Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Software News

Information Security Is Becoming Infrastructure 75

Bruce Schneier has a story at Wired about his observations from the recent RSA conference. He noticed that the 350+ vendors who attended the conference were having difficulties selling their products or even communicating with potential buyers. Schneier suggests that the complexity of the security industry is forcing it away from end-users and into the hands of companies who can bundle it with the products that need it. Quoting: "When something becomes infrastructure -- power, water, cleaning service, tax preparation -- customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers. No one wants to buy security. They want to buy something truly useful -- database management systems, Web 2.0 collaboration tools, a company-wide network -- and they want it to be secure. They don't want to have to become IT security experts. They don't want to have to go to the RSA Conference."
This discussion has been archived. No new comments can be posted.

Information Security Is Becoming Infrastructure

Comments Filter:
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Sunday April 20, 2008 @11:32AM (#23135016)
    Comment removed based on user account deletion
    • Re: (Score:2, Insightful)

      by PDG ( 100516 )
      I read your post the other day and agreed whole heartedly with it. I remember back in '97 when PGP keys were parts of email signatures and such.

      Now, its unheard of.

      I've set my machines up with GPG and my wife's as well, and autoconfigured them to encrypt any and all email between the two of us, but my attempts to get others to do so has proven fruitless.

      I harp the same line Zimm did--when you put a letter in the mailbox, you put it in an envelope, right? Why is email any different?
      • I harp the same line Zimm did--when you put a letter in the mailbox, you put it in an envelope, right? Why is email any different?

        While in some sense I agree that the problem with encryption is that it isn't ubiquitous, isn't easy to use and isn't the default, I think part of the problem is that email isn't the functional equivalent of sending a letter in the mail. It's the functional equivalent of sending a postcard. Most the emails with my wife are at the level of "the puppy ate (insert another e

        • Maybe you'd stop eating expensive things if you weren't so cold and wet.
        • by PDG ( 100516 )
          Agreed on the unimportant email, but plenty of important info gets passed along via email as well.

          I also agree that the stuff does need to be transparent. The fact that I pre-configured my wife's computer to do it automatically is proof of that (because she doesn't have a clue)

          The core problem is the lack of options right now. Unfortunately there doesn't seem to be a lot of importance placed on secure email so GPG is about all we have.
        • Re: (Score:2, Informative)

          by Eighty7 ( 1130057 )

          Putting pgp keys in our emails doesn't help that. It has to be transparent. And that's exactly what Scheiner is saying.

          Yeah, good luck with that. In my experience, mail encryption is fundamentally difficult - like going from driving cars to planes. You have to know the basics of key management ie get someone's PUBLIC key, encrypt messages using HIS public key & he decrypts using HIS private key. That's already a dealbreaker for most people. Does he seriously expect they'll listen when he talk about ke

        • by umghhh ( 965931 )
          well transparent or not belief that users can stay ignorant while industry does its hocus-pocus is just silly. I do not need to know all the gory details of how the car I drive to work every day works but knowing the basics helps to make intelligent guesses e.g. not to buy Toyota's hybrids because they are less efficient than 'normal' cars or to use safety belt etc. On the same principle I prefer to know what and how the tools that protect me and my electronic transactions work. Ignorance may be a bliss but
        • People do not see email as postcards. A friend of mine runs a small website, and people use email to contact the company for orders. A surprising number of them include their credit card numbers RIGHT IN THE EMAIL. That is INSANE! These are the same people who worry about typing those numbers into websites!
    • ... I "don't want to go through the minimal (to us) effort of working with crypto," and except for my work (and hobbies) as programmer, I should not have to work with crypto. Microsoft should have made that a standard feature, with shortcut icon to Properties including others' public keys, of all user actions resulting in 1+ bits sent off the client. If an Internet browsing program can legitimately be described as integral enough to computing to be part of the operating system, then encryption damn well is
  • by convolvatron ( 176505 ) on Sunday April 20, 2008 @11:36AM (#23135040)
    maybe the problem with selling security is that is that the products are a pile of afterthought patches. security is a property that should lie at the foundations of a design. why should i put some 1u appliance with alot of molded plastic on my ethernet at all?
    • by houstonbofh ( 602064 ) on Sunday April 20, 2008 @11:51AM (#23135114)
      I was thinking this myself... I could be that people don't understand it. But it could be that the products don't work all they well. Or it could be that a bad network design makes it all pointless anyway. But get HP or BMC in there with a big network plan that includes security, and it works.

