Slashdot Mirror
Do We Really Need a Security Industry?
netbuzz noted that Bruce Schneir's latest column
discusses the security industry where he points out that "The primary reason the IT security industry exists is because IT products and services aren't naturally secure. If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure."
At least spell his name correctly: Schneier.
I want to drag this out as long as possible. Bring me my protractor.
The article assumes security is static: "..if computers were designed to not be susceptible to virii.."
If it's not virri or worms or buffer-overflows then it would be something else. Human intellect has this uncanny ability to grow and adapt.
Website Hosting
And if our buildings and public places were built securely, we wouldn't need police, right?
If murderers just stopped wanting to kill us. If drivers just wouldn't have accidents. If kids just didn't wander into swimming pools and drowned..........
Utopia is a pretty cool place. I'd like to go there too.
I mean they only exist because cars aren't built perfectly.
The primary reason we need law enforcement is because people don't always follow laws. If people always followed the law there wouldn't be any need for law enforcement. If bad people weren't allowed out of childhood no one would bother buying guns or even locks on their doors. If everyone was generally nice we wouldn't have to spend billions every year enforcing the law.
its kinda like saying that someone who gets raped is responsible because they didn't have martial arts skills, and wouldn't need mace or a stun gun in the first place if only judo was taught as schools or something crazy like that. Where does the blame game end?
you wanna know who's fault it is? its the person breaking the law, breaking the systems. but you know what you can do about that? next to crap.
If if's and but's were candy and nuts, then what a wonderful world it would be!
Curb CO2 emissions: Kill yourself today!
In a perfect world software would meet it's requirements perfectly. But because of politics, timing, money, or just overlooking a single character in the source, bugs do and will happen. Just the way the world works. Same thing goes for anything. If your TV breaks, you take it to be repaired or get a new one.
Sure, why not? You don't rely on the contractors who build your house to provide all the security you could ever need, but you do expect them to install windows and doors that lock. Windows and doors that lock aren't inherently "impenetrable", though. If you want to go beyond that, you call ADT or someone similar and let them take it to the next level.
If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. ...
And if pigs flew out of my arse, I wouldn't need to go to the supermarket to buy bacon. What's his point?
!#@%*)anks for hanging up the phone, dear.
As long as there is a human behind the computer, there *will* be a possibility of exploiting a vulnerability on the system... the human being.
Ubuntu is an African word meaning 'I can't configure Debian'
And if humans weren't susceptible to cancer, we wouldn't need oncology.
And if humans weren't always metabolizing away their energy store, we wouldn't need the food industy.
The point being that the computer is susceptible to these unfortunate side effects for the same reason that they're so successful in the first place - being part of an open ecosystem, being able to adapt, being able to interconnect, being able to hide information from users so that they can attend to value-add tasks.
Not that we couldn't minimize the exposure by operating more effectively, but eliminating them via design could eliminate the very utility that's allowed the computer and the networks to be so successful.
Also, do not forget that an Internet connection allows anonymous attackers to assault your systems 24/7/52.
Having a firewall may not force the workstation software providers to improve their security. But the firewall provides a single point where you can focus intensive monitoring efforts.
We live in a world where people will trade their password for a bar of chocolate.
Over time the technology WILL get better. We're already seeing some of that. But in the end, even with perfect software security, we will still have problems because PEOPLE will be using the systems.
Secure out of the box doesn't matter. Secure after I have installed the many third party programs I require to run my business matters. Secure after my clients install the latest OS 'update' matters.
There is no way to absolutely positively guarantee any complex product can remain safe over a period of time as the environment it runs in will change through both vendor and user additions to that environment. And anyways, the market does not want to wait for 'secure.' The market hardly waits for 'workable.'
Bruce's question is interesting on some levels, but seems shallow in a number of ways. That being said I read him all the time.
Regards.
I say just build an unbelievably simple AIS that has zero functionality. Thats right: no user interfaces, no applications, no storage of information, not even a keyboard. Then we wouldn't have to worry about all that nasty malicious code, and keystroke loggers and... Oh crap someone just walked in and stole my do-nothing non-functional system. Guess I still need physical security.
I have the utmost respect for Bruce, but that statement is fairly ridiculous. Its like saying if we built automobiles that could never crash then we wouldn't need road rules. Basically you can sub anything into that statement. If we made food that wasn't unhealthy we would need Jared and annoying Subway commercials...
News Reporters Make Tasty Polar Bear Treats!
The problem here is that 99% of software purchasers simply don't have the ability to evaluate a product on the merits of its security. They do have the ability to evaluate products (1) on the merits of their prices.
The companies that develop software know that (2) doing security properly is extremely expensive, and requires hiring skilled specialists, and inegrating those specialists at all levels of the development process.
When you take points (1) and (2) into consideration, you realize that there is a lot more ROI in developing cheap insecure software than there is in developing expensive secure software.
