Security for the Paranoid
Stephenmg writes "In Security for the Paranoid, Mark Burnett talks about his computer security methods after other security professionals say he is too paranoid. 'Paranoia is the key to success in the security world. Is it time to worry when other security professionals consider you too paranoid? I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards.' I don't see anything wrong with his methods."
Mark Burnett talks about his computer security methods...
"Outwit, outplay, and outlast those pesky script-kiddies."
While being paranoid is arguably good (although Mark may be a bit extreme compared to most), I did wonder a bit about one comment near the end of the article which was: "And I install hotfixes the day Microsoft releases them" which seems to put an awful lot of trust in Microsoft (or any other vendor for that matter) not to release a patch that has problems.
Hulk SMASH Celiac Disease
get with it man, you're not important, nobody wants your porn
The only truly secure computer is one which is switched off and disconnected from the network.
And smashed with a sledgehammer.
And set on fire, to the temperature of 600F, which should be sufficient to destroy the magnetic bits in the hard drive.
And then nuke it from orbit, it's the only way to be sure.
"Can of worms? The can is open... the worms are everywhere."
He who gains security at the expense of laziness deserves neither. - Ben Franklin
And this guy is set up very secure.
Is he mentally ill? Let's just say he doesn't sound like the type of person I'd want to have a beer with.
In fact, he sounds a lot more like the type of person who has food, water & weapons buried in the woods for the coming Apocalypse.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Paranoia's a good starting point for the IT Security beginner, but well-informed abject fear is the mark of a seasoned professional.
Creative Commons music that doesn't suck: emptydrum.com
I don't believe this is really him!
For a home network? Paranoia is understandable, but smart cards on a home network? And 14 character passwords inside your house. OK, on the outside, that makes some sense. But what kind of secrets do you keep internally that you need that level of paranoia? If the entire network is open to the outside world, that's a different matter, but what could possibly be so important that your kids need 14 character passwords to protect it inside your home?
antipaucity
I only allow connections to my ssh daemon -- and I only accept public key authentication...
:-))
So what?
Well, I can see the guy's reasons.
However, information security has to be appropriate to the data you wish to protect.
A system that annoys users by making it hard to access the information (long passwords changed weekly for example) will just leave you with a static store of information.
The information will never be *USED*. There will be no point in having it.
Use security appropriate to your data. He IS paranoid, and - offtopic: sounds a bit of a nob.
I know for sure if I was one of his kids, I wouldn't WANT to connect to his network!
Training is the best security measure that can be taken; training users to not do stupid things, to use secure passwords, to not share information they shouldn't.
If you start your kids off learning to use computers securely, with good self protection habits, then the likelihood that they will become victims of identity theft or other phishing is greatly reduced.
When it comes to security, there is no such thing as paranoid... they really are out to get your password, your ID, your SSN and everything else that will help them get your money...
Support NYCountryLawyer RIAA vs People
... is about the only part of his screed that could make sense to me. Not because one should not divulge a password to one's wife, but because keeping passwords entirely private is good policy. Almost everything else about his life strikes me as goofy. If you read any of the "hacker" books, hacking and gaining access to people's stuff isn't about cracking passwords, it's about social engineering and dishonest behavior, most of which the author's behaviors won't prevent. But, if it makes him feel better.... (I wouldn't want to live on his network.)
I worked at a large company and called the administrator of their unix mainframe and complained that /usr/bin and /bin both didn't even have execute privilege so I couldn't even see what commands existed. The administrator dressed me down and explained they did that for security reasons so people couldn't hack in. He went on to tell me about the giant breach on that system from outside hackers and hence, the very tight "security". I gently reminded him the "breach" actually occurred with those very same directory permissions.... and they didn't prevent the hack. Sigh...
What's the difference between a random 14 digit password and a random 6 digit password?
Speaking of smart cards, anyone know where to obtain a simple smart card home solution? All resources I've found are for large enterprise distributions... I'm only looking for 2 or 3 smart cards..
