IT Security: Unnatural Industry

Bruce Schneier says the obvious:
Last week I attended the Infosecurity Europe conference in London. Like at the RSA Conference in February, the show floor was chockablock full of network, computer and information security companies. As I often do, I mused about what it means for the IT industry that there are thousands of dedicated security products on the market: some good, more lousy, many difficult even to describe. Why aren’t IT products and services naturally secure, and what would it mean for the industry if they were?

Do We Really Need a Security Industry? Bruce Schneier, Schneier on Security, 3 May 2007

Obvious in an emperor’s new clothes sort of way.

Judging by the sputtering in the audience, he’s hit a nerve:

Naturally secure. Naturally secure. Naturally secure. I can’t seem to get it through my head. What the heck does “naturally secure” mean? Name any non-trivial asset or resource that is “naturally secure”? Now, up the ante with an intelligent adversary. Somebody, please – what is it that can be naturally secure against an intelligent adversary?

What a bunch of bull, Pete Lindstrom, Spire Security Viewpoint, 3 May 2007

So who’s right?

It seems to me that Bruce is only saying what a number of us have been saying for some time: until you can sue a vendor that sells you insecure software, nothing’s going to change. In other words, software liability is the key.

Credit card vendors used to send out live cards in the paper mail that you’d have to decline. Crooks stole them out of the mail and used them. Eventually Congress passed a law saying that was illegal. Now credit card companies are liable if they do that. They don’t do it anymore. I think Hal Varian has been on about this point since around the year 2000.

Medical malpractice laws can be misused, but would you really want to have no legal recourse if a surgeon or other doctor really screwed up?

Think automobiles and “unsafe at any speed.” Maybe if we get over being blinded by all the chrome on Windows and realize its transmission is poorly designed and it has no airbags, maybe we’ll get somewhere.

Meanwhile, it can’t hurt to try to actually quantify what security is and does, as in Metricon 2.0. That might help sort out some of those “thousands of dedicated security products on the market”. If they thus become describable, maybe it will be more obvious which are good and which lousy. For that matter, I really would like to see some one of the many people who claim Linux and OSX have as many exploitable bugs as Windows attempt to quantify that in a Metricon paper.

As Bruce points out, all this wouldn’t mean that there wouldn’t be any security industry. However, it would certainly have less to do if it wasn’t constantly patching around and fixing up an open sewer. Think of all the money and creativity currently going into security fixups that could go into creating new products and services!

Only a bit more than a decade ago there was an aftermarket in TCP/IP addons for Microsoft products, because Microsoft didn’t get the Internet until 1995. Once Redmond started shipping an OK networking stack, that aftermarket mostly went away.

Bruce doesn’t think such a change could happen in security in his lifetime. Yet it was only eight years ago that he founded Counterpane, now already sold to a big company wanting in-house security. And it was little more than two decades ago that the Microsoft TCP/IP addon market started, and only about a decade ago that it went away. Bruce could easily live long enough to see his prophecy fulfilled.

-jsq

10 thoughts on “IT Security: Unnatural Industry”

  1. Pete

    Does this make you a proponent and believer in vulnerability-free software?
    Pete

  2. John Quarterman

    Did the lawsuits about the Corvair make the automobile industry vulnerability-free?
    Why is “vulnerability-free” a relevant question, anyway?
    -jsq

  3. Pete

    Well, my post was about whether there was such a thing as being “naturally secure”. With software, I believe naturally secure means vulnerability-free. Do you have a different definition?

  4. Pete

    “Did the lawsuits about the Corvair make the automobile industry vulnerability-free?”
    No, it didn’t. So liability didn’t work there either.

  5. Iang

    Credit card vendors used to send out live cards in the paper mail that you’d have to decline. Crooks stole them out of the mail and used them. Eventually Congress passed a law saying that was illegal. Now credit card companies are liable if they do that. They don’t do it anymore. I think Hal Varian has been on about this point since around the year 2000.

    Why didn’t people sue their banks for fraud? Why did Congress need to write a law about behaviour that is already covered by contract law and fraud?

  6. Iang

    The idea that an injured party can sue the responsible parties for their share in the liability is starting to emerge. TJX are being sued by the banks. Bank of America was sued for online banking by Lopez, claiming that BofA should have known that the PC was insecure.
    Class action suits are probably the way forward. A law will bungle it.
    PS: we still have a way to go when blogs discriminate against secure URLs!

  7. Iang

    So liability didn’t work there either.

    Pete, that’s a strawman. We all know that security is a risk question, not an absolute metric. Liability helps the risk approach, and of course it doesn’t help that which we already know to be impossible.

  8. Pete

    @iang –
    I think the idea of “naturally secure” is naive in exactly this way – as if security is absolute – so you make my point well.
    Whether liability helps or hurts the risk question is dependent on an individual’s starting point for risk. There is plenty of evidence to suggest that it really is only a vocal minority whose risk posture is such that liability is of interest. To the extent that this hurts everyone else through the reduction of future benefits, it needs to be carefully understood.
    In any case, there is no such thing as “naturally secure.”

  9. John Quarterman

    I don’t really see what fixation on certain phrases does to help anything.
    The basic point seems pretty straightforward to me: Microsoft (and other vendors) produces software with known design flaws (IE seems the most obvious example) that cause or exacerbate security problems, just like automobile manufacturers used to produce cars with shift patterns that had reverse where second had traditionally been; didn’t have seat belts or air bags; would catch fire easily in wrecks; etc. Laws weren’t the only things that helped with making cars safer, and of course no car is completely safe. Liability laws would help with software, too.
    New laws aren’t the only way to establish liability, and if plaintiffs can establish liability using existing laws, more power to them. However, so far that hasn’t worked. And history indicates, e.g., in the live credit card scenario, that sometimes a law is a good idea.
    So, Pete, tell us about the “plenty of evidence” of which you speak. Also why you think liability reduces future benefits. Help us to carefully understand.
    -jsq

  10. 1 Raindrop

    Security, Naturally

    I am with Pete Lindstrom on this because, well, crikey, it makes no sense – Schneier says – we don’t need an IT security industry. It’s a big historical accident. Programs should just be naturally secure. Uuuhhhmm…okkk….that’s great and all, we’ll j…
