Security

Do We Really Need a Security Industry?

netbuzz noted that Bruce Schneir's latest column discusses the security industry where he points out that "The primary reason the IT security industry exists is because IT products and services aren't naturally secure. If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure."
  • "Schneir"? (Score:5, Informative)

    by sczimme ( 603413 ) on Thursday May 03, 2007 @03:14PM (#18978221)

    At least spell his name correctly: Schneier [schneier.com].

    • by johnwyles ( 704259 ) on Thursday May 03, 2007 @04:10PM (#18979383)
      A better question is: Do we really need columnists like Bruce Schneir telling us what a perfect world might look like?
      • Re: (Score:3, Informative)

        Bruce Schneier is not "a columnist". He invented the firewall, and is one of the more clued people regarding IT security in the world.
      • Re: (Score:3, Insightful)

        Let's put this a different way: how big is the market for putting tougher locks on automobiles? Of course they still get stolen, and there used to be a pretty good market for after-market car alarms, but most cars have a good enough security system (in the opinion of their owners, that is). Most computers, though, if they were cars, have no locks on the doors, and it's far too easy to bypass the ignition key, steal the fuel, and so on.

        I think that's what Mr. Schneier is getting at: most appliances and th
  • by teknopurge ( 199509 ) on Thursday May 03, 2007 @03:14PM (#18978233) Homepage
    The article assumes security is static: "..if computers were designed to not be susceptible to virii.."

    If it's not virri or worms or buffer-overflows then it would be something else. Human intellect has this uncanny ability to grow and adapt.
    • Mod parent up! (Score:5, Insightful)

      by khasim ( 1285 ) <brandioch.conner@gmail.com> on Thursday May 03, 2007 @03:20PM (#18978377)
      Also, do not forget that an Internet connection allows anonymous attackers to assault your systems 24/7/52.

      Having a firewall may not force the workstation software providers to improve their security. But the firewall provides a single point where you can focus intensive monitoring efforts.

      We live in a world where people will trade their password for a bar of chocolate.

      Over time the technology WILL get better. We're already seeing some of that. But in the end, even with perfect software security, we will still have problems because PEOPLE will be using the systems.
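An added example, not part of khasim's comment or anything else on the original page, of what "focus intensive monitoring efforts" at the firewall can look like in practice: two small shell filters that summarize host-firewall log lines by source and by destination port. It assumes netfilter/UFW style kernel log lines containing `SRC=` and `DPT=` fields; the log lines embedded below are constructed for the example and use TEST-NET addresses.

```shell
#!/bin/sh
# Added example, not from the original thread: make the firewall's log readable
# as a single choke point. Assumes netfilter/UFW kernel log lines with SRC= and
# DPT= fields. The lines below are constructed (RFC 5737 TEST-NET addresses).

SAMPLE_FW_LOG='May  3 15:14:01 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22
May  3 15:14:02 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23
May  3 15:14:03 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=445
May  3 15:14:04 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=3389
May  3 15:14:05 host sshd[1234]: Accepted publickey for alice from 192.0.2.20 port 50000 ssh2'

# Blocked connection attempts per source address, busiest first.
# Output lines look like: "3 203.0.113.5". Non-firewall lines are ignored.
blocked_by_source() {
    awk '
        index($0, "[UFW BLOCK]") > 0 {
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "SRC=") count[substr($i, 5)]++
        }
        END { for (src in count) print count[src], src }' | sort -rn
}

# Distinct destination ports one source was blocked on, ascending, space-separated.
# Many different ports from one source in a short window is a crude scan indicator.
ports_probed_by() {
    awk -v src="$1" '
        index($0, "[UFW BLOCK]") > 0 {
            hit = 0; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == ("SRC=" src)) hit = 1
                if (substr($i, 1, 4) == "DPT=") port = substr($i, 5)
            }
            if (hit && port != "") seen[port] = 1
        }
        END { for (p in seen) print p }' | sort -n | paste -s -d ' ' -
}

# Demonstration on the constructed sample. On a live Ubuntu host the same
# filters can be fed with:  journalctl -k | blocked_by_source
printf '%s\n' "$SAMPLE_FW_LOG" | blocked_by_source
printf '%s\n' "$SAMPLE_FW_LOG" | ports_probed_by 203.0.113.5
```

The `journalctl -k` line in the comment is one way to obtain kernel log lines on a systemd host; the field names (`SRC=`, `DPT=`, the `[UFW BLOCK]` prefix) are what UFW's default logging emits, and a different firewall's log format would need the two `substr` checks adjusted.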
    • In other news (Score:5, Insightful)

      by Otis2222222 ( 581406 ) on Thursday May 03, 2007 @03:54PM (#18979043) Homepage
      If people didn't commit crimes there wouldn't be a need for police.
    • by neoform ( 551705 )
      I'd say it's more of a problem of an idealistic viewpoint.

      It's like saying "if humans are so civilized, we shouldn't need militaries.."

      It's a nice thought, but there's always fighting amongst people, and computers and technology will always have flaws..
    • Re: (Score:3, Insightful)

      by neiby ( 1097305 )
      I hate to nitpick, but the word is viruses, not virii. You may not return to your regularly scheduled program.
    • In the English language, the standard plural of virus is viruses. This is the most frequently occurring form of the plural, and refers to both a biological virus and a computer virus.

      The less frequent variations viri and virii are virtually unknown in edited prose, and no major dictionary recognizes them as alternative forms. Their occurrence can be variously attributed to hypercorrection formed by analogy to Latin plurals such as alumni or false analogy to Latin plurals such as radii; idiosyncratic use a

    • Virii is not a word (Score:3, Informative)

      by Anonymous Coward
      Virii isn't a word. It's not the Latin plural of "virus". It would be the plural of "virius", if that were a word, which it isn't. Quite plainly, "virus" has no Latin plural. "Viri" is the plural of "vir", which means 'man'. In Latin, it was a catch-all for "poison". It has no plural in the same way the English word "everyone" has no plural.

      There are entire wikipedia articles on this issue. What you're doing is wrong, and I've modded you down for being an idiot. The correct plural is "viruses". Start using
  • O RLY? (Score:5, Insightful)

    by wampus ( 1932 ) on Thursday May 03, 2007 @03:15PM (#18978237)
    And if our buildings and public places were built securely, we wouldn't need police, right?
    • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Thursday May 03, 2007 @03:34PM (#18978703)
      From TFA:

      If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall.

      Now, take a default installation of Ubuntu Feisty Fawn. Even if you hook it straight into the Internet WITHOUT an external firewall (or running any firewall software) you'll still be very secure.

      That's because, by default, there aren't any open ports. There's no way for any worms to attack your system. That's just basic security practice.

      Now, there are other ways to crack a default Ubuntu installation. But they require that the admin have done something to make it LESS secure (or you can physically access the box).

      Your example is about the physical world. And the problem there is that physical access is already assumed. We can take steps to REDUCE the physical access, but that still leaves social engineering attacks.

      You will always need police just as you will always need sysadmins who will READ THE SECURITY LOGS. No matter how secure you are.
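An added check, not part of khasim's comment or anything on the original page, for the "no open ports" claim above: a shell filter that lists TCP listeners bound to something other than loopback. It assumes a Linux host with iproute2, reading the output of `ss -Hltn`; the `ss` output embedded below is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: test the "no open ports" claim
# by listing TCP listeners reachable from the network. Assumes Linux with
# iproute2 and the output of:  ss -Hltn
# (-H no header, -l listening sockets, -t TCP, -n numeric). Sample is constructed.

SAMPLE_SS='LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*'

# Print the local address:port of every listener not bound to loopback.
# Column 4 of ss output is the local address; 127.x and [::1] are skipped,
# so wildcard binds (0.0.0.0, *, [::]) and specific interface addresses remain.
exposed_listeners() {
    awk '$1 == "LISTEN" {
            addr = $4
            if (substr(addr, 1, 4) == "127." || substr(addr, 1, 5) == "[::1]") next
            print addr
         }'
}

# Number of exposed listeners; 0 is what "no open ports" means in the comment.
count_exposed() {
    exposed_listeners | wc -l | tr -d ' '
}

# Demonstration on the constructed sample. On a live host run:
#   ss -Hltn | exposed_listeners        # TCP
#   ss -Hlun | exposed_listeners        # UDP (UNCONN state; adjust the $1 test)
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
echo "exposed listeners: $(printf '%s\n' "$SAMPLE_SS" | count_exposed)"
```

The filter answers only the question the comment asks, whether anything is listening for unsolicited inbound connections. A count of zero says nothing about client-side vectors (a browser, mail reader or package tool reaching out), which is the "other ways" the comment itself allows for; UDP sockets show up under `ss -lun` with state `UNCONN` rather than `LISTEN`, so check those separately.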
      • by arivanov ( 12034 ) on Thursday May 03, 2007 @03:51PM (#18978975) Homepage
        Err... I think you took the example too literally.

        That is beside the fact that the original analogy is wrong. What Bruce thinks is that as computing becomes a utility the security needs will decrease.

        I hate to disagree. They will remain, probably even increase to match the "it just works" expectations you have for a utility.

        Utilities do not have less expenditure on security just because they have become a utility.

        Water companies have to deal with mandatory security of the water supply. Gas companies have to deal with mandatory security of the gas grid. Electrical companies need to provide security of the electrical grid. Old style telecommunication companies have some very hefty obligations regarding the availability of their communications in an emergency and have expenditure related to that as well.

        Add to this the day-to-day battle with fraud and theft of service. Even without "national minorities" going around and digging out all of your copper cables and selling them for scrap there is a very large expenditure on security in any utility. Granted, it no longer appears as an item on the end-user bill, but it is there nonetheless. And lots of it.

        If it all ends up being folded into the utility fold it may in fact end up being more than now. Everything else aside a utility is obliged to maintain a certain standard of service, hence 100% of Joe Bloggs will be covered by AV and firewall, not 1% like now and so on.
        • What Bruce thinks is that as computing becomes a utility the security needs will decrease.

          No, he thinks that as computing becomes a utility, the market for selling security to end users will fade away, because the 'utilities' will be buying the security wholesale. Users won't care about whether any anti-virus products are running on Google's servers; they'll only care if they can get access to the shared documents that they run their businesses on.

          What Schneier is saying is that security won't be an add-o

        • Re: (Score:3, Interesting)

          by cduffy ( 652 )

          What Bruce thinks is that as computing becomes a utility the security needs will decrease.

          That's not what he argues, though.

          If you RTFM, Bruce's article argues that as computing becomes a utility, security will become "baked in" such that 3rd-party, add-on security products will, to the extent that they exist at all, be implicit functionality that users don't need to think about. To the extent that security will become cheaper, that's because R&D on it will be largely paid for by the utilities (who have

      • Better yet, turn the box off, disconnect all of the cables and bury it in 100 feet of concrete on a US Marine base and tell them that it contains nuclear secrets, which must be protected at all costs. Then, your box will be secure, it will also be unusable. IT security is always a trade off between security and usability. A server with no open ports is not a server, it's an island of useless resources. It's not a bad admin who opens ports, it's just a function of the job. Now, as stated, that admin shou
    • by grcumb ( 781340 ) on Thursday May 03, 2007 @03:56PM (#18979105) Homepage Journal

      And if our buildings and public places were built securely, we wouldn't need police, right?

      Put down that analogy; you're liable to cut yourself. 8^)

      Security in buildings and public places represents an utterly different problem set from software security. They have virtually nothing in common. Suggesting that software security today is like (heh) a walk in the park is wildly wrong.

      I hate analogies, because they cloud things more than they clarify them. But if I were to use yours, I would say that if our buildings and public spaces were better policed, we wouldn't need to pay for personal, individual security guards who pat down and disarm even our friends before they allow us to so much as look at one another.

      Schneier's point is valid. In a healthy, heterogeneous software environment, the threats are fundamentally different from those we face today. We could move from trying to protect ourselves from clicking on tainted image and document files(!) to creating secure site configurations tailored to our particular needs. I too dream about the day when we have configurations that are not so draconian that people are precluded by fear from taking advantage of some of the Internet's greatest advantages: the end to end network.

      There are some who will say that software is inherently insecure, and that it cannot be secured. There are some who say that people using 'safe' technologies and processes are only safe by virtue of the fact that there are easier targets in abundance. They are wrong. And this is Schneier's point: Whatever inherent problems there may be in software security, the vast majority of Windows users - let's call a spade a spade - work in an environment that is so utterly flawed that there is a quantum difference between the security issues they face and the vastly more limited security issues they could be facing, if only the manufacturers would cease to treat security as a cost centre external to their core business.

      • The core argument of the analogy is:
        If people behaved properly, we wouldn't need an entire field of work to clean up after them.

        If people coded properly, we wouldn't need security products.
        If people obeyed the law, we wouldn't need cops.
        In other words, "No kidding, Schneier. Welcome to the real world, where people don't act in an ideal manner."

        You're reading things far too literally (focusing on the details in the difference in security models) to get the core message.
    • And if our buildings and public places were built securely, we wouldn't need police, right?


      It isn't possible to build buildings that are completely impenetrable to human attack on their own. It is possible to build software that is, assuming no physical attacks involved.

    • My take (Score:3, Interesting)

      by Jaime2 ( 824950 )
      My take on this article is that it is a bad thing to separate "IT Operations" from "Security". It annoys me every time I see a company that has a "Chief Security Officer". Security is a fairly unique problem and can't be handled the same way as getting the lawn cut.

      You can always create a "Groundkeeping Crew" and then no one else in the entire company would have to worry about the grass. However, the day you create an "IT Security Task Force", everyone else lets down their guard. Products like persona
  • by geek ( 5680 ) on Thursday May 03, 2007 @03:15PM (#18978241)
    If murderers just stopped wanting to kill us. If drivers just wouldn't have accidents. If kids just didn't wander into swimming pools and drowned..........

    Utopia is a pretty cool place. I'd like to go there too.
    • Re: (Score:3, Interesting)

      Actually, disturbingly, you have that backwards...

      The concept was that if computers were secure anyway, threats to them would be non-issues.

      The simile isn't "If murderers just stopped wanting to kill us." More accurately, it's "It's the victims' fault for being murderable."

      It's about on a par with those who claim the students at VT deserved what they got because they didn't protect themselves by carrying guns.
    • Re: (Score:2, Insightful)

      by borroff ( 267566 )
      Well, anyone can be killed, if the assassin is willing to sacrifice their life, so that one is difficult to argue with. Let's make a better analogy: If our computers can be thought of as a place to store valuables (private information, etc.), let's compare the computer to a bank.

      Over the years, banks have become more and more secure, and a bank robber (a physical bank robber, not a hacker) has a very low probability of getting away with it without being caught. Why? Because banks have put a lot of effor
    • by jsebrech ( 525647 ) on Thursday May 03, 2007 @05:34PM (#18980671)
      Utopia is a pretty cool place. I'd like to go there too.

      You make it sound like building software that is secure by nature is impossible. It isn't. SELinux is secure by nature. Qmail is secure by nature. Qmail is guaranteed by the programmer to not have security bugs, with a $500 bounty for the reporter of the first exploit.

      Modern desktop operating systems have mediocre to poor design from a security perspective. They could be built a lot better, only they're not because it is far more profitable to not improve the security and focus on features instead (flashy window animations sell better than being bulletproof).

      Heck, even the software I build for a living is far less secure than it could be, because I have feature-pressure forcing my hand.
  • by Anonymous Coward
    I mean they only exist because cars aren't built perfectly.
    • Contrary to what people are saying here, security isn't an either-or problem, just like your example of car mechanics.

      If we all had crappy cars that needed repairs every 200 miles, we'd need a LOT of mechanics (plus a lot of spare parts). If we had great cars that only needed service every 300,000 miles, we'd still need mechanics, but very few of them.

      I don't have any statistics to back this up, but I'll hazard a guess that people spend a lot less on mechanics, on average, than they did 30 years ago. Back
  • by uarch ( 637449 ) on Thursday May 03, 2007 @03:15PM (#18978245)
    The primary reason we need law enforcement is because people don't always follow laws. If people always followed the law there wouldn't be any need for law enforcement. If bad people weren't allowed out of childhood no one would bother buying guns or even locks on their doors. If everyone was generally nice we wouldn't have to spend billions every year enforcing the law.
    • by non ( 130182 )
      no, in some cases, people don't follow laws because they're using a different life strategy. in the animal world there are plenty of examples of what are known as 'cheater' strategies. in certain species of frogs sexual attraction is based on the sonic qualities of the frog's croak; deeper croak = more attractive. some frogs would likely never get reproductive opportunities because they don't croak deeply enough, so they hide between the water and a deep croaker so that a female leaving the water to mate wi
    • The primary reason we need law enforcement is because people don't always follow laws. [...] If everyone was generally nice we wouldn't have to spend billions every year enforcing the law.

      This is a logical fallacy.

      We don't need to spend billions every year enforcing the law, anyway.

      We have a number of laws which not only need not be enforced, but should not be enforced.

      If we stopped enforcing the bullshit laws, we would be able to spend a lot less money.

      However, we continue to enforce them because they

  • And if (Score:2, Funny)

    by 0racle ( 667029 )
    If a frog had wings he wouldn't bump his as ass it hopped.

    Nothing's perfect, those imperfections can be exploited. There will always be a need for security products.
    • Re: (Score:2, Funny)

      by Floritard ( 1058660 )
      How did this get +3 Funny? He screwed the order up and didn't even bother to use the funnier colloquialism "bump it's ass a'hoppin'!" No imagination. Then again I could tell you an even funnier and more cliché quip, but then I'd have to kill ya! Ha!
  • It's kinda like saying that someone who gets raped is responsible because they didn't have martial arts skills, and wouldn't need mace or a stun gun in the first place if only judo was taught at schools or something crazy like that. Where does the blame game end?

    You wanna know whose fault it is? It's the person breaking the law, breaking the systems. But you know what you can do about that? Next to crap.
  • If if's and but's were candy and nuts, then what a wonderful world it would be!
  • by jshriverWVU ( 810740 ) on Thursday May 03, 2007 @03:15PM (#18978263)
    In a perfect world software would meet its requirements perfectly. But because of politics, timing, money, or just overlooking a single character in the source, bugs do and will happen. Just the way the world works. Same thing goes for anything. If your TV breaks, you take it to be repaired or get a new one.
  • Yeah (Score:5, Insightful)

    by SpiffyMarc ( 590301 ) on Thursday May 03, 2007 @03:15PM (#18978267)
    Sure, why not? You don't rely on the contractors who build your house to provide all the security you could ever need, but you do expect them to install windows and doors that lock. Windows and doors that lock aren't inherently "impenetrable", though. If you want to go beyond that, you call ADT or someone similar and let them take it to the next level.
    • Re: (Score:3, Insightful)

      by Red Flayer ( 890720 )

      Windows and doors that lock aren't inherently "impenetrable", though. If you want to go beyond that, you call ADT or someone similar and let them take it to the next level.

      So you go get aftermarket security for your windows and doors. What Schneier is saying is that for IT, the ADT-equivalent in your analogy will be introduced into products pre-market. It's like the builders of your home automatically installed ADT and Sloman and you just know that you're secure without knowing what ADT and Sloman are. I

      • by AGMW ( 594303 )
        So you go get aftermarket security for your windows and doors. What Schneier is saying is that for IT, the ADT-equivalent in your analogy will be introduced into products pre-market. It's like the builders of your home automatically installed ADT and Sloman ...

        Actually, I'm not sure that's what he's saying at all. To continue with the building analogy, what (I think!) he's saying is that the current OS's (well, OK, those from M$) are like buying a house but it not having any windows or doors. The whole th

  • by PhxBlue ( 562201 ) on Thursday May 03, 2007 @03:16PM (#18978279) Homepage Journal

    If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. ...

    And if pigs flew out of my arse, I wouldn't need to go to the supermarket to buy bacon. What's his point?

  • by xtracto ( 837672 ) on Thursday May 03, 2007 @03:17PM (#18978299) Journal
    As long as there is a human behind the computer, there *will* be a possibility of exploiting a vulnerability on the system... the human being.
    • As long as there is a human behind the computer, there *will* be a possibility of exploiting a vulnerability on the system... the human being.
      This is, of course, why Microsoft created UAC - that way ALL issues are a PEBKAC!
    • by bobdehnhardt ( 18286 ) on Thursday May 03, 2007 @03:30PM (#18978627)
      Amen. Technology is limited, and the bad guys know where those limits are. Awareness is a huge part of the equation, no matter how much technology you throw at it, and no matter how tight that technology is.

      Never underestimate the power of human stupidity.
      Always remember that a human is in the matrix.
      • Up to a point, yes. But if security can be had without teaching the user, all the better. No email should be able to infect a computer just because it is being received by a mail application. No user should have to know the inner workings of a firewall, let alone know how to install one. Because, as you said, never underestimate the power of human stupidity. The trick is to take the user out of the equation. And that seems to be the gist of (at least the second part of) the article.
    • Re: (Score:3, Insightful)

      by Tim C ( 15259 )
      That's exactly what I was thinking.

      There is nothing that a computer can do to protect itself from a determined user with the root password. If I want to install the latest BonziCometWeatherCursorBuddyBug crapware then my PC can't stop me, no matter how secure the OS is. Even if OSes and applications could be 100% hardened against remote exploits, there's nothing that can be done about trojans, other than educating the users and using anti-malware products.

      To be honest, I expect better from Schneier - he of
    • As long as there is a human behind the computer, there *will* be a possibility of exploiting a vulnerability on the system... the human being.

      Don't worry; that annoying problem will be eliminated soon when SkyNet goes online.
    • Re: (Score:3, Insightful)

      As long as I live, there is a possibility that I will be killed from a blow to the head by a meteorite. But do you think that an entire industry needs to be dedicated to this? The security industry doesn't depend on the possibility of exploits alone, some threshold of severity must first be passed. I mean, if Windows was never invented, and we were all using user-friendly Unix-based systems, do you really think there would be a dedicated anti-virus industry?
  • I've really been saying this for years. It's like digging a hole then putting a piece of wood over it so you can cross the hole. Why not just never dig the hole in the first place?
    • Exactly! Who needs software! I buy my computer to sit there and look pretty.

    • Re: (Score:2, Funny)

      by pturing ( 162145 )
      I suppose you're posting this comment via a snail-mail to http gateway.
    • It's not like we're digging holes deliberately.

      It's more like we're making multi-story buildings, and flooring is so complex & costly that we only put flooring where we expect people to walk - then someone has the blindness, gall and/or malice to wander somewhere nobody was meant to go and obviously shouldn't, and ends up where they shouldn't.

      Utopian totally-secure software is extremely costly to create.
      The imperative is to create software that does what it's supposed to (which is hard & expensive e
  • Clearly, computer security is overrat
  • If people would just behave themselves, buy better locks, and get some guns, we wouldn't need the police. If politicians would act 100% in line with the will of the people and the constitution, we wouldn't need the courts. If...

    Humans act as fractures of a whole; it's called society. A person does what that person does best and others make up for the failings. This extends to our software as well. When we try to consolidate too much, we get monocultures with which problems begin to become transparent to t
  • we wouldn't need vaults!

    -Rick
  • Baby & Bathwater (Score:2, Insightful)

    by __aaanwh8370 ( 67651 )
    And if humans weren't susceptible to cancer, we wouldn't need oncology.
    And if humans weren't always metabolizing away their energy store, we wouldn't need the food industry.

    The point being that the computer is susceptible to these unfortunate side effects for the same reason that they're so successful in the first place - being part of an open ecosystem, being able to adapt, being able to interconnect, being able to hide information from users so that they can attend to value-add tasks.

    Not that we coul
  • So the reason we have a security industry is because lazy programmers can't see all edge cases in a virtually infinite system. That's like saying that if only we lived in sterile white rooms all our lives, we wouldn't need health insurance.

    • That's like saying that if only we lived in sterile white rooms all our lives, we wouldn't need health insurance..

      More like saying that all doctors should also be nutritionists, since what he's actually saying is that all the code-writers should be the security industry.

      The initial statement seems to imply that he's saying that we should eliminate the industry. That's obviously a bit extreme, and I'm sure that there are going to be lots of people who will blow apart that strawman argument.

      The more importan
  • "The primary reason separation of powers exists is because government powers and services aren't naturally protective of your rights. If politicians were already respectful of your rights, there wouldn't be any need for checks against abuse of power. If corrupt congressmen couldn't be used to sell out your rights to the highest bidder, no one would bother with congressional oversight or independent counsels. If there were no more unconstitutional laws or executive overreach, no one would need a Supreme Court m
  • Why aren't IT products and services naturally secure, and what would it mean for the industry if they were?

    Because they're made by humans, and humans are imperfect.

    To put it another way, we wouldn't need seatbelts if only we didn't have road accidents, and we wouldn't need lawyers if we didn't have arguments, we wouldn't need police if only people would stop breaking the darn law, and we wouldn't need Slashdot mods if only all of us here acted nice and smart all the time.

  • Yeah, but... (Score:3, Insightful)

    by ushering05401 ( 1086795 ) on Thursday May 03, 2007 @03:21PM (#18978413) Journal
    Secure out of the box doesn't matter. Secure after I have installed the many third party programs I require to run my business matters. Secure after my clients install the latest OS 'update' matters.

    There is no way to absolutely positively guarantee any complex product can remain safe over a period of time as the environment it runs in will change through both vendor and user additions to that environment. And anyways, the market does not want to wait for 'secure.' The market hardly waits for 'workable.'

    Bruce's question is interesting on some levels, but seems shallow in a number of ways. That being said I read him all the time.

    Regards.

  • ...or I'd be unemployed! :)

    But seriously. Yes, we do. Of course, in a perfect world, we don't need it. In a perfect world, we could also do without a fire department, even without police. If there's nobody breaking the law and if accidents don't happen, there's no need for either.

    Yes, a secure system would make security easier. Duh. But perfect security doesn't exist. Perfect security would be a perfectly secure system AND (and that's the part TFA doesn't bother to see) a perfectly secure user.

    As long as
  • by Evil W1zard ( 832703 ) on Thursday May 03, 2007 @03:22PM (#18978425) Journal
    I say just build an unbelievably simple AIS that has zero functionality. Thats right: no user interfaces, no applications, no storage of information, not even a keyboard. Then we wouldn't have to worry about all that nasty malicious code, and keystroke loggers and... Oh crap someone just walked in and stole my do-nothing non-functional system. Guess I still need physical security.

    I have the utmost respect for Bruce, but that statement is fairly ridiculous. It's like saying if we built automobiles that could never crash then we wouldn't need road rules. Basically you can sub anything into that statement. If we made food that wasn't unhealthy we wouldn't need Jared and annoying Subway commercials...
  • by Lord Ender ( 156273 ) on Thursday May 03, 2007 @03:22PM (#18978429) Homepage
    The problem here is that 99% of software purchasers simply don't have the ability to evaluate a product on the merits of its security. They do have the ability to evaluate products (1) on the merits of their prices.

    The companies that develop software know that (2) doing security properly is extremely expensive, and requires hiring skilled specialists, and integrating those specialists at all levels of the development process.

    When you take points (1) and (2) into consideration, you realize that there is a lot more ROI in developing cheap insecure software than there is in developing expensive secure software.

    This is an example of capitalism failing due to poorly-informed consumers. But I can think of no way to solve the problem (a security quantifier???), so the industry will continue along as it does today: cheap software and band-aid security.
  • by boyfaceddog ( 788041 ) on Thursday May 03, 2007 @03:23PM (#18978455) Journal
    "The primary reason the IT security industry exists is because IT products and services aren't naturally secure."

    Which is like saying that the primary reason the physical security industry exists is because buildings aren't naturally secure.

    That simply isn't true. It exists because people are sneaky little bastards who naturally want what other people have. You cannot make something secure enough to keep everyone out - physically or digitally.
  • by mcmonkey ( 96054 ) on Thursday May 03, 2007 @03:23PM (#18978459) Homepage

    The primary reason the IT security industry exists is because IT products and services aren't naturally secure.

    Do we really need locksmiths? If buildings were naturally secure (aka didn't have doors or windows), we wouldn't need locksmiths.

    However, people need to get in to and out of buildings, so we need doors. And sometimes we need to control which people are going in to and out of a building. So we need locksmiths.

    So, if your IT systems are powered down, unplugged, encased in carbonite, and buried at the bottom of the sea, then the answer is no, you do not need a security industry. Or, at the other end, if all your IT doors and windows are open, and you don't care who comes in and out, then again, you do not really need a security industry.

    But if you want some people to have access to your computer but not others, or you want to control the level of access people have, then yes, you do need a security industry.

  • This doesn't make sense:

    If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure.

    If they are secure out of the box, then effort and money will have gone into making them secure out of the box. Thus a security industry will still be necessary, just more integrated with the development of a product.

  • While the software industry has substantial room for improvement, look at cars. Most cars are fairly secure out of the box (far more than most software), but LoJack still finds a decent market.
    • Most cars are fairly secure out of the box (far more than most software)

      bahahAHahAHaHAHhahahA!

      You are hilarious.

      Most cars are not worth stealing out of the box. The risk factor and what you get from the chop shop or the exporter ain't worth it.

      But thousands of cars are stolen every year, especially the cars which are most lucrative for theft.

      The cars with the really high-tech theft prevention equipment are the least stealable for the average person, but someone with very good equipment can unlock your

  • I could rule the world. Better yet, we need a computer "lock box" to protect our computer stuff.
  • The only way to completely secure a computer is to turn it off.

    Instead of paying $39.95/year for a virus scanner license, $29.99/year for a firewall subscription, and $9.98/year for a spam filter, I think it would be far more effective for everyone to pool their money and hire hitmen to track down the 'bad people' and do 'bad things' to them. I bet you'd see the need for more secure computing go down. As it is now, they're not afraid of anything.

    http://www.imdb.com/Find?select=Quotes&for=pair%20 of%20pl [imdb.com]
    • Recall what happened to a major spammer sometime last year?
      Seems a lot of people thought it happened because of his spamming, and they were very happy about the results.
  • As long as humans use computers.... Yes.

    Wtf? Did this blurb totally overlook social hacking?

  • We will always need IT security. Because just like almost anything else out there in the technology field there are always ways around things and ways to break things. Take for example the encryption techniques for HD-DVD etc. While some may argue that they implemented flawed security, the movie industry must have had some level of confidence in the security mechanisms when they first rolled the systems out. Same is true for almost everything else. I do though feel that if companies did do more quality c
  • I like Bruce, but what the hell is he on about? Personal computers are designed to execute arbitrary code. If they weren't, we'd hack them so they would be (TP?). If you can execute code, you can find a way to wreck a system. Sure, it can be hard, but there will ALWAYS be a need for security specialists, and security software. Sure, virus scanners may one day disappear, but rootkit scanners, phishing lists, etc will take their place. Just because your computer engineering is perfect doesn't mean your
  • I don't think I've ever seen so many separate comments each with their own analogies before.

    One thing that hasn't been brought up (that I saw anyway), is that even if software security issues were mostly eliminated and the industry found itself without a consumer market for anti-virus products and firewalls etc. there will always be a niche market for specific applications where that little bit of extra security is needed. Intrusion detection systems, forensics software etc. will always have a market. And p
  • by Random BedHead Ed ( 602081 ) on Thursday May 03, 2007 @03:40PM (#18978809) Homepage Journal

    If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall.

    Sounds like a good reason to implement the Evil Bit [faqs.org] for all IP traffic from now on. (Of course, if you own stock in a firewall distributor or other security company, better diversify before they implement this RFC.)

  • by blindd0t ( 855876 ) on Thursday May 03, 2007 @03:44PM (#18978863)

    If people were perfectly peaceful, we wouldn't need laws or governance

    If everybody washed their bums correctly and cooked meat well every time, nobody would have to worry about butt-worms

    If people were perfectly courteous and attentive on the road, there would be no need for auto-insurance

    So now let us imagine what it would take to get to a point where we no longer need people specialized in securing and maintaining the integrity of data. Do We Really Need a Security Industry? YES! We most definitely do, and always will! Is there room for improvement? Yes, vast, and there always will be!

    • Re: (Score:3, Interesting)

      by DECS ( 891519 )
      The real solution to butt-worms is having people not demanding food all the time. If people weren't hungry, we wouldn't need a food industry, and we could spend all that frivolously wasted money on podiums for pontificating analysts.

      That would also rid the world of the foodborne butt-worms problem. Actually it would trade off butt-worms of one sort for another, but you can't have it all.

      http://www.roughlydrafted.com/ [roughlydrafted.com]
    • But the problem is we don't need as large or expensive an industry as we have now. If we weren't using Windows, we wouldn't have to worry much about viruses, and that means we wouldn't need Norton or Symantec or McAfee any more. That's a lot of money saved.

      We'd still need people to look for security holes and fix them, but that's something the OS vendors should be doing.

      To relate to your other analogies:

      If people were more peaceful, we wouldn't need as many laws or police.

      If people were better drivers, we
  • The scariest part is the "security industry" is filling up with green newbies fresh out of college.
    They have all the right credentials and certifications. Only silver lining is if they don't screw up too badly, they may last long enough to get some real experience.

  • by gelfling ( 6534 ) on Thursday May 03, 2007 @04:06PM (#18979295) Homepage Journal
    Shouldn't code be able to debug itself? Do we still need auditors? Why? Shouldn't our training and processes be up to snuff by now? See the point of a 'security industry' is not because things should work this way or that way but because they in fact DO work this way or that way. That's why they call it engineering, because it's engineered and that means it's imperfect.
  • And if my aunt had balls she'd be my uncle. It's not like there's some big conspiracy with all the app/OS programmers to keep their techie buddies in jobs here. People make mistakes, users are stupid, hackers are smart and sometimes evil.
  • Who do you think is going to make it secure "in the first place"?

    All you're doing is shifting the industry closer to the OS vendors, it's still very necessary.

    Of course if Microsoft bought up all the AV, Firewall, IDS and other security vendors with this goal in mind, many people would shit a brick and twitter's head would explode.
  • If homes were already secure against burglars, there wouldn't be any need for home security products. If bad drivers wouldn't be allowed to drive cars, no one would bother with traffic cops. If there were no more office shootings, no one would have to buy products to protect against their effects. If the society we lived in were secure out of the box, we wouldn't have to spend billions every year making it secure.
  • ... and still have their malformed, misguided, assumption-based view...

    (at least a large part of) the article is about security being mainly an "add on" process to the current IT process.

    Security should ideally be an iterative process, through each part of the development cycle of a product and through each stage in a deployment roll-out. This generally doesn't happen though.

    The "Security Industry" (e.g. anti-virus companies) is a necessity because security policies are lax, and further because no-one or no
  • Even without any 'technical holes' there will still be bad people doing bad things

    Might not need as large of an industry, but it wouldn't just go poof ..
  • by Time Ed ( 970465 ) on Thursday May 03, 2007 @04:33PM (#18979767)
    All the "..and if..." replies really miss the point here. It's not that he's stating the obvious, he's saying the glory days of IT security as an aftermarket industry are over. The focus of IT security is shifting from point products that deal only with the threat du jour, to integrated infrastructure. Security as a service, if you will.

    Look at Cisco. More and more of the monitoring and mitigation systems we run are turning up as part of the switch in next generation gear.

    Businesses want simple, cost effective systems that are built in to the infrastructure, don't get in the way of the money-making, and keep the bank and federal auditors happy.

    Besides, the best security tools are free. And most of IT security is just plain common sense. You don't have to have been at it as long as I have to know that. The technology we use only works one way, so threats aren't that hard to figure out. The rule is to be aware of what runs on your network and keep an eye on what comes and goes. If in the years to come that's all built in, cool.
  • Once upon a time, a bunch of guys cut down a bunch of trees to build a bridge to cross a stream. Between that moment and today, we've had thousands of years of often subtle improvements in our understanding of everything that underlies civil engineering.

    And despite that, last week an overpass in Oakland melted and failed because of a tanker truck fire.

    The rate at which failures occur in engineered structures of all sorts built during modern times is very low. This is because every time something has fai

  • If my house weren't made of flammable materials, we wouldn't need a fire department. If we didn't have people breaking the law then we wouldn't need police officers. If all nations were buddies we wouldn't need armies. If friction didn't exist I wouldn't need to do maintenance on my car.

    Nick
  • Good points (Score:4, Insightful)

    by Mike McTernan ( 260224 ) on Thursday May 03, 2007 @06:06PM (#18981181)
    I think some of his points are good:

    "Additionally, as long as IT security is a separate industry, there will be companies making money based on insecurity -- companies who will lose money if the internet becomes more secure."

    All the commercial anti-virus software I've ever used has been full of FUD, displaying big red crosses and popup balloons telling me that my system is at risk because I haven't purchased some additional product or upgrade. I see the same companies rolling out stats about virus attacks and in mainstream media warning of the next big threat, doom saying wherever possible.

    Personally, as a programmer, I think the weaknesses in software will be fixed and operating systems changed such that deep probing virus checkers are obsoleted. I'd happily see this whole FUD spreading portion of the security industry die.

    Some of his points may however be too general:

    "The whole IT security industry is an accident -- an artifact of how the computer industry developed."

    There are still places where a security industry will always be needed, such as authentication through RSA tokens/smart-cards/biometrics and the associated infrastructure.

    In general I think he's about right though. Over time software will improve and things will be built in such a way that common failures of today are obsoleted just like other engineering disciplines have improved methodologies e.g. airplanes are not built with square windows anymore - http://en.wikipedia.org/wiki/De_Havilland_Comet [wikipedia.org].
