With recent high-profile hacks and “lulz” going around, there has been a marked level of discussion about whether these attacks are useful or damaging, what security is, and why it is failing or not failing. Most of that sort of discussion eventually makes my head hurt, but if there’s a blog post worth reading, it’s “Take a bow everybody, the security industry really failed this time,” by David Maynor over at Errata Security. I wanted to quote something from it, but the whole thing is quotable and discussable.
So, has the security industry failed? I’m not sure. I’m pretty sure the “real” talent in the security industry knows the problems and knows how to fix specific problems, but as Maynor illustrates, these are often just not listened to for various, ultimately economic, reasons.
Is this a problem of the security industry, however? Certainly not entirely. I mean, what are you going to do when someone doesn’t have the budget to stop your extravagant attack? What can security do when companies like Ligaxx and SecuxxxxMetxxxs.com do crap work (if work at all) and still get attention because the customer doesn’t know better?
I’ve long said it, but finally the mainstream media is latching onto the infinite amount of drama that can be found in corporate and public digital security. In other words, security won’t ever be perfect. There will always be incidents. This means there will always be a fail, which means there will always be juicy, sensational bits of news to throw out. (Granted, my opinion would be even more cemented if any of the recent examples had been really damned good with their security…)
In the end, I really think lots of things are failing, and there’s really no answer to fix it.
Perhaps “security” needs to stop looking beyond its own borders. When we talk about security on a global level, ultimately there is nothing to feel good about. When we talk about security in a single organization, you can actually accomplish some damn good stuff.
Perhaps this is a problem illustrated by a three-way tug-of-war. Security vs economics vs convenience. With other actors thrown in, like consumers, greed, knowledge, and so on. There’s just no win there, only various points where everyone is somewhat satisfied according to their own situations.
Perhaps, perhaps. Anyway, I have no answers here. I’m still trying to frame my perspective on things. It’s like not knowing if you like a sculpture or not, because you’re still trying to figure out how to properly look at it, what lighting, what angle.
I just know there’s a heck of a lot to be excited about and a heck of a lot to be upset about. And that itself is exciting and upsetting! (At some point, the disturbing vision of jerking off gloriously while sobbing in utter despair occurred, and that’s just not right at all. Yet I felt compelled to share it…hey, I’m in security, I’m not well in the head by default!)