Sunday, February 11, 2007

When were-sme's collide

(With apologies to Logan Whitehurst for the theft and paraphrasing of his song title) Bruce Schneier likes to talk about "security theater". You'll hear me expound about security (or computer) church now and then. Neither is very productive and both are made up of much the same people (and there are more of them than most think).

Example: this post from 360 Security. Mr. Malm seems to be self-justified in "taking a swipe" at Mr. Thompson because Mr. Thompson "took a swipe" at Microsoft. I call it "security church" because it appears that Mr. Malm's "faith" has been offended, triggering a self-righteous attack on Mr. Thompson (calling him by his first name, implying lack of expertise, belittling his company, etc.) without supporting any of his arguments.

"Security church" is just as dangerous as "security theater" in that it is a collection of unjustified human reactions (bowdlerization (not a real word but an eponym), pillory, apocryphy (my attempt to turn a noun into a verb), censorship and outright anathema) used against anyone who has the courage to be contrary. (I'm sure that Adi Shamir didn't win any points at the conference with his prediction of security in the future.) It is both the institutional inertia that is resistant to change and the fickle flightiness of chasing "the new paradigm".

Behind it all is the tendency to take the shortest path (i.e., it is easier to scorn someone than to argue a point). That these acts are usually easy to recognize and almost impossible to combat is the really sad part.

(Side-sarcasm: did they really say "security should be built-in, not added on?" Please! I don't want that 1996 flashback.) (See? It's easy.)