Peter Gutmann on Computer Security Mentality
Well-known security researcher Peter Gutmann has a draft of his book on Engineering Security available on his web page. He has a lot of good commentary about challenges that the security community is facing. So far, my favorite passage challenges the common mentality that security has to be 100% or it's just not worth having.
Engineering an effective security solution in the presence of security geeks is an extremely difficult problem... Consider as an example of this a world where no-one ever locks their front door when they leave the house, and someone suggests that fitting locks and actually using them might help in dealing with the spate of burglaries that have occurred recently. This would be totally unworkable. If you lost your key you’d be unable to get into your own house. Conversely, anyone who found it or stole it could now get in. For a house with multiple occupants you’d need to get a new key cut for everyone in the house, including any temporary guests who were staying for a few days. If a neighbour dropped by to return an item that they’d borrowed they wouldn’t be able to get in. If there was a fire then emergency services wouldn’t be able to get into the house to look for people who might be trapped there. Door locks are obviously completely unworkable, and therefore not even worth trying. Better to leave theburglars a free hand than to even attempt a flawed security mechanism of this type.