Confusing Control with Security
Bruce Schneier and Marcus Ranum speculate in a recent post about the state of security in ten years. Their forecasts are as much a comment on how things are done now as on how they will be done in the future. One of the most insightful points is made by Schneier on the difference between security and control.
I'm reminded of the post-9/11 anti-terrorist hysteria -- we've confused security with control, and instead of building systems for real security, we're building systems of control. Think of ID checks everywhere, the no-fly list, warrantless eavesdropping, broad surveillance, data mining, and all the systems to check up on scuba divers, private pilots, peace activists and other groups of people. These give us negligible security, but put a whole lot of control in the government's hands.

Computing is heading in the same direction, although this time it is industry that wants control over its users. They're going to sell it to us as a security system -- they may even have convinced themselves it will improve security -- but it's fundamentally a control system. And in the long run, it's going to hurt security.
The problem with control is that circumventing the control system leaves systems vulnerable, and if you aren't watching for problems, you don't see them coming until it is too late.
Once you figure out how to hack the control system, you're pretty much golden. So instead of a zillion pesky worms, by 2017 we're going to see fewer but worse super worms that sail past our defenses.
Control systems are that elusive silver bullet of security. We all want a fix that is easier and more effective than the methods we have today. We're not going to get it. As Schneier and Ranum point out in their piece, complexity and poor practices are threats to security.
Ranum closes with a final point that includes:
Because real security is not something you build -- it's something you get when you leave out all the other garbage as part of your design process.