      I think they have it backwards. Security isn't a utility, it is a highly technical skill. You need a person, not a box.
    • Re: (Score:3, Interesting)

      by eihab ( 823648 )
      A similar conclusion can be drawn from the article:

      The booths are filled with broad product claims, meaningless security platitudes and unintelligible marketing literature. You could walk into a booth, listen to a five-minute sales pitch by a marketing type, and still not know what the company does. Even seasoned security professionals are confused.

      This is the state of security products for the most part nowadays, hoax products and snake oil salesmen "IT'S 2009 READY!!!1!".

      Now, I do agree with you that security should lie at the foundation of a design, but security also works by constructing layers of defense. No matter how good your design/implementation is, software is very complicated and someone will slip somewhere.

      Unless you write your own OS, design your hardware and write its firmware, then wr

    • by alen ( 225700 )
      it's the same with any product

      a herd of tiny companies makes something to fix some obscure problem that 99% of people will never encounter but the marketing hype makes it seem like the end of the world
  • Comment removed (Score:4, Interesting)

    by account_deleted ( 4530225 ) on Sunday April 20, 2008 @11:45AM (#23135084)
    Comment removed based on user account deletion
    • A lot of companies don't want to pay for it, because they think it should have been designed in the project in the first place too... Or assume they're secure. A lot of the snake oil has one good side, it makes people aware the security wasn't in, in the first place.
      However, since those salesmen have a product, not a redesign, to sell, none of their solutions really address the problem, but makes them a lot of money.
      I'm mostly talking about smtp and spam here, but the same concept applies elsewhere, to a
  • NOOOOOOOOO (Score:5, Insightful)

    by Original Replica ( 908688 ) on Sunday April 20, 2008 @11:46AM (#23135090) Journal
    the complexity of the security industry is forcing it away from end-users and into the hands of companies who can bundle it with the products that need it.

    Great, once again the tools I need to protect myself are being taken away given to "the professionals". So if all the security tools go to the ISPs and other infrastructure how do I protect myself from ISP spyware?
  • i can't count how many products are crazy ways to push updates or check for updates or are just easier ways for admins to use features of Windows or some other MS product that is part of the product but requires more than clicking a button to make it work. I use SQL 2005 and there are so many ways to get into the guts of the product and see what is really happening that it will take months to learn it all. but there is no shortage of products that do the exact same thing except with a colorful GUI and so yo
  • by smithfarm ( 862287 ) on Sunday April 20, 2008 @11:58AM (#23135152) Journal
    Whether you're a computer user or a small shop owner in the Bronx, nobody likes paying for security.
  • Good news. (Score:3, Interesting)

    by Shoten ( 260439 ) on Sunday April 20, 2008 @11:59AM (#23135154)
    This is a good thing. I'm working on a proposal for a...well, it's $900 million worth of something, I'll say that. It's a huge project, with a lot of different technologies (even by IT standards). I'm the "Security Tower," the group of people responsible for security in the solution, and I've never had it so easy. Sure, there are firewalls, and an IdM extension to support SSO, and a few other things for security, but for the most part our security is architectural. Every area of the solution has products with security infused into them to some degree, whether it's encryption for the endpoints, key management for the central system that manages the endpoints, and so on. Instead of having to wait until the rest of the solution was finalized, and then play catch-up to try and get security added in, it's been a matter of mapping requirements to security functionality that is already there.
  • Of course, security consultants think that security should be left to the professionals. (ie, them)

    The information security people are getting jealous because project managers have the certification/religious body (PMI) and a certification (PMP) that is basically required for many serious projects. That keeps the rates high by limiting the marketplace and mandating some prescribed process for doing everything.

    Security consultants like to put that "CISSP" on email signatures and business cards because it mak
    • Re: (Score:3, Insightful)

      by ladybugfi ( 110420 )
      Bollocks.

      The answer is not just to give more money to security consultants (like me, a CISSP + GSNA) nor hw/sw vendors.

      The answer is to develop a good security management framework that works for the organization. Security is not a product or a consultant or a service. Security is a process. Invest into developing the process and the organization is set to survive whatever the Chinese/Government/God throws at it.
    • Re: (Score:2, Insightful)

      by Anonymous Coward
      IT people are finally starting to question the dubious value of cash-cow security software like AV, so the security community rolls out some more fear-mongering.

