
I want to drag this out as long as possible. Bring me my protractor.
The article assumes security is static: "..if computers were designed to not be susceptible to virii.."
If it's not virri or worms or buffer-overflows then it would be something else. Human intellect has this uncanny ability to grow and adapt.
Website Hosting
And if our buildings and public places were built securely, we wouldn't need police, right?
If murderers just stopped wanting to kill us. If drivers just wouldn't have accidents. If kids just didn't wander into swimming pools and drowned..........
Utopia is a pretty cool place. I'd like to go there too.
I mean they only exist because cars aren't built perfectly.
The primary reason we need law enforcement is because people don't always follow laws. If people always followed the law there wouldn't be any need for law enforcement. If bad people weren't allowed out of childhood no one would bother buying guns or even locks on their doors. If everyone was generally nice we wouldn't have to spend billions every year enforcing the law.
If a frog had wings he wouldn't bump his as ass it hopped.
Nothings perfect, those imperfections can be exploited. There will always be a need for security products.
"I use a Mac because I'm just better than you are."
its kinda like saying that someone who gets raped is responsible because they didn't have martial arts skills, and wouldn't need mace or a stun gun in the first place if only judo was taught as schools or something crazy like that. Where does the blame game end?
you wanna know who's fault it is? its the person breaking the law, breaking the systems. but you know what you can do about that? next to crap.
If if's and but's were candy and nuts, then what a wonderful world it would be!
Curb CO2 emissions: Kill yourself today!
In a perfect world software would meet it's requirements perfectly. But because of politics, timing, money, or just overlooking a single character in the source, bugs do and will happen. Just the way the world works. Same thing goes for anything. If your TV breaks, you take it to be repaired or get a new one.
Sure, why not? You don't rely on the contractors who build your house to provide all the security you could ever need, but you do expect them to install windows and doors that lock. Windows and doors that lock aren't inherently "impenetrable", though. If you want to go beyond that, you call ADT or someone similar and let them take it to the next level.
If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. ...
And if pigs flew out of my arse, I wouldn't need to go to the supermarket to buy bacon. What's his point?
!#@%*)anks for hanging up the phone, dear.
As long as there is a human behind the computer, there *will* be a possibility of exploiting a vulnerability on the system... the human being.
Ubuntu is an African word meaning 'I can't configure Debian'
I've really been saying this for years. It's like digging a hole then putting a piece of wood over it so you can cross the hole. Why not just never dig the hole in the first place?
If an officer ever threatens to taze you, say you have a pacemaker.
Clearly, computer security is overrat
If people would just behave themselves, buy better locks, and gets some guns, we wouldn't need the police. If politicians would act 100% in line with the will of the people and the constitution, we wouldn't need the courts. If...
Humans act as fractures of a whole; it's called society. A person does what that person does best and others make up for the failings. This extends to our software as well. When we try to consolidate too much, we get monocultures with which problems being to become transparent to their creators.
Demented But Determined.
we wouldn't need vaults!
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
And if humans weren't susceptible to cancer, we wouldn't need oncology.
And if humans weren't always metabolizing away their energy store, we wouldn't need the food industy.
The point being that the computer is susceptible to these unfortunate side effects for the same reason that they're so successful in the first place - being part of an open ecosystem, being able to adapt, being able to interconnect, being able to hide information from users so that they can attend to value-add tasks.
Not that we couldn't minimize the exposure by operating more effectively, but eliminating them via design could eliminate the very utility that's allowed the computer and the networks to be so successful.
...and if the human body was immune to germs, we'd never get sick. If food didn't go bad, we wouldn't need refrigerators. If we all had unicorns, we wouldn't need cars. If glass didn't break, we could all throw stones.
Seriously, what?
"I think any time you expose vulnerabilities it's a good thing." -Attorney General Janet Reno
If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure."
If people didn't make mistakes, we would not neet policemen, most firemen, lawyers, judges, parents, or teachers. But they do, and will continue to, make mistakes.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
So the reason we have a security industry is because lazy programmers can't see all edge cases in a virtually infinite system. That's like saying that if only we lived in sterile white rooms all our lives, we wouldn't need health insurance.
I'm in the hole of the broadband donut.
"The primary reason separation of powers exists is because government powers and services aren't naturally protective of your right. If politician were already respectful of your right, there wouldn't be any need for checks against abuse of power. If corrupt congressmen couldn't be used to sell out your rights to the highest bidder, no one would bother with congressional oversight or independent counsels. If there were no more unconstitutional laws or executive overreach, no one would need a Supreme Court much less the Second Amendement to protect themselves. If angels were to govern men, neither external nor internal controls on government would be necessary."
The Rise and Fall of Online Community
What kind of rubbish is this? Ah yes, the "utopian" future where security isn't needed because everything is already built so secure that nobody could possibly penetrate the defenses. Jeez... where have I heard this drivel before...?
As long as human beings are involved with something, there will always be "good" humans, and "evil bad" humans trying to undermine the "good" ones. It's as simple as that. To think otherwise is folly.
Also, do not forget that an Internet connection allows anonymous attackers to assault your systems 24/7/52.
Having a firewall may not force the workstation software providers to improve their security. But the firewall provides a single point where you can focus intensive monitoring efforts.
We live in a world where people will trade their password for a bar of chocolate.
Over time the technology WILL get better. We're already seeing some of that. But in the end, even with perfect software security, we will still have problems because PEOPLE will be using the systems.
To put it another way, we wouldn't need seatbelts if only we didn't have road accidents, and we wouldn't need lawyers if we didn't have arguments, we wouldn't need police if only people would stop breaking the darn law, and we wouldn't need Slashdot mods if only all of us here acted nice and smart all the time.
Slashdot Burying Stories About Slashdot Media Owned
If we just had Star Trek's teleporters we wouldn't need cars. If we had world peace, we wouldn't need weapons of war. There are a lot of needs that wouldn't need to be filled, just if...
Secure out of the box doesn't matter. Secure after I have installed the many third party programs I require to run my business matters. Secure after my clients install the latest OS 'update' matters.
There is no way to absolutely positively guarantee any complex product can remain safe over a period of time as the environment it runs in will change through both vendor and user additions to that environment. And anyways, the market does not want to wait for 'secure.' The market hardly waits for 'workable.'
Bruce's question is interesting on some levels, but seems shallow in a number of ways. That being said I read him all the time.
Regards.
...or I'd be unemployed! :)
But seriously. Yes, we do. Of course, in a perfect world, we don't need it. In a perfect world, we could also do without a fire department, even without a police. If there's nobody breaking the law and if accidents don't happen, there's no need for either.
Yes, a secure system would make security easier. Duh. But perfect security doesn't exist. Perfect security would be a perfectly secure system AND (and that's the part TFA doesn't bother to see) a perfectly secure user.
As long as computers are all purpose tools, they can run all kind of software and yes, also malicious software. Yes, a good user and privilege management can solve quite a few issues. But all that would accomplish is that the way into a user's computer becomes harder and requires more social engineering rather than just technical know how.
Imagine a perfectly secure system. Let's say some Linux. I hope we can agree that a well patched Linux machine is mostly secure, provided the normal user has not too many privileges. Let's put the average cluebrick in front of it. Cluebrick gets a mail, containing some greeting card from his admirer (it's Valentine's day and all that). Ok, cluebrick clicks. Oh, it needs a certain superspecial displaying tool that can only be installed as root. Please download from here and "sudo..."
