A panel discussion involving a group of experts held during DEMO '06 in Phoenix last week concluded that the state of security today is not where it should be. But the panelists also had suggestions on how to improve it.

During the conference, which is owned by Network World, former IBMer and consultant John Patrick called together a panel of industry and academic figures to try to answer the question, “Will the good guys be able to stay ahead of the bad guys?” But first Patrick asked the panel to assess the current state of security, and the responses showed that the good guys aren’t necessarily ahead of the bad guys to begin with.

“The state of security is terrible… absolutely abysmal,” said Hilarie Orman, former research scientist and onetime member of DARPA’s Information Technology Office, now CTO and vice president of engineering with Shinkuro, which makes file-sharing software. “It’s difficult to argue there’s a good state of security right now.”

Another panelist reminded the audience that there’s no such thing as perfect security. “It’s a cat-and-mouse game” that the industry plays with hackers, “but we need to bring [the threat] down to a level where we can live with it,” said Partha Dasgupta, an associate professor with Arizona State University’s Fulton School of Engineering.

The good news, according to another panelist, is that at least the industry and users are beginning to think about security, but it is harder to retrofit security onto hardware and software that has already been built. Nonetheless, both enterprise and consumer products need to find a balance between being secure and being useful, said Charles Palmer, manager of the security, networking, and privacy departments at IBM’s Thomas J. Watson Research Center. “If [security] makes the system really hard to use or is done wrong, you’ve got a brick,” he said.

One possible solution to the rash of identity theft that has broken out of late is biometrics, where computers scan a finger, face, retina, or other part of the body and save that image for authentication. The problem with biometrics, the panel agreed, is that once a thief learns how to reproduce a fingerprint, the owner can’t change the original.

New technology is being developed that doesn’t actually take a picture of the finger but records a small set of measurements of the finger’s characteristics, said Palmer, who added that 4% of the population can’t produce good fingerprints and that pineapple juice can temporarily remove a person’s fingerprint.

Another promising area is challenge-response biometrics, said Dasgupta: instead of matching a spoken word or phrase against a previously recorded one, the phrase is changed every time, so a thief can’t record the phrase and replay it over and over to gain access to protected data. “That’s much more sophisticated, and much more complicated,” he said. Fingerprint biometrics are the best bet at the moment because the technique has been in practice the longest, Dasgupta said.

Another technology that can help improve the current state of security is encryption, the panelists agreed. However, most people don’t know how to use it, and even when it is employed it is poorly managed, Orman said.

“Encryption does protect data,” said Orman. “The weak point in this is almost always key management. Even when data’s been encrypted, someone can find the key, since key selection and protection is so bad… usually the key is lying around somewhere.”

“The problem is at the end points,” added Dasgupta. “When you’re using encryption, you have to encrypt at one end and decrypt at the other.”

Another point of agreement among panel members was that security needs to be part of a new application or operating system from the beginning – not an add-on or afterthought. “We continue to build systems without thinking about security from the beginning,” said Palmer. “What developers really want is [a tool that] looks at code and tells you if it’s evil, and that’s impossible.”

“All code is evil, let’s face it,” retorted Orman, drawing chuckles from the audience. “It’s been interesting watching the evolution of network security protocols; it’s very difficult to change them” at this point, she said.

Patrick asked the panel if mobile devices were a particular security risk. Technically speaking they’re not, said the panel, but it’s the way people use them today that creates vulnerabilities. Good security “requires you to take your Blackberry and type your password in every time you open it,” Palmer said.