      It's remarkable how many PMPs are really risk-seeking, control-averse, self-declared security expert cowboys trying to impress the bosses on how many shortcuts they've taken to get the project out the door. Outlooks like this are far from scarce and unfortunately leads to the purchase of expensive common-control level solutions to compensate post-im
      • by Bargeld ( 621917 )
        Well damn, wish I'd read your reply before I posted. Far more eloquently stated than I put it. /salute

    • by Bargeld ( 621917 ) on Sunday April 20, 2008 @02:26PM (#23135998) Homepage

      Of course, security consultants think that security should be left to the professionals. (ie, them)
      Because it should. Or more accurately, oversight of it should. But when you have security-savvy architects, project managers, and (rarely) business-line managers, it makes the need for micro-managed technical oversight MUCH less. But no matter what, someone needs to be managing the big picture of risk across all the silos of expertise.

      Security consultants like to put that "CISSP" on email signatures and business cards because it makes them sound like doctors or lawyers, but at the end of the day, nobody really gives a shit.
      Amen :) It's always struck me as a grandiose, sad conceit...and I _AM_ a CISSP. It'll be a cold day in hell when I throw it around like a badge of pride, let alone authority, because frankly, it's a mediocre standard. Management at my last employer forced me to write the exam "to make our practice more credible to clients", and I spent a whopping 2 days "studying". The bar it sets is...very low. Not bad for a foundation, but not good for much else.

      I've been doing infosec work for over 17 years now, and IMO, the "problem" as it were, is that the demand for expertise has utterly outstripped the experienced pool of talent.

      Net result? Exactly what you observe: "cash cow security" that is more focused on implementing wildly expensive (and frequently Rube-Goldberg-esque) technology solutions. Why? Because the inexperienced security practitioner immediately and inevitably turns to vendors for "turn-key solutions" to every risk (and many non-risks :)

      Conversely, the much smaller number of people with substantial experience in the trenches are the ones who might point out that a $50,000 security awareness campaign _just might_ reduce net risk a WEE BIT more than a $3million 17-tier-firewall-atrocity. Or that a 10-man-hour risk assessment by security professionals attached to EVERY project's design phase _just might_ have a better chance of reducing risk than a $30k penetration test of every project by an external vendor that is 9 times in 10 a glorified canned vulnerability scan by a junior drone.

      Not much of this is likely to change anytime soon. Sad to say, information security is still a very young and immature science. Things won't get better until the experience-pool gets deeper.

      --Bargeld
      • Not much of this is likely to change anytime soon. Sad to say, information security is still a very young and immature science. Things won't get better until the experience-pool gets deeper. --Bargeld
        You make a valid assessment of the IT Security industry. My question is how and where do the "junior drones" find the knowledge and experience that is needed?
        • by Bargeld ( 621917 )
          Time :(
          Wish I had a better answer. There might be one.

          PS: My "drones" snark is directed more at consultancies selling BS than at inexperienced-but-learning security people trying to do their job. Used to be in charge of a security consulting practice, and was sabotaged endlessly by a sales force positioning my team as "all created equal", or promising that in a pinch _I_ would personally deliver every engagement, so boilerplate SOW's are just fine. It's all about the billable, baby...*sigh*
      • I totally agree with you on taking proactive measures during the planning phases of the project. That also makes me stop and think that the team-building approach that Brooks laid out in the "Mythical Man-Month" is the type of approach that would help address problems like this.

        When people talk about the Mythical Man-Month, they usually refer to the assertion that throwing people on a project tends to delay the project. But another key point in that book was that the programming/implementation team was more
        • by Bargeld ( 621917 )

          If you took a bright programmer on each team, and had her focus on security issues as a primary responsibility, I think you'd develop a fantastic core of security expertise on project teams. Certainly better than the drive-by security types that dominate the field.