Bet you 10:1 he will do it.
We have people now that download zips, calculate some password out of the accompanying mail (because modern mailscanners actually try to use the words in the message as passwords), uses that password to decrypt the zip file and executes the content. We're there already! And people do that! Yes, they are stupid enough to help the attacker, going out of their way to make the infection possible!
So yes, we will need AV tools and firewalls and whatnot in the future. NO matter how secure the system gets, it seems to me that the smarter the system become, the dumber the users get.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I say just build an unbelievably simple AIS that has zero functionality. Thats right: no user interfaces, no applications, no storage of information, not even a keyboard. Then we wouldn't have to worry about all that nasty malicious code, and keystroke loggers and... Oh crap someone just walked in and stole my do-nothing non-functional system. Guess I still need physical security.
I have the utmost respect for Bruce, but that statement is fairly ridiculous. Its like saying if we built automobiles that could never crash then we wouldn't need road rules. Basically you can sub anything into that statement. If we made food that wasn't unhealthy we would need Jared and annoying Subway commercials...
News Reporters Make Tasty Polar Bear Treats!
The problem here is that 99% of software purchasers simply don't have the ability to evaluate a product on the merits of its security. They do have the ability to evaluate products (1) on the merits of their prices.
The companies that develop software know that (2) doing security properly is extremely expensive, and requires hiring skilled specialists, and inegrating those specialists at all levels of the development process.
When you take points (1) and (2) into consideration, you realize that there is a lot more ROI in developing cheap insecure software than there is in developing expensive secure software.
This is an example of capitalism failing due to poorly-informed consumers. But I can think of no way to solve the problem (a security quantifier???), so the industry will continue along as it does today: cheap software and band-aid security.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
and people inside were fed from tubes from the ceiling, and no money or physical objects ever entered or left the premises, then there would be no need for security guards.
then again, maybe IT security guards should be making 10 dollars an hour and normal security guards should be making the same (it would be a raise)
I didn't RTFA, but wouldn't we still have to spend billions every year making the software secure? Apparently its not second nature to naturally write secure code. To me it seems easier to have a handful of security companies than have all software companies doing the same job. Plus a lot of times you can use the same security tools on several different products. For example, a hardware firewall protecting windows machines, linux machines, mac machines, IP cameras, etc, etc.
"The primary reason the IT security industry exists is because IT products and services aren't naturally secure."
Which is like saying that the primary reason the physical security industry exists is because buildings aren't naturally secure.
That simply isn't true. It exists becasue people are sneaky little bastards who naturally want what other people have. You cannot make something secure enough to keep everyone out - physically or digitally.
Here will be an old abusing of God's patience and the king's English.
Do we really need locksmiths? If buildings were naturally secure (aka didn't have doors or windows), we wouldn't need locksmiths.
However, people need to get in to and out of buildings, so we need doors. And sometimes we need to control which people are going in to and out of a building. So we need locksmiths.
So, if your IT systems are powered down, unplugged, encased in carbonite, and buried at the bottom of the sea, then the answer is no, you do not need a security industry. Or, at the other end, if all your IT doors and windows are open, and you don't care who comes in and out, then again, you do not really a security industry.
But if you want some people to have access to your computer, but not others. Or you want to control the level of access people have, then yes, you do need a security industry.
There's an aweful lot of "Ifs..." in what he's saying..
His logic is as simplistic as "If people stopped commiting crimes we wouldn't need to be secure...." Does anyeone else read anything in there thats the least bit insightful? Rather then whining about "if this" or "if that" how about talking about what needs to be done to make it secure? A long time ago, (in the 8-bit world) 64 bit encryption was thought to be "secured" cause at the time, the computing power would require months of analysis. Now it can be done on a single laptop to break a wireless network. In 10 years, I can imaging the same would be said for 128 bit encryption. What we need really are ideas on how to design, write and develop securely not whining about "what ifs".
You'd eat bacon from your own ass pigs? Remind me not to come to your house for BLTs.
Bruce Schneier proved the infinitude of primes...by enumeration.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
and how do we call the people who make computers, networks, etc. "naturally secure"? aren't they "security industry"?
Do not. Touch. Down.
Thank you Microsoft.
This doesn't make sense:
If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure.
If they are secure out of the box, then effort and money will have gone into making them secure out of the box. Thus a security industry will still be necessary, just more integrated with the development of a product.
Vote Libertarian
While the software industry has substantial room for improvement, look at cars. Most cars are fairly secure out of the box (far more than most software), but LoJack still finds a decent market.
Degaussing scares the bad magnetism out of the monitor and fills it with good karma.
I could rule the world. Better yet, we need a computer "lock box" to protect our computer stuff.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
The only way to completely secure a computer is to turn it off.
0 of%20plyers%20and%20a%20blow%20torch
Instead of paying $39.95/year for a virus scanner license, $29.99/year for a firewall subscription, and $9.98/year for a spam filter, I think it would be far more effective for everyone to pool their money and hire hitmen to track down the 'bad people' and do 'bad things' to them. I bet you'd see the need for more secure computing go down. As it is now, they're not afraid of anything.
http://www.imdb.com/Find?select=Quotes&for=pair%2
1. Pulp Fiction (1994)
Marsellus: What now? Let me tell you what now. I'ma call a coupla hard, pipe-hittin' niggers, who'll go to work on the homes here with a pair of pliers and a blow torch. You hear me talkin', hillbilly boy? I ain't through with you by a damn sight. I'ma get medieval on your ass.
Now that's what I'm talking about.
No sig for you. YOU GET NO SIG!
The whole TCP/IP stack was NOT designed taking security under consideration. Therefore, we either need an external security mechenism (such as firewalls, IDSs, IT department, etc.), OR we need to design new secure network protocols and change every single node in The Internet. Now, obviously we can't change every single node in The Internet, can we?
As long as humans use computers.... Yes.
Wtf? Did this blurb totally overlook social hacking?
"All great things are simple & expressed in a single word: freedom, justice, honor, duty, mercy, hope." --Churchill
... you wouldn't need to push him over.
Then we would be spending billions of dollars on these products so they can afford to make them secure...sounds like a wash to me...
jeezus.
Otherwise, who's going to guard my porn while I'm out?
http://twitter.com/OLDTELEGRAM
Now, take a default installation of Ubuntu Feisty Fawn. Even if you hook it straight into the Internet WITHOUT an external firewall (or running any firewall software) you'll still be very secure.
That's because, by default, there aren't any open ports. There's no way for any worms to attack your system. That's just basic security practice.
Now, there are other ways to crack a default Ubuntu installation. But they require that the admin have done something to make it LESS secure (or you can physically access the box).
Your example is about the physical world. And the problem there is that physical access is already assumed. We can take steps to REDUCE the physical access, but that still leaves social engineering attacks.
You will always need police just as you will always need sysadmins who will READ THE SECURITY LOGS. No matter how secure you are.
There are many things you can do to avoid the need for such things as Anti-virus software, anti-spyware, anti-worm, etc. ad infanatum. The very simplest is to perform the following simple procedure:
Step 1. Log off/out of your applications and operating system software
Step 2. Power-down your computer, monitor, and all other peripherals
Step 3. Unplug or otherwise disconnect computer from mains, and all peripherals
Step 4. Take computer, all peripherals, all computer software and books in your posession, and place them in a neat stack directly in front of your home, in the viscinity of where the public garbage collection picks up your trash. If you live in an apartment, place said items adjacent to the communal dumpster, trash collection area, etc. If you are homeless, live on the street, or in a public shelter, why do you have any of these items in your possession?
