"I've written again and again how measures like two-factor
authentication aren't going to make electronic banking any more
secure. The problem is if someone has stuck a Trojan on your computer,
it doesn't matter how many ways you authenticate to the banking
server; the Trojan is going to perform illicit transactions after you

"It's the same with a lot of our secure protocols. SSL, SSH, PGP and
so on all assume the endpoints are
secure, and the threat is in the communications system. But we know
the real risks are the endpoints.

"I'm reminded of the post-9/11 anti-terrorist hysteria -- we've
confused security with control, and instead of building systems for
real security, we're building systems of control. Think of ID checks
everywhere, the no-fly list, warrantless eavesdropping, broad
surveillance, data mining, and all the systems to check up on scuba
divers, private pilots, peace activists and other groups of people.
These give us negligible security, but put a whole lot of control in
the government's hands.

"Computing is heading in the same direction, although this time it is
industry that wants control
over its users. They're going to sell it to us as a security system --
they may even have convinced themselves it will improve security --
but it's fundamentally a control system. And in the long run, it's
going to hurt security."
-- Bruce Schneier,
"Security in Ten Years" (a conversation with Marcus Ranum)