We shouldn't need a security industry


  • We shouldn't need a security industry

    At least, that's what Bruce Schneier thinks:

    http://software.silicon.com/security...9166892,00.htm

    His point: vendors' products should be secure by default.
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
    [ redacted ]

  • #2
    Re: We shouldn't need a security industry

    He has some valid points there, but I think his supposition (from the title) is a bit unrealistic. Sure vendors need to be more diligent in the code they release, but no matter how bulletproof the code, you're always going to have users that muck things up and cause problems. You're always going to have people seeking to use the product in ways it was never designed (hooray!). etc etc etc.
    Aut disce aut discede

    • #3
      Re: We shouldn't need a security industry

      At some point the so-called security luminaries either lose touch with reality, or say shit just to get their name in a headline. Probably both.
      perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'

      • #4
        Re: We shouldn't need a security industry

        It is a funny statement when you think about it.

        In his book Beyond Fear he writes about how people tend to want total security even though such a thing is not possible.

        This new thought seems to be a contradiction to something he said was not possible.

        There is a loophole, however, in the use of shouldn't.

        "Shouldn't," can be a specification for policy, or it can be a statement of desire or want.

        You shouldn't do that.
        or
        I shouldn't have to pay for stuff.

        Taken as the second example, prepend such a statement with, "In a perfect world," or, "In Utopia," to get:

        In a perfect world, I shouldn't have to pay for stuff.
        In a perfect world, we shouldn't need a security industry.

        Different point:
        The article's metaphor of, "car brakes," is missing something: how common it is for people to attack email vs. how uncommon it is for people to cut brake-lines.

        A better metaphor could have been used.

        He is selectively choosing a specific point of security: reliability/durability-- can the product do what is claimed without failing.

        When you get to the end of the article, you can see that his use of "shouldn't" is one of hoping or wishing, such as prepending the "In a perfect world," sentence fragment to the statement.

        There is another problem not brought up in this thread yet. Consumers are the ones at risk, or the victims of lost time, money, and resources when there is a failure in software. By blaming the consumer, is this not the same as blaming the victim?

        Here's my news byte: Isn't blaming the consumer for poor choices like blaming a person that was raped because of their choice in clothing?

        My take? Sensationalist news-byte to get people's attention, but remain mostly true because of alternate definitions of words. How much of this is because of how this story was reported, and how much of it is from Schneier? I have no idea. Reporters that can make mountains out of mole hills often stay employed, but I don't know if that is the case here.

        • #5
          Re: We shouldn't need a security industry

          So what color is the sky in Schneier's world? He should know that many of the problems with security in IT are due to the fact that they sprang from a closed system where security was unneeded and would probably have been undesirable. He should also understand that historically, there is always a lag between when a technology is adopted for widespread use and when the laws and security catch up with it. That's mainly because until whatever it is starts to be used in general, no one puts that tech to a bad use.

          To continue with his car metaphor, you don't need traffic lights if the fastest object is a horse.

          It used to be that Schneier was always insightful and dead on the money, but this is the second time in recent months that he's waaaay off the mark. His comments on Boston PD and the ATHF signs seemed to be an ignorance of police work, so I just shrugged that off, but after this one I'm beginning to wonder if he's losing his edge.

          Then again, no one I know gets everything right, so maybe he's just hitting a bad streak.
          Thorn
          "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

          • #6
            Re: We shouldn't need a security industry

            I think the article is pretty self evident. In a perfect world I agree. I hate having to install 20 different security add ons, tweak a billion registry settings, security policy plug ins, file permissions, etc. It is massively time consuming...

            .. Then again I do the same thing with the servers running on BSD as well. Recompile code, apply patches, set permissions, etc.

            In the ideal world I just install the OS, add a web server, and get on with the business of watching pr0n and planning a convention. But it doesn't quite work that way yet. OpenBSD is the closest to this mind set.
            Last edited by The Dark Tangent; May 4, 2007, 13:45.
            PGP Key: https://defcon.org/html/links/dtangent.html

            • #7
              Re: We shouldn't need a security industry

              In my youth working as Dell tech support, other workers would complain all the time that MS sucks, and they hate all the calls. I then reminded them: if it all worked most of the time, then they would not have a job.
              "Never Underestimate the Power of Stupid People in Large Groups"

              • #8
                Re: We shouldn't need a security industry

                Originally posted by Dark Tangent:
                In the ideal world I just install the OS, add a web server, and get on with the business of watching pr0n and planning a convention.
                I think we'd all appreciate that world
                Never drink anything larger than your head!