Step 5. Resolve never again to purchase any form of electronic data-processing equipment, to include communications gear containing transistor-based electronics, etc.
Step 6. (Optional) Move to the mountains, raise sheep, yaks, etc. Enjoy freedom from modern world and attendant headaches.
Or as an alternative, you can pay AV "protection money" and smile. Remember that when you pay taxes, its much the same way. The fact is, unless you can protect yourself and what is "yours" from all comers, don't be too grumpy about pooling your money with all the others who are unable to protect themselves to hire a few toughs to do it for you. Or in the case of computer security, a few nerds.
~Hal.
It's not like we're digging holes deliberately.
It's more like we're making multi-story buildings, and flooring is so complex & costly that we only put flooring where we expect people to walk - then someone has the blindness, gall and/or malice to wander somewhere nobody was meant to go and obviously shouldn't, and ends up where they shouldn't.
Utopian totally-secure software is extremely costly to create.
The imperative is to create software that does what it's supposed to (which is hard & expensive enough already); making it work perfectly under all unintended conditions (errors, mistakes, and/or malice) is far more expensive.
It's hard enough to build software that works, without out-thinking those who deliberately & maliciously exploit weaknesses.
Can we get a "-1 Wrong" moderation option?
As long as machines are designed by imperfect beings such as ourselves, so to will they continue to be imperfect and subject to the same failings as their creators. Primarily, the lack of the ability to accurately predict the future...
From TFA article:
"As IT fades into the background and becomes just another utility, users will simply expect it to work -- and the details of how it works won't matter."
Will his next article be titled "Do we really need battery backups and auxillary generators?"
The market has determined it's willing to deal with poor stability and security for new features.
We will always need a IT security. Because just like almost anything else out there in the technology field there are always ways around things and ways to break things. Take example the encryption techniques for HD-DVD etc. While some may argue that they implemented flawed security, the movie industry must have had some level of confidence in the security mechanisms when they first rolled the systems out. Same is true for almost everything else. I do though feel that if companies did do more quality control there would be a significantly less of a need for IT security and the amount they would spend making their product safer, would far be cheaper than what it costs to fix their problems.
30% Troll, 50% Underrated, 10% Interesting
Score:5, Troll
I like Bruce, but what the hell is he on about? Personal computers are designed to execute arbitrary code. If they weren't, we'd hack them so they would be (TP?). If you can execute code, you can find a way to wreck a system. Sure, it can be hard, but there will ALWAYS be a need for security specialists, and security software. Sure, virus scanners may one day disappear, but rootkit scanners, phishing lists, etc will take their place. Just because your computer engineering is perfect doesn't mean your social engineering isn't flawed.
I don't think I've ever seen so many separate comments each with their own analogies before.
One thing that hasn't been brought up (that I saw anyway), is that even if software security issues were mostly eliminated and the industry found itself without a consumer market for anti-virus products and firewalls etc. there will always be a niche market for specific applications where that little bit of extra security is needed. Intrusion detection systems, forensics software etc. will always have a market. And particularly any product that caters to securing users. Other people have already said it. Statistically most compromises are accomplished by people who had access to the compromised data without having to exploit a software bug (disgruntled employees, people betraying their employers for profit etc.)
I guess what I'm saying is that as long as there's reason to be paranoid there will be a market for products that ease that paranoia. Even if all software were somehow made to be inherently "secure".
One other thing, even software that is inherently "secure" can still be configured to be "not secure". Configuration errors can cause just as many problems.
Sounds like a good reason to implement the Evil Bit for all IP traffic from now on. (Of course, if you own stock in a firewall distributor or other security company, better diversify before they implement this RFC.)
Where to begin...
For most people, getting the job done is the point of connecting to a network, buying computers and running software.
For most vendors, accomplishing the task in a reliable way is already a challenge.
To expect application vendors to make their applications secure, when the computer and the operating system are not designed to be secure is laughable.
The issue is it is not a priority and possibly not financially beneficial for Intel, AMD, MicroSoft and others to actually make their systems secure and reliable.
Computers and software have designed in obsolescence meaning that they are design to slowly deteriorate such that customers are foreced to buy or upgrade. Software decrepitude is provided by leaving the system exposed to malicious code and by using lousy algorithms which slow down when loaded with data (the Windows Registry for example).
When we all decide that having a sustainable software infrastructure which is good enough for our long term needs is more important than stupid, useless new features, then the infrastructure on which software is built will necessarily need to be reliable and therefore inpenetrable to attack. The software I use today is really almost identical to the software I used ten years ago and stagnation has long set in. Software gets bigger and more bloated to consume the vast resources that modern machines provide, yet the user experience gets slower and slower...
Just some thoughts from an engineer who wrote a vertical whole business automation application that runs 7/24 23 years ago that is still runnning with no data loss and no down time ever... The biggest problem is that the last time I made any money from that application was 16 years ago when I modified it for multi-user and made it Y2k compliant. Software that is too good needs no maintenance and produces no ongoing revenue for the developers.
SimBuddha
Following this logic, if we all just behaved well and followed the rules than there would be no need for police officers. Moreover, if all the different countries could just get along then we would not need to have armies and we would have world peace. This is the most brain dead article I came across in a long time.
here's one:
/.
If the submitter was getting laid, there would be less stupid articles on
If people were perfectly peaceful, we wouldn't need laws or governance
If everybody washed their bums correctly and cooked meat well every time, nobody would have to worry about butt-worms
If people were perfectly courteous and attentive on the road, there would be no need for auto-insurance
So now let us imagine what it would take to get to a point where we no longer need people specialized in securing and maintaining the integrity of data. Do We Really Need a Security Industry? YES! We most definitely do, and always will! Is there room for improvement? Yes, vasts, and there always will be!
As long as it's run by electricity and chips, and is built by humans.. it will be vulnerable to hacks. It would have to be so complex that not even humans could understand it.. in order for it to not be hacked by them. Something like my 2 year old.
"Please, shut up. Just when I think you can't say anything more stupid, you speak again." -Archie Bunker.
Demented But Determined.
Good job! Now solve the problem.
Ain't so simple after all huh?
If people didn't commit crimes there wouldn't be a need for police.
Put down that analogy; you're liable to cut yourself. 8^)
Security in buildings and public places represents an utterly different problem set from software security. They have virtually nothing in common. Suggesting that software security today is like (heh) a walk in the park is wildly wrong.
I hate analogies, because they cloud things more than they clarify them. But if I were to use yours, I would say that if our buildings and public spaces were better policed, we wouldn't need to pay for personal, individual security guards who pat down and disarm even our friends before they allow us to so much as look at one another.
Schneier's point is valid. In a healthy, heterogeneous software environment, the threats are fundamentally different from those we face today. We could move from trying to protect ourselves from clicking on tainted image and document files(!) to creating secure site configurations tailored to our particular needs. I too dream about the day when we have configurations that are not so draconian that people are precluded by fear from taking advantage of some of the Internet's greatest advantages: the end to end network.
There are some who will say that software is inherently insecure, and that it cannot be secured. There are some who say that people using 'safe' technologies and processes are only safe by virtue of the fact that there are easier targets in abundance. They are wrong. And this is Schneier's point: Whatever inherent problems there may be in software security, the vast majority of Windows users - let's call a spade a spade - work in an environment that is so utterly flawed that there is a quantum difference between the security issues they face and the vastly more limited security issues they could be facing, if only the manufacturers would cease to treat security as a cost centre external to their core business.
