Domain: ranum.com
Stories and comments across the archive that link to ranum.com.
Comments · 151
-
Re:Low hurdle
Marcus Ranum would suggest you shut Windows Update off, completely, and never turn it back on. Just use an ancient version of OpenBSD with no patches applied, running Apache from 1995. It's never had a security hole in anything because it doesn't suck.
-
Artificial Stupidity?
Don't confuse it with Artificial Ignorance
-
Re:Install a proxy
mod_security is a reactive security measure. It's blacklist based, which makes the classic error of attempting to "enumerate badness".
While it's great if you've identified an existing threat to an application you cannot properly secure, it does nothing to protect you against future attacks using less obvious techniques.
mod_security alone is not an adequate solution. It's still necessary to proactively write secure applications in the first place, which means making sure you're never allowing raw, unfiltered/unescaped user data into places where it shouldn't go.
-
Solve the EASIER problem. Known good.
http://www.ranum.com/security/computer_security/editorials/dumb/index.html
Why bother with anti-virus for the system itself? (Note: anti-virus is acceptable for mail servers or file servers.)
Instead, why not focus on identifying the known good code ... and quarantining anything else?
Maybe there aren't an infinite number of ways to obfuscate code (eventually your obfuscation would exceed the capacity of the local hard drive) but there are FAR more ways to obfuscate code so it bypasses the anti-virus scanners than there are bits of known good code.
I should be able to boot from some form of rescue CD with a HUGE list of filenames, checksums, etc. ... and what application they are associated with ... and validate every single file on a workstation. And then quarantine everything else so it can be manually verified.
There, even if you get infected, the disinfection is simple AND effective.
-
Re:PEBKAC
Wow, what bad advice. There have been zero-day exploits for all browsers. IE in protected mode in Vista is much more secure than a third-party browser.
What is a firewall going to do for you that your NAT router won't? Block phoning home? How does Joe Average user know if LSASS.exe or CSRSS.exe or BITS.exe should be allowed out or not?
How does a non-outlook email client protect you? Eudora will deliver an attached virus just like any other client. When's the last time you saw an outlook-specific vulnerability that didn't require people running an attached executable?
The only good advice you gave is to "learn about computer security" (about as likely to be followed by joe average user as the advice to exercise and eat right is to be followed by bob average slashdot reader), and don't download and run random programs (but wait, aren't open source programs random free programs you can get on sites like sourceforge, which have ads?)
While this link won't help joe average user, it should be of interest to slashdot readers. IE in protected mode on vista is default deny BTW.
The six dumbest ideas in computer security...
http://www.ranum.com/security/computer_security/editorials/dumb/
-
Brilliant publicity
Makes for a great news media sound bite, but what they've done is implemented Idea #2 of the Six Dumbest Ideas in Computer Security. Still, as long as it drives up their public visibility and stock price, who cares whether it works or not.
-
Enumerating Badness
Every time I read some new whiz-bang security tool, I look back to Marcus Ranum's terrific The Six Dumbest Ideas in Computer Security article.
This idea meets three of the 'dumb' criteria:
1) Default Permit. Use of firewalls (even 'intelligent' firewalls) allows all traffic through, except that traffic that looks somehow bad.
2) Enumerating Badness. Kind of like #1, you're blacklisting the bad stuff. There's a helpful chart in the article to show why this is dumb.
6) Action is Better than Inaction. 'Nuff said.
Reid
-
just who modded this up
"And your solution is...?"
I don't have to produce a solution; I don't advertise myself as some kind of research guru. What have the various research departments been doing for the past decade, while they've been busy innovating Web 2 and integrated INNOVA~1? I do know that, given their research funds, I could come up with a better solution than CAPTCHAs.
"Please bear in mind "The system does not do X and Y" is not generally the form a real solution takes"
"The system does X and Y and doesn't do everything else" is a form of enumerating goodness; as Marcus Ranum said, enumerating badness is a dumb idea, as I've previously quoted on a number of occasions here.
I did say don't tell me how not to do it .. :)
-
Gazebo!
Make a gazebo with the inverted dish. Example:
-
Re:Don't malware attacks have signatures?
-
Re:What kind of malware?
Microsoft decided that for their systems, a compromise between level 2 and level 1 was necessary. In addition, .NET contains Code-Access-Security (CAS) mechanisms that let you get all the way up to level 6.