          Slowly but surely, I see more companies "getting this". It's been many years since I've had trouble finding "that guy", the bright dev or admin who also gives a shyt about security, who WANTS to be the evangelist, the translator, and work together with infosec from 'go'. The opposition to this approach is usually bureaucratic, rooted in upper management who historically view infosec as adversaries (and to be fair...many security professionals, even experienced ones, HAVE frequently been adversarial and aut

  • by Doc Ruby ( 173196 ) on Sunday April 20, 2008 @12:13PM (#23135218) Homepage Journal
    One advantage of security as infrastructure rather than as products is that infrastructure is the foundation of a service, not just something bolted on afterwards.

    The biggest problem with security is that it's added afterwards as a "deluxe feature", rather than integrated with every design and implementation detail. Adding security afterwards means always catching up with the original insecure condition. It means creating an insecure system that the bad guys like, then fighting your own system along with the bad guys while you labor to secure it.

    But the "built-in" tech shouldn't become completely invisible. The bundles should be transparent, not closed and opaque. Because nothing has a higher risk of insecurity than something unknown that you can't inspect. And no matter how well a vendor inspects their own secure component, if it's properly secured no extra scrutiny makes it less secure, only more. Leaving it transparent, visible only when you inspect it, is the best, safest tech.
    • by yuna49 ( 905461 )
      Along the same lines, my general predisposition is to remove as much responsibility for security from users as is possible. That means scanning email for viruses before they reach the desktop, blocking users from downloading dangerous payloads (like executables) over the web, and so forth. Security should be a part of infrastructure, not something tacked on at the users' end.

      Perhaps one reason why it's so hard to figure out what those guys are hawking at the RSA conference is that what they're really hawk
      • Your network is most likely infected with the Microsoft Windows virus.

        Along the same lines, my general predisposition is to remove as much responsibility for security from users as is possible. That means scanning email for viruses before they reach the desktop, blocking users from downloading dangerous payloads (like executables) over the web, and so forth.

        Your diligence is commendable, by the way, but if the client machines on your network were running professional-grade operating systems, that would not be necessary. Limited User accounts really should only be able to run executable programs which are located on a protected partition, which in turn should only be writable to the Administrator.

        Security should be a part of infrastructure, not something tacked on at the users' end.

        True. And if the operating system isn't computing infrastructure, then ffs, what is?

  • Most security problems are a result of misunderstanding the purpose of an object in the infrastructure, and telling other components lies about its nature (permissions boosting). Bad admin does this with a human face. Poor products do this when out-of-the-box configurations don't match the user's requirements, allowing too much be begin with, or having options that bad admins change inappropriately.

    So, how do we do this in a product-based environment? Do we need new module API, covering anything that comm

  • The vast bulk of ongoing security issues is because of a single glaring market/government oversight-software is not being required to have a normal consumer warranty. Is it a product like other products-as patents suggest-or is it a work of creative art, like copyright suggests?

    I contend that society needs to make a clear distinction between the two and force the industry through legislative action (because voluntary is clearly not working) to choose one or the other, but not both.

    If
    • forced to code so well that normal warranties can be offered. This would stop the massive release of perpetual betaware that has never ending security and functionality issues, and separate the truly thoughtful and "engineering first" efforts- from the good companies that would succeed

      That is true, but it would also raise the price of an OS several fold and require more restrictions to be placed on application designers. Car manufacturers can require that you only use certain, high rated tires for their [stretcher.com]
      • Expensive? Damn straight. I'd pay $1000 for an OS that was warranted to be secure for my work computers, wouldn't you? Heck currently I pay orders of magnitude (real orders of magnitude, not market-speak orders of magnitude) more than $1000 for the software on my business servers. Then, I'd run the $100 "home edition" on a gaming rig. And a shortlist of third party software? Bring it on. I'll only run Adobe and Kodak at work, and then put "Uncle Bob's HAckSorS Shareware" on said gaming rig. Kind of like how
        • by sjames ( 1099 )

          Perhaps you should look at an s390. You'll get the warranty you want for orders of magintude more cash. Alas there is no "home edition". All bets are off if you run Adobe on it, that's a different vendor.

      • The medical profession and insurance and pharma industries needed the slap downs because in the old days they were killing people or maiming them and got away with it. And even despite more scrutiny they are still trying to dodge safety issues, such as using barely knowledgeable academics as a "name brand lead author" on papers (headline article in recent JAMA). Nope, that liability was needed, they brought it on themselves because they refused to self regulate. If they had done it from day one they never w
        • by sjames ( 1099 )

          Actually, Warranties are NOT going to help and are NOT practical in software as we know it.