Crumb's Corollary: Never bring a knife to a bun fight.
The scariest part is the "security industry" is filling up with green newbies fresh out of college.
They have all the right credentials and certifications. Only silver lining is if they don't screw up too badly, they may last long enough to get some real experience.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
It's always human error. Technical security flaws are now quite uncommon compared to social engineering and whatnot. Perfect software will never happen because some programmers are stupid, illiterate and incompetent, and those are just the ones I've worked with. Seriously expecting secure software is like expecting Jesus to descend from the heavens and fix all our software bugs. I would not hold my breath if I were you.
From Wikipedia, your source for all things accurate.
We figured out a long time ago that it's easier to elect seven judges than to elect 132 legislators.
The sad truth is that it DOES all exist.
My copy of Zone Alarm(not the only app I use, either), has logged 1,640,000 attempts to get into my computer in the last SIX months.
We sure as hell do need such an industry. I'm not trusting that the hackers will go away when I see levels like that.
"If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure."
If my aunt had balls, she'd be my uncle!
"The primary reason slashdot exists is because inane articles can't be published elsewhere. If IT journalism wasn't so crap, there wouldn't be any need for slashdot. If shill journalists were simple killed at birth, no one would bother loading the slashdot front page. If there were no articles with 2 paragraphs per page and 20 pages of ads, slashdot's content would disappear. If the IT reporting industry was fixed, we wouldn't have to visit this site anymore."
Virii isn't a word. It's not the Latin plural of "virus". It would be the plural of "virius", if that were a word, which it isn't. Quite plainly, "virus" has no Latin plural. "Viri" is the plural of "vir", which means 'man'. In Latin, it was a catch-all for "poison". It has no plural in the same way the English word "everyone" has no plural.
There are entire wikipedia articles on this issue. What you're doing is wrong, and I've modded you down for being an idiot. The correct plural is "viruses". Start using it. It's in your own best interest, after all. Anyone who knows the most basic amount of real Latin will laugh at you the moment you utter the word.
Shouldn't code be able to debug itself? Do we still need auditors? Why? Shouldn't our training and processes be up to snuff by now. See the point of a 'security industry' is not because things should work this way or that way but because they in fact DO work this way or that way. That's why they call it engineering, because it's engineered and that means it's imperfect.
And if my aunt had balls she'd be my uncle. It's not like there's some big conspiracy with all the app/OS programmers to keep their techie buddies in jobs here. People make mistakes, users are stupid, hackers are smart and sometimes evil.
Who do you think is going to make it secure "in the first place"?
All you're doing is shifting the industry closer to the OS vendors, it's still very necessary.
Of course if Microsoft bought up all the AV, Firewall, IDS and other security vendors with this goal in mind, many people would shit a brick and twitter's head would explode.
and if homes could be made impregnable and clothing made into invincible armor, we wouldn't need police either...
/. to post inane articles...
and if cars could be made to run perfectly, we wouldn't need mechanics
and if humans could be made to perform at 100% efficiency, we wouldn't need
A better question is: Do we really need columnist like Bruce Schneir telling us what a perfect world might look like?
[[ the only 15 letter word that is spelled without repeating a letter is uncopyrightable: it may soon be, however. ]]
Erroneous "insights" such as these are pretty common in any context you can think of where hysteresis is inherent, and the observer is inside the hysteresis loop.
Circular thought process:
1) Gosh, it takes so much extra stuff to make my insecure system secure!
2) Why don't we just make the system secure in the first place, thereby eliminating the need?
3) Gosh, my newly secure system is really hard to use, practically useless!
4) Why don't I go back to the more usable system, since my recent experience has been so secure?
5) Gosh, my box has been owned!
6) Why don't I buy the newest extra security stuff to make my usable system more secure?
7) GOTO (1)
You could switch that with (to name a couple):
hot-cold/overdressed-underdressed
flush-tapped/skinflint-spendthrift
Our country is going through a particularly painful part of the freedom-tyranny/insecure-secure hysteresis loop right now.
These aren't concepts for which there is a solution, because separating oneself from the axes on which they lie is impossible and/or undesirable; you can't eliminate basic properties of a system without consequences.
If homes were already secure against burglars, there wouldn't be any need for home security products. If bad drivers wouldn't be allowed to drive cars, no one would bother with traffic cops. If there were no more office shootings, no one would have to buy products to protect against their effects. If the society we lived in were secure out of the box, we wouldn't have to spend billions every year making it secure.
http://www.bynarystudio.com
The officers of the company are the ones who can be held criminally liable for the actions of the corporation.
Talk to the CIO/CTO/CEO, and say that you won't install pirated software without authorization to do so in writing.
If you request this, I doubt you will ever have to install pirated software. An officer won't sign off on this kind of thing with his/her own ass on the line.
... and still have their malformed, misguided, assumption-based view...
(at least a large part of) the article is about security being mainly an "add on" process to the current IT process.
Security should ideally be an iterative process, through each part of the development cycle of a product and through each stage in a deployment roll-out. This generally doesn't happen though.
The "Security Industry" (e.g. anti-virus companies) is a necessity because security policies are lax, and further because no-one or nothing is ever perfect. If products and policies were perfect, there would still be a security industry, albeit a smaller ones. The weakest link will always be the end user.
Even without any 'technical holes' there will still be bad people doing bad things
..
Might not need as large of a industry, but it wouldn't just go poof
---- Booth was a patriot ----
... to see someone make such an absurd conclusion, but the trick isn't quite like the comparisons slashdotters seem to be making (although you're not far off). I think it's a legitimate failure on the columnist's part to realize that as big as the IT Security industry is, the other side is even bigger. The number of malicious code writers, and their system of distribution is staggering. Viruses, Tojans, Worms, Malware, Spyware, Adware, Grayware, Scareware, etc etc ad nauseum. The list is endless. The war is endless. We can no more stop malicious code proliferating through the internet than we can stop terrorism, or the drug industry. Because, like the drug industry, like the terrorists, it is a society that causes it, not poorly written code. People CHOOSE to write viruses. They CHOOSE to break into a network and cause harm. Having a sword, and wielding it against someone are two very different things.
PS- Not that I'm comparing crackers to terrorists, far from it, but the effort to stop them has parallels. And besides, how long will it really be at this rate until hackers are labeled terrorists? It only takes one person to screw it up for everyone.
A couple I know went on a skiing trip last year with their son. Said son told his buddies at school he was going on a trip. The house was protected by ADT. What did the buddies (or friends of buddies) do? Day 1 of the trip - sneak into the back yard of the place, cut the exposed phoneline, then watched what happened. Nothing - the house had a 'dumb' alarm system which called ADT *over the phone line* if an intrusion occured. Day 2 - the buddies cleaned out the place, including 2 very expensive cars (hell, the keys were in the house!). The point of this story is: the thieves first cased the joint to discover that that ADT system was passive (rather than active, which cost more per month), and then cleaned up. As Bruce says, we'll never see total security in our lifetimes.
All the "..and if..." replies really miss the point here. Its not that he's stating the obvious, he's saying the glory days of IT security as an aftermarket industry are over. The focus of IT security is shifting from point products that deal only with the threat du jour, to integrated infrastructure. Security as a service, if you will.
Look at Cisco. More and more of the monitoring and mitigation systems we run are turning up as part of the switch in next generation gear.
