Slashdot Mirror
How Security Companies Peddle Snake Oil
penciling_in writes: There are no silver bullets in Internet security, warns Paul Vixie in a co-authored piece along with Cyber Security Specialist Frode Hommedal: "Just as 'data' is being sold as 'intelligence', a lot of security technologies are being sold as 'security solutions' rather than what they really are: very narrow-focused appliances that, as a best case, can be part of your broader security effort." We have to stop playing "cops and robbers" and pretending that all of us are potential targets of nation-states, or pretending that any of our security vendors are like NORAD, warn the authors.
Vixie adds, "We in the Internet security business look for current attacks and learn from those how to detect and prevent those attacks and maybe how to predict, detect, and prevent what's coming next. But rest assured that there is no end game — we put one bad guy in prison for every hundred or so new bad guys who come into the field each month. There is no device or method, however powerful, which will offer a salient defense for more than a short time. The bad guys endlessly adapt; so must we. Importantly, the bad guys understand how our systems work; so must we."
Vixie adds, "We in the Internet security business look for current attacks and learn from those how to detect and prevent those attacks and maybe how to predict, detect, and prevent what's coming next. But rest assured that there is no end game — we put one bad guy in prison for every hundred or so new bad guys who come into the field each month. There is no device or method, however powerful, which will offer a salient defense for more than a short time. The bad guys endlessly adapt; so must we. Importantly, the bad guys understand how our systems work; so must we."
"pretending that all of us are potential targets of nation-states,"
umm... we ARE all targets of nation-states- no pretending required.
maybe he meant 'priority targets' or some such...
Security isn't a product. It's really that simple. Security comes from properly implemented instruction in code. ie that isn't riddled with bugs. Unless your selling me a service which audits the software's source code I use and/or configurations (for example Apache's configuration, SSL enabled, up-to-date, good configuration for Drupal, etc ) I'm not convinced that there is any value in your security product. Your not going to be safer unless the software your using isn't riddled with bugs and poor default settings and/or configuration.
I have to admit that I would pay for a subscription to an auditing service for GNU/Linux. I wouldn't pay for an anti-virus solution as anti-virus software is an outright fraud. The companies can't fix bugs in the code (on proprietary platforms) and at best there is a slight chance some malicious software might get picked up (the risk and costs vs reward though isn't worth it). It won't stop new malware from exploiting old un-patched bugs and most malicious software in the will get through. 99.8% detection isn't going to do shit when 98.8% of malicious software isn't actually spreading and/or has been patched years ago.
Yea- I don't use MS Windows or Mac OS X or any proprietary software (well, except, unfortunately a proprietary BIOS, and possibly other low-level microcode, but drivers/firmware for individual components are mostly free in my systems, ie ThinkPenguin.com).
Excellent, I need help with a stubborn glitch we are having. How do I contact them?
Table-ized A.I.