The Digital Couture Collection
don't really understand the issues, can't measure adequately the consequences and put a lot of faith in "false security". Or maybe it's just me.
This is totally insecure, but very convenient.
Does it seem kind of stupid, especially for the 'security paranoid', to announce to the public that you use "at least 14 character passwords"? Seems to me you just set a lower bound and cut out 13^128 possibilities for a cracker :-p
You can be paranoid about a meteor striking you and live deep in a cave underground (hopefully forgetting an earthquake can get ya).
The paranoid end up causing devastation in the long term. Let's have some reason to madness. The most "locked down" systems always crack for some reason or another. Either (a), and crucially, people don't cooperate (write down 14 char passwords on pieces of paper etc) or (b) it causes you to lose out on productivity. The Great Wall didn't help China too much did it?
This is not paranoia, it is just a demonstration of the problem for the security profession that people don't teach and train employees properly.
His 50 character password is probably something like: &%)(#)_@)__!@I#)())@(LNSO#(*X-=0-=#(*)(*#)S9x900e8 0#**(^^*#+@
Yeah, that guy is paranoid.
Mark me troll if you must, but I see this as a legitimate question....
if he's so damn paranoid, what the hell is he using windows for?
Is this your 16 character password? It doesn't have sufficient entropy.
I think you can be too paranoid. I seem to remember a story a while ago about security measures that were overly invasive. Require 14 character password with non-alpha characters, and get your users putting their passwords on their monitors with post-it notes.
It's true, you never seem to realize your folly until it's too late and your data is gone, but in my case, my home network isn't so important to me that I think it's worth so much security that it interferes with my enjoyment or productivity.
Usually my stance is that I let the foil-hat wearing security gurus have their toys, but I continue to look for the solution that is "good enough" and that conforms to MY wishes, not theirs.
-d
"Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
I think security is a priority we all need to focus on more. With that said, I do think that a 14 character password is a bit _much_ for a local PC. A smart card installment is absolutely crazy...
Does this guy not trust his wife or kids?! This guy is going a bit far to protect his pr0n.
Plus, I don't even think shredded paper is healthy for plants...
- j
rm -rf
I can't see a need for this level of security on a home network, where the only thing an attacker would want to do is zombie-ize your windows boxes. Strong passwords are good, firewalls are good, wifi MAC address lock down is good, but smartcards? Why not require a hair sample.
Also, if you are that paranoid, you better put in a shark-filled moat, because a physical attack still leaves you vulnerable, and with those insane levels of security, you sort of make yourself a target; people figure that if you go to those lengths, you have something great...
I'm sorry, I really thought my computer was supposed to be usable.
5 passwords to boot and check email on the laptop? What in the world are they *for*? BIOS, system login, email login, maybe one for decrypting if you're receiving encrypted emails all the time. What else?
Security is a balance. Very few security measures only make things more difficult for an attacker - most of them make life more difficult for the person taking them as well. It *is* useful to analyze the threat in any situation, because it helps you make an informed judgement as to how secure something needs to be made, balancing risk versus usability.
Not checking luggage when you fly? What, are you worried about someone snooping through your underwear? Oh, sure, don't put anything important in there if you're worried about that, but really... this truly is on the paranoid side of things.
The ringing of the division bell has begun... -PF
What happened to the tinfoil hat jokes?
Being paranoid is fine -- but it's only 1% of the battle -- and it makes no sense to run around closing up every possible hole you find.
A security expert is supposed to identify ALL of the possible ways in which the organization may experience a negative impact as a result of poor security (both logical and physical). His job, brace yourselves kids, is not to close all of the holes!! Rather, his role is centered around determining the cost/benefit of taking care of each specific issue. If there's a 0.5% risk of a particular security hole costing a large organization only $1,000 in damages and cleanup, and closing that hole will cost $5,000 in man-hours and hardware, it's pretty clear what the correct choice is. On the other hand, the risk may be low, and the cost may be low, so you just do it. Or the risk may be high, and the cost high, so you STILL do it... you get the idea.