4 : .NET APIs are marked with permissions, and .NET assemblies can declare which permissions they need to run. System policy can restrict which applications even get to run, and allow some applications to run with restricted function.
5 : A sandbox is slightly different but can be considered to be a special case of 4 (or a virtual machine, or however else you implement it). Again, .NET will allow you to configure access : to printers, sockets, domains, DNS, environment, files, UI, storage, the registry, threading, calls to unmanaged code, printers, the event log, performance counters, database client libraries, and the data execution protection features of modern CPUs.
6 : .NET can base its CAS policy on assemblies being signed.
Level 7 I consider to be a special case of level 6, where only the people building the OS install have valid signing keys.
ALAS
Firstly, this litany only applies to .NET managed code.
Secondly, .NET comes configured out-of-the-box to allow all code executed from a source on the local machine full trust.
Go to the back of the class, Bill
To be fair, I don't think most malware writers implement their babies in .NET, not least because not all users have it installed by default, even if it is a Windows Update. But it has a great code security model, marred fatally by its default configuration.
If it had a dialogue that appeared when you ran software for the first time, asking you for trust parameters, and particularly drawing attention to the lack of a cryptographic signature from a certificate itself signed by a trusted party, it might make some users think twice about running all the insidious crapware they install just for a few emoticons or screensavers.
-
Enumerating the Bad is not a good idea
Enumerating the bad is usually a bad idea, since it is too easy to change what is "bad". We enumerate the good with firewalls, so why should software security be any different? Distro repository + corporate repository should cover all software necessary, right?
Will we now see true evolution of software viruses?
This is pretty much #1 and #2 in this list of The Six Dumbest Ideas in Computer Security.
-
Re:There is no cleanup anymore
Non-admin rights, client-side file-scanners, web-side black-lists, and user training is the only way malware is going to go away.
Yeah, 'cause we've seen how great all these methods have worked so far. We're using them for 20 years now and malware's doing better than ever.
You know what I find interesting about all these methods you listed? They all assume that security has already been breached, that malware is on your computer, and attempt to contain damage and patch things up.
Is it just me that finds this approach FUCKING STUPID? Oh look, it's not just me.
Here's a radical new crazy idea: how about fixing security holes so that malware doesn't get in in the first place? How about spitting in the face of the software makers that push shoddy flawed products on us? Or on antivirus makers, their protection schemes and parasitic way of life?
And why the hell do computer users assume that getting malware on your computer is the norm? Would they also consider someone breaking in their house normal? Bloody no, they'd scream and have a fit. Why is it not ok to have your house browsed through by strangers, but it's ok for your private files?
Because we're soft in the head, that's why. We, users, have picked up some very bad habits because a fucked up software industry is doing a sloppy job and then blows smoke in our eyes and tries to pretend it's "the hackers" fault, not theirs. "Oh noes, the bad hackers made a worm and there are losses of billions worldwide, let's shoot them when we catch them." I say fuck that, why the hell did the worm get into my system in the first place?
-
There ARE other alternatives
In re: "Unfortunately, monitoring lists and networks is about the only current alternative."
There are many alternatives to this, starting with: "Recognize that operating systems which are readily compromised by malware are broken and not acceptable for use." If you choose to use an OS which is so intrinsically weak that it cannot survive exposure to the (unfirewalled) Internet without anti-virus, anti-spyware, anti-adware, etc., then you have chosen poorly, and no subsequent choice you make will compensate for that.
A followup point would be "Understand that it is not possible to 'clean' a malware-contaminated system. The only acceptable course of action is to wipe to bare metal, reinstall, and restore from backups." While it might have been partially true in a limited sense that some malware could be removed by anti-whatever products, that's certainly not the case now: it's much more likely that malware will evade detection and removal. Of course, it serves the purposes of both anti-whatever companies and lazy system administrators to continue propagating this fiction, because if they actually had to scrub and rebuild systems as often as they're infested, they might have to face some hard choices that they'd rather not.
And an excellent set of auxiliary points may be found in Marcus Ranum's The Six Dumbest Ideas in Computer Security, where he enumerates the most egregious (and sadly, most common) mistakes made by nearly everyone, including supposed "experts" with strings of meaningless, worthless certifications after their names.