Businesses want simple, cost effective systems that are built in to the infrastructure, don't get in the way of the money-making, and keep the bank and federal auditors happy.
Besides, the best security tools are free. And most of IT security is just plain common sense. You don't have to have been at it as long as I have to know that. The technology we use only works one way, so threats aren't that hard to figure out. The rule is to be aware of what runs on your network and keep an eye on what comes and goes. If in the years to come that's all built in, cool.
Recall what happened to a major spammer sometime last year?
Seems a lot of people thought it happened because of his spamming, and they were very happy about the results.
Can we get a "-1 Wrong" moderation option?
And despite that, last week an overpass in Oakland melted and failed because of a tanker truck fire.
The rate at which failures occur in engineered structures of all sorts built during modern times is very low. This is because every time something has failed in the past, we've established another data point or have learned another lesson.
What does this have to do with computer security? The same thing that the September 11th attacks have to do with civil engineering. The failures of the WTC towers may not have been preventable, but had the stairwells been protected against impact, many hundreds if not thousands of lives could have been saved. But there had never been a need to protect stairwells against impact. Now, we know better. Just as once upon a time, there had never been a need to protect SMTP servers from open-relay abuse. Now, we know better.
Software engineering is no different. It's just that it is a very young endeavor. Over the course of time, we'll get better at software engineering as a species just as we got better at mechanical and civil engineering. But even as our tools and methods improve, the world will always knock us for a loop with things we hadn't thought of before. Some of those will be new ways to attack existing infrastructure.
True, you can buy software packages. But it is not about the software (or it should not be about the software), it is about the service. Software never is 100% without faults. And those faults can be exploited. So, someone needs to tell the software user that there are faults and how to deal with it, untill there is a new version of the software. The IT securty service is like a nurse that puts a band aid on your bleeding knee untill the doctor has time to stitch it.
we wouldn't need the mafia!
Um, if windows were unbreakable and locks were unpickable I wouldn't need an alarm for my car or home, but they're not, so I do. What's the point?
Comment removed based on user account deletion
If my house weren't made of flamable materials, we wouldn't need a fire department. If we didn't have people breaking the law then we wouldn't need police officers. If all nations were buddies we wouldn't need armies. If friction didn't exist I wouldn't need to do maintenance on my car.
Nick
"A plan fiendishly clever in its intricacies"- Homer Simpson
If cars didn't break down, we wouldn't need automechanics!
If houses were fireproof we wouldn't need firefighters!
If people never got sick we wouldn't need doctors!
If stupid people didn't exist we wouldn't need steel toed boots!
NewslilySocial News. No lolcats allowed.
The point of this article is to bring attention to the racket that is the security industry. We are sold products that are inherently insecure and then need to have special software bought for them to prevent bots, spyware, viruses, etc. The OS/computer companies save money on shoddy RnD and the security companies make money selling us stuff to "fix" it.
I liken this to the financial institutions now selling us "Identity Theft Protection" which is basically insurance from themselves. They make it so damn easy to take out credit cards with just a few pieces of information....nobody has to see a picture ID, nothing is done in person....all so the credit card companies can save money by having everything done by mail. Then when identity theft becomes a huge problem, instead of changing the policy for getting a card, they decide to suck more money out of the consumer by offering "protection" from a problem that they created. Might as well be the mafia going door to door selling "protection"....
Tolerance does not tolerate intolerance, or hypocrisy.
If it ain't broke, don't fix it - unfortunately, the opposite has always seemed to be the case, at least with M$. If we were sold a secure OS out of the box, there would be no need for security fixes, and thus, no need of jobs for people who create the security fixes or anti-virii. Of course, no computer is idiot-proof, and anyone can be conned into messing something up - which is why there is tech support, yes? If everyone knew how to expertly use a computer, there would be no need to hire someone to hold computer illiterate people's hands to troubleshoot, install that new tax software, or even to turn the damned thing on. On the opposite end of the argument, it's nearly impossible (at conception) to be able to perceive every single possible security hole in a piece of software. Even a team of people working on a project will be working with the same mindset; just waiting for someone else to come along to find the one thing no one had thought about yet and poke a hole through it.
Cancel or Allow isn't secure?! Somebody warn the president! (Disclaimer: To whom it may apply: No Offense Intended)
~Vexed and loving it!
The point of the article is not that if computers were perfectly secure, we wouldn't need security add-ons. It's true, but it's unlikely to happen in the foreseeable future.
The point is that Windows and other systems should include any necessary security software, and Microsoft (and their contractors) should be responsible for maintaining that software. That way, users and IT departments don't have to be experts in security software to keep their networks secure. It would also hopefully be more efficient, as the security engineers and the original designers could work more closely together. That is, while Windows would be more expensive, you wouldn't have to by antivirus and antispyware tools. It would also be more secure for most people, because the guy configuring the system would know what he's doing.
This change would balance Microsoft's incentives by making them more responsible for the security of their products. It would balance security companies' incentives because they would gain less from having an insecure infrastructure, and (hopefully) gain more from securing that infrastructure.
It's not clear from the article how Microsoft could do this without raising antitrust issues, though.
I hereby place the above post in the public domain.
He's absolutely right--if all computer products were engineered 100% securely, with no flaws, then we wouldn't need a security industry. The bigger question, however, is whether or not this is even a remotely achievable goal. Even the very best of us, with the very best of intentions, still make mistakes. Now multiply the fact that errors are guaranteed to occur by the millions of lines of code that get written, the reality of deadlines, ship dates, and product launches, and what you get are a guaranteed set of flaws, even under the absolute best of circumstances.
Consider, for just a moment, how many virii, worms, and malware could be avoided if people would simply stop actively loading it onto their own systems. Email is no longer a new phenomenon, and every company I'm aware of has policies and reminders in place telling people not to open suspicious attachments or run unknown programs. Despite these facts, any number of people infect themselves by foolishly doing things they should've learned not to do by now. The fact that we haven't managed to convince people not to follow even the most basic of security protocols ten years after email began to go "mainstream" for your average corporate employee tells me that absolutely yes, we need a security industry, if for no other purpose than to protect us from the unwashed masses.
The resourceful, ethical, technological elite might be a match for the resourceful, unethical, technological elite in a theoretical, free-market arrangement where one side is tasked with building a perfectly secure product and the other is tasked with tearing it apart, but there's simply no way any relatively small group of programmers can compete with the number of stupid people out there using their products.
had a beard, I would call her daddy...
morcego
ANY mechanism, that is CREATED, is exploitable. That has been as such during the course of history.
ANYTHING that you can create in binaries in a binary world, can be reverse engineered, tweaked, harmed, changed, modified.
If something is done, it can be undone, changed, exploited in the same way.
People should lean back and ponder principles of basic interaction of man-made creations during the course of history. Then s/he can avoid posting/writing articles that propose such stupid and clueless concepts.
Read radical news here
Did you learn English from the Police Academy movies?
"I know this is a utopian vision that I probably won't see in my lifetime, but the IT services market is pushing us in this direction. As IT becomes more of a utility, users are going to buy a whole lot more services than products. And by nature, services are more about results than technologies. Service customers -- whether home users or multinational corporations -- care less and less about the specifics of security technologies, and increasingly expect their IT to be integrally secure."