Being paranoid is fine -- it will help you identify security problems that others may or may not see. However, what to DO about the holes you find is where the real work begins.
I can't imagine a cost-benefit scenario that justifies issuing smart-cards to family members on a home network. This guy has officially achieved 'retard' status.
-- People who hate Windows use Linux. People who love UNIX use BSD.
This isn't meant to be flamebait, but why is he using Microsoft software in the first place? Arguably they've gotten more secure over the years, but still, most viruses are written for MS systems. You can put up all the firewalls you want, but if you're getting email, you could be exposed to viruses. I'd wonder if he's using Outlook and IE.
With his security concerns, I'd expect him to be using Mac OS X machines.
The guy uses 5 passwords for his laptop, and I am sure that is fine for him.
Security for the sake of security, for example, can sometimes backfire.
For example, a company I used to work for had this policy that you had to change your password every 30 days, have at least 1 special character, one capital, one number, etc.
This was on an intranet, and most people hated this feature.
Most people ended up using a system like
Jul@1996 for their password. Mon
Kind of defeats the whole purpose of security.
I tend to think one should use security proportional to sensitivity on certain matters, knowing that nothing is perfectly secure.
But enforcing 'security' for the sake of security, especially random, and unsupported 'security' can make the average user resentful, and the process much less secure.
Rhymes that keep their secrets will unfold behind the clouds.There upon the rainbow is the answer to a neverending story
I'll admit it too, I am a bit paranoid and depressed. I try and keep my system secure. I keep everything behind a router with NAT. I have a software firewall. I keep tough passwords. But I still get attacks. If only someone would pay me for the time I spend securing my system. If only someone would pay me for all the frustration. It is not fun.
I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards.
I have not gone as far as smart cards. I don't even know if they would work to secure a system. If a hacker can get around your router and NAT, if they can bypass your software firewall, if they can do all that, I think they are probably smart enough to play chess with whatever other security set-up you have.
At the most basic level, everything is hardware. If there is some exploit on the hardware level, then OS be damned. What can you do? If a signal can reach your NIC, the hacker has a chance.
I think it is impossible to have a bulletproof system, even if you take human error out of the equation. So the only possible solution left is to discourage the behavior of hacking into systems. The best way is to increase the penalties where the risk is too great for the reward. Right now it is a game, people like playing. But if the result of a harmless "sneak and peek" hack was time in jail, then I doubt anyone would do it.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
The reason there are locks on doors is to let people in. If we wanted to keep people out, we would not have a door.
At least he knows what firewall software is used for. Most customers I talk to at work have two firewalls and three antivirus programs installed but haven't a clue what they are used for. Then when their mouse doesn't move so well because they haven't cleaned it in years they say, "I don't know why my mouse is acting funny. I have antivirus software installed!"
From the article:
It takes five passwords to boot up my laptop and check my e-mail.
One of those passwords is over 50 characters long.
The first day he wakes up with some memory loss is going to be rough! Password-protecting your laptop is not only a good idea, but essential. But this is a just a little over the top. -- Paul
OpenSource.MathCancer.org: open source comp bio
And because he can't remember all those passwords, he has them written in clear uppercase letters on a paper hidden in one of his socks. Or he has the paper beneath the floor mat, along with the key to the house.
This sig does not contain any SCO code.
This is an interesting article, but brings up one little thing for me about security - when you go this far out, you make yourself a target. The first thing I thought at the end of the article was, "man, I'd love to show this guy." And I didn't think along the same lines he did. I thought small focused high-speed cameras placed under the neighbors' eaves, I thought replacing his keyboard with a snooped replica... Again, social engineering and hitting someone where they are not looking seems to be the key to any cracking, not technical powerhousing. And pronouncing to the world that you use three firewalls is just asking for trouble.
