2006-11-29

Security Absurdity

File this under the "blogging about blogging" category:

A recent Slashdot article turned me on to the Security Absurdity blog, highlighting, as the author puts it, "The Complete, Unquestionable, and Total Failure of Information Security." While not typically a great source for finding nuggets of highly-valuable InfoSec news, the old geek standby comes through once again.

In essence, this is a series of editorials about how information security has, as a profession, been a miserable failure. Looking back at my posts, I suppose the author of Security Absurdity managed to articulate the heart of a lot of my, and the community's, complaints all along. Pity the user of a computer, nowadays.

However, I want to make perfectly clear my view that the Information Security community is not the one responsible for these problems. The root cause, by and large, is in the design and implementation of software: software producers have created this mess of a situation that we in the InfoSec community are trying so hard to fix. They failed to build reliable, secure products and to educate users, upon purchase, in the products' proper use, period.

Moving on to our role, I agree with the author: we have also failed. We have failed to properly articulate the universe of problems created by bad software or bad software implementation, and furthermore, we have failed to educate those who should need to know, and to build technological protections for those who shouldn't have to worry about it. We've taken too narrow a focus, setting our sights on specific problems and dedicating huge amounts of resources to designing fantastic solutions, while turning a blind eye to the bigger problem.
Case in point: firewalls.
Problem solved: applying the principle of least privilege to network-based, inter-computer communication.
Bigger problem narrowly addressed: the principle of least privilege in general.
Illusion: the bigger problem nearly solved by a narrow solution.

Security product vendors share as much of the blame as we analysts do: overstating the effectiveness of their products, while helpful to their bottom line, hurts the industry badly. People unfamiliar with the scope of information security challenges believe that the solution they purchased to solve a narrow set of problems is a silver bullet, or something near to it. These individuals shouldn't have to worry about the gory details of security to browse the web. After all, my DVD player plays DVDs; why should my computer be any different?

I don't have the solutions, but clear and concise communication from the InfoSec community to the rest of the computer-using world would be a really great start. Bravo to the SA blogger(s). Their commentary is long overdue, and the community would do well to heed some of the advice therein.