          For one, when is that last time you have seen anything that absolutely warrants against break-in? Certainly not your car or house. Risks digest has had several postings about keyfobs that unlock several cars in the same parking lot and even one where the physical key operated an identical car. The dirty secret of home security is that anyone with the ability to kick hard and a hammer can break in and disable most al

          • by zogger ( 617870 )
            "However, $20,000 OSes with $50,000 word processors is simply not going to fly."..you just pulled that out of thin air, you have no actual idea what it might cost, do you? I have an OS and a "word processor" that costs zero and is inherently by past historical track record significantly more secure than OS and word processors that costs hundreds of dollars now.

            You want a metric, the rest of all industry has one, it is very, very simple, you sell something and it is bogus and causes physical or financial har
            • by sjames ( 1099 )

              I based the prices on the guesstimate of 100 times the price. That's the same as the liability markup on drugs but considerably less than the may not fail cost for space shuttle avionics software.

              Please name any industry that warrants against criminal acts (such as breaking and entering) committed by a 3rd party (hint, there re none). Since there are none, there are also no metrics for it. Even safes and armored cars don't absolutely warrant that they won't be broken in to, only that they will "resist" fo

              • That's an easy one, whomever you handed the cash to for your OS or the third party application that hosed you. If they in turn turned around and blamed someone else in their vendor stack, so be it, such is the nature of cutthroat predatory capitalism. It is the system we have, the software snakeoil peddlers just want the "caveat emptor" exclusion. So far, they have it, eventually, someone who got really took and has deep pockets and is finally fed up enough with the ridiculous EULA nonsense is going to brea
                • by sjames ( 1099 )

                  Just so you know, I agree a lot of software is crap, and soem of it in addition to being insecure is also unfit for it's purpose. I'm just saying that in order to bring law into it, there must be legal standards.

                  I *KNOW* that whoever wrote the crap part is to blame, I'm not stupid. I'm saying that if *you* buy an OS from one place, pay someone else to install python, and then buy my python program from me and install it, who gets the blame when you get hacked? You'll probably blame me and it'll cost me a

                  • We have this huge security industry that by default is always one step behind the level they need to be at. There's little to no accountability anywhere though. If no one is at fault for designing and pushing bad products, then why bother with the security at all then? It never actually works all that well "in the field", the existence of huge botnets prove this. And I think it is because software releases that have no accountability to them encourage just more of the same. At a minimum it should be clearly
                    • by sjames ( 1099 )

                      There is one phenominon I have no explaination for. If we can figure that out, many of the stability and security issues would solve themselves.

                      MS (primarily, but others as well) repeatedly announces new improved versions just like Lucy holding the football for Charlie Brown. Like Charlie Brown, users everywhere for some reason fall for the hype and believe that the result will be different this time in spite of decades of history. When MS announces a new release I am nearly to the point of actually heari

      • by Skapare ( 16644 )

        It's one thing to make an OS fully secure. It's something else entirely to make it enforce security on other products. I want the former and not the latter. It is then my responsibility, delegated to the makers of the applications I add on, to make sure the applications themselves are secure. The OS only needs to provide the necessary facilities that applications might need. If an application specifically allows anyone that can reach that computer to login and erase crucial files, that is an issue of t

  • While I agree in principal that security should be embedded as a core component in the services sold and puchased, I hope organizations realize security cannot really be bought simply like "..and add 1kW of power, thank you".

    The correct amount and nature of security is very much relative to the risks the organisation is facing. Those risks are dependent on the kind of business they're doing and also on their business model.

    However, as a security professional I still see people who say "It must be ... mmm ..
    • No amount of "security as infrastructure" will help if organisations do not have a good risk management and analysis framework or do not understand what kind of security they need and how much. If they don't understand it, they cannot ask it of the vendors and thus they will get either nothing or something random.

      I've only encountered a few companies that could even implement anything like "Best Practices" for security. Why? because currently INFOSEC is seen as a cost to the company without any type of revenue from it, like most of IT, only worse. When your blocking traffic from a poorly created application that a company depends on, or a mis-configured windows clustered server, INFOSEC is blamed for outages, because it's the one thing that actually does it's job, the rest of IT will see security as something preve

  • he seems to be the only person that consistently "gets it." Does he need a surrogate to carry his children?
  • You can't take care of security at the infrastructure level. Insecure products can be built on a secure infrastructure. Commercial software will continue to force users to run with elevated permissions. New document formats and communications channels will provide new places for malware to hide. Infrastructure cannot police end-to-end secure tunnels.

