
What a bunch of bull

Schneier is off on a sue-your-way-to-security-nirvana run again about software security: "The primary reason the IT security industry exists is because IT products and services aren't naturally secure."

Naturally secure. Naturally secure. Naturally secure. I can't seem to get it through my head. What the heck does "naturally secure" mean? Name any non-trivial asset or resource that is "naturally secure." Now, up the ante with an intelligent adversary. Somebody, please - what is it that can be naturally secure against an intelligent adversary?

The notion of "natural" security in the face of an intelligent adversary is so fundamentally ignorant that the whole thing must be a charade. It isn't even a pipe dream - it is an impossibility. Throw in the fact that IT resources are increasing in value and function and there is no doubt of that impossibility.

There is a comment to that same post attributed to "Bruce Schneier" and if it really is Bruce Schneier, then his motives become clear. He writes, "And nothing will change until you can sue that guy's ass if his security products don't work." Yeah, right.

TrackBack


Listed below are links to weblogs that reference What a bunch of bull:

» Soylent Security from Lori MacVittie
Soylent Security [Read More]

» IT Seat Belts from Perilocity
Once people, especially customers, come to expect something, companies may do it without even being sued or having laws about it. But people, for all their pride in individuality, are strongly influenced by what everybody else does. [Read More]

» IT Security Industry from Richard Veryard Software Industry Analysis
It's always useful to ask provocative questions. Questions like "Do we really need X?" (or the equally provocative "Does Y matter?") shouldn't be dismissed with a simple Yes/No answer. Such questions call for an exploration of the true actual or potent... [Read More]

Comments

Peter,

I find this post and your Computerworld completely disingenuous.

Much has been written about the economics of computer security and like many industries before it there has been resistance to change and accountability.

Once upon a time you couldn't expect that your doctor or your engineer was accountable either, until eventually people got regulations and such.

The history of new products and technologies is one of rapid new developments, snake oil, and eventual regulation as people come to expect a certain level of quality and accountability from the products and services they buy.

You attempt to make the point that software is somehow inherently different than other products without actually making a strong case that it is.

If I buy software that claims to provide certain features and benefits, and it doesn't deliver, at what point can I expect that the developer/vendor had some fault? Should software vendors never be liable for faults in their software? Maybe just never liable for faults exploited by a third-party?

What about a lock vendor that says their lock is pick-proof, and then it gets picked by the average Joe? Should I be able to get restitution from them?

One of the best pieces I've read on the topic came from Cem Kaner - http://www.badsoftware.com/theories.htm.

I've tried to write about it a little on my blog as well but I think he does as good a job as any in explaining the multiple theories of liability that might apply to a given software security/quality situation.