This is the 6th paragraph, out of 11. If you look at this paragraph, you see that the first five are more or less teasers. Schneier then goes on how security becomes more and more integrated into the package (we see this with linux and windows incorporating firewalls as well). Also, as a Java developer and linux user, I know that it _can_ be pretty easy to make products more secure. Buffer overruns and SQL injection can be easily avoided, and I still don't need no virusscanner on my linux machine. Yet about 70% keeps japping about the first few paragraphs, even though Bruce clearly does not see the industry disappear overnight.
I presume this is progress. At least, it's now RTFSHOTA (read the f***ing second half of the article).
If somebody were to RTFA (yes, I must be new here), that person would find out that Bruce Schneier was actually saying something intelligent. Of course, TFSs today don't seem to aim at being informative about TFAs.
Right now, to oversimplify, there's companies that make stuff, and companies that come along afterwards and make the stuff more secure. Microsoft makes an operating system with about as many holes as a large chunk of pumice, and other people busily start selling security patches.
Now, Bruce asks, what if companies tried to make secure stuff in the first place? They won't completely succeed (even OpenBSD is running more than one security issue per decade), but how would things change? What would the new market dynamics be?
If Slashdotters would discuss that question instead of the ridiculous one (yes, I must be new here), the comments might actually be worth reading.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
I had an instructor at the college I graduated from who tried to put a damper on us Security students by telling us that the Security industry was on a dying road. He claimed that as computers become more and more secure, and people begin to be security-aware, that their will be less and less of a need for Security professionals. I'm not sure I would totally agree with him, but he did have a valid point.
"If you can't dazzle them with brilliance, baffle them with bullshit."
You're right: if we spent billions making computer products secure off the shelf, we wouldn't need to spend billions making them secure after the fact. Assuming nothing ever evolved, we always knew all forms of possible attack, and there wasn't someone on the inside making sure he and his buddies had back doors into everything.
(Let me guess- I spelled that wrong?)
The lion's share of IT is Microsoft; it's the default. We can't count on them to secure it (see also a host of AV/antispam software, as well as their history) and the silly little dance we do swings between trusting Microsoft ('cause they don't know any better) to hiring a sysadmin to do all manner of stupid things in hopes of nailing it down.
Yeah, I'd like to see an actual, honest-to-goodness security company who does constant monitoring and attempting intrustions, but these days it's hard to push a service that, when it works, nothing happens. And when it doens't work, the whole place goes to hell.
Business tries to spend as little on security as they feel comfortable with; so until everyone's running Linux with a part of their tribe always watching over every step and releasing patches, it'll be this way.
There's also an incovenient truth to the IT industry: selling MS solutions will keep you on the jobsite. Here, I've seen a dozen sites that need Linux help once a year, and someone's literally on site each and every month for some kind of problem related to Microsoft. We have to be aware of the "Maytag repairman" aspect of Linux; some people don't want to push it, because they LIKE their expensive cars and vacations.
Ugly to say, I know...but it's true.
And as long as there are third parties with promises, and security-contractors have what seem to be large bills, you won't see a change anytime soon.
--- For a good time mail uce@ftc.gov
Security is nothing but a dance between accessibility and privacy. You want easy access to your information but you dont want everyone else to have the same easy access. This is built into what it means to be human. As long as we have humans being human, we will have a security industry.
In fact, in the future, the security industry should be the only one to still exist since there is a technical solution to all other IT problems.
Most people are attacking his article based on the perception he is advocating a utopia of perfection. I think that is far from the actual truth, perhaps there was better language he could have used but after reading his books and blog for years his ideas are very simple and I think valid. He is saying our entire focus currently is on pushing out products that are insecure and only revisiting their security at a later date, or passing the problem off to a third party. There is an example where we hold car makers responsible if their brakes are faulty, with fines and safety regulations. I have not seen any judgments against software vendors that held them liable for security problems that allowed an attack to impact it's functionality. The de facto stance in IT is that software will always be horribly insecure and we need to mitigate it with security products. We could easily, and should demand that software vendors are accountable for providing far more secure products. Perfect security is impossible, but the current state is abysmal. We expect that all our computers are inherently insecure, we do not question it just accept it and mitigate the consequences as best as possible. Why should this be the best method to produce products? Fixing the products at the source, the vendor, is a less expensive and smarter option. It increases security without a third party layer, without having to even stack further layers to cover those vulnerabilities. Do it right the first time, (as best as you can) and we will all benefit greatly. In functionality, productivity and as a society. Anything that hurts our society, slows our innovation and hurts us all. Our tasks are boring, highly technical, and seem mundane... but always remember how the things we do ultimately enrich all our lives. Unless we are fearful of Skynet, and need a way to destroy it at a later date by deluging it with ILOVEYOU emails, we should strive for increasing computer security at the root levels.
You can't take the sky from me...
If buildings were fireproof we wouldn't need sprinklers. But people like to use paper and to have affordable buildings, so we have sprinklers.
Where Schneier's point comes in, as I see it, is that sprinklers are taken for granted as part of a building. Nobody expects to buy a building and then pay a separate sprinkler industry to install a fire supression system. Instead it's one payment to one contractor. He expects to see security incorporated into the infrastructure analogously to sprinkler systems.
if this guy would make a point we wouldn't have slashdot!!
I think some of his points are good:
"Additionally, as long as IT security is a separate industry, there will be companies making money based on insecurity -- companies who will lose money if the internet becomes more secure."
All the commercial anti-virus software I've ever used has been full of FUD, displaying big red crosses and popup balloons telling me that my system is at risk because I haven't purchased some additional product or upgrade. I see the same companies rolling out stats about virus attacks and in mainstream media warning of the next big threat, doom saying wherever possible.
Personally, as a programmer, I think the weaknesses in software will be fixed and operating systems changed such that deep probing virus checkers are obsoleted. I'd happily see this whole FUD spreading portion of the security industry die.
Some of his points may however be too general:
"The whole IT security industry is an accident -- an artifact of how the computer industry developed."
There are still places where a security industry will always be needed, such as authentication though RSA tokens/smart-cards/biometrics and the associated infrastructure.
In general I think he's about right though. Over time software will improve and things will be built in such a way that common failures of today are obsoleted just like other engineering disciplines have improved methodologies e.g. airplanes are not built with square windows anymore - http://en.wikipedia.org/wiki/De_Havilland_Comet.
-- Mike
I think that a lot of the posts so far have been unreasonably hard on Bruce. I also think that a lot of posters may not have read down to the end of the article.
I think that the point is that the current situation is out of whack and that the computer security industry enjoys a higher prominence than it should (at least in comparison with other industries). For instance, most of the public have no idea what security measures are in place to protect the power grid - at the same time, Norton antivirus is a household name.
Many of the previous posts are correct in saying that security problems will just disppear. But can the situation be made better than it is now? I'd agree with Bruce that "aftermarket security is actually a very inefficient way to spend our security dollars".
Assuming that the computer industry moves towards more efficiency in this respect, we may very well see more security baked in to the development process. It would mean a reduction in prominence of the security industry as security problems become more of an industry issue than a universal issue.
friends don't let friends teleport drunk
We all want to live in a perfect world/universe where there are no problems which in reality is impossible. In our minds we think we can create this "perfect" world where we have absolute control but in reality we haven't discovered everything in the world so we can "perfect" or control it. We seem to have think that we have discovered everything in the world but in reality every generation "scratches through one inch of infinity of discovery". We seemed to have gotten the mind of Lord Kelvin in which he said "There is nothing new to be discovered in physics now, All that remains is more and more precise measurement.(1900)". We haven't discovered everything yet and nor will we in a very long time. Every new generation thinks it discovered everything in the world that can be discovered but to find out the next generation discover new things the older generation didn't. Will this discovering ever end? I doubt it even if the human race disappears for whatever reason there will be more discovery beyond our tiny world.
