Do We Really Need a Security Industry?
netbuzz noted that Bruce Schneier's latest column discusses the security industry where he points out that "The primary reason the IT security industry exists is because IT products and services aren't naturally secure. If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure."
Do we really need car mechanics? (Score:2, Interesting)
It's just another blame-placing game (Score:2, Interesting)
you wanna know whose fault it is? it's the person breaking the law, breaking the systems. but you know what you can do about that? next to crap.
Just Build A PC with no Functionality! (Score:3, Interesting)
I have the utmost respect for Bruce, but that statement is fairly ridiculous. It's like saying if we built automobiles that could never crash then we wouldn't need road rules. Basically you can sub anything into that statement. If we made food that wasn't unhealthy we would need Jared and annoying Subway commercials...
if offices had no doors or windows (Score:1, Interesting)
then again, maybe IT security guards should be making 10 dollars an hour and normal security guards should be making the same (it would be a raise)
This is awfully fanciful (Score:3, Interesting)
If people were perfectly peaceful, we wouldn't need laws or governance
If everybody washed their bums correctly and cooked meat well every time, nobody would have to worry about butt-worms
If people were perfectly courteous and attentive on the road, there would be no need for auto-insurance
So now let us imagine what it would take to get to a point where we no longer need people specialized in securing and maintaining the integrity of data. Do We Really Need a Security Industry? YES! We most definitely do, and always will! Is there room for improvement? Yes, vasts, and there always will be!
Re:This is awfully fanciful (Score:3, Interesting)
That would also rid the world of the foodborne butt-worms problem. Actually it would trade off butt-worms of one sort for another, but you can't have it all.
http://www.roughlydrafted.com/
Re:I see what he did there (Score:3, Interesting)
The concept was that if computers were secure anyway, threats to them would be non-issues.
The simile isn't "If murderers just stopped wanting to kill us." More accurately, it's "It's the victims' fault for being murderable."
It's about on a par with those who claim the students at VT deserved what they got because they didn't protect themselves by carrying guns.
I have a better question... (Score:5, Interesting)
Re:Yet... (Score:2, Interesting)
While most (read: all) of
http://samspade.org/d/firewalls.html
My take (Score:3, Interesting)
You can always create a "Groundkeeping Crew" and then no one else in the entire company would have to worry about the grass. However, the day you create an "IT Security Task Force", everyone else lets down their guard. Products like personal firewalls and anti-spyware have allowed application and OS developers to sell insecure software without retribution. If security were forced back to the source where the problem is easiest to solve, we would be in better shape today.
Instead, I see a security team trying to lock down the network and application architecture teams trying to get as much data through as possible. Since everyone's goals are 180 degrees from each other, things go much more smoothly when they keep the other side in the dark.
Not what he said at all (Score:3, Interesting)
What Schneier is saying is that security won't be an add-on, after-the-fact product that people buy to protect their computing infrastructure. It will be integrated into the design of every program that a 'utility' runs, because the best way to assure your customers they'll have five nines of reliability is to build every piece of the system to be as secure as possible from the ground up.
(Insert folk tale of the impracticality of retrieving scattered livestock vs. maintaining the structural integrity of their enclosure and preventing their escape in the first place.)
Re:Sort of ... but not exactly. (Score:3, Interesting)
That's not what he argues, though.
If you RTFM, Bruce's article argues that as computing becomes a utility, security will become "baked in" such that 3rd-party, add-on security products will, to the extent that they exist at all, be implicit functionality that users don't need to think about. To the extent that security will become cheaper, that's because R&D on it will be largely paid for by the utilities (who have an interest in lowering costs) rather than the vendors (who don't).
Not the same thing at all.