I had yet another computer journalist call me to ask if Vendor X’s security solution was THE security product to solve all our security problems. I get a call or e-mail like this about once every two weeks. Usually they’ve read the vendor’s own PR, another newspaper article, or even my own column touting a particular product. The typical conversation goes something like this:
Journalist: "Hey, do you think Product A from Vendor X will solve all our security problems?" (I’m not making up this question, either -- I hear a version of it 99 percent of the time.)
Me: "No, I think security is only going to get worse and every proposed product is doomed to failure. I predict that within a few days the Internet will collapse and online communication as we know it will cease to exist and the Internet will have to be rebuilt from the ashes over the next six months. On the positive side, we’ll all have a lot more time for our family soon."
Journalist: [Silence or pause] “Huh?”
To be fair, a little more than half of them know I’m pulling their leg. Only a few formally ask if they can quote me.
It bothers me that a lot of computer security journalists don’t really know security. Not that I’m an expert, but when a vendor’s press release starts out with the phrase, “We detect all threats known and unknown, without frequent updates," I immediately discount that product.
Usually I end up explaining to the journalist how none of the security products we use will ever be perfect because they are all point solutions ignoring the real problem: Most hackers and malware spreaders never get caught. If hackers and malware writers knew we could catch them most of the time, we wouldn’t even need anti-virus software or firewalls, because our security threats would be almost gone.
This is analogous to speeding on the highway. Nearly everyone speeds on the highway because few speeders get caught. But if every speeder got a ticket every time (think ticket-cams), you’d see all drivers slow down.
The real computer security problem is a lack of persuasive authentication. If the Internet allowed default authentication and accountability for every packet and every program, from source to destination, hacking and malware would stop overnight. In a better world, if someone sent me a malicious program, I could track it back not only who sent the program to me, but who sent the program to them, and so on … back to the original creator, with nearly 100 percent certainty. Hacking would cease to exist.
It’s not as if this idea is unknown to the world. Many security solutions attempt to tackle authentication: PKI, S/MIME, PGP, ActiveX, smart cards, network access control solutions, etc. But each of these is only point a solution, tackling a particular part of the problem but not every possible scenario.
Lots of people are trying to build a holistic solution, but persuasive authentication isn’t easy or fast to accomplish. The Trusted Computing Group’s open standards are a good place to start. They offer guidance to computer device manufacturers and software developers attempting to build in default trust and authentication.