I couldn’t believe my eyes when I saw Schneier’s latest post. With all my respect, I think that he tried to say something but eventually came up with something else that sounds horribly wrong. I usually don’t get into flame wars, for obvious and quite practical reasons, but here I would like to share my view on the matter. I will break the entire post down into separate Q&A sections so it is easier to comprehend.

Will I be secure if the software is written with security in mind?

No! No matter how secure software is, it can be broken into. Forget about buffer overflows and injection issues. Think of being legitimate. The easiest way to break into someone’s computer is to try combinations of various usernames and passwords. The guessing may be harder, but it is not impossible.
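The point above is that a login with a guessed password looks, to the software, exactly like a legitimate one, so the place to catch it is in the authentication logs rather than in the code. As an added example (not part of the original post), here is a small detector that reads sshd-style log lines and flags a source address that produces a burst of failed logins, and, more importantly, a successful login that follows such a burst. The log lines, hostnames, usernames and addresses are constructed for illustration; the threshold and window are assumptions, not values recommended by the post.

```python
"""Detect credential-guessing bursts in sshd-style auth logs.

Added example, not from the original post. The log lines below are
constructed: the format mimics OpenSSH's "Failed/Accepted password"
messages, but the host, users and addresses are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-style, year omitted as sshd does).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:02 host sshd[4102]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:00:03 host sshd[4103]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
Mar  3 10:00:04 host sshd[4104]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
Mar  3 10:00:05 host sshd[4105]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 10:00:09 host sshd[4106]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar  3 10:05:00 host sshd[4107]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar  3 10:05:30 host sshd[4108]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2024):
    """Parse one log line into a dict, or return None for lines we do not
    recognise. The year is assumed because syslog timestamps omit it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return findings in log order.

    A 'burst' finding is raised once per source IP when it reaches
    `threshold` failed logins within `window`. A 'success_after_burst'
    finding is raised when that IP then logs in successfully while
    failures are still within the window: that is the login that looks
    legitimate to the software but is the one worth waking someone up for.
    (threshold and window are assumed tuning values.)
    """
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)  # ip -> timestamps of failures inside the window
    flagged = set()               # ips already reported as a burst
    findings = []
    for e in events:
        ip = e["ip"]
        # Drop failures that have aged out of the sliding window.
        recent = [t for t in failures[ip] if e["ts"] - t <= window]
        failures[ip] = recent
        if e["result"] == "Failed":
            recent.append(e["ts"])
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append({"kind": "burst", "ip": ip,
                                 "failures": len(recent), "at": e["ts"]})
        elif e["result"] == "Accepted" and ip in flagged and recent:
            findings.append({"kind": "success_after_burst", "ip": ip,
                             "user": e["user"], "at": e["ts"]})
    return findings


if __name__ == "__main__":
    for f in detect_guessing(SAMPLE_LOG):
        print(f)
```

Run against the constructed log, it reports one burst from 203.0.113.7 and then the successful root login from the same address four seconds later; alice's single typo followed by a good login is not reported. A real deployment would feed this from the live log and act on the second finding (terminate the session, lock the account, alert), which is exactly the kind of work the rest of this post argues does not go away just because the software itself has no bugs.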

Will software ever be secure?

No! The further we go, the more insecure software will become. Have a look around you. What do you see? I see hundreds of companies getting their products out in just a couple of weeks of hardcore, agile development. Today software vendors have to be agile in order to win the race. They will produce even more software in less time. That, in general, leads to a lot of errors. Software vendors know that bugs exist, and they already have PR strategies to tackle them when they are discovered.

Is it possible for one vendor to solve all security problems?

No! Since Schneier is mentioning BT, let’s take them as an example. BT might be able to stop the majority of attacks that target their networks; however, they will stop only the script kiddies. If the attackers are determined enough, they will be able to bypass whatever restrictions are in place. Do not ever think that BT will handle the security for you. Think about it! Does your government handle the security of your house? There are laws to prevent the majority of crimes, but there is nothing that can stop someone from breaking into your house and trashing it completely.

Do We Really Need a Security Industry?

Yes! I know that. You should know that. Everyone should know that. If you believe that you are secure out of the box… come on… get real. This is madness. Nothing has changed since the beginning of humanity. Nothing will change until our end. Physical and IT security are quite similar by nature. I don’t think that we are going to get rid of the police and other public institutions ever. Why would it be any different for the IT industry?

This is all I have to say. I know that I sound a bit like a madman, but to me Schneier’s statement that we don’t need an IT security industry if software is secure out of the box is contrary to my way of thinking. I find his statement amusing but at the same time quite dangerous. Schneier is a well-known opinion maker, and as such he should be careful with the ideas he is feeding into the media. We still love you, Bruce.