October 24, 2007 8:12 AM PDT

Schneier: Beware security products

A leading security expert has warned businesses to beware of buying shoddy security products.

Bruce Schneier, founder and chief technical officer of BT Counterpane, issued the warning at the RSA Conference Europe 2007 in London on Tuesday. He told delegates that they should not necessarily trust security vendors to give a fair representation of the security of those products.

"There might be a political bent to security decisions, or there might be a marketing bent," said Schneier, citing as an example people selling smart cards who "do a lot to convince us that smart cards are the answer to security problems. For every company that's secure, there's at least one 'me too.'"

Schneier said it was difficult for companies to judge the security of varying products because known attacks are relatively rare, making it hard to collect enough data for security-product evaluations.

"If events are high-damage and rare it's difficult to get data. I'm not going to know (the validity of a product) because I don't have the data. After 9/11 there was a huge inquiry into what went wrong, but it's hard to tell what went wrong because it was one event. There's not enough data," said Schneier.

"The (security) market is asymmetrical--the seller knows a lot more than the buyer," said Schneier. "In the U.S., a lousy used car is called a lemon--but you don't know until you drive it off the lot that it's a lemon."

If marketed correctly, bad products can drive good products out of the market, Schneier warned.

"Products can have the same claims, the same algorithms, the same buzzwords, and one is very secure while the other is just slapped together. If there's no functional way to test a product, you'll buy the cheaper one," said Schneier.

Schneier said that due to market dynamics, good products tend to rise to the top, but that the market probably couldn't stop the incidence of rare events. He warned businesses not to get "caught up in the feeling of security, driven by fear, rather than the reality."

"Fundamentally, we are not rational," said Schneier. "The brain is just barely functioning in the security community. It's still in beta testing. There's weird holes and shortcuts, and all sorts of patches and work-arounds."

Businesses should evaluate security products very carefully, said Schneier, and find trusted individuals with expertise who can make security decisions within a company.

Eric Baize, senior director of the product security office of storage company EMC, agreed that there were both good- and bad-quality security products available.

"The law of statistics is such that in anything there are good- and bad-quality things," said Baize. "This applies to wine, food, and security products. There has been a lot of discussion about whether security should be added on to the infrastructure, or included as a core feature. Now in the security space companies are selling secure infrastructures."

Shannon Kellogg, director of information security policy for security company RSA, said that it was critical to build security into systems from the beginning.

"Building core security functionalities is absolutely critical," Kellogg said. "Systems in the past didn't have security functionalities, but it enables your company to do more. If your car has brakes, it enables you to go faster."

Tom Espiner of ZDNet UK reported from London.

Name names
Why the dance? If Schneier knows of products or vendors who are guilty, why not just name them? Otherwise, his "advice" is useless.
Posted by ejevo (134 comments)
Kettle Calling the pot black...
Who's to say that his company is NOT the "me too" company? (* ROFLOL *)

Profile of the company, length of time on the market, market share and number of security flaws should help differentiate the wannabes from the pros.

If companies CANNOT make the right decision, then maybe they should consider hiring a better IT professional expert capable of making the right decision.

Posted by wbenton (522 comments)
security devices
This gets complicated. All marketed devices must have some kind of scientific study behind them. That is how they sell them. They tell you what it will do, often 'parroting studies' that they do not understand.

Furthermore, if the security corp outsourced for the device built and/or the research behind it, they only know what they were told. Not too many out there follow 'sound methodology' in their research. That is across the board, most instruments, medical tests/studies you name it.

Whether you have fw rules, or are running labs on normal value research, if the research behind the device is unsound, it affects everything done based on those defects.

For years I had to watch people die from incorrect medical tests. They were already off, but looked like they were set to create false negatives. Talk political!! More sick people go home, insurance corps pay less, drug companies get richer as we go around the merry go round.

I now have to watch all of the horrid crimes on the net, knowing that the firewalls may be incorrectly calibrated on bad research. That is before a corp gets it and puts in settings/rules, IDS, etc.

If device research is bad, security people cannot know the limitations of the instrument, the 'true' error rate in the 'band' you can count on, nor where in that band the error is greater. That is, unless they did their own research on the devices they have.

Not sure of the politics unless it is to sell more expensive stuff. What holds true of pc vendors could affect firewalls, backdoors. I do not know, but I cannot explicitly trust anyone. That is why security would do better, perhaps, if they did some tweaking.

That leaves the best option as hacking. Make it do what you want it to do for good. Is not that what hackers have always done on both sides of the fence? Making things do what they were not intended to do? Time to get creative and turn the table on computer crime.

The catch is then, with a new more secure creation, who do you trust? Go public, the crackers know it, and who in the world knows who they are? Really.

Posted by bewoofy1 (6 comments)
last comment
I am talking about backdoors encoded into the hardware. Can we even trust the boards in our pcs anymore? The board has already been 'breached'. It is a question of how badly. It does not matter if a thing is a router, firewall, cell phone, digicam. They are all computers with 'pc architecture circuitry', processors, ram, etc. The only difference is that they are designed to do different things.
Posted by bewoofy1 (6 comments)
