Monday, May 07, 2007

do we really need bruce schneier?

there's a sacred cow in security, a living sacred cow by the name of bruce schneier... a cryptography expert, a squid enthusiast, and a self-proclaimed media whore, bruce schneier is one of the biggest names in security and he's asked if we really need the security industry...

according to bruce:
The primary reason the IT security industry exists is because IT products and services aren't naturally secure.
naturally secure? my reaction to those words is much like peter lindstrom's reaction, it seems to mean perfectly secure without 3rd party assistance (ie. inherently invulnerable) but that's just absurd... i know perfect security is impossible, you know perfect security is impossible, and bruce better darn well know that it's impossible otherwise what good is he as a security expert?

his very next sentence reads:
If computers were already secure against viruses, there wouldn't be any need for antivirus products.
now here it's quite clear he's talking about perfect security against viruses... there's just one problem, viral susceptibility is inherent to general purpose computers - so long as you can share data and the device can do more than a handful of narrowly defined things it can support viruses... this has been known for over 2 decades, i've said it here many times in the past, i've even said it in the comments on bruce's own blog so it's not as if he's never been exposed to the idea...

a really telling quote is the following:
The whole IT security industry is an accident -- an artifact of how the computer industry developed.
this suggests that security is only needed because of accidents/mistakes that happen when designing and implementing systems... this is a fundamental assumption that few people in security these days seem to question... a vulnerability is often described as a flaw, mistake, or error in the code - but this is one of the most common misconceptions i see about the nature of vulnerability as it ignores the prospect of inherent vulnerability... everyone always says that things should be made secure from the beginning instead of bolting security on after the fact, but the only way to avoid needing to add security after the fact is if it was perfectly secure from the beginning and once again, that's just not possible, not just because it's so hard to avoid all possible mistakes but because some forms of vulnerability aren't the result of a mistake... take a website, for example - there can only ever be a finite amount of bandwidth available for hosting that website so it will always be possible for an attacker (or group of attackers) to use up all of that bandwidth irrespective of any mistakes in the website or webhost or network or browser or operating system or any other component even remotely associated with such an attack...

bruce wants to believe that eventually security will be folded right into the products (like the OS) and services (like the network connection) so that 3rd party security products become redundant... this is, at it's heart, the logical conclusion to where the best-of-breed detractors see things going - after all, if security functionality is going to converge into single integrated products, it might as well converge right into the products that security is supposed to be protecting in the first place, right? unfortunately there will always be new and as yet unheard of attacks (and even existing attacks are not completely obviated by even the best security) so products and services can never be naturally secure and it will always be necessary to bolt on additional security after the fact...

so the question is, has bruce jumped the shark and do we need him badly enough that we'll follow...

4 comments:

Rob Lewis said...

Bruce may have been one of the first to emerge as a leader and expert in a field still in its infancy.

Interestingly, I was reading last week something by Guy Kawasaki who says "that those that have success on the first curve are unable to comprehend, let alone embrace the next curve." (see the art of innovation).

I have been thinking about that since I read it, wondering if pre-conceived mindsets found in the security herd would ultimately require the emergence of a new generation of leaders or gurus to emerge, in order for the industry as a whole to advance to real innovation.

kurt wismer said...

well, it's an interesting thought...

my take on the phenomenon is a little different, though... i think people (specifically big names who start to believe their own press) sometimes get a little too big for their britches and start offering authoritative opinions on fields outside of their specialty...

i think the very notion of a security expert is an indicator that this very thing is happening, since security is far too broad a subject for anyone to actually be an expert in it...

Javier said...

Kurt, I fully support your view. I can not agree that just having products naturally secure would make the IT Security industry useless. Even in an ideal world of applications with no vulnerabilities, there still would be threats. When it comes to malware, it does not just exist because there are vulnerabilities. Malware takes advantage of vulnerabilities to propagate, to make its life easier, but it would exist anyway.
Computers can not simply be secure against malware, because malware is just software that behaves in a certain way (that most people dislike), but they can not be so clever to know in advance what we would classify as malware (this is what AVs do for us, and still they fail sometimes)
What would happen with trojans distributed by means of social engineering attacks in a world with no vulnerabilities? Would users be more cautious to not allow installations of unknown applications from unknown sources? Would their change their minds just because applications are 100% secure? Maybe they would even relax further and make them more vulnerable to social engineering attacks.
Sometimes I wonder and I want to raise the question here, which is the distribution of malware installed through exploitation of vulnerabilities and the malware installed with user consent? I really would like to know. It would be very interesting to counter Mr Schneier

kurt wismer said...

@javier:
"which is the distribution of malware installed through exploitation of vulnerabilities and the malware installed with user consent?"

to me it seems clear that malware installed with user consent (as you put it) is a very frequent occurrence... the blackhat's are no less lazy than anyone else, they're going to attack the weakest link in the security of a system and that is generally the user...

social engineering wouldn't be such a mainstream topic if it weren't used as much as it is...