So there are plenty of alternatives -- but choosing them and implementing them requires vision and insight, two qualities badly lacking in many in the profession.
-
Re:Why should this upset them?
Which is why I thought even before I read the six dumbest ideas in computer security that the whole "default permit" way that most computers operate was just insane. How many folks actually still used .wmf files when that bug hit? How many programs are sitting in your average OS that you never use? If we switched from blacklisting to whitelisting our applications and went with a default deny model at the OS, IMHO a lot of these bugs would be stopped dead.
And of course I'm sure the biggest threats to computers out there are the Joe and Sally Clueless of this world that click on everything, and all the security in the world isn't going to help when the user is willing to happily put in their password and jump through whatever hoops they have to so they can look at the dancing bunny. It once took me a week to figure out why this office network kept getting boned. It turned out little Velma the walking disaster area was bringing infected CDs and flash drives from home so she could listen to music and look at her pictures on break. So I know from experience that all the security in the world won't help if you have a user that refuses to listen to you and does what he/she wants to anyway.
But that is my 02c, YMMV.
-
Re:Maybe they should actually fix the problems?
Like Default Deny. Marcus Ranum is my hero.
;-)
-
"Engineering discipline" talk by Marcus Ranum
Marcus Ranum has an interesting talk (MP3) in which he discusses Feynman's Challenger commentary at some length in the context of designing reliable/secure software systems.
The talk gets off to a bit of a rough start (see Ranum's comment below), but contains much insight and makes a lot of sense before long. Highly recommended for those in the software development field, where the approach is often 'throw it together, then poke at it and patch it until it stops obviously breaking'; the rigour Feynman & Ranum describe may be overkill for some systems, but exposure to this other approach can help make most of us better developers. I found it helpful, anyway—your mileage may vary.
This was an improvised dinner address, delivered without powerpoints and after a few too many bottles of beer. [...] The objective of this talk was to take the high ground with respect to treating computing as an engineering discipline, instead of the kettle of kludges that it has become. I realize it's very very idealistic stuff.
-
Hm.
The blog post makes a nice contribution by linking to Feynman's original thoughts (for example, here: http://www.ranum.com/security/computer_security/editorials/dumb/feynman.html ), ones I haven't read for a long time (and was happy to be reminded of). However, the author makes the mistake of thinking that the original thoughts need to be interpreted and summarized for the reader. Feynman's words by themselves are simple to understand, are concise, and contain just the tone for which geeks go gaga. Anyone interested in the subject will be able to make his or her own judgements about the engineering and politics involved in the Shuttle development, engineering in general, and the extensions to software development.
-
Re:Ubuntu as well?
It seems there are other people who see a story validated by 4 different, independent security companies as FUD.
Yeah, well, when it's likely the reporters are deeply biased please excuse us if the knee-jerk reaction is to cry "FUD!"
Most of today's security companies have a business model that can only be called parasitic. They depend on the deeply flawed way of thinking pushed by the ubiquitous Windows operating systems. You know which: default allow, blacklisting, turd polishing etc. More here.
It is damn obvious that these security companies have all the interest in trying to sell anti-malware products to platforms such as Mac and UNIX/Linux, even though their security approach is very different ("by design" instead of "trial and error") which makes such products mostly redundant. Not to mention the efforts of the likes of Microsoft to discredit these competing platforms.
I haven't seen a single shred of evidence so far in this story. The whole thing is basically a hoax so far. "Yeah there's something out there but nobody has evidence and there's no common denominator." If that's not FUD I don't know what is.
-
Re:after the fact
``The real defense here is preventing this from happening in the first place.''
Yes.
``That is, educating users not to click haphazardly at anything that they feel like''
No.
Because, as you yourself point out,
``and that is a heck of a challenge. most users do not understand what can happen and many likely do not really care'' ...and they shouldn't have to. You open these attachments (etc.) because you think they will do something good. You don't expect them to mess up your computer. Without support from the operating system and other legit software on the computer, attachments _couldn't_ mess up your computer. The only reason they can is that the software people use to open them is insecure. It allows (through design, sloppiness, or bugs) arbitrary code execution where all it _should_ allow is viewing images and perhaps movies and sound. Proper sandboxing and safe code (which is easy to write in all but a handful of commonly used programming languages) will solve this problem.