This is an example of capitalism failing due to poorly-informed consumers. But I can think of no way to solve the problem (a security quantifier???), so the industry will continue along as it does today: cheap software and band-aid security.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
"The primary reason the IT security industry exists is because IT products and services aren't naturally secure."
Which is like saying that the primary reason the physical security industry exists is because buildings aren't naturally secure.
That simply isn't true. It exists becasue people are sneaky little bastards who naturally want what other people have. You cannot make something secure enough to keep everyone out - physically or digitally.
Here will be an old abusing of God's patience and the king's English.
Do we really need locksmiths? If buildings were naturally secure (aka didn't have doors or windows), we wouldn't need locksmiths.
However, people need to get in to and out of buildings, so we need doors. And sometimes we need to control which people are going in to and out of a building. So we need locksmiths.
So, if your IT systems are powered down, unplugged, encased in carbonite, and buried at the bottom of the sea, then the answer is no, you do not need a security industry. Or, at the other end, if all your IT doors and windows are open, and you don't care who comes in and out, then again, you do not really a security industry.
But if you want some people to have access to your computer, but not others. Or you want to control the level of access people have, then yes, you do need a security industry.
You'd eat bacon from your own ass pigs? Remind me not to come to your house for BLTs.
I suppose you're posting this comment via a snail-mail to http gateway.
Now, take a default installation of Ubuntu Feisty Fawn. Even if you hook it straight into the Internet WITHOUT an external firewall (or running any firewall software) you'll still be very secure.
That's because, by default, there aren't any open ports. There's no way for any worms to attack your system. That's just basic security practice.
Now, there are other ways to crack a default Ubuntu installation. But they require that the admin have done something to make it LESS secure (or you can physically access the box).
Your example is about the physical world. And the problem there is that physical access is already assumed. We can take steps to REDUCE the physical access, but that still leaves social engineering attacks.
You will always need police just as you will always need sysadmins who will READ THE SECURITY LOGS. No matter how secure you are.
I like Bruce, but what the hell is he on about? Personal computers are designed to execute arbitrary code. If they weren't, we'd hack them so they would be (TP?). If you can execute code, you can find a way to wreck a system. Sure, it can be hard, but there will ALWAYS be a need for security specialists, and security software. Sure, virus scanners may one day disappear, but rootkit scanners, phishing lists, etc will take their place. Just because your computer engineering is perfect doesn't mean your social engineering isn't flawed.
Sounds like a good reason to implement the Evil Bit for all IP traffic from now on. (Of course, if you own stock in a firewall distributor or other security company, better diversify before they implement this RFC.)
If people were perfectly peaceful, we wouldn't need laws or governance
If everybody washed their bums correctly and cooked meat well every time, nobody would have to worry about butt-worms
If people were perfectly courteous and attentive on the road, there would be no need for auto-insurance
So now let us imagine what it would take to get to a point where we no longer need people specialized in securing and maintaining the integrity of data. Do We Really Need a Security Industry? YES! We most definitely do, and always will! Is there room for improvement? Yes, vasts, and there always will be!
How did this get +3 Funny? He screwed the order up and didn't even bother to use the funnier colloquialism "bump it's ass a'hoppin'!" No imagination. Then again I could tell you an even funnier and more cliché quip, but then I'd have to kill ya! Ha!
Demented But Determined.
If people didn't commit crimes there wouldn't be a need for police.
Put down that analogy; you're liable to cut yourself. 8^)
Security in buildings and public places represents an utterly different problem set from software security. They have virtually nothing in common. Suggesting that software security today is like (heh) a walk in the park is wildly wrong.
I hate analogies, because they cloud things more than they clarify them. But if I were to use yours, I would say that if our buildings and public spaces were better policed, we wouldn't need to pay for personal, individual security guards who pat down and disarm even our friends before they allow us to so much as look at one another.
Schneier's point is valid. In a healthy, heterogeneous software environment, the threats are fundamentally different from those we face today. We could move from trying to protect ourselves from clicking on tainted image and document files(!) to creating secure site configurations tailored to our particular needs. I too dream about the day when we have configurations that are not so draconian that people are precluded by fear from taking advantage of some of the Internet's greatest advantages: the end to end network.
There are some who will say that software is inherently insecure, and that it cannot be secured. There are some who say that people using 'safe' technologies and processes are only safe by virtue of the fact that there are easier targets in abundance. They are wrong. And this is Schneier's point: Whatever inherent problems there may be in software security, the vast majority of Windows users - let's call a spade a spade - work in an environment that is so utterly flawed that there is a quantum difference between the security issues they face and the vastly more limited security issues they could be facing, if only the manufacturers would cease to treat security as a cost centre external to their core business.
Crumb's Corollary: Never bring a knife to a bun fight.
From Wikipedia, your source for all things accurate.
We figured out a long time ago that it's easier to elect seven judges than to elect 132 legislators.
