Comments on: Schneier questions need for security industry
Speaking at a trade show in London, security guru sparks debate about the sources of and responses to security problems.
January 2, 2010 11:43 AM PST
January 2, 2010 9:41 AM PST
January 2, 2010 6:00 AM PST
Sometimes, the product is pushed out too early - yes, but if it waited to be tested to a zero-fault it would never get to market.
Sometimes, the user is an idiot - yes, but not always.
Sometimes, the default settings are not secure - yes, but that what customization is all about. The OS is not necessarily less secure because the default setting is "open."
Security is one important aspect of network design, but it is not the only aspect. A password policy that is too tight merely leads to end users taping the password under their keyboard or only changing the number of the month. ****** and Toilet Water consider this a "more secure" environment.
Standardization is inherently insecure because the network rules are known - but then if they weren't the Internet wouldn't work.
This could go on ad nauseam. Yes, many an OS or software suite goes on the market with holes, but even the well-tested products have to face hackers and attackers who've learned a few things over the years.
Many of the security products on the market are ineffective and not especially innovative, but that could be said about any industry. In the meanwhile, pick your security solution and take your chances.
The security assumes that buying their product will mitigate 100% of the risk. If they don't sell it as mitigating 100% of the risk, then we as users have to accept some risk. Life is full of assuming risks. You do the best you can, life isn't perfect and neither can we expect security to be perfect.
An example: with Vista, the OS is much more secure, but the pain of that is just too much for an end user to bear. Similarly, a corporation wants to manage their business, customers, financial transactions, etc. They don't want to, but have to, manage security. Security is not a revenue generating option. It is strictly a cost overhead.
I am glad that someone like Bruce brings it out in the open and hopefully can start a healthy debate.
Answer -> Microsoft.
If Microsoft would come out with a good OS without having all these flaws in it. Plus have the hackers they "hire" help them come up with a great program to protect the OS, like the blackhats do with Linux.
Really, this guy is a real nut case.
Enough said... Mark T
RE: near flat InfoSec EEG
by wti, October 25, 2007 2:42 AM PDT
And the blame resides equally with "vendors" as with "customers."
Too many vendors "blow smoke" (aka oversell a product's true capabilities, largely by selling "features" as if they were a vetted architecture) and "flash mirrors" (withholding vital information, sometimes in the face of direct questions) about what their latest-and-greatest does not manage to accomplish. (For the vendors of "bad" products, disclosing the truth would be a matter of "confession.")
Both failures are not to be excused.
Customers have to be faulted for being predisposed to seek out SnakeOil/SilverBullet/EasyButton "solutions" to complicated InfoSec problems.
The brain *is* *barely* functioning.
People are not thinking strategically and pro-actively. They are mostly reacting and they are well conditioned to spending out their quarterly budgets according to a deadline, not according to a well defined mission.
That's why so much garbage gets sold and bought in the name of Security.
Security is hard and the hardest parts are very easy to get wrong.
Concrete facts have to be sussed out, hypotheses have to be made, analyzed/tested, and "good" *conclusions* drawn, before we can begin to know what really needs to be done in a given situation. Only then can we begin to piece together the parts that might solve the problem.
This is a much bigger problem than, "these products/technologies are good," and, "those are bad." That is the most simplistic sift that *always* has to be made; but even the "good" products can only be sanely utilized within the scope of their own strengths and weaknesses.
When "security" is built directly into a product's core, if it isn't scrupulously standards-based and intended to be fully interoperable according to those standards, we wind up with more proprietary crap that deliberately creates new gaps along its seams.
We abhor and ignore complexity.
An EasyButton is fine for photocopiers and buying office supplies.
There is just no such thing in RealWorld InfoSec.