Decius wrote:

Calling the whole industry out on the table is a classic method of self promotion in the security industry. Imagine if I wrote the same article about healthcare.

I had a similar reaction. This article reached me by word of mouth; a colleague brought it up in the browser to show me, and before we'd paged past the first screenful, my reaction was, "so what's this guy selling?" My analogy was to "peace", which I still prefer to the "disease" analogy, for some of the reasons k pointed out, and for others, but your riff does illustrate how easily criticism slips into hyperbole.

Computer security professionals will never "solve" crime because it's not a technical problem and it doesn't have a "solution."

This observation dovetails nicely with my "peace" analogy.

Certainly, new thinking is needed and welcomed. There are fresh ideas and strategic changes that will have a huge impact that are still waiting for the right person to find them. But an honest way to pursue that is to talk about the ideas. Calling the whole security industry a failure isn't about new ideas, it's not true, and it's not useful.

So, this guy doesn't have the new ideas. One might conclude the supporters are just jumping on the bandwagon because it makes good press. It might be insightful to survey the reactions and see how they split between "yeah, what he said!" and "here's an idea."

Naturally the as-yet-unpublished Part II is where the author swoops in to save the day with his ingenious "solution."

My sense is that this article follows a common dialectical analytical pattern; I am reminded of Nicholas Carr's "IT Doesn't Matter" from 2003, although this security piece is not as well crafted. Previous Memestreams references to the Carr piece: 1, 2, 3, 4.

RE: Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.