Virii isn't a word. It's not the Latin plural of "virus". It would be the plural of "virius", if that were a word, which it isn't. Quite plainly, "virus" has no Latin plural. "Viri" is the plural of "vir", which means 'man'. In Latin, it was a catch-all for "poison". It has no plural in the same way the English word "everyone" has no plural.
There are entire wikipedia articles on this issue. What you're doing is wrong, and I've modded you down for being an idiot. The correct plural is "viruses". Start using it. It's in your own best interest, after all. Anyone who knows the most basic amount of real Latin will laugh at you the moment you utter the word.
Shouldn't code be able to debug itself? Do we still need auditors? Why? Shouldn't our training and processes be up to snuff by now. See the point of a 'security industry' is not because things should work this way or that way but because they in fact DO work this way or that way. That's why they call it engineering, because it's engineered and that means it's imperfect.
A better question is: Do we really need columnist like Bruce Schneir telling us what a perfect world might look like?
[[ the only 15 letter word that is spelled without repeating a letter is uncopyrightable: it may soon be, however. ]]
All the "..and if..." replies really miss the point here. Its not that he's stating the obvious, he's saying the glory days of IT security as an aftermarket industry are over. The focus of IT security is shifting from point products that deal only with the threat du jour, to integrated infrastructure. Security as a service, if you will.
Look at Cisco. More and more of the monitoring and mitigation systems we run are turning up as part of the switch in next generation gear.
Businesses want simple, cost effective systems that are built in to the infrastructure, don't get in the way of the money-making, and keep the bank and federal auditors happy.
Besides, the best security tools are free. And most of IT security is just plain common sense. You don't have to have been at it as long as I have to know that. The technology we use only works one way, so threats aren't that hard to figure out. The rule is to be aware of what runs on your network and keep an eye on what comes and goes. If in the years to come that's all built in, cool.
I am personally obligated to post this link every time I see "Zone Alarm" and some phrase describing 'hack attempts' and 'logs' posted on the internet.
/. gets this, I post for user #1018050. Sir, please read this short article:
While most (read: all) of
http://samspade.org/d/firewalls.html
Beware of the Leopard.
I think some of his points are good:
"Additionally, as long as IT security is a separate industry, there will be companies making money based on insecurity -- companies who will lose money if the internet becomes more secure."
All the commercial anti-virus software I've ever used has been full of FUD, displaying big red crosses and popup balloons telling me that my system is at risk because I haven't purchased some additional product or upgrade. I see the same companies rolling out stats about virus attacks and in mainstream media warning of the next big threat, doom saying wherever possible.
Personally, as a programmer, I think the weaknesses in software will be fixed and operating systems changed such that deep probing virus checkers are obsoleted. I'd happily see this whole FUD spreading portion of the security industry die.
Some of his points may however be too general:
"The whole IT security industry is an accident -- an artifact of how the computer industry developed."
There are still places where a security industry will always be needed, such as authentication though RSA tokens/smart-cards/biometrics and the associated infrastructure.
In general I think he's about right though. Over time software will improve and things will be built in such a way that common failures of today are obsoleted just like other engineering disciplines have improved methodologies e.g. airplanes are not built with square windows anymore - http://en.wikipedia.org/wiki/De_Havilland_Comet.
-- Mike
My take on this article is that it is a bad thing to seperate "IT Operations" from "Security". It annoys me every time I see a company that has a "Chief Security Officer". Security is a fairly unique problem and can't be handled the same way as getting the lawn cut.
You can always create a "Groundkeeping Crew" and then no one else in the entire company would have to worry about the grass. However, the day you create an "IT Security Task Force", everyone else lets down their guard. Products like personal firewalls and anti-spyware have allowed application and OS developers to sell insecure software without retribution. If security were forced back to the source where the problem is easiest to solve, we would be in better shape today.
Instead, I see a security team trying to lock down the network and application architecture teams trying to get as much data through as possible. Since everyone's goals are 180 degrees from each other, things go much more smoothly when they keep the other side in the dark.
What Schneier is saying is that security won't be an add-on, after-the-fact product that people buy to protect their computing infrastructure. It will be integrated into the design of every program that a 'utility' runs, because the best way to assure your customers they'll have five nines of reliability is to build every piece of the system to be as secure as possible from the ground up.
(Insert folk tale of the impracticality of retrieving scattered livestock vs. maintaining the structural integrity of their enclosure and preventing their escape in the first place.)
[100% ISO 646 Compliant]
SVM, ERGO MONSTRO.
The core argument of the analogy is:
If people behaved properly, we wouldn't need an entire field of work to clean up after them.
If people coded properly, we wouldn't need security products.
If people obeyed the law, we wouldn't need cops.
In other words, "No kidding, Schneier. Welcome to the real world, where people don't act ln an ideal manner."
You're reading things far too literally (focusing on the details in the difference in security modesl) to get the core message.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").