But enough philosophy and back to our question of security. There is no such thing as absolute secure operating system or applications as long I have some means of access it I will have a way to break into it. Even it was electronically secure if I can physically get at it if I wanted to and steal it. Even with encryption on the hard drive if I really wanted to get at the data onto another drive and crack it. With enough time and resources the data will come out.
I think my mind is the most secure place in the world. I can't remember where I put my stupid keys?!
network and system design cannot keep up with the development of attacks. and if you think you can come up with a fool proof system.. well your the fool.
If you mod me down, I will become more powerful than you can imagine....
The primary reason the home security industry exists is because home construction/improvement products and services aren't naturally secure. If houses were already secure against burglars, there wouldn't be any need for locks. If city streets couldn't be used to break into homes, no one would bother buying a fence. If there were no more keyholes on locks, no one would have to buy products to protect against lock pickers. If the home improvement products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure.
(Yeah, it's not quite right, but I trust most people will get the point)
"Alcohol, Tobacco, Firearms, and Explosives" should be a convenience store, not a government agency.
My take on this article is that it is a bad thing to seperate "IT Operations" from "Security". It annoys me every time I see a company that has a "Chief Security Officer". Security is a fairly unique problem and can't be handled the same way as getting the lawn cut.
You can always create a "Groundkeeping Crew" and then no one else in the entire company would have to worry about the grass. However, the day you create an "IT Security Task Force", everyone else lets down their guard. Products like personal firewalls and anti-spyware have allowed application and OS developers to sell insecure software without retribution. If security were forced back to the source where the problem is easiest to solve, we would be in better shape today.
Instead, I see a security team trying to lock down the network and application architecture teams trying to get as much data through as possible. Since everyone's goals are 180 degrees from each other, things go much more smoothly when they keep the other side in the dark.
Of course, there's always someone that will be trying to brake the rules and your system... You need to be prevented, there's never a perfect solution but at least there's solutions that will make you more prevented to anything...
ghostbar page.
Quit giving mod poits to posts that deconstruct the notion of "security" and get to the nitty gritty. The most prevalent operating system on the planet is the most insecure. Period. By design, not because it attracts the most attention for being the most widespread, i.e. not because hackers attack it most. It has the most vulnerabilities! You who have mod points to give are being suckers if you think it is intelligent to parse the meaning of "security."
(My vote for a better question).
Schneier's utopia may be a nice place to live in but the reality is that it is far cheaper and quicker to bring code to the market as we see it today.
If we resort to mathematical proofs of correctness and security for every product, the life cycle would be 4 years for each product, and something like WinZip will cost you $500 a copy.
What Schneier is saying is that security won't be an add-on, after-the-fact product that people buy to protect their computing infrastructure. It will be integrated into the design of every program that a 'utility' runs, because the best way to assure your customers they'll have five nines of reliability is to build every piece of the system to be as secure as possible from the ground up.
(Insert folk tale of the impracticality of retrieving scattered livestock vs. maintaining the structural integrity of their enclosure and preventing their escape in the first place.)
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
If computers were already secure against viruses, there wouldn't be any need for antivirus products.
I've had a lot of respect for Bruce Schneier and was unfortunately rather surprised by this column. My conjecture is that beer, late nights and column deadlines don't mix, as I know he's better than this perspective.
I work in information security risk management for one of the largest global financial processors. Our firewall budget alone exceeds the infosec budget for many Fortune 500 firms. Our IDS staff alone dwarfs the entire infosec staff at most firms. Subsequently, we've gotten rather effective in evaluating the risk and return of capital investments in various infosec systems. Just as you don't insure a $500 1978 Pinto at the expense of $2,000/year, you have to apply a quantified risk management approach to decision-making in even the largest, most targeted Internet-connected networks.
Bruce's column follows the dream inherent in many of us of perfection. Give me perfectly coded systems and perfectly designed networks, and infosec will be unnecessary. Thankfully many clueful slashdotters have already pointed the foundational assumption: Bruce's dream requires perfect people. With that recognized, we can quickly suspend further conjectures about any quest to create perfect technology. People lose badges, paste passwords under keyboards, fall prey to social engineering attacks, get stressed by deadlines and write sloppy code, get replaced by new-hires who don't follow the hardening procedures exactly, or god forbid, make a typo which renders things imperfect.
For those who have a statistical inclination, let me ask Bruce's question from the perspective of probability theory: what is the probability that exactly 100% of the system will be secure? That's Bruce's goal. The answer for those who drank their way through college stats (or haven't yet had the opportunity to do so) is exactly 0%. And worse yet, efforts to approach it tend to see the expense of the undertaking quickly approach the infinite. This is why businesses accept risk - to avoid it with 100% certainty is not only impossible, but darn expensive!
Consider this: how many of us have had a minor annoyance develop in our car or truck? Such as that minor shudder in the tires or alignment at 63 mph that goes away at 65 mph? Or the two or three times we heard the brakes squeak when we were braking hard? Why didn't we seek perfection and replace the car? Heck, most of us probably ignored the issue altogether or threw a container of instant tune-up fluid down the fuel tank. We don't incur significant costs until we're forced to, which causes us to frequently ignore risk until it becomes a much more expensive proposition. Bruce's model not only requires immediately replacement of anything observed to have the slightest defect, but realistically the employment of every computer expert in the world to review and verify the perfection of the system's security. Otherwise, if one person knows something the others don't causing it to be insecure, his quest for perfectly secure systems fails.
Can we make better software? Can we develop better systems? Can we engineer more secure networks? Of course, but we need to realize that this is an optimization strategy where he who over-optimizes wastes resources and energy that could have been more productively used and subsequently loses, and he who ignores risks and gets caught on it also loses. He who recognizes the right optimizing strategy is the one who prevails in the end.
*scoove*
The core argument of the analogy is:
If people behaved properly, we wouldn't need an entire field of work to clean up after them.
If people coded properly, we wouldn't need security products.
If people obeyed the law, we wouldn't need cops.
In other words, "No kidding, Schneier. Welcome to the real world, where people don't act ln an ideal manner."
You're reading things far too literally (focusing on the details in the difference in security modesl) to get the core message.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
A lovely idea, but no. I don't think he's even particularly expert in that area - at least, I've never seen any papers from him about it. He's a cryptographer.
)
http://en.wikipedia.org/wiki/Firewall_(networking
Xenu loves you!
duh!
assignment != equality != identity
If people were careful and more people actually know what they are doing, you would have been right, but : There's no patch to human stupidity.
Read and Comment at my BLOG
!!!
Well, it's not like we can take back guns, so yes. And in the same way, if crime exists, it makes sense to protect against it. If computer software were secure -- it was once, and now it's not, not because it got less secure, but people try harder now to break it.
stuff |
"If computers were secure, we wouldn't need to make them secure". OK, Einstein, how do they get to be secure in the first place.
this is just another article to riled up the masses. I guess with the same anology we can say that we don't need a military, a police force, or even a judicial system!
Absolutely. We just need one that works. The current security culture is focus'd on lack of trust. Security is just the oppposite, it's all about trust. Since the major security vendors still don't trust each other we are still in the land of completely incompatable security products. Thus security has not reached that point where it is easy to use and everyone know how to use it. I've been in the industry for a few decades and quite frankly security firms have completely and totally let me down. And yes you need security companies, because quite frankly it is impossible for each and every firm to be perfect at security all by them selves. Standards, audits and consulting can all be used to implement the security measures your corp may need far better than they can alone.