I'm not a cracker, I'm not even much of a hacker, but I'm a naturally sneaky bastich. (TM) And as real sneaky bastiches know, you don't ever stand in someone's face and tell them you're going to beat the crap out of them, you wait until they turn around.
I try to be a nice guy despite my tendencies, but still... This kind of article reminds me of the French and their lines.
My little site.
during the fc3, i was prompted for a root password. i turned to my brother said, "this needs to be secure, right?". "no," he replied, "it needs to be quick. you're going to type it many times a day".
i just loved the gpg keys manager which asked for a passphrase using both punctuation and numbers "somewhat reminiscent of 'leetspeak'"
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
How do his kids remember their passwords, especially since I assume they are random and are changed weekly? I assume they don't write them down. Why doesn't he just give his kids limited accounts and let them have easy passwords? That way even if they are broken into they can't do much damage.
Philosophy.
Someone could just break in and steal his hardware. What about backups? How about sniffing the wire and grabbing those FTP and POP passwords?
TODO create witty sig.
He may be paranoid, but his methodology is sound. Always be prepared is a good motto to follow. People think it's weird that I always drive with both my hands on 2 and 10 (I don't have airbags), but it's saved me once, and once is enough. I also drive with my headlights on.
Basically, preparing for the worst is a good thing to do, because when it comes, you won't have to scramble to deal with it.
-Jesse
Nothing says "unprofessional job" like wrinkles in your duct tape.
I'm not wrong. You haven't thought about it hard enough.
I don't care about your information. I just want to install a z0mb13 backdoor so I can DDoS someone else.
Next question?
I'd like to use more and larger passwords on different accounts, and probably change them more often, but honestly, my head is too small to hold all of those passwords. In this day and age, do you _realize_ how many different logons I have?
What's a good console based password program to keep these different passwords? This way I should be able to get to them through SSH if I need to. Or, is doing this defeating the whole reason for having multiple passwords?
--Lance
Y'know, he might be an extreme example of paranoia, but I sympathize. Speaking as someone who has a public exposure, I can see why someone would want to hack him: It's all about the bragging rights. Here's the part I can't figure... what's this about not checking luggage? Avoiding online check-in services is not unreasonable, if you're that sensitive. But it's people like Burnett who turn what's ordinarily a tolerable-if-no-longer-pleasant experience into a nightmare as they try to jam their bags into the overheads. Don't get me started on the kids who have to bring a roll-aboard to be like their parents. (Yeah, that might be offtopic, mod me if you must.)
Let's see if this guy's kung fu can survive a few rounds against international superhacker "bitchchecker". Just have him email his IP address to bitchchecker@madskillz.com... (Please allow for a lengthy response time, as bitchchecker is probably busy rebooting his machine for the 75th time today.)
Someday a real rain is gonna come...
I don't see any problem with a healthy dose of paranoia, though when it starts to affect your productivity or enjoyment, it might be time to step back and take a look.
That being said, I see every attachment as a virus, for example. If you can't send me a weblink or include it in the body of a message... it's probably not important enough to view. Too bad I can't teach my parents to do this... of course, it keeps me busy cleaning virii and spyware off their machine...
Seriously. I would fear the guy doesn't even begin to fathom risk analysis. He just breeds paranoia. Guys like that break budgets wide open and spend lots of money they shouldn't on lots of stuff they don't need. He's like Mel Gibson in Conspiracy. Three firewalls? I hope they are open source cause Checkpoint licenses are expensive.
You start breaking down security principles and overdoing it, and you just look stupid. Other security professionals are telling him he's paranoid, but that's just being nice. What they are THINKING, is that the guy is incompetent. And doesn't understand productivity versus security tradeoffs. Somebody needs to have him go read Schneier on an island somewhere. Unpucker.
89374891751574 - 636957 = 89374891114617 (14 digits)
TODO create witty sig.