As an example of the above, I am working on a programming language, and one thing this programming language will feature is different subsets for different niches. One such subset will allow any program to be written, so long as it doesn't change the state of anything outside the program that was not passed into it as a modifiable data structure. That means no interaction with any files on your system, no popup windows, no phoning home, no sending spam, etc. If you give it a file to read and an area of the screen to draw on, these are the only things it will be able to do.
-
read Ranum on enumerating badness ..
Why are we still talking about this in late 2007? What have the supreme innovators been doing the past decade? Ranum laid out the solution here:
"if I were to simply track the 30 pieces of Goodness on my machine, and allow nothing else to run, I would have simultaneously solved the following problems":
* Spyware
* Viruses
* Remote Control Trojans
* Exploits that involve executing pre-installed code that you don't use regularly
-
Well known scare-mongering firm
These guys are well known scare-mongers over in Europe and this is just another typical OMFG!!!!! press release. It's certainly not news and it won't make me any more likely to call these cowboys up the next time I am looking for some non-hysterical security advice.
Give me Marcus, Bruce, or these guys any day. When is the security industry going to move on from this FUD?
Next! AG.
-
As much as I hate Microsoft...
As much as I hate Microsoft, having better error handling is not a bug. This is a virus scanner problem. Of course the entire concept of enumerating badness is flawed. http://www.ranum.com/security/computer_security/editorials/dumb/
-
Read the words of the security master
Marcus Ranum, 1997. Read what he says about chroot(). http://209.85.165.104/search?q=cache:x7STuouYe7oJ:www.ranum.com/security/computer_security/archives/security-for-developers.pdf+chroot+site:ranum.com&hl=en&ct=clnk&cd=3&gl=us
Then all hail the Paladin of security. http://www.ranum.com/stock_content/p-n-mjr-2-large.jpg
-
Ranum's quote
I like Marcus Ranum's response to Schneier in a recent point, counter-point, which fits nicely with the parent's post:
"Will the future be more secure? It'll be just as insecure as it possibly can, while still continuing to function. Just like it is, today."
-
In general, a good idea
Speaking very generally, whitelists are an excellent way to go, and blacklists are impossible (read point #2).
The trick with whitelists, of course, is who maintains them and how. I'll bet the thought of the software using a single whitelist published exclusively by Symantec, is making a lot of small developers nervous.
I recommend some kind of distributed reputation system, possibly based on an OpenPGP WoT model (yeah, I always pimp the OpenPGP WoT; I must sound like a broken record) where many people can publish lists. (And if Symantec wants to ship the product set to just use their list by default with 100% trust, that's ok. Although it might be neat to have it, say, trust Debian's list too. :-) ) Then let the user decide who he trusts and how much he trusts each one, and if something isn't on the list or its trust is below some user-set threshold, then he gets a prompt explaining the situation, and asking what to do about it.
Yes, that prompt will confuse some people. I hear lots of horror stories about Vista being hard-to-use because of these types of things. But if the alternative is executing Malware...
But people still need to stop using applications that easily execute foreign code. There's no excuse in 2007 for clicking on a link in a web browser, or clicking an attachment in an email, being a potentially dangerous action. The AV companies shouldn't still be in business in the first place, and the whole premise behind scanning executables against a blacklist or whitelist, is that something has already gone terribly, terribly wrong.
-
A good idea according to Marcus J. Ranum
According to Marcus Ranum, "world-renowned expert on security system design and implementation" and "an early innovator in firewall technology, and the implementor of the first commercial firewall product" (http://www.ranum.com/stock_content/about.html), white-listing was the way it should have been done since the start. In fact, black-listing (or as he calls it, "default permit") is at the top of his "The Six Dumbest Ideas in Computer Security" list (http://www.ranum.com/security/computer_security/editorials/dumb/).
-
Re:This is the stupidest idea
No. No, it's not. In fact, the blacklist is the stupidest idea in computer security ever created and we're still paying for it.
See The Six Dumbest Ideas in Computer Security - "Enumerating Badness" (ie, blacklisting) is number 2.
-
Re:Follow the money
Jesus, there's so much paranoia and resistance that apparently everybody forgets that black listing is one of the dumbest things you could do when it comes to security. It's not rocket science to see that if you're dealing with bots that attack blindly and dozens of new threats every day, there's no way you're going to be able to keep track of all of them.