                • #9
                  Re: We shouldn't need a security industry

                  I can understand the argument he makes, but here is a simple concept on a very basic level coming from an incredibly green person (me :))

                  Millions of dollars of computer equipment and security policies can be taken down by a simple 5 cent sticky note :)

                  If it is looked at another way, we shouldn't need police and military to live freely in our country. After 9.11 happened, so many people complained about how inconvenient it is with all the extra added security. Computer security is no different.

                  Maybe software manufacturers need to improve their security. But all that means nothing if the end user un-checks auto update or doesn't apply any themselves and the list could go on and on. I am always shocked at how wide open people leave their setups.

                  Bottom line is (IMO), for many people, security is not convenient and we are a society that demands that.

                  • #10
                    Re: We shouldn't need a security industry

                    Not that it is going to happen in my life time but I see this as the future. There will be very secure servers where access to the information is controlled through comprehensive digital rights management. Communications between individuals and systems will be encrypted. There will not be corporate networks. Internet 2 maybe even Internet 3 will be the corporate network.

                    In the meantime, I will continue to live in reality and understand and accept that it is my role to make sure that those systems for which I am responsible are as secure as they can be, while still allowing access to those systems by those that need to use the systems and the information they contain for business.
                    DaKahuna
                    ___________________
                    Will Hack for Bandwidth

                    • #11
                      Re: We shouldn't need a security industry

                      "We shouldn't need a security industry"...to add insult to injury, here is another example of not leading by example. The below article to me is just as much of a reason we have security issues as any other reason.

                      "The hard drive contained information on employees who worked for the Homeland Security agency from January 2002 until August 2005. TSA, a division of the Homeland Security Department, employs about 50,000 people and is responsible for security of the nation's transportation systems, including airports and train stations."

                      News story here fresh off the press: http://www.msnbc.msn.com/id/18497134/

                      • #12
                        Re: We shouldn't need a security industry

                        Originally posted by Samurai®¥©:
                        I can understand the argument he makes, but here is a simple concept on a very basic level coming from an incredibly green person (me :))

                        Millions of dollars of computer equipment and security policies can be taken down by a simple 5 cent sticky note :)
                        A conversation of this nature will always turn to semantics and perspectives, and any real, and meaningful argument can't be summed up in a quick blurb like this article.

                        Maybe we don't need the various flavors of bureaucracy à la HIPAA, but watchdog groups like Foundstone can be very beneficial.

                        This may sound over simplistic, but I say this only as a starting point - Common sense, and a working knowledge will be your best ally in basic security, but in most environments, this is shooting a little high.

                        T
                        "640k ought to be enough for anybody" - Bill Gates 1981

                        • #13
                          Re: We shouldn't need a security industry

                          Originally posted by SlackJaw:
                          This may sound over simplistic, but I say this only as a starting point - Common sense, and a working knowledge will be your best ally in basic security, but in most environments, this is shooting a little high.
                          I think you said it better than I did SlackJaw. That was the point I was trying to make with the sticky note statement. I am definitely not opposing any of the watchdog groups or security companies because we definitely need them.

                          I just have to sometimes remind myself that I shouldn't be surprised by the irresponsible ways information is handled by others. What I would like to see ideally, although as you said, this is shooting a little high, is better education with handling information and of course, some kind of accountability.

                          So I don't want to hijack the thread by going on some other tangent. I just think Bruce is aiming his water at the top of the fire and not at the base.

                          • #14
                            Re: We shouldn't need a security industry

                            I do agree that the user is normally the weak point in any security system.
                            Security professionals will always be required, even if just to teach people how to keep themselves secure online.
                            However, I think there will always be a need for a security industry; given the nature of technology, I foresee larger systems with even more complex functions that will have many more ways of being penetrated.

                            • #15
                              Re: We shouldn't need a security industry

                              After reading this thread I feel that we're living in some sort of utopia..
                              A paranoid is someone who knows a little of what's going on.
                              -
                              William S. Burroughs
