Security expert Bruce Schneier grabbed the headlines with his comment, "A lot of the software on this show floor is just snake oil...", referring to the Infosec security show in London.
He said it in the context of his remark, "Anti-virus is easy. Anti-virus products actually work."
The phrase "snake oil" is too sensational a phrase and I'm disappointed in him for saying it. It implies a lot of the software vendors are incompetent and simply out to cheat their customers, fly-by-night charlatans. They are not.
There are several definitions for snake oil, but the theme of all of them is:
- something of little or no value,
- misrepresented,
- with the intent to deceive.
Schneier would read these three points and say, "Aha! But I'm right on all three!" I don't doubt he could go from booth to booth at any Security trade show and poke holes in the products, building an argument that they have (or will have) "little or no value". I'm sure he could be doctrinaire and find enough of a gap between function and marketing to label "misrepresentative". He could then say that if the vendors know about the imperfections and their sales sound bites are too simplistic, then that constitutes an intent to deceive. Rubbish.
Those in the Security industry and those who keep themselves informed know that Information Security is a very complex problem. Bruce Schneier learned this in his career. In the 90s, Schneier learned that Cryptography was the simple part, building a secure system that used Cryptography was the really hard part. I agree with him when he says that anti-virus does the easy part, but someone has to attack the harder problems. The result is security products that work until the criminals look for and find ways around them. When that happens, the security vendors catch up and deliver a new product that works until the criminals launch a fresh attack. Were the security vendors incompetent? No, they did the best they could to solve one part of a hard problem. Was there an intent to deceive? No, they know the war is not won. Do they create the problem? No, criminals do.
A fairer comparison is to the medical industry. Consider any of the many horrible diseases that threaten humanity and look at the response of medical researchers and companies. With no cure for AIDS in sight, drugs are found that lessen symptoms and prolong life. It would be plainly cruel to scorn this work by calling it "snake oil". When diseases became resistant to common drugs, no rational person claimed those drugs were snake oil.
I have been a security developer for a long time now. I've worked for several security companies and met with people working in many, many more. I know the mindset, the work ethic, the game plan. Each company wants to ship a better product than the other because that's good business. That's how you make money. Each company wants their product to be chosen, so, like writing a resume, they put the best face on it and use comparison charts to show how they are the best. Rarely have I encountered a security product that deserved the name "snake oil", and the companies that shipped it did not last.
That, Mr. Schneier, is how capitalism works.