Schneier questions need for security industry

“We shouldn’t have to come and find a company to secure our e-mail. E-mail should already be secure. We shouldn’t have to buy from somebody to secure our network or servers. Our networks and servers should already be secure.”


“Security is a small but important piece of the bigger picture,” Schneier said. He added that consumers shouldn’t accept any product that is inherently insecure.

Dumb Dumb Dumb!
You can’t fight basic economics!

In my Quotes Database

Be very glad that your PC is insecure—it means that after you buy it, you can break into it and install whatever software you want.
What YOU want, not what [content providers] want.
— John Gilmore of the EFF

Amusing, yes, but true.
And in a deeper way.

When the PC came out it was shipped as a very crippled system but an OPEN SYSTEM. You could easily open it up and plug stuff in. This meant there was opportunity for third-party developers, hardware and software, and an upgrade path. A whole ‘ecosystem’ grew up around the PC. The threshold to entry was low – hence much freeware and shareware and a massive amount of experimentation. The fact that it was crippled actually encouraged developers.

Contrast this with the closed system of the Mac when it came out. Look at the market share.

We can see this in economic history as well. Countries and eras where power and control mattered more were not economically aggressive. The most obvious example is Cold War era USA and the Soviet Union, but there are many others through history. It’s not about “freedom” in the sense that Tom Paine and the American Founding Fathers wrote of it so much as freedom to prosper. Hong Kong under British rule demonstrated that: economic growth without the need for USA-style or any of the European styles of “democracy”.

The issue isn’t that software products are insecure. That is an emergent property of the economic system that allows their development; as people here have pointed out many times, the market pays for what it wants. Commenting on certain types of firewalls, Marcus Ranum has observed that people are more willing to pay for speed than security. (And why do people pay for cars that can go faster than our roads will safely permit?)

Perhaps “closed” isn’t quite the right term. Apple’s iPod is a closed unit, but there is a vast market of third-party add-on units for it. The iPod economic ecology is very rich, rich enough to allow competitors (look how many other MP3 players there are).

But the point is that a product strategy that allows for this “let others add value” is a sound one. In many ways it’s better than having a closed system and worrying about your “channels”, because the developers of these add-ons are doing your marketing for you.

About the author

Security Evangelist


  1. I don’t see how your argument is in any way a contradiction of what Schneier and others in the article said:

    “I always used to think the security industry existed to make people scared and then sell them something to protect them from what they were afraid of. But now I think it exists because of what people are prepared to buy,” he said, adding that investment in security products tends to be reactive to a problem a company has already suffered, making security a “fire extinguisher industry.”

    Your iPod analogy is wrong because the third-party add-on industry that has developed around the iPod has to do with _extending_ functionality of the product. Not revert it to something it should have been in the first place.

    The security industry feeds the manufacturers who feed the security industry, etc. The manufacturers don’t have to make products secure because an entire industry sits at the ready to pounce on the new products and do it for them.
    There is not sufficient incentive to make secure applications or products.

    I liken it more to Microsoft’s recent statements about the Vista release, boasting about how many jobs and how many billions of revenue the new OS will create. Or rather, will _need_ to create just to keep it functional.

    By the same token if I throw garbage on the street you could argue that I’m creating jobs for more garbage collectors, but what Schneier says is that enough is enough.

    I actually agree with your basic premise, but it is a matter of degree. Right now the balance is _too_ skewed between what is a good, open model that will provide incentives for third-party spin-off security industries, and what is just blatant rape of capitalism — people making money for no other reason than manufacturers being unwilling to provide a quality product.

    And quoting H2G2 might earn you geek points, but your article is still wrong 😉

  2. Please note: I didn’t say the iPod was broken. The whole nature of the ‘ecology’ I’m trying to describe is about extending the functionality of a basic – but extendable – product.

    Three other examples: the Apple ][, whose design features were mostly replicated in the PC, and in the motoring world, the Model T and the original Mini. Look at the reef “ecosystems” that grew up around their bare bones. Look at the D.I.Y. industry and home furnishing and decorating.

    Is the balance skewed? Possibly, but so long as the market is “open” and customers have alternatives they will send a financial message to the manufacturers. That’s what the market is about and why monopolies and oligopolies are considered an ‘evil’ by economists.

    Is capitalism blatant? Of course. What makes you think it’s possible for it not to be?

    — AJA

  3. I have not read the Schneier post in detail, but from Anton’s comments feel I understand what he is trying to get at. On the one hand Anton is correct, “You can’t fight basic economics!” On the other hand we all need to be taking a different approach to securing our businesses, homes and critical infrastructures.

    Security needs to “Become part of Everyone’s DNA”, part of the corporate culture, part of the way we do things. Our schools need to begin teaching or at least do a better job of teaching ethics and good computer security practices beginning already at kindergarten or before (by parents).

    Our youth are the ones that still have the potential to learn that a password that is difficult to guess does not mean it has to be difficult to remember, or that it does not have to be painful to change it periodically. Good security and practices can become habit and natural, part of what is done because it is right, not because some legislator said we should do it.

    Instilling good security habits and practices starting very young and reinforced throughout their schooling will make it possible for networks, applications, databases, systems, etc. to be delivered that are secure because that is how you build them as part of the design and implementation life cycle, not needing to add the security in after they have been delivered and are in production. When you build a network it would no longer need to be built as a “secure network” because they are already one and the same thing, because that is the natural way to build them. We don’t have secure networks and insecure networks; we have networks.

    This will take time, but will need to one day get started. We will have to have a few Romper Room graduates build some networks before “Security will begin to be part of our DNA”, not something where you add on just enough new controls because some legislation said we have to.


  4. Schneier is an idealist, but we need the occasional idealist to push us to do better. We’ve been trying to design secure, economical computers since the late 60s.

    I think Schneier’s (legitimate) point is that, on average, built-in security is more effective than add-on security. But it is also more expensive and less convenient. Built-in security will never be a high priority until people start dying in large numbers because of computer security breaches.