The measures you take depend on what you are trying to protect. The sad thing is that today, protecting your financial stuff has nothing to do with you. Criminals just hack it or buy it from credit clearing houses. Sure, shred your bank documents, but no modern criminal gathers account information that way anymore. Why dig around for one account in some trashcan when you can get thousands from a central location.
Can I mod the root of the thread +1 funny? :)
nt
Nuke it from orbit you say?
Isn't it more likely that a space alien can recover information from a nuked, burned, smashed and disconnected computer than a human?
I'd keep that computer on planet earth thank you very much.
The Internet is full. Go Away!!!
...require my kids to use at least 14 character passwords on our home network
What do you want to bet I can find the passwords written on a post-it under the keyboard?
A security policy that doesn't take usability into account is worse than no security policy at all.
It's simple: I demand prosecution for torture.
If he really was paranoid, there would be a blue dot for his picture, the column would be written by "Joe Noneofyourbusiness", and the font would be ancient Phoenician.
Well, there's spam egg sausage and spam, that's not got much spam in it.
Is he mentally ill? Let's just say he doesn't sound like the type of person I'd want to have a beer with.
In fact, he sounds a lot more like the type of person who has food, water & weapons buried in the woods for the coming Apocalypse.
In any population, you will have a percentage of people who are very altruistic; they will sacrifice for everyone else. And you have some people who are so paranoid they will always hide and run. This is required for a species to continue.
For example, say you have birds. Say that 5 out of 100 birds will signal when a predator comes in range. Chances are greater those birds will be eaten, since each is making itself more known to the predator. Now in that same 100 birds, say you have 5 that always hide, run, and are very paranoid. They have the greatest chance of continuing the species line.
If we all get soft, and say nuclear war does break out, in any form, the guy who has a chamber 50 feet under the ground with a room filled with water and food, and another room with oxygen tanks, he might be what's left to start the gene pool over again.
Instead of criticizing him as mentally ill, maybe you can add some of your distinct expertise and help build a better shelter. One where 2 people can hold out longer, maybe making some filtration system for well water, adding lights with the correct wavelength to let plants grow underground and make natural oxygen. Then you will both survive, and your altruistic genes will get passed on too.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
What's the point of all of this nonsense? Really?
His kids will probably never want to touch a PC after the trauma of memorizing 14 character passwords just to surf the net at home.
How many systems are actually vulnerable to password cracking anyway? Most ATM machines eat your card if you enter 5 incorrect PINs... most enterprise networks disable accounts if you have multiple incorrect passwords.
This guy is on the same level as a mall rent-a-cop who always wanted to be a policeman, but can't pass the mental exam. He just gets a rise out of hassling people with arbitrary nonsense.
Conformity is the jailer of freedom and enemy of growth. -JFK
Mark Burnett is an independent researcher, consultant, and writer specializing in Windows security.
I would be, too, if I were using Windows
Sigh. Use a real OS (*nix), and couple it with the most sensible security precautions you mention, and then some. Get rid of all Microsoft products, and get rid of 90% of your security problems.
Keep trying Mark.
http://ward.vandewege.net/blog/
i'm in! thanks, man. uh...pretty boring stuff here, though.
Does a 14-character password make much sense, public network or private? I've got the impression that most security problems are due to either faulty code (buffer overruns) or malicious code within programs (email attachments, spyware, adware, or the slightly more legitimate software activation). Social engineering/phishing must make for a distant third, when it comes to computer security. Sure, one could do a dictionary attack on passwords...but isn't that the least of your worries? The most unguessable passwords won't stop a security breach if the software is faulty.
when you make yourself a target by being an advocate, I guess you have to make your kids use 14 character passwords. Not as if this will actually protect you in any way...if someone wants in, and they have any skills, they're going to get in. All the paranoia in the world doesn't change a thing.
-- http://www.criticalassets.com
How is THAT more secure??? I once spent half a day tracking down a totally bizarre printing behavior/bug that turned out to be a LAN where machines had multiple firewalls running. Multiple firewalls can be more trouble than one well configured firewall.
