April 26, 2007 10:07 AM PDT
Schneier questions need for security industry
Speaking this week at Infosecurity Europe 2007, a leading trade show for the security industry, Schneier said, "The fact this show even exists is a problem. You should not have to come to this show ever."
"We shouldn't have to come and find a company to secure our e-mail. E-mail should already be secure. We shouldn't have to buy from somebody to secure our network or servers. Our networks and servers should already be secure."
Schneier, chief technology officer at BT Counterpane, said his own company was bought by BT Group last year because the U.K. telecommunications giant realized the need for security to be part of any service, not an add-on at additional cost and inconvenience to the user.
His words echoed those of Lord Alec Broers, chair of the House of Lords science and technology committee, who suggested every company, from operating system and application vendors to ISPs, needs to take greater responsibility for the security of end users.
"Security is a small but important piece of the bigger picture," Schneier said. He added that consumers shouldn't accept any product that is inherently insecure.
However, Graham Cluley, senior technology consultant at Sophos, suggested Schneier's dream may be a long way from reality. "Why didn't everybody think about this sooner?" said Cluley. "It would be great."
"It would be great if robberies didn't happen and if road accidents didn't happen and if I didn't stub my toe," he added. "But what you have to realize is that software developers are human and humans make mistakes.
"I can't imagine there ever being a 100 percent secure operating system, because a vital component of programming that operating system is human."
Jon Collins, service director at analyst house Freeform Dynamics, expressed his own doubts about the value of the security industry but said it will always be fed by dual forces of end-user error and the shipping of insecure products.
"I always used to think the security industry existed to make people scared and then sell them something to protect them from what they were afraid of. But now I think it exists because of what people are prepared to buy," he said, adding that investment in security products tends to be reactive to a problem a company has already suffered, making security a "fire extinguisher industry."
But Collins added that it is not true to suggest that user reaction is always due to inherently insecure software or hardware.
"Even if everything was secured, the end user would still find a way to configure it wrong or install it wrong or enable the wrong privileges and permissions," he said.
Will Sturgeon of Silicon.com reported from London.
Sometimes, the product is pushed out too early - yes, but if it waited to be tested to a zero-fault it would never get to market.
Sometimes, the user is an idiot - yes, but not always.
Sometimes, the default settings are not secure - yes, but that's what customization is all about. The OS is not necessarily less secure because the default setting is "open."
Security is one important aspect of network design, but it is not the only aspect. A password policy that is too tight merely leads to end users taping the password under their keyboard or only changing the number of the month. ****** and Toilet Water consider this a "more secure" environment.
Standardization is inherently insecure because the network rules are known - but then if they weren't, the Internet wouldn't work.
This could go on ad nauseam. Yes, many an OS or software suite goes on the market with holes, but even the well-tested products have to face hackers and attackers who've learned a few things over the years.
Many of the security products on the market are ineffective and not especially innovative, but that could be said about any industry. In the meanwhile, pick your security solution and take your chances.
The security assumes that buying their product will mitigate 100% of the risk. If they don't sell it as mitigating 100% of the risk, then we as users have to accept some risk. Life is full of assuming risks. You do the best you can, life isn't perfect and neither can we expect security to be perfect.
An example: with Vista, the OS is much more secure, but the pain of that is just too much for an end user to bear. Similarly, a corporation wants to manage their business, customers, financial transactions, etc. They don't want to, but have to, manage security. Security is not a revenue generating option. It is strictly a cost overhead.
I am glad that someone like Bruce brings it out in the open and hopefully can start a healthy debate.
Answer->Microsoft.
If Microsoft would come out with a good OS without having all these flaws in it. Plus have the hackers they "HIRE" help them come up with a great program to protect the OS, like the blackhats do with Linux.
Really, this guy is a real nut case.
Enough said... Mark T
And the blame resides equally with "vendors" as with "customers."
Too many vendors "blow smoke" (aka over sell a product's true capabilities, largely by selling "features" as if they were a vetted architecture) and "flash mirrors" (withholding vital information, some times in the face of direct questions) about what their latest-and-greatest does not manage to accomplish. (For the vendors of "bad" products, disclosing the truth would be a matter of "confession.")
Both failures are not to be excused.
Customers have to be faulted for being predisposed to seek out SnakeOil/SilverBullet/EasyButton "solutions" to complicated InfoSec problems.
The brain *is* *barely* functioning.
People are not thinking strategically and pro-actively. They are mostly reacting and they are well conditioned to spending out their quarterly budgets according to a deadline, not according to a well defined mission.
That's why so much garbage gets sold and bought in the name of Security.
Security is hard and the hardest parts are very easy to get wrong.
Concrete facts have to be sussed out, hypotheses have to be made, analyzed/tested, and "good" *conclusions* drawn, before we can begin to know what really needs to be done in a given situation. Only then can we begin to piece together the parts that might solve the problem.
This a much bigger problem than, "these products/technologies are good," and, "those are bad." That is the most simplistic sift that *always* has to be made; but even the "good" products can only be sanely utilized within the scope of their own strengths and weaknesses.
When "security" is built directly into a product's core, if it isn't scrupulously standards-based and intended to be fully interoperable according to those standards, we wind up with more proprietary crap that deliberately creates new gaps along its seams.
We abhor and ignore complexity.
An EasyButton is fine for photocopiers and buying office supplies.
There is just no such thing in RealWorld InfoSec.