Schneier: 'We shouldn't need a security industry'

We expect cars to come with brakes, so why are we happy to pay again to secure our technology?

By Will Sturgeon, 26 April 2007 09:31


Outspoken author and security guru Bruce Schneier has questioned the very existence of the security industry, suggesting it merely indicates the willingness of other technology companies to ship insecure software and hardware.

Speaking to silicon.com at the InfoSec show at London Olympia this week - a leading trade show for the security industry - Schneier said: "The fact this show even exists is a problem. You should not have to come to this show ever.

"We shouldn't have to come and find a company to secure our email. Email should already be secure. We shouldn't have to buy from somebody to secure our network or servers. Our networks and servers should already be secure."

Schneier, CTO at Counterpane, said his own company was bought by BT last year because BT realised that security needs to be part of any service, not an add-on at additional cost and inconvenience to the user.

His words echoed those of Lord Broers, chair of the House of Lords science and technology committee, who suggested every company - from operating system and application vendors to ISPs - needs to take greater responsibility for the security of end users.

Schneier said: "Security is a small but important piece of the bigger picture," adding consumers shouldn't accept any product that is inherently insecure.

However, Graham Cluley, senior technology consultant at Sophos, suggested Schneier's dream is a long way from reality. "Why didn't everybody think about this sooner?" he said. "It would be great."

Cluley added: "It would be great if robberies didn't happen and if road accidents didn't happen and if I didn't stub my toe but what you have to realise is that software developers are human and humans make mistakes.

"I can't imagine there ever being a 100 per cent secure operating system because a vital component of programming that operating system is human."

Speaking to silicon.com, Jon Collins, service director at analyst house Freeform Dynamics, expressed his own doubts about the value of the security industry but said it will always be fed by dual forces of end-user error and the shipping of insecure products.

He said: "I always used to think the security industry existed to make people scared and then sell them something to protect them from what they were afraid of. But now I think it exists because of what people are prepared to buy," adding that security investment tends to be reactive to a problem a company has already suffered - making security a "fire extinguisher industry".

But Collins added it's not true to suggest user reaction is always due to inherently insecure software or hardware. "Even if everything was secured the end user would still find a way to configure it wrong or install it wrong or enable the wrong privileges and permissions," he said.

Comments

There are 13 comments.

  1. Simon Bain

    I see that Graham Cluley is looking at his own job. Of course robberies happen and yes I have stubbed my toe (on a needle actually that needed an operation) however I think he misses the point.

    It is not that we do not need a security industry, just that "we do not need a security industry" to secure what should already be done. A bank secures its money as best it can. A robber then steals it and the police get involved and security experts look at the robbery and add extra security. However initially that bank did at least try. If not they would not get insurance. Application vendors generally miss this bit out expecting the likes of Sophos to pick up on their lack of security conscience. Surely Sophos would be far better at the top end of industry not at making sure Mr & Mrs email is secure. It should already be...

  2. Tony Whitby

    Can he define where security starts and software ends? For instance, is a firewall an unnecessary security product, or necessary software/hardware to provide a common interface to maintain secure access to company systems? More 'Pie in the Sky'!

  3. misceng

    Buffer overrun seems to be the major source of security breaches in current software. I remember the days of interpreted Basic. Then I wrote programs with a routine which accepted all inputs and passed them byte by byte to the routine that should accept them. The routine vetted the input and would not accept any bytes in excess of the necessary input. Is it naive in this age to expect similar care in handling buffering?
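As an added illustration of the byte-by-byte vetting the commenter describes (example code added here, not the commenter's own routine), the function below copies an untrusted byte sequence into a caller-supplied fixed buffer one byte at a time, checks each byte, and rejects the whole input rather than silently truncating or overrunning when it does not fit. The `FIELD_*` result codes, the `vet_field` name and the sample inputs in `main` are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for vet_field (constructed for this example). A non-negative
 * return is the number of bytes copied; negative values are rejections. */
enum { FIELD_TOO_LONG = -1, FIELD_BAD_BYTE = -2 };

/* Copy srclen bytes from untrusted src into dst (capacity dstcap, including
 * the NUL terminator), vetting one byte at a time. The input is refused,
 * and dst left as an empty string, if it would not fit or contains a byte
 * that is not printable ASCII. This is the "accept only as many bytes as
 * the receiving routine needs" discipline from the comment above. */
int vet_field(const unsigned char *src, size_t srclen, char *dst, size_t dstcap)
{
    size_t i;

    if (dstcap == 0)
        return FIELD_TOO_LONG;          /* nowhere even for a terminator */

    for (i = 0; i < srclen; i++) {
        if (i + 1 >= dstcap) {          /* byte i would leave no room for NUL */
            dst[0] = '\0';
            return FIELD_TOO_LONG;
        }
        if (!isprint(src[i])) {         /* reject control bytes, CR/LF, high bytes */
            dst[0] = '\0';
            return FIELD_BAD_BYTE;
        }
        dst[i] = (char)src[i];
    }
    dst[i] = '\0';
    return (int)i;
}

/* Convenience wrapper for NUL-terminated input. */
int vet_field_str(const char *s, char *dst, size_t dstcap)
{
    return vet_field((const unsigned char *)s, strlen(s), dst, dstcap);
}

int main(void)
{
    char buf[32];
    char oversized[64];
    int rc;

    /* Constructed sample inputs. */
    memset(oversized, 'a', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    rc = vet_field_str("user@example.com", buf, sizeof buf);
    printf("well-formed field: rc=%d buf=\"%s\"\n", rc, buf);

    rc = vet_field_str(oversized, buf, sizeof buf);
    printf("over-length field: rc=%d (rejected, buf=\"%s\")\n", rc, buf);

    rc = vet_field_str("user\r\n", buf, sizeof buf);
    printf("field with CR/LF:  rc=%d (rejected, buf=\"%s\")\n", rc, buf);

    return 0;
}
```

The design choice worth noting is that an over-length input is an error returned to the caller, not something to be trimmed to fit: truncation hides the fact that the sender supplied more than the protocol allows, which is exactly the condition the routine is meant to surface.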

  4. Will McMeechan

    Cars come with brakes, yes, but despite that there are still crashes and cars are stolen, which is why there is a very healthy SECURITY industry as well as the INSURANCE industry making a great deal of money from car drivers.

  5. Dr John Dimmock

    The wide area network cannot be truly policed simply because it is not owned by any government, corporation or individual; this means that security must be the responsibility of the user.

    There are many ways of securing emails, including (free) public key encryption; the main problem is that the vast majority of users simply do not understand the "open" nature of the "inter" network and have quite understandably become accustomed to the great speeds available and low costs in respect of written communications.

    Snail mail, using the UK national postal system (Royal Mail), is at least in some kind of "wrapper" and is (at this time) delivered by "trusted" employees; email in its basic format is simply not a secure transit method.

    Dr John L Dimmock - Technical Director
    Media Services Sussex Ltd
    Metroweb Network Services
    First Internet UK Ltd
    MetroCell Ltd

  6. anonymous

    "We expect cars to come with brakes, so why are we happy to pay again to secure our technology?"

    This is a rubbish analogy; you expect a car to come with a lock.

    But people still pay extra for an engine immobiliser, an alarm and a tracker (monthly fee), so I don't see why your OS / technology should be any different. If you want better security then you have to pay for it.

  7. me

    Interesting analogy, but cars were around for about 80 years before better locks appeared, another 10 before deadlocks; and then you could always break a window, so immobilisers, and... you get what you pay for... or not, as the case may be. Maybe a question of perceived risk versus the cost, as with everything in life; and the perception varies with time, it's then called experience. So all in all not much difference between the two industries. Once again it's people. We produce the "perfect system" and 5 minutes later the users break it. That's life, innit?

  8. Dr Mark Hosey

    Allow me to reiterate comments I have previously made in reply to articles regarding security in Silicon.com.
    I believe it is time for the introduction of European standards that clearly define acceptable levels of security all software must attain before European marketing of those products. Standards work for all other industries, so why not software and ISPs?
    In the past I have also expressed the sincere belief that ISPs must provide a minimum level of security for all services they provide their clients.
    I regard my ISP connection as another front door on my house connecting it to the outside world. The last thing I want is some shoddy product on or connected to my PC that leaves me and my family vulnerable to criminal activity.
    ISPs and software writers have a duty of care to provide us with safe and secure products and services just as any other manufacturer or service provider of other products used in the home or business does.
    Surely the insurance industry must get involved and drive for measures that make the internet a safer and more secure medium?

  9. Rob Garner

    Gold bars and Pokemon card collections require different levels of security. The same is true of data. So whilst applications should provide an inherent level of security, additional layers are always going to be required depending on the data owner's perception of its value.

  10. Nick Cole

    People aren't happy to pay extra; it's just that we don't have any choice.

    The very people who design and implement the flaws make an income from the fixes and protection that is supposed to insulate us from their design failings!

  11. Barmak Meftah

    Very interesting set of assertions. One of the ways that I think would be most effective for technology products (software or hardware) to be inherently secure starts with the buying habits and requirements that should be put on vendors by the consumers of those products. If vendors are held accountable to prove to consumers that their products have gone through appropriate security checks before their products can be sold, it would drive the priority of inherent security to the very top. If this becomes an obstacle in the sales cycle for vendors, we can have high hopes for secure email solutions, for example, without having to hire experts or solutions to make email systems secure. Security has to become an integral part of the development, testing and deployment lifecycle of any product.

  12. Andrew Rice

    I've made this argument not just about security, but also quality and training. Software should be intuitive, self checking and not allow invalid input. We are a long way from these ideals. Why?
    Time, money and control. In the early days, systems were entirely bespoke, built for a purpose. Now you get your OS with the hardware, your applications from another vendor, your comms from another, your security from another. Programs are developed by developers who know nothing about programming. They know more about designing and reusing code than bits, bytes and original thought (apologies to the few who do). This hotchpotch means no one company can take overall responsibility for the system, leading to the weaknesses we have to clean up. (I actually left my HND course as I had continuous arguments with the lecturers over this and Y2K being someone else's problem.) Whilst users don't care enough to understand why one browser may be more secure than another and prefer to use the one handed to them on a plate, and businesses do not insist on having a fully understood system, these problems will continue.
    Would it be practical to have the perfect hardware, OS, applications and communications? We would not have had the rapid growth in business, information sharing and world dynamics if we had had to wait and pay the price for this. Business and consumers mitigate the risks associated with the poor environment by investing in specific security. Whilst this cost is less than the cost of dealing with the security event it is protecting against, this is acceptable. One day there will be an even more major security event. Some have already happened (one such outbreak caused an international company to close its network for 5 days and cost $50,000,000. I know of this one as I was involved in the cleanup; how many other companies were affected, I don't know), but when the big one hits we may well see the push needed to get suppliers to develop better code, systems and communications, but there will always be a need to have the checks and balances we can offer.

    Regards
    Andrew Rice

  13. anonymous

    Rob Garner is right; it depends on what you're trying to secure.

    It would seem Big Business owes us a duty of care to secure the data it has on us by encrypting it, as was alluded to in another article.

    Would encrypting data make Big Business less reliant on Network Security products?

    I can't help wondering how much the banks spend annually on perimeter security whilst leaving us all open to fraud by the magnetic strip on the back of Chip and PIN credit cards.

    It just strikes me as really inconsistent.

    As the Whistleblower TV programme showed, people are still the weakest link, and some of these organisations shouldn't be trusted with our data.
