Friday, July 22, 2005

$3 Billion of Snake Oil

I will be presenting a talk at DEFCON next week, and I would appreciate any assistance I can get in the way of examples of wasted security dollars.

The title and abstract of the talk are:

The Information Security Industry: $3 Billion of Snake Oil
A raging fear of The Computer Evildoers has driven enterprises to the safety of the herd, buying whatever elixirs the big vendors peddle. Security consumers waste billions of dollars on ineffective (but well integrated!) solutions. However, as technology users grow more sophisticated about security threats (often learning the hard way), opportunities will surface for innovative startups to deliver effective IT survival mechanisms. This talk will review the industry's blunders and sources of opportunity.

So, please post or email examples of wasted security dollars, or opportunities you see for startups in data security today.

Thank you!


  1. Not an example, but supporting arguments on why there will never be such a thing as a perfectly secure system.

    Andrew Odlyzko on Economics, psychology, and sociology of security

  2. There are some good classical examples in "The Cuckoo's Egg" by Clifford Stoll. I don't remember the names of the companies, but a security company's computers were used by Russian spies to break into MILNET. It's a great true story. It's also a reason to never use Emacs and stick to vi.

  3. David,
    i. Current generation of silicon-based AV engines - great performance, very little security (you can just connect a wire and you get better performance - the highest possible - with almost the same level of security).
    ii. IPS systems (we talked about this one) - yet another "rule" (signature) based network security.
    iii. Outbreak management - some things are better prevented.
    Shlomo T.

  4. Anonymous, 1:21 AM

    Would VeriSign's purchase of Thawte (for a reputed $575 million ) qualify?

  5. Bruce Schneier of Counterpane has a newsletter called "Crypto-Gram". Go through early issues; you will find a gazillion examples of badly implemented (and therefore wasted) security.