Security systems are complex things.
Recently a flaw was found in the popular encryption program PGP. What's interesting about this flaw is that it's not a problem with the code system. As far as we know, no one has found an easy way to crack the codes that PGP uses.
The flaw is more closely related to trust issues. Essentially PGP was too trusting about public keys, the files that a person distributes publicly so that anyone can send that person encrypted email or files. In a worse case scenario, this could mean that a second person could secretly read the PGP user's encrypted files.
The important lesson here is not that PGP is flawed--PGP has withstood the scrutiny and testing of thousands of programmers and computer scientists. The important lesson is in how we evaluate security systems.
When it comes down to making decisions, today people tend to prefer to have numbers. This is especially true for business. As a society, we like the simplicity of comparing a few numbers--such as a computer's processor speed--and then choosing the best. Lately there's a lot of this happening, especially with encryption.
We all know that 128 bit encryption is better than 56 bits. That's what it all seems to be about--numbers. But the unfortunate thing is that the numbers are a small part of the game. A bad code (or cryptographic algorithm) with a long, 128 bit key is still insecure. And even strong codes don't guarantee security.
In Bruce Schneier's book Applied Cryptography, he points out that government agencies--let's be clear here, we mean spies--don't usually have to bother trying to break the other guys' codes. Instead, it's a lot easier to attack the way the codes are used. In the spy world, often this might mean attacking the actual people who use them.
Back in the everyday, non-spy world, the approach is similar. Servers with otherwise good security can be broken because of a poorly chosen password. Inexperienced system administrators can make decisions that open up a system to attack. Often attackers have even been known to use con artistry to exploit the human weaknesses in the system.
Even large companies are not immune. Netscape had to fix its browser security a few years ago when college students discovered they could guess its secret keys: the program wasn't choosing them randomly enough. The code was secure, but not the implementation.
Microsoft also had to face some problems with its PPTP system. It was yet another case of secure codes being implemented insecurely.
Security systems are complex systems, and will probably always remain so. While it can be tempting to rely on impressive numbers, buzzwords and company names to choose a good security system, that's just not enough. Security systems require expertise and continual diligence. You can be assured that a flaw will be found--the question is how quickly you will fix it.
There's no magic solution for security. It's just a matter of constant work.
The good news? If you keep ahead of the game, you'll probably be okay.