Thursday, February 26, 2004

Security Guru Unmoved by Gates' RSA Remarks:
"Schneier's Gates comments followed some anecdotes about how everyone can help solve the security problems facing all enterprises. 'Get involved,' he said. 'That's how we make changes. Otherwise security is something done to us.'

Most security systems affect multiple parties, he explained, but usually only one person makes the decision about how security is implemented. 'At this point it's a negotiation. The players with most power are the ones who get to decide what the final answer is,' Schneier said. 'The best way to effect security is to gain power in negotiations. The best way is to change the environment in which security decisions are being made. Change the agenda of the players. Change the outcome.'

Every person has to make security work for himself, he said. 'The goal of security systems is the most security for the least amount of trade-offs. The way to do that is to make the party who is best able to mitigate the risk responsible for the risk,' he said, saying that computer software companies at this point do not share in the risks of software security or insecurity. "

Schneier said one of the best and simplest "security systems" he's seen is the local convenience store or fast food restaurant that displays a sign at the cash register that says, "Purchase free if you don't get a receipt." The system is not designed as a customer service, as it may appear, he said. Rather, it's a means of co-opting the customer into keeping an eye on the store employee who may be suspected of skimming from the cash register. Nevertheless, the customer will be watching if he knows he could get something for free.

"Good security systems are in line with their capabilities," he said. "The store manager is hiring you, aligning your interests with your capabilities. Very cheap security system. For the money it's really good. That's what we should strive for in security systems. The goal is to make them as effective as possible and work with the natural tendencies of people already there."

http://www.eweek.com/print_article/0,3048,a=120200,00.asp
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)