White listing is not about someone approving the list for you, it's just a generic mechanism that allows YOU to white list.
More explanations for a security expert here: The Six Dumbest Ideas in Computer Security.
-
well DOH ..
"According to Symantec, 'Internet security is headed toward a major reversal in philosophy, where a 'white list' which allows only benevolent programs to run on a computer"
Well DOH, is this the best that the security 'innovators' have come up with in 2007? How about a module in embedded hardware that runs a checksum on every executable and disables it if it fails the pass. It would have an install mode and a run mode. Only executables that are installed can be run. The original DOS executable had a file for just such a purpose.
Incidentally Marcus J. Ranum said this a long time ago in a reference to Enumerating Badness; nice of Symantec to have caught up ...
-
Shouldn't it have been this way from the start?
This is not a new idea, and many have talked about it before.
Really, black lists were a bad idea from the start. Usually, the programs people want to run on a computer will remain fairly static, with perhaps a few changes when they update or find something online that looks interesting.
I'm sure there must be some security software that uses whitelists already. Does anyone know of any free ones?
-
Re:Anti-phishing tools shouldn't be used to determ
Anti-phishing tools shouldn't be used to determine which sites are good, they should be used to determine which sites are bad.
Maybe I'm misreading this, but it looks like you're advocating "Enumerating Badness", which is No.2 in the Six Dumbest Ideas in Computer Security (it's actually a special case of the No.1 dumbest idea, "Default Allow"). Or did you mean something different?
-
Re:Alternatives?
I evaluated Arcserve about a year and a half ago, using a leftover tape drive. I started a backup on it and then left for the night. When I got around to checking it a couple days later, the system was extremely unresponsive. "My Computer" would take minutes to open and you just couldn't open C: through Explorer no matter how patient you were.
After letting "dir" run over the weekend, my suspicions were confirmed. Arcserve had created 700,000 temp files in the root of C:. Each one was a small text file asking the operator to insert another tape.
To CA's credit, they did have a patch for that when I called in. But sheesh - if software is creating temp files in the root of C:, what the hell else is broken by design?
We ended up going with Netbackup, which was outrageously expensive and didn't quite work like we wanted it to (why do my weekly tapes have all of the daily incremental backups on top of the weekly full ones?) - but writing a perl script to call bpduplicate fixed that, and we ended up with a pretty hands-off system.
Just be glad their hold music isn't this.
-
Symantec needs to play them their company song
What??! You didn't know Symantec had a company song?
Well, here it is in its full awfulness. And no, this is NOT a parody...
- Robin
-
Re:I prefer Apple's approach
If you think a computer virus author will actually get the chance to spread herpes, you haven't met very many computer virus authors. Unless, y'know, transferring herpes from his genitals to his hands counts as "spreading."
(Just doing my part to eliminate "Hackers are cool" from the dumbest ideas list...).
-
flawed design ..
What kind of a flawed design is it where character encoding can impact security? The concept of scanning for unsafe strings is also flawed, as in the case of virus scanning, since it only knows about the stuff it knows about. This is another example of Ranum's enumerating badness. If the SQL engine used only stored procedures then you wouldn't have to run a content scanner, as the only thing coming over HTTP is DATA.
-
Re:Ever been to Dealey Plaza? In person?
>You should look up Marcus Ranom's version
That's Marcus Ranum you clueless sucking pile of crap (and I only mean that in the nicest way).
This is his version.
http://www.ranum.com/fun/bsu/diy-dealy/index.html
BTW if you think I am mean, you never read anything from Marcus Ranum.
-
Hamster Wheels of Pain
By far the best entertainment in this book is his explanation of the Hamster Wheels of Pain.
http://www.securitymetrics.org/content/Wiki.jsp?page=Welcome_blogentry_040505_1
http://www.securitymetrics.org/content/Wiki.jsp?page=Welcome_blogentry_061005_1
It fits right into the same problem pointed out by Bruce Schneier and Marcus Ranum when it comes to Pen-Testing:
http://www.schneier.com/blog/archives/2007/05/is_penetration.html
http://www.ranum.com/security/computer_security/editorials/point-counterpoint/pentesting.html
-
White listing vs black listing
It is not the same thing. This proposal calls for whitelisting. In contrast the joke required that bad people blacklist themselves.