He wouldn't bump his ass when he hopped!
People are making analogies with real-world security, afterall what would /. without analogies be? (It probably would be like having, say, a car that has no... Oh, wait! ;)
.rpm and .deb regarding this issue is appealling... Thankfully there definitely is work going on regarding this issue at the moment, both on Linux and on other Un*xes). And everyone accepts it and consider it normal, well, nearly everyone ;)
One very important difference here is that a tiny proportion of lowlife can break havoc, due to the worldwide connected net that the Internet is.
As long as IPv4 and IPv6 and IPv6s "this-time-its-bullet-proof-from-a-security-point- of-view" allow attacks to be easily perpetrated there will be misbehavior.
I'm all for that perfectly secure IT world but that would mean in the first place that people clueful when it comes to security are the ones in charge of defining the new standards. This is not how it works. There's only one Bruce Schneier and only a few good cryptographers. Take an example: the Web. Kudos for making it a reality, but it's pathetic that attacks such as the "confused deputy" are working (XSRF) and considered to be "difficult for most Web developers to understand". Yet it would have been completely trivial to avoid, by simply defining standards a little more secure (moderators: do not mod anyone refuting this as "insightful": the standards defining the Web could have been way more secure and could have prevented many of today's security gigantic holes, this is a fact).
Email? FTP? Web? IPv4? IPv6?
Stop kidding us, these are nice but all designed by people completely clueless when it comes to security.
They simply do not get it. Then on top of these completely incomplete and insecure standards you've got lots of clueless companies and programmers spouting out their own interpretation of the standards and you end up with millions of boxes "r00ted" because someone puts an animated cursor in a web page. That is the state of the security world today.
Yet there's some hope: a few designers do understand security issues. Take the Java Virtual Machine, for example: not a single buffer overflow in more than 15 years. No matter how distorted your view of Java this is an outstanding achievement. Should a buffer overflow work in a JVM, it would be an error in the implementation of that particular JVM. It doesn't mean Java didn't have holes... There have been exploits... In C written libs (zlib to name one)! And then you can see some industries needing security (like the banking sector) switching en masse to Java. Remember, C fans, the only buffer overflow ever found in Java where not in the JVM but in third-party, C-written, libs. I am not trolling, I love C and don't mind a little C coding session once in a while (last time I hacked a little bit on X Window System). But it is food for thought.
How many developers are using notoriously insecure platforms to develop? How many Linux users use root privileges to install package that should be installable as non-root like, say, "The Gimp"? (the level of brokenness of
Little story about one of the very best programmer I know, ten years ago or so: I receive a new motherboard that allows to flash the BIOS without needing to move any jumper, this was supposed to be a "feature". I open the board, read the manual, and start spouting bad words about the fucktardiness of such a design... Comes a co-worker, a very smart dude, asking me what the problem is. And I explain him: "see, it won't be long before some lowlife writes a virus that clears the BIOS" and the guys answers "dude, you're paranoid, don't worry about that". A few months later such a virus was out. (oh, and btw, as a huge Sun fan, I'd like to point out that this has never been possible on any kind of Sun hardware. On the other hand from a s
If streets could be made safer we wouldn't need police... Seriously, if someone is determined they can get in no matter how secure a system (or physical location) is. All security mechanisms are merely deterrents whether it be a car alarm, a home security system, or a firewall. The more layers of security you have the more likely it is to deter breaches. You can improve security on individual products but you will always need someone to provide expertise on the integration of those products as well as monitor them for potential breaches. You can suggest that security is not cost effective for your organization but there are real-life cases where the systems/data being secured are too valuable to assume that the default security is sufficient. Case in point, auto manufacturers have theft protection built into the cars. It has a manufacturer's alarm and the doors are locked. You can park it in a garage that has cameras and secure entries/exits. Good security, right? Would you feel comfortable leaving a case of hundred dollar bills along with the keys sitting in the front seat?
At DNADMG (DNA Digital media Group), a Chicago company which has created promotional software for General Mills, Kellogg's and McDonald's, employees were told they weren't doing their jobs when they refused to install pirated versions of software. I'm given to understand this company, which primarily makes promotional games for children, also has their foot in the door of the pornography market, trying to market identical versions of their software, porno themed.
I'm not even going to read the article, the summary alone tells me how ridiculously out of touch with reality this guy is. I don't care how secure network traffic is, I'm not about to put my entire corporation out there for public access.
Yes, because there is no patch for human stupidity.
My consulting company recently added security as a service we offer. That made it a separate group within our company. Since that time all manner of security-related things have been pushed off onto this group. I see this as a very bad way of practicing security. We don't need a special group of people to come in and harden or servers & network after we deployed it. We need to utilize good security practices as we're building the infrastructure. A secure architecture isn't something you can tack on after the project is 99% complete. It's something that has to be designed into the project from day one. "How do we achieve our goal in a secure fashion?" or at the very least, "How do we achieve our goal with the minimal acceptable risk to our security" because everything has an implied security risk. I believe this new direction for us will ultimately lead to replication of work as the security people try to rebuild our product after the fact. This obviously increases the number of billable hours on a project. Inevitably since they aren't network engineers or systems engineers they will over-secure something to the point of not working. This in turn creates even more billable hours to the customer. Perhaps that's what my company is really after....
Eliminating or fixing windows ( lets face it, that is what this is all about ) would not make a system perfectly secure, and thus the security industry would still have a place in providing security as a service. It would change the security business model quite a bit, and the companies would probably get the main share of their revenue from developers rather than end users, but the need to audit code for flaws and vulnerabilities would still be there. The only way the security industry would not be needed would be if there were no attackers, and that is not about to happen any time soon.
we'd all be eating steak.
something tells me that working at someplace that is cheapin' out on software might not be someplace that will be best in the long run?
The same thing could be said about the home security industry.
If homes were secure, we wouldn't need them either.
The problem is not that computers are insecure by design or by flaw, but that *everything* in the universe is insecure AND there are always people looking to exploit that.
You can't make your computer completely secure any better than you can your home, or your car. Fact is, if somebody wants to badly enough, they are going to break into your home, or your car, or your computer, or your work, or whatever.
Its always a battle of staying ahead of the bad guys, and employing reasonable deterants for the situation.
We have security products for computers for the same reason why have locks on our doors, bars on the windows, entry alarms, security cameras, guards, policemen, etc etc.
You want to solve the problem? Get rid of all the bad people...
-- Senior Software Engineer, Attorney appearance services, locallawyerapp.com.
The fact of the matter is that outsourcing everything to $4-$8 hr programmers is responsible for a lot of the problems that we're seeing. First off, the entire country of India isn't in IT. Most of the IT people who are any good are already here on an H1. Many of the Indian companies are now sending work to places like Uzbekistan because they don't have the local staff to do the work, or because it's cheaper there. So you've got some guys who contract the job for $8 and they sub it out for $4. And then you wonder why you get what you pay for?
The guys that had 20 years of experience and who made $35/hr are long gone into other fields, taking their knowledge and experience with them. The guys who knew not to use class whatever or function whatever because it had "issues". Since the brain drain happened so rapidly, none of that got transferred to the new guys.
2 cents,
Queen B.
HDGary secures my bank