Comments on: More proof that security isn’t failing

By: 1 Raindrop

1 Raindrop — Fri, 19 Oct 2007 14:10:50 +0000

Sacred Cow Gored? Check.

As only a certified security high priest can do, Gene Spafford has started a linkfest o’ love spawning numerous backslapping from some of my favorite people in the blogosphere. I hate enjoy to be the contrarian, so while I agree with the general senitm…

By: 1 Raindrop

1 Raindrop — Thu, 18 Oct 2007 20:03:39 +0000

Sacred Cow Gored? Check.

By: Pete

Pete — Wed, 17 Oct 2007 16:07:34 +0000

@Tyler -

I didn’t get that message from his blog. I am suggesting that the assertions he makes are excellent evidence that security ISN’T failing.

Pete

By: Tyler

Tyler — Wed, 17 Oct 2007 15:53:01 +0000

Pete, I don’t know how you got the message that security ISN’T failing out of that blog entry. As far as I understood it, the point is that we’re wasting time and money treating the symptoms, rather than the problem. The point is that we can NEVER succeed if we keep doing what we’re doing.

By: shrdlu

shrdlu — Wed, 17 Oct 2007 13:49:12 +0000

Cherchez l’argent, mes amis. Mix in Spaf’s argument with Pete’s and add Marcus and Bruce, and you’ve got the answer: people don’t think security is failing enough to spend money doing something about it. The externalities aren’t intolerable. The public isn’t up in arms; if anything, security breaches have reached the same level of public semi-awareness as bombing in Iraq — it happens every day, everyone agrees how awful it is, and then they go back to their lattes.

We’re not going to fire or retrain a generation of cheap programming labor to Do the Right Thing and redesign systems. Not until it hurts enough, and let’s face it, it doesn’t. All the FUD and hand-wringing is within the security industry. We’re doing our jobs just well enough to keep things from melting down, so why should anyone pay more attention and money to something that’s mediocre but not a disaster?

By: Christofer Hoff

Christofer Hoff — Wed, 17 Oct 2007 12:58:54 +0000

In a rare moment of synchronicity, I saw Spaf’s post in my Google Reader prior to yours and I despite your choice of words (not like mine on my blog did me any favors) I think I understand and agree with your idea.

/Hoff

By: Pete

Pete — Wed, 17 Oct 2007 02:13:44 +0000

@Chris -

My not-so-clearly made point is – since there are no significant obstacles to adding more security, then people/organizations are explicitly deciding against stronger protection. If that is the case, then security can’t be “failing” in their eyes (or they would spend more / do more).

Remember that whether or not security is failing can have multiple interpretations to individuals.

Hope this helps!

By: Christofer Hoff

Christofer Hoff — Wed, 17 Oct 2007 01:40:37 +0000

Pete:

I’m just a plain ol’ country boy so I don’t get how you got to the last sentence; I’d suggest that preceding sentences suggest that since we’re not doing what we’re either capable of or *should* be doing, we’re failing.

Certainly not doing the right things is not cause for celebrating success.