Enumerating badness is a bad idea from a security point of view:
http://www.ranum.com/security/computer_security/editorials/dumb/
Enumerating goodness might work, but raises many issues. Who does it, based on what criteria and how are the criteria enforced?
Why do people keep demanding the DNS to solve all the problems in the world? It's just an address book, not the solution to world hunger. Oh, maybe that is the next TLD proposal: .endworldhunger
-
Re:The fewer the merrier
I don't remember where, but at some point I read somebody, probably a sys-admin, saying that if you really want security then what you need to do is disable all the things you do not need.
Not sure who said it first, but this month's Linux Journal attributed this quote to Marcus Ranum: "that which is not expressly permitted is forbidden".
-
Re:OSS
"(if OSS hoses your network, who you going to sue?)"
Bullshit.
Marcus Ranum annihilated this argument in his "Stupid About Software" rant.
Of course, you're right that management ACTS that way - but it's all CYA. Nobody ever sues a software company for non-performance of the software. They just pour more good money after bad trying to make it work - until they either get something half-assed working or they abandon the project and start all over again with some other vendor.
-
Re:You see that is the MS Advantage.
Marcus Ranum's rant "Stupid on Software" covers this situation in detail.
NO corporation EVER sues a software company for non-performance.
-
The exploit is a single line of JavaScript...
Still accepting candy from the strangers?
Default permit is the dumbest idea in security (well, default passwords can't even qualify as "ideas" ;) )
--
There's a browser safer than Firefox, it is Firefox, with NoScript.
-
I don't get it
This is neat, but it's not exciting. I've written a smartcard proxy service that could also be used for evil. It works by capturing the client certificate request from a tls handshake, and sends the signed response to the server (some older web apps don't know how to use pkcs#11 libraries, which is what this is used for..it strips the client cert request out of the handshake so the client is none the wiser). I could rewrite my proxy to sign all kinds of data with the smartcard once the user gives the proxy his/her PIN...I could logon to banking sites and transfer money to me, buy stuff, essentially anything that the computer could do, and not inform the user.
I think Bruce Schneier's paper said it best. Sure the card is trustworthy, but when you're using any kind of smartcard, the card isn't the trust boundary. The card plus the computer (or pinpad in this case) that you're using it on is your trusted device conglomerate.
I think the real demonstration of this attack is that pinpads have vulnerabilities. Even that isn't earth-shattering. So does everything else where physical access is granted.
Which isn't to say that it isn't newsworthy (people should definitely be careful where they stick their card), but it does feed into idea #4 on the six dumbest ideas in computer security.
-
#5 of the "Six Dumbest Ideas in Computer Security"
http://www.ranum.com/security/computer_security/editorials/dumb/
So called "User Education" is a silly idea. Simply put as the editorial highlights, if it was going to work, it would have worked by now. On the other hand this seems like an issue with IE itself where IE should never be asking "Is this okay?" in the first place.
On the one hand, users shouldn't be doing this and falling prey to phishing. On the other hand, why is IE enabling it to happen? Throwing up another "Do you want to do this? Yes/No" is not security nor is it a secure process.
-
Re:Parental responsibility?
What's real funny is that when there is a story about how parents use tools to monitor what their children do online, everyone on /. cries foul about the breach of privacy. IMHO, spying on your children is not the answer. Educating* them to not be a dumbass is. My parents always warned me about strangers and not giving out information to random people.
Many people just don't want to bother with actually being a parent. They want the schools and government to do the work for them.
* Yes I'm aware of #5 in The Six Dumbest Ideas in Computer Security. But educating a child to not give away personal information or meet up with random people is necessary both online and in real life.
-
Six dumbest ideas...
"should we spend the money trying to educate people to recognize when they are being sent to a phishing site?"
The Six Dumbest Ideas in Computer Security - See #5 - 'Educating Users'.
-
Re:Wow... glad you don't work for me.
``A better solution is to educate the users''
It's also number 5 on the list of The Six Dumbest Ideas in Computer Security.
-
Re:Indeed...
Marcus Ranum wrote about this on his web site.
http://www.ranum.com/editorials/software-lawsuits/index.html
A great quote from the article.
"So, if I understand the logic of my friends' senior management, they refuse to allow use of free/open source/unsupported software, so that they can have all the benefits of something that they never have the guts to take advantage of."