1 Schneier: Why rubbish security products win out - Security - News - ZDNet Australia

Bruce Schneier

Linux.conf.au kicked off its main proceedings in Melbourne on Wednesday morning with a stark message from security guru Bruce Schneier: "When security companies give you cost justifications, they're complete bullshit."

Schneier, author of the books Applied Cryptography, Secrets and Lies and Beyond Fear and described by outgoing Linux Australia president Jonathan Oxer as "a walking security advisor on the entire human race", told a sold-out keynote audience that IT security planning is rarely effective because it fails to take into account the emotional considerations involved in security.

Most security products either address perceived gaps in security and provide an emotional sense of stability without actually doing much that is useful, or solve actual problems but don't impart the same sense of security, he suggested.

"You can feel secure even though you're not, and you can be secure even though you don't feel it," Schneier said.

"Making security trade-offs is something we do multiple times a day," he noted. "You'd expect human beings would be really good at making these trade-offs, but fundamentally we're hopelessly bad at it." The reason for that, he said, is that "we respond to the feeling of security rather than the reality".

Evolution means that pattern will be difficult to reverse, Schneier argued. "Our society is evolving faster than our species. Modern times are harder. Technology makes it harder, and the media makes it harder."

"People make the trade-off based on the feeling of security, not the reality. The economic incentives are for companies to make people feel secure. That's where you are rewarded in the market."

Drawing on George Akerlof's "lemons market" theory on the economics of information asymmetry, Schneier said: "In markets where the seller knows a lot more than the buyer, bad products drive out good products -- and this is very much the case for security."

One notable problem, said Schneier, is that return-on-investment calculations for security software often draw on rare and devastating events to justify their cost, an approach in which basic arithmetic is of little use.

"In IT, there isn't a lot of data -- this is one of the problems we have. You have to rely on emotion because we don't have the data. It's very hard to evaluate non-functional requirements."

Understanding of fundamental security principles also needs to dramatically improve, Schneier said.

"We know very little about software security. We can't even prove a program terminates, let alone that it's secure. We don't have a rigorous security methodology. It's going to be a long time before it can be applied to programs and systems and anything resembling actual commercial size."