Someone who thinks that it matters how long your passwords on a Windows box are, is not paranoid, he just looks like a fool. Second, IT security guys talk of him being paranoid? Gosh, these guys must have been educated by Bill Gates personally.
I guess he uses IE -- because out of a VMware box that can do no harm -- except spying out all of your network and web passwords.
A security expert is supposed to identify ALL of the possible ways in which the organization may experience a negative impact as a result of poor security (both logical and physical). His job, brace yourselves kids, is not to close all of the holes!! Rather, his role is centered around determining the cost/benefit of taking care of each specific issue.
It's my job to be suspicious when there is nothing to be suspicious about. What the FUCK do you think I am? The night watchman??
Now Mitch, why do you think we brought you here? One day you get home from work and this shows up at your house (he shows a thick letter-sized envelope). Inside it are pictures of you on the beach with another woman. And that ain't screwing Mitch, no... you're looking in her eyes and making love to her. It is the kind of thing that a wife might be able to forgive, but never forget. Mitch, we're here to look out for you, so if you think of anything you want to talk to us about, I'm sure you'll call me.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards.
But is he sure they're his kids?
"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled."--Feynman
This guy doesn't get it. Security is much more about people, not about 50 character passwords and redundant firewalls. Social engineering is much more of an issue than triple firewalls.
14 Character pwds for his kids, on his home network, that isn't connected to the outside (his VMware box is for internet). Yeah, that's useful.
He reminds me of the guy in town who advertises websites that are backwards compatible to Netscape 1.2 - very shrill, gets some attention, but is really clueless.
He deletes unused services on his servers? What's so special about that? I delete unused services on my desktop. There's no need to waste resources on stuff you don't use.
I use clay tablets myself. When I'm done with them I grind them into dust then make ceramic ashtrays out of them.
If I catch you trying to look at my tablets I just smash them on your head, eliminating the tablets and your memory.
As our Network Security Guy, I'm noticing something:
If the perimeter is secure, and the topology is secure, and the servers are secure, and the workstations are secure (and everything is patched.) There really isn't a whole lot for my IDS to do.
This wouldn't prevent a person from social engineering their way in though.
Our new office has these spiffy doors that require cardkey access in, but just walking up to them to leave unlocks them....turns out if you slide a piece of paper between the two glass doors, you can trigger the IR sensor to open the doors and let you in. I'll bet that gets changed soon.
"Draco dormiens nunquam titillandus."
...back up his kids?
-- often wrong; never in doubt
While what Burnett is saying is possible, I'm guessing he wrote this column just to try to provoke discussion and that he probably just follows regular good security practices. Even though the article is dated on the 26th of April rather than the first, I don't see how someone can live for long with those kind of restrictions. In the end you have to balance security with real life considerations, and this article tilts things a bit too far on the security side.
Some people waste their time watching "American Idol." Others waste their time high on drugs, while still others waste their time trying to make the rest of us believe in their deity of choice. Even if the guy is paranoid, it's his time to waste.
/.
At least he's not wasting his time reading
Most of my internet traffic goes through at least three firewalls. Is that too paranoid?
Almost definitely, yes.
Sure, the threat might not be real. No one may ever actually want what you have on your PC. But does that really matter?
Yes, it does. Welcome to the real world, where you have finite resources and impatient users. If you only have X amount of resources, do you spend them on protecting things that are a target or on things that nobody cares about?
It's not that I think someone is trying to hack me, but I also don't think someone is not trying to hack me.
So, can anyone tell me exactly what he's thinking? It seems like he doesn't even know.
It takes five passwords to boot up my laptop and check my e-mail. One of those passwords is over 50 characters long.
50 characters long? Why stop there? Why not 128 characters long? Why not memorize your entire public and private keys?
I think that this fact alone -- that he has a 50-character password -- shows that he's not playing with a full deck of cards.
