I recently mentioned writings by Marcus Ranum on "deep packet inspection" and related topics. This morning while browsing the firewall-wizards list I read a profound post by MJR. Here is the most powerful part:
"Basically, what's going on is that a lot of security practitioners are in the position of being asked to make something safe that is fundamentally dangerous. So we hide behind the notion of 'risk management' - basically the illusion that 'if we try hard to cover our butts it's less dangerous than otherwise.'
What that has accomplished is to create an environment in which security has NO CHOICE but to compromise because senior execs know that if they don't get the answer they want out of one security practitioner, they can keep asking until they get the answer they want out of another...
My feeling is that during the 90's we, as an industry, dug ourselves into a hole we're not going to be able to spend or risk manage our way out of. We did that by trying to deal with the 'real world' instead of demanding excellence, good design, and wise leadership."
Wow. That statement really made me question my role in the security industry and whether my contribution has been worthwhile.
For a sign that nothing has really changed in security, check out this thread from February 1998. It followed the release of a ground-breaking paper by Tom Ptacek and Tim Newsham. This seven-year-old thread is as applicable to the IDS vs "IPS" argument as any I've seen recently.