Helthcare is different because when someones health is flawed, they can't be returned to the manufacturer. Parents, even in such cases where careful planning was involved, almost never have control over how their offspring's body will function. Technology on the other hand is engineered through conscious decision making. So, even though all the meticulous planning in the world will not create perfection, there will always be someone to blame. Health Care and disease prevention fall in the category of enhancing and improving upon nature. Security is about fixing and finding someones mistakes and bandaging the ones which can't. Man did not build nature. After all, gods can't be expected to be perfect, that's why we build machines.

Decius wrote:

I wrote up a long response to this yesterday and unfortunately I managed to accidentally kill the browser window. Calling the whole industry out on the table is a classic method of self promotion in the security industry. Imagine if I wrote the same article about healthcare.

Clearly, we have failed to solve the problem of disease! Healthcare professionals are responsible! They are complacent and lazy! Look at all the health problems we face! AIDS, Cancer, Heart Disease, Lung Disease, Polio, Black Death, the Flu! Look at all these poor people who have been impacted by these diseases! We're one random mutation away from a flu virus that will wipe out all of humanity! And the CDC has the audacity to not be in a permanent state of emergency! Why? Diseases are out evolving our protections and healthcare is inaccessible!

Would you take this article seriously? Would you agree that the entire healthcare industry is a failure? Would you stop going to the doctor because you figure its a big waste of time? Would you get mad at your doctor for being a complacent member of the healthcare industry?

In fact, there have been significant improvements in the state of the technical situation, due to things like more vulnerability research, automated patching, IPS technology, and exploit protection technologies. A vast number of problems have been solved. DOS attacks are much harder than they used to be. Worms don't propagate as well as they used to. Most modern attacks cannot be targeted. Trying to entice people to click on your evil web page is harder than owning their network directly. The directed attacks we see today are very sophisticated. Compare the complexity of the most recent sendmail bug to bugs in sendmail 10 years ago.

We're not done yet, but its ignorant to argue that nothing substantial has been accomplished.

Attacks are up because there are more financial motivations today then there were 5 years ago despite the fact that its harder to perform attacks than it was 5 years ago. Computer security professionals will never "solve" crime because its not a technical problem and it doesn't have a "solution." With respect to things like phishing attacks and consensually installed spyware, computer security professionals also cannot fix the reality that a fool and his money are easily parted.

Certainly, new thinking is needed and welcomed. There are fresh ideas and strategic changes that will have a huge impact that are still waiting for the right person to find them. But an honest way to pursue that is to talk about the ideas. Calling the whole security industry a failure isn't about new ideas, its not true, and its not useful.

RE: Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.