From TFA: But is he running Outlook?
Someone looking to install a zombie does not need to crack his 5 passwords to do so.
In fact, I cannot think of ANYTHING that requires 5 passwords to protect that won't be just as secure with 3 passwords (or even 2 passwords) provided that each password is protected in the same fashion (writing down the 5 passwords and sticking it beneath your keyboard works the same even if you have 20 passwords).
Security is all about restricting the avenues of attack. But once an avenue is restricted, piling more layers upon it does NOT make it more secure.
I'm guessing that his 5 passwords are:
#1. BIOS password
#2. Hard drive password
#3. Windows login
#4. email password
#5. some other password that may be earlier
Now, think about what someone would have to do to be able to get the first 2 passwords.
If someone can get those, then they can get the other 3.
Is he paranoid? I don't believe so.
But he does NOT understand computer security as well as he would like to believe.
You won't be able to get to them in time. Besides, we know the threat is closer than that. Some of us even know that the apocalypse isn't coming, it's here already.
Look what happens in every zombie movie; you think you have an opportunity to drive even 25 miles and dig up your S&W 1006 and your M4? You're zombie food.
You need your sidearm ON YOU, and your rifle at arm's length. You need 2k rounds for your sidearm and 5k rounds for your rifle on hand ALL the time, along with supplies to crank out another 10k rounds if necessary.
More shit buried in the woods is a great idea, too, but don't leave yourself unarmed.
Paranoia is a recognized and severe mental disorder. It seems disproportionally widespread among the general population in the US. I wonder why...
"I require my kids to use at least 14 character passwords on our home network"
Too bad his daughter has it written down in her diary to remember and his son wrote it on a sticky note next to his monitor....
Unstable Apps: Our Android Apps Don't Suck
I think it's possible to be "too paranoid". If you get a kick out of having your home PC behind four firewalls, changing passwords every 30 minutes and a team of experts constantly reading through logs, comparing files with their official MD5 signatures (oops, can't use MD5 anymore, maybe MD5+SHA1 now), and constantly backing up to DVDs which are immediately encrypted and sent off-site for safe keeping, etc, etc etc.
If you like that stuff, that's fine, but you're crazy. If you're in the 90th percentile (router + o/s patches + application patches + don't click on the .vbs email attachments), then you're fine. You can spend your entire life locking down your system, and then what. You realize that Windows 98 is no longer supported and you need to upgrade and do it all again.
You don't need 14-character passwords or smartcards if you're protecting a PC that has no internet connection and no important files on it.
Security should also be implicit, and invisible. It's currently not, but that's where we need to head. No one should need to memorize 14-character passwords like y&1bv,10-ine,. It's just silly. If smartcards make things easier, then fine. Same with biometrics.
He who fights with monsters should see to it that he does not thereby become a monster. --Nietzsche
How else do you cleanse the palate between beers?
Wasabi.
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
Even if the password is not case-sensitive, eight characters allow for more than 2.8 trillion passwords using the 26 letters and 10 digits. Many systems time out after three or so attempts. Even if you allow a thousand attempts (an absurdly high number) you'll still be very safe.
Of course if someone steals a password-protected system he would have an unlimited number of attempts. So make it a nine character password. If the cracker can run one million tries a second he has only a 50% chance of cracking a truly random password in the first 16 years of trying.
Show your work:
Number of seconds in a year = ca. 3,153,600
36^9 = 101,559,956,668,416 / 1,000,000 = 101,559,956
101,559,956/3,153,600 = 32 years to search entire key space.
32 / 2 = 16 years to search half of key space.
Insert witty sig here.
Passwords suck. If you want strong authentication use a hardware fob. Like SecurID or iButton.
If you really want to go all out get a vascular hand scanning biometric device. Like the banks in Japan have started rolling out.
But seriously, a 50 char password? Don't bother. Many applications simply truncate passwords silently past a given count. Use a smaller password with more entropy. Harder to remember but 50 chars is too much.
