moria.org.uk

Wed, 14 Dec 2005

Fire and Flood

Note to self: make sure all equipment in the machine room at work is above floor level. One of the hazards of basement machine rooms…

[09:03] | [/computers/security] | #

Sat, 12 Nov 2005

Sony DRM

It is a good rule of thumb that, if you know little about a subject, you should buy quality — buy from a big name. That's why people buy HP computers from Dixons: people who don't know anything about computers can always buy from them and be fairly assured that they will get a working system. Only the geeks like me are going to build from parts, reuse scavenged parts thrown out from work, and buy components from suppliers listed in the small ads — at least, it's only the knowledgeable that can do so safely. It's the same in most things: novice stock market investors should buy Shell, and not Lastminute.com; non-mechanics shouldn't buy cars that "need work". You don't get bargains by buying safe. But the world is a market, and if you try to get a bargain when you don't know the goods, the odds are that the people who do know what is what are the ones getting the better end of the deal.

All the big-name companies have to do, to keep the privileged position of being the company that the clueless go to, is get and keep a reputation for being honest sellers and providing working, safe kit. So what to make of Sony's rootkit-infested CDs? Surely, with all the ad campaigns about pirate CDs being poor quality, no support, risk of viruses etc, the one thing you don't want to do is give genuine CDs a reputation for having viruses, since that immediately removes the "reasonable argument" basis for buying genuine CDs: the reason (apart from the law) to buy genuine is that you get a safe, clean, no-problems product. Or it was. Who is ever going to buy a DRM-protected CD from Sony again? Who is going to agree to a EULA from a company that has shown it uses the permissions granted to detrimentally tamper with your computer? And used the fact that the users don't know what it is doing as an excuse? With this making major news outlets like the BBC, whatever made them think that tampering with people's PCs would be acceptable?

But enough ranting; the above is obvious to anyone reading the case. This is just an excuse to pile in on boosting the Google ranking of Russinovich's blog post — now up to the 13th hit for Sony on Google!

[15:51] | [/computers/security] | #

Thu, 20 Jan 2005

Secrets and Lies

I just finished reading Secrets and Lies. Probably, having worked in IT security for approaching 5 years, I should have read it sooner. I wasn't that impressed by the bulk of the content, though, as it is clearly aimed at a less technical audience (the Star Wars analogy is a rather feeble twig offered to the techies), and it offers mainly criticism and very little constructive advice. In fact, most of the book is about the inevitability of endless security problems that will never be prevented.

But at the end it was redeemed by Schneier admitting that he felt the same about it — he simply realised that there was no hope to offer. Essentially, the book is good at explaining why there are problems, bad at explaining any way of dealing with them, and therefore good at advocating the important and inevitable alternative:

In this book Schneier is certainly in fear-uncertainty-and-doubt mode — and doing a better job as a self-publicist than a security advisor. But it's an excellently written book from the point of view of raising the problems with a non-technical audience, and I'm very glad to see such an influential book taking time for well-written defences of important concepts like open source, full disclosure, and the value of anonymity. Essentially he is arguing that perfect security is hopeless: but we shouldn't worry about it, instead just balance the risks and ensure that no individual person or company bears too much risk on their own. Provided the credit card industry can cover the fraud out of set-asides from their transaction charges, who cares if credit card numbers are stolen occasionally?

[21:17] | [/computers/security] | #

Colin Phipps.