    Unless everyone participates in security, the system is not secure. As we learned years ago, a password can be purchased for a candy bar. Millions of AO
    • No, we learned how many people are either willing to write down their password or lie about it for a chocolate bar.
  • Theres a desire for information security to be "easy" and automated, but when it comes down to it, thats the last it (information Security) can be, at least until AI is perfected. It will always take a human who understands the technology and the implications of network/workstation based attacks on the small and large scale. There are just to much complexities in todays networks that a single device/application/solution could deal with effectivly without human intervention.

    They don't want to have to become IT security experts

    Maybe not but someone will

  • This is interesting...are we actually thinking security is separate from the underlying applications or services that are being implemented? Security is an element of a solution we provide to our customers or if your an internal IT shop, the end-users. Sure there are components that are purely infrastructure items that IT uses to secure an environment, such as IDS\IPS, Anti-Virus, Firewalls, etc. Maybe this Slashdot post shows us a symptom of the overall lack security posture technology companies tend to ta
  • by kscguru ( 551278 ) on Sunday April 20, 2008 @01:58PM (#23135812)
    From TFA:

    I can't figure out what any of those companies do
    Anyone doubt this? Let's take a tour through a few products that "make you more secure":
    • Antivirus: works by scanning files being written to/from disk, and by scanning I mean "run ~1 million instructions in an emulator then see if it matches a virus pattern". Requires weekly updates to latest definitions. One of the most successful "security" products
    • Static code analysis tools (e.g. Coverity). They take your source code, run a heavy-duty static analysis program on it, and point out memory leaks / double frees, uninitialized variables, and other flaws. My educated guess is that 1/3 of viruses involve such a problem. Useful, but to a manager, you can find a different 1/3 of flaws with a manual code audit that costs about as much.
    • Windows Vista (yeah, ha ha). Includes improved account control and privilage separation! Except that most users get so sick of the Allow box that is required for so many things on Windows that Vista has NOT fundamentally increased security.
    • Network intrusion detection appliance - you plug this into your network, and it does something when it detects a malicious access pattern - I dunno, maybe it bakes cookies? But detecting malicious access patterns makes you more secure!!!
    The security product that takes off will be one that says "with product X, you will never experience security problem Y". Unfortunately, the security products out there are crap (product X decreases chances of problem Y from 1% to 0.01%) and security folks are the most paranoid about providing any guarantees. (Use the word "impossible" at a security conference and watch what the blogosphere does to you. I dare you.)

    In other words: most security products provide a small marginal gain, while their vendors tout them as essential, must-have products.

    The single most telling "security" trait I have seen is from the security group at my employer. They send out a feature proposal, and then flame anyone who disagrees with by saying "if you don't agree to this, we'll probably get hacked next year and it will be your fault for being against the security of our products!". Never mind the technical flaws (ASLR doesn't work when you map 1GB of contiguous memory in a 32-bit process) or performance implications. Security "sells" based on fear, and the security industry sales arm has yet to realize they have cried WOLF too many times for purchasers to take them seriously anymore.

    • Ahh yes FUD (Fear, Uncertainty and Doubt) The previous INFOSEC company I worked for was all about that. Best sales technique they had. It's definitely a self-perpetuating meme, that lately, companies have started to ignore.
      • by base3 ( 539820 )
        Good. It's about god-damned time that "security" ceased being a magic word that made money and organizational power come from the sky for those who uttered it.
    • Static code analysis tools (e.g. Coverity). They take your source code, run a heavy-duty static analysis program on it, and point out memory leaks / double frees, uninitialized variables, and other flaws. My educated guess is that 1/3 of viruses involve such a problem. Useful, but to a manager, you can find a different 1/3 of flaws with a manual code audit that costs about as much.

      I'd argue that if your software is important enough to deserve a thorough manual audit, you should probably consider doing both as they tend to catch different sorts of problems. Witness all the code cleanup that has been done in FOSS code on the basis of bugs found through Coverity's DHS funded code scanning service [coverity.com]. Other than that, I'm pretty much in agreement with what you say.

