Δαφνη Ευτυχια Αρθουρος

"I've written again and again how measures like two-factor authentication aren't going to make electronic banking any more secure. The problem is if someone has stuck a Trojan on your computer, it doesn't matter how many ways you authenticate to the banking server; the Trojan is going to perform illicit transactions after you authenticate.

"It's the same with a lot of our secure protocols. SSL, SSH, PGP and so on all assume the endpoints are secure, and the threat is in the communications system. But we know the real risks are the endpoints.

"[...]

"I'm reminded of the post-9/11 anti-terrorist hysteria -- we've confused security with control, and instead of building systems for real security, we're building systems of control. Think of ID checks everywhere, the no-fly list, warrantless eavesdropping, broad surveillance, data mining, and all the systems to check up on scuba divers, private pilots, peace activists and other groups of people. These give us negligible security, but put a whole lot of control in the government's hands.

"Computing is heading in the same direction, although this time it is industry that wants control over its users. They're going to sell it to us as a security system -- they may even have convinced themselves it will improve security -- but it's fundamentally a control system. And in the long run, it's going to hurt security."

-- Bruce Schneier, "Security in Ten Years" (a conversation with Marcus Ranum) [ thanks to vvalkyri for linking to it]