Essays: 2002 Archives

Should Vendors be Liable for Their Software's Security Flaws?

  • Bruce Schneier
  • Network World
  • April 22, 2002

Network security is not a technological problem; it's a business problem. The only way to address it is to focus on business motivations. To improve the security of their products, companies - both vendors and users - must care; for companies to care, the problem must affect stock price. The way to make this happen is to start enforcing liabilities.


Results, Not Resolutions

A guide to judging Microsoft's security progress.

  • Bruce Schneier and Adam Shostack
  • SecurityFocus
  • January 24, 2002

Last week, Bill Gates published a company-wide memo outlining a new strategic direction for Microsoft. Comparing this to the change when the company embraced the Internet, Gates elevated security to Microsoft's highest priority. By focusing on what he called "Trustworthy Computing," Gates plans on transforming Microsoft into a company that produces software that is available, reliable, and secure.

"We must lead the industry to a whole new level of Trustworthiness in computing." - Bill Gates internal memo, 15 January 2002.

Trust is not something that can be handed out; it has to be earned.


Con: Trust, but verify, Microsoft's pledge

  • Bruce Schneier
  • CNET
  • January 18, 2002

Microsoft Chairman Bill Gates should be given credit for making security and privacy a top priority for his legions of engineers, but we'll have to wait to see if his call represents a real change or just another marketing maneuver.

Microsoft has made so many empty claims about its security processes--and the security of its processes--that when I hear another one, I can't help believing it's more of the same flim-flam.

Anyone remember last November when Microsoft's Jim Allchin, group vice president, said in a published interview that all buffer overflows were eliminated in Windows XP? Or that the new operating system installed in a minimalist way, with features turned off by default?


The Case for Outsourcing Security

  • Bruce Schneier
  • IEEE Computer
  • 2002

Deciding to outsource network security is difficult. The stakes are high, so it's no wonder that paralysis is a common reaction when contemplating whether to outsource or not:

  • The promised benefits of outsourced security are so attractive. The potential to significantly increase network security without hiring half a dozen people or spending a fortune is impossible to ignore.
  • The potential risks of outsourcing are considerable. Stories of managed security companies going out of business, and bad experiences with outsourcing other areas of IT, show that selecting the wrong outsourcer can be a costly mistake.

If deciding whether to outsource security is difficult, deciding what to outsource and to whom seems impossible.



Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.