Apr 9
Many people get discouraged when you talk about security because so many popular approaches to security fail. They just fail. For example, there’s security by inconvenience, which I’m sure you’ve seen practiced at the airport where they put us in corrals like cattle and run us around. It’s proven that that is not an effective security mechanism, but they do it anyway because we’ve got to do something; we have to at least put on a show that we’re making you safe. That makes people feel better, so it accomplishes that — maybe — but not much else. We’ve tried security by obscurity, where you try to make your system so complicated that the attackers can’t understand it. That doesn’t work. We’ve seen people try to inject speed bumps into the information superhighway with the thinking that’s going to slow the attackers down — it doesn’t. We’ve seen confusion of security with identity, that if we know who wrote the code then that tells us something about how safe it is to use. That turns out to be completely useless. What we’re left with is security by vigilance, and that doesn’t really work either.
Douglas Crockford about security approaches