Two separate comments on the blog from a few days ago reach into the nub of the security mess. Adam comments:
It's not that we're unable to propose solutions, it's that they're hard to compare. My assertion is that once we overcome the desire to hide our errors, we can learn to compare in better ways.
And Lynn writes:
Two separate studies recently reached conflicting conclusions: While one found that identity theft is on the rise significantly, the other reported that it is on the decline.So which is it?
Addressing these in reverse order, we can expect two professionally-prepared scientific reports on the same subject to reach the same conclusion, unless there are some other factors involved.
Firstly, it could be that we don't know enough (c.f., silver bullets). Secondly, it could be that we are not using scientific rigour, and the report is instead some for-profit advertisement. Or, thirdly, we could always simply be making a mistake.
All reasons are plausible... but now look at Adam's comment. If we apparently have a desire to hide our errors, what does that say? Are we all snake-oil salesmen? Are we not scientists? Is security only sales and hype, and there no professionalism in the field at all?
If we were talking about a science, and/or conducted by professionals, then we could assume that while Lynn's case was possible, it would be infrequent: professionals would not conclude if they did not know enough. Scientists wouldn't write for-profit advertisements, and although professionals might, they would be careful to disclose and disclaim. At the least, we would expose our data and ask for alternate analyses for the purpose of eliminating errors and mistakes.
If we were scientists, we recognise that the goal is knowledge, and the elimination of our own mistakes is the only way to advance knowledge. Having any desire whatsoever to cover our mistakes is incompatible with scientific method, indeed, it should be a joy to uncover our mistakes, as this is the only way to advance! And, even professionals know that recognition and correction of mistakes is a core professional duty.
This suggests then that security is not science and it is not a profession.
Is security only the marketing of ephemeral goods and services?
There is no moral difficulty in security being only, mere marketing. We humans have the right to make money, and spend it on what we like. If companies buy hype then let us sell them hype.
However, even in marketing there are limits. Even in marketing, we say that statements must be true. Even in marketing, professionalism exists.
Why is this? Perhaps it is time to consider a dramatic alternate to the true statement: Fraud.
Under common law, three elements are required to prove fraud: a material false statement made with an intent to deceive (scienter), a victim’s reliance on the statement and damages.
In today's Internet security world, we have damages, in Lynn's above-mentioned reports, whether up or down. We also have reliance by users on browsers, operating systems, CAs and server security. The intent to deceive is easy to show in the context of sales.
Do we have material false statements?
If the security industry was brought before the court of common law, I'd suggest that there's a pretty good chance that it would be found guilty of fraud!
Which is why Adam's assertion is so pertinent. Once we have committed fraud, we have also committed to covering it up. Fraud practitioners know that a strong signal of fraud is hiding the results, a desire to hide errors.
Fraud practitioners also know that fraud is a trap; once a small fraud is committed, we have to commit another and another, bigger and bigger. And each becomes easier, mentally speaking, than the first.
The security industry is caught in the trap of fraud: we are perpetually paying for the material false statements of our past, with bigger and bigger frauds. Where does this end?
Posted by iang at April 19, 2007 07:39 AM | TrackBacknote that the quote wasn't mine ... i found it in recent (san fran chronicle) newspaper article titled "Banks must come clean on ID theft" and posted the reference
http://www.garlic.com/~lynn/2007h.html#48 Securing financial transactions a high priority for 2007
http://www.garlic.com/~lynn/aadsm26.htm#58 Our security sucks. Why can't we change? What's wrong with us?
although I did note that in a couple posts from last month I had observed the relatively vast differences in various articles on how recent fraud numbers were interpreted.
http://www.garlic.com/~lynn/2007e.html#29 Securing financial transactions a high priority for 2007
http://www.garlic.com/~lynn/2007e.html#62 Securing financial transactions a high priority for 2007
now today there are references to recent Schneier article:
Bad Security Driving Out the Good
http://it.slashdot.org/it/07/04/19/140245.shtml
How Security Companies Sucker Us With Lemons
http://www.wired.com/politics/security/commentary/securitymatters/2007/04/securitymatters_0419?currentPage=all
and for a little more drift, there is recent thread topic drift related to nothing succeeds like failure
http://www.garlic.com/~lynn/2007h.html#29 sizeof() was: The Perfect Computer - 36 bits?
http://www.garlic.com/~lynn/2007h.html#33 sizeof() was: The Perfect Computer - 36 bits?
as well as somewhat similar reference in recent risk digest
http://catless.ncl.ac.uk/Risks/24.62.html