We got the security we asked for.
'And, so far, I have to say, people seem to be liking the iPad. We are selling an iPad every 3 seconds.'
I remember all too vividly sitting with Sheila Brand and Marv Schaeffer in my conference room at 44 South Broadway in White Plains, trying to convince them that if DoD really wanted a B1 system from IBM, they should allow us to build it on the AS/400 platform where, among other things, object classification labels would be reliable. They insisted that they needed something that would run the MVS job stream. We were unable to convince them that was an over-constrained problem, that any system that could do that would, of necessity, be too open to be "secure" in any meaningful sense.They said that they understood that there would be compromises. They went back to Washington and put so much pressure on their contractors, and indirectly on IBM, that we succumbed.
The results were bitter. We devoted an entire annual release of MVS to building a B1 candidate and a lot of money getting it certified. When we announced the results at SHARE, the reception was enthusiastic but the demand was far less so. Marv Schaeffer was in the audience at the National Computer Security Conference when I announced that I had been heartened to hear that demand for the product was up by fifty percent until I was told that that was from 2 to 3.
The issue was never about security but about magic. It was about security at no cost. This was not unique to DoD. At every inflection point we have chosen open, popular, backward compatible, and cheap, over closed and secure. How else does one account for the popularity of Android, particularly among geeks? Not only do they prefer Android to iOS but they heap scorn and vitriol on Apple for keeping iOS closed.
One is reminded of Helen Custer's wonderful book describing wonderful Windows NT security. I thought "Right! Now they've got it!" Of course, when Microsoft realized that it would not be open to legacy apps, games, and outside provided device drivers, the security architecture was first ruptured and then scrapped. Today few Windows systems are operated in a manner that is as secure as Windows allows.
I think that the Internet began with the permissive rule, in part, because of a lack of imagination: no one was able to envision its success or importance. Perhaps, in part, because the rule was necessary to its adoption. Clearly one reason that TCP/IP drove SNA/SDLC from the market place was that it was an open architecture and an open implementation.
All that said, the Internet is sufficiently secure for most of its applications. If this were not so, we would not be doing them. That is not to say that it is secure as it might be. Harry DeMaio liked to say that "Doing business on the Internet was like doing business in Times Square: while there is some business one would not like to do there, clearly a lot of business is done there." On the other hand, a lot of fraud occurs in the private offices of Wall Street. That is to say, all security and trust do not come from the environment.
Some trust comes from the reputation of one's trading partners. When doing business on the Internet, I prefer to do business with the same firms that I have always done business with on the street, by phone, and by mail. These include American Express, Merrill Lynch, Fidelity, and Brooks Brothers. There are exceptions. I hold stock in Apple, Amazon, and eBay/PayPal. No matter who you are, I am more likely to do business with you if you will accept payment from them. Said another way, when doing business on the Internet, I rely upon the brand and compensating controls offered by my partners, not the Internet itself.
While my partners do make some attempt to ensure that transactions in my name actually originate with me, few offer the authentication that I would like. (PayPal, Google, and DropBox are notable exceptions.) Therefore, I do not rely exclusively on the authentication mechanism but check the confirmations and statements that I receive from them out of band. I like that American Express will let me choose, by type or size, which transactions they will confirm out of band.
I find Apple's experiment with iOS very hopeful. Unlike Google (Android) and Microsoft (Windows Mobile), Apple was willing to forgo backward compatibility. They are coming up on a million purpose built apps, from scratch, and in less than five years.
I like Google's out-of-band authentication scheme and Verisign's scheme that turns every iOS or Android device into a one-time-password token. Given that anyone can license these for pennies per transaction, session, or file, that they scale from very small to very large, that they resist credential replay attacks, and that users can opt in or out, that they are so sparingly offered and sparsely used supports my thesis. So does the fact that almost any system can be compromised by a bait message that appeals to some user's greed, lust, sloth, or even curiosity.
Security in the Internet will never be better than the absolute minimum we can get away with. It will never be quite as good as it should be or as we know how to make it. While that will be good enough for most of its applications, we will continue to use it for some applications for which it is not safe. No matter, how good a job we do, there will always be breaches. Get over it. Collectively that is how we chose it and continue to choose it.