Ok, ok. some people love weird long passphrases. Fine, but you can't use passphrases for most password entry fields. That's all I'm saying.
I found the key logger quote amusing. This isn't that bad of an idea; although if anyone suspects you are security savvy they won't use an obvious dongle. They will embed the logger inside the keyboard. Does he wrap his keyboard in a tamper evident package?
Last but not least, why use Windows if you are that paranoid? Trustix Security Linux or some other distro which provides strong access controls within the kernel and secure defaults for applications and permissions is a much better choice.
A bit of malware could make an end run around all those passwords and careful preparation.
My $0.02
This guy doesn't have a clue. He's suffering from the delusion that "quantity has a quality in itself" (Stalin quote).
3 firewalls ? Why not 6 or 12 ? Or 1, properly configured.
5 passwords ? Why not 20 ? How is he tracking all his passwords - with "Password days" and all ? I'm betting the farm he isn't memorizing them all. If he is, they're not different enough, not good enough. I'm sure 4 of those 5 can be cracked with readily available cracker kits.
No, he's all about "a lot of security" as opposed to "good security".
Oh, I can't help quoting you because everything that you said rings true
Don't forget, you can always DoS a box with a hammer.
Ice Cream has no bones.
Next thing you know, this guy will think he will end up on an island with 20 castaways without any food, water or shelter except for a TV crew and he will make them do challenges.
WhatMeWorry
I believe there needs to be an adequate balance between security and functionality. I take my home security very seriously (not as serious as Mark B.) and monitor everything because I am the only one using computers on it. Unfortunately some of my customers' computer skills can be comparable to that of a donkey's, so I am forced to choose the necessary balance. I think this should be the way every administrator should approach a security situation.
~@~
He likely also has an armored car- I read an article in the NY Times about armored cars- It quotes the guy who sells them as saying that 1/3 of the buyers are under threat, 1/3 think they are under threat, and 1/3 wish they were in one of the first two categories... A lot of people are paranoid because they think it makes them important.... Like what's on Burnett's machine, Nude pics of Richard Hatch?
Almost every Harvard student was High School Valedictorian- After a year of college, half are in the bottom of the class
OK, so this guy is setting a "good example" for his kids so they will know *how* to use tight security practices. Will they? Who knows...
The hardest part will be that since it's such a PITA to jump through all these hoops, there will either be work-arounds, or it just won't be user-friendly. Too much work seems to be involved just to get on the computer to play (whatever your definition of that may be).
I think he needs to get a little less secure in order to balance out the security-to-usability features. How about focusing a bit more on safe and smart computing vs. fugly passwords???
I think there is a point where you can go overboard. Like having crazy security like that on a personal computer... I mean, geeze, there is a point where the inconvenience outweighs the benefit. (If there is any benefit for a home user to use a Smart Card.)
Don't take life so seriously. No one makes it out alive.
"They have the greatest chance of continuing the species line."
Not necessarily. A paranoid creature might be too fearful to ever hunt and/or forage properly and would constantly be weakened and vulnerable to disease. Their lack of social contact would also exclude them from the safety in numbers and support of the group also lowering their chances.
A healthy sense of risk doesn't necessarily make you altruistic or "soft" as you snidely put it, just reasonable. Judging from how strong the urge to socialize is in primates (including us of course) after millions of years of evolution I'd say that paranoia is not a strong predictor for survival.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
Burnett better be equally paranoid about the important things in life. One can only wonder how many different/simultaneous kinds of birth control he will demand his chaste teenagers to use.
He's EXTREMELY paranoid, using 127.0.0.1 exclusively as his IP address. He says this is so that DDoS attacks end up getting reflected back at the sender. A lot of hackers who have tried to crack his machines do wonder how in the world he has already managed to get copies of all of their own files once they do break in...
...how geeks complain about "l00sers" using 3-characters passwