The InfoSec Blog

Schneier questions need for security industry

Posted by Anton Aylward

http://news.com.com/Schneier+questions+need+for+security+industry/2100-7355_3-6179500.html

"We shouldn't have to come and find a company to secure our e-mail. E-mail should already be secure. We shouldn't have to buy from somebody to secure our network or servers. Our networks and servers should already be secure."

and

"Security is a small but important piece of the bigger picture," Schneier said. He added that consumers shouldn't accept any product that is inherently insecure.

Dumb Dumb Dumb!
You can't fight basic economics!

In my Quotes Database

Be very glad that your PC is insecure---it means that after you buy it, you can break into it and install whatever software you want.
What YOU want, not what [content providers] want.
-- John Gilmore of the EFF

Amusing, yes, but true.
And in a deeper way.

When the PC came out it was shipped as a very crippled system but an OPEN SYSTEM. You could easily open it up and plug stuff in. This meant there was opportunity for third-party developers, hardware and software, and an upgrade path. A whole 'ecosystem' grew up around the PC. The threshold to entry was low - hence much freeware and shareware and a massive amount of experimentation. The fact that it was crippled actually encouraged developers.

Contrast this with the closed system of the Mac when it came out. Look at the market share.

We can see this in economic history as well. Countries and eras where power and control mattered more were not economically aggressive. The most obvious example is Cold War era USA and the Soviet Union, but there are many others through history. It's not about "freedom" in the sense that Tom Paine and the American Founding Fathers wrote of it so much as freedom to prosper. Hong Kong under British rule demonstrated that: economic growth without the need for USA-style or any of the European styles of "democracy".

The issue isn't that software products are insecure. That is an emergent property of the economic system that allows their development; as people here have pointed out many times, the market pays for what it wants. Commenting on certain types of firewalls, Marcus Ranum has observed that people are more willing to pay for speed than security. (And why do people pay for cars that can go faster than our roads will safely permit?)

Perhaps "closed" isn't quite the right term. Apple's iPod is a closed unit, but there is a vast market of third-party add-on units for it. The iPod economic ecology is very rich, rich enough to allow competitors (look how many other MP3 players there are).

But the point is that a product strategy that allows for this "let others add value" is a sound one. In many ways it's better than having a closed system and worrying about your "channels", because the developers of these add-ons are doing your marketing for you.

Make your policy generic, not specific

Posted by Anton Aylward

Some of us security types were discussing policy, login notices and the like.

Someone commented on a badly written policy about the use of corporate e-mail and discussion about the company.

... I recently worked at a place that had a weak and over-specific email policy.
One day management realizes there are other areas where "contraband communication" can take place - internet groups, blogs, forums, IM, Blackberries, etc. If the policy hadn't been written to deal specifically with "email", or had been more general about the level of technology, it would have saved us some hassle.
As it was, our policy development and approval process was too slow and cumbersome.

This is a generic issue and not limited to e-mail, IM, etc.

Long ago in a policy development workshop that I was running we thrashed out how to express ACCESS CONTROL so that it was perfectly generic, applied to everything from the parking lot to the executive washroom, and was in language everyone from the Board of Directors to the Janitor could understand. Of course it applied to computer/network access, and its wording matched the requirement of the 'restricted access' logon notices.

I've been told the lawyers didn't like it, but the reasons seemed to boil down to the fact that the language was so straightforward and unambiguous that there wouldn't be enough billable hours if it came to a court case.

If you structure your policy management properly so there is a succinct POLICY STATEMENT and ancillary sections that address

  • Justification
  • Consequences of Non-compliance
  • Roles and Responsibilities
  • Who/When/Where/Why Does this Apply?
  • Guidelines for Interpretation
  • Relevant Standards (Internal and External)

and of course

  • Procedures

then it's a very effective and efficient way to work.
This is because

a) You don't need a lot of policies if they are "general"
b) It makes them easy to learn and remember
c) You don't have to keep going back to the board to get picayune changes approved