2007-05-07
What computer security is
There is a vital thing to remember about computer security: security is not math, security is people. Thinking that security is math gets you mathematical perfection and white hot disasters.
(These disasters happen for much the same reason that firewalls are dangerous: people think that they are completely protected once they have math on their side and thus don't take any further precautions.)
You can create the most mathematically perfect computer security system known to humanity and people will misuse it, or bypass it. If you make it impossible to bypass, you will sooner or later discover that all actual work is being done on people's personal laptops, passed around on USB keys, and only enters your perfect system when someone needs to file an archival copy (assuming they remember to).
(This is true of any cumbersome system, of course. People are lazy and so are very good at getting their work done in the most efficient way, without much concern for the larger picture.)
The near stranglehold that math has on computer security is very unfortunate. We would probably all have much more practically secure machines if computer security was considered a subfield of human factors research.
One corollary: anything involving people involves compromises. Real security is not mathematically perfect. It is better to have a usable but somewhat flawed security system than a flawless one that is unusable in practice because it is too complex and unwieldy.