Friday's post about security blogs apparently contained a bit of unintended controversy.
When describing Bruce Schneier's blog, I said "I don't agree with a lot of what he says". Apparently this is heresy in some parts, although I don't understand why. Bruce is unquestionably a very, very smart man (and an excellent writer, I simply loved Applied Cryptography), but he's no Chuck Norris 🙂
On most topics - security architecture, crypto design, threat analysis, etc. - Bruce is remarkable. I find most of what he writes to be insightful.
But Bruce seems to have a complete blind spot when it comes to Microsoft. To my knowledge, even though essentially every other serious security analyst has acknowledged that Microsoft has done a staggering amount of work to improve the security of its products, Bruce still maintains that Microsoft has no clue when it comes to security. That stings.
The #2 hit in a search for "Bruce Schneier Microsoft" is http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1011474,00.html, which includes: "Microsoft is certainly taking it more seriously than three years ago, when they ignored it completely. But they're still not taking security seriously enough for me. They've made some superficial changes in the way they approach security, but they still treat it more like a PR problem than a technical problem." This couldn't be farther from the truth (the #1 hit is Schneier's FAQ about the PPTP analysis he did, where he neglected to acknowledge the work that Microsoft did to rectify the issues he found after his analysis).
And then there was this gem (from February of this year): http://www.schneier.com/blog/archives/2007/02/drm_in_windows.html. He took Peter Gutmann's article and accepted it as the gospel truth, even though Gutmann had absolutely no factual basis for his speculation - Gutmann hadn't verified a single one of his claims; heck, he hadn't even installed Vista at the time he wrote his paper.
On the basis of one paper from someone who had never even RUN Vista, Schneier leapt to the conclusion that Microsoft had embedded DRM into all levels of the operating system and that was a reason to avoid Vista.
For the following 5 paragraphs, please note: I AM NOT A LAWYER. I AM NOT GIVING A LEGAL OPINION, THESE ARE JUST MY THOUGHTS.
I also believe that he hasn't fully thought out his position on holding companies financially liable for the security holes in their products. At first blush his idea is attractive, but I firmly believe that the consequences of his idea would totally destroy the Internet as we know it today.
It's also entirely possible that it would kill the open source movement (talk about unintended consequences). Let's say a security vulnerability is found. If the vulnerability is in a closed source product (or in proprietary code), then the corporation would be the only one that could be held liable for the damages - the individual developer would be protected by the corporate liability shield.
But for open source projects, often there is no such corporate liability shield (I could imagine scenarios where a corporate liability shield might apply, but I don't think they apply in general). So who pays up if a vulnerability is found in an open source project? The only likely target is the individual developer (or developers) who introduced the defect (I suspect that those involved in the distribution that contained the vulnerable code would also be targeted).
This means that it's highly likely that the individual contributors to open source projects would be held personally financially liable for security vulnerabilities they introduce. So to contribute to open source projects, you'd have to have many millions of dollars of personal liability insurance (or run the risk of financial ruin if a mistake is found in your code). That is highly likely to stifle the open source movement, and there's no easy way to work around it.
It's also likely to decrease the likelihood that a corporation would adopt an OSS solution. Consider the situation where a bank (or major retailer) is worried about having its customer records hacked. Since the bank/retailer is going to be held responsible for its security breaches, the bank/retailer has to factor in that risk when it chooses a vendor for its database solution. If the bank/retailer thinks it can sue the software developer who developed the database solution in the event of a breach, and it has two choices for a database vendor - one developed by a bunch of people who don't have any real assets, the other from a company with insurance and assets - it would be crazy to choose the one where you have no one to sue.
Those are a couple of reasons why I disagree with Bruce Schneier on occasion.