I’ve been meaning to post this for ages – Marus Ranum on why information security is an abject failure. And he’s right – the problem is the complexity of todays interactions, both at a protocol and language level.

To me, the problem is one of failure of KISS (Keep It Simple, Stupid). Applications and protocols haven’t been, and we’ve had more tacking together of technologies, and expansion of complexity of everything.

I mean, consider what languages you needed to know 10 years ago, and now:

Then:

HTML 3.2, JavaScript maybe, Perl if you’re brave, SQL if you’re a hero.

Now (Microsoft Stack only):

HTML 3.4, 4 (various favours), XHTML, XML, XSL, XPATH, JavaScript (much more complex), ASP.NET 2.0, C# or VB, .NET frameworks 1.1, 2, 3 and 3.5 (soon), ADO, SQL, CSS, ‘AJAX’

That’s just the languages and base technologies – never mind getting into a higher level of software (e.g. SharePoint). Or non-MS technologies – Ruby, Rails, Python, Java in various forms…

It’s similar in protocols…

Then:

HTTP, HTTPS, FTP, SMTP / POP

Now:

HTTP, HTTPS, FTP, SMTP / POP, SOAP, Web Services (plus various extensions), IMAP, Various Peer-To-Peer protocols, Various Instant Messaging protocols

(Yes, those are fairly high level, and from different levels of the stack – but still, you’re expected to know about them.) (And yes, I suppose you’d need to know a bit about TCP/IP and IPSEC)

Does that sound simple? Does my granny skateboard?

(Well, no, but that would be so cool).

Security will be impossible with such a complex, varied stack of technologies, and developers simply won’t be able to specialise enough to know how to make secure enough applications. It alarms me how wrong people are getting password storage alone – I mean, this stuff has been known since the 70’s. If they can’t get that right, how will they manage with a such a deep and varied set of tools?