[ISN] Schneier questions need for security industry

From: InfoSec News (alerts@private)
Date: Fri Apr 27 2007 - 01:35:23 PDT


http://news.com.com/Schneier+questions+need+for+security+industry/2100-7355_3-6179500.html

By Will Sturgeon
Special to CNET News.com
April 26, 2007

LONDON - Outspoken author and security guru Bruce Schneier has 
questioned the very existence of the security industry, suggesting it 
merely indicates the willingness of other technology companies to ship 
insecure software and hardware.

Speaking this week at Infosecurity Europe 2007, a leading trade show for 
the security industry, Schneier said, "the fact this show even exists is 
a problem. You should not have to come to this show ever."

"We shouldn't have to come and find a company to secure our e-mail. 
E-mail should already be secure. We shouldn't have to buy from somebody 
to secure our network or servers. Our networks and servers should 
already be secure."

Schneier, chief technology officer at BT Counterpane, said his own 
company was bought by BT Group last year because the U.K. 
telecommunications giant realized the need for security to be part of 
any service, not an add-on at additional cost and inconvenience to the 
user.

His words echoed those of Lord Alec Broers, chair of the House of Lords 
science and technology committee, who suggested every company, from 
operating system and application vendors to ISPs, needs to take greater 
responsibility for the security of end users.

"Security is a small but important piece of the bigger picture," 
Schneier said. He added that consumers shouldn't accept any product that 
is inherently insecure.

However, Graham Cluley, senior technology consultant at Sophos, 
suggested Schneier's dream may be a long way from reality. "Why didn't 
everybody think about this sooner?" said Cluley. "It would be great."

"It would be great if robberies didn't happen and if road accidents 
didn't happen and if I didn't stub my toe," he added. "But what you have 
to realize is that software developers are human and humans make 
mistakes.

"I can't imagine there ever being a 100 percent secure operating system, 
because a vital component of programming that operating system is 
human."

Jon Collins, service director at analyst house Freeform Dynamics, 
expressed his own doubts about the value of the security industry but 
said it will always be fed by dual forces of end-user error and the 
shipping of insecure products.

"I always used to think the security industry existed to make people 
scared and then sell them something to protect them from what they were 
afraid of. But now I think it exists because of what people are prepared 
to buy," he said, adding that investment in security products tends to 
be reactive to a problem a company has already suffered, making security 
a "fire extinguisher industry."

But Collins added that it is not true to suggest that user reaction is 
always due to inherently insecure software or hardware.

"Even if everything was secured, the end user would still find a way to 
configure it wrong or install it wrong or enable the wrong privileges 
and permissions," he said.

Will Sturgeon of Silicon.com reported from London.

Copyright 1995-2007 CNET Networks, Inc. All rights reserved.