  • Didn't Scheneier mean Computer Security is becoming a commodity (infrastructure sounds rather vague)? Is it really a bad thing? I mean, security is such an essential part of every thing that it really is supposed to be a commodity IMHO. Nevertheless, I disagree with him, it is very hard to embed security for all aspects in all products, so you always going to need supporting tools or services that will complement the security of the product you are interested in (like Antivirus Sofware complements Operating
    • Embedding security in other products may be hard (I don't entirely agree with this), but it is what is essential. Security should not be a separate product.

      For example, if you have a router between your LAN and your link to the internet, that router should be performing the security function for you. If you want to block certain ports from being connected to via the internet, block it there. If you want to establish a VLAN tunnel to another office, you could do it there.

      To the extent that any separate

  • From TFA (Score:3, Insightful)

    by techno-vampire ( 666512 ) on Sunday April 20, 2008 @03:55PM (#23136568) Homepage
    No one wants to buy security. They want to buy something truly useful...


    And there you have it, ladies, gentlemen and slashdotters, the problem in a nutshell. People don't want to buy security because they don't think it's useful. And then what happens when their site gets defaced or their database hacked? They blame the admins, that's what. They never, ever admit that it happened because they wouldn't pay the price needed to secure their machines, they just blame somebody else for not keeping them safe even though they didn't have the tools to do the job.

    • They never, ever admit that it happened because they wouldn't pay the price needed to secure their machines, they just blame somebody else for not keeping them safe even though they didn't have the tools to do the job.

      First, you admit that the price of keeping those machines secure exceeds the total value of the machines. As with any commodity, we blame the manufacturers of defective products for the damage done using those products for their advertised use. It's only Microsoft shirking their responsibility here, not Microsoft customers.

      • First, you admit that the price of keeping those machines secure exceeds the total value of the machines.

        No I don't. Security software and the extra time to install, upgrade and maintain it isn't anywhere near that expensive, and if it is, it shouldn't be. Of course, we're probably talking Windows here, where security is nothing more than an afterthought tacked on at the last minute. If we're talking Linux, Unix or some other real OS, it's largely built in from the ground up, making your claim even le

        • That was an imperative, not a declarative sentence.

          First, you admit that the price of keeping those machines secure exceeds the total value of the machines.

          No I don't. Security software and the extra time to install, upgrade and maintain it isn't anywhere near that expensive, and if it is, it shouldn't be.

          You overestimate the "value-add" of the crappy machines then. "Security" should be an adjective we use to distinguish good software from insecure software. Any product that does require separate "security software" to become realistically usable for its advertised functions would not succeed in a free market any better than doors that unlock from both sides without a key.

          Of course, we're probably talking Windows here, where security is nothing more than an afterthought tacked on at the last minute.

          No, I was and am certainly talking about Microsoft. I specified that twice -- in the

  • Most bad things that happen to users these days because they clicked a link that goes to a web site that installs malicious code. It seems that the largest security problem is that end users do not want to take the necessary minimal precaution (for whatever reason). It make no sense to me to try to build a "fool proof" infrastructure. The problem resides more with the end users and his/her computer. Since most computers (especially MS) like to use the internet to install software/updates. The problem is no
    • Why do browsers even have a "run malicious code" function?

      In "The Emperor's New Groove" there is a running gag where someone pulls the wrong lever and falls through a trap door into an alligator pit, then returns dripping water and kicking away alligators and asking "Why do we even *have* that lever?"

      Why does Firefox have a mechanism to install extensions to Firefox from within a Firefox window?

      Why does Internet Explorer have a mechanism to run native code downloaded from a website?

      Why does Safari have an '
    • I'm kind of stumped by who Schneier (and some readers in this thread) think attends RSA. I went last year, and it did not look to me like an end-user conference. It looked to me like it was a lot of people from companies large enough to have more than one person doing IT, and a company of that size is offering security as infrastructure to its users.

      Are they doing it well? It's all over the map. Are they at least aware that they're doing it? One hopes so. But most of the attendees that I saw were clea
  • The reason security infrastructure sells is the same reason why security books don't. It is the same reason we want air bags, not driving lessons.

    No one wants to learn anything, especially if it has nothing to do with the task at hand. We want it to just work, and it should.

    Just prevent it, don't make us think about it unless you want some of us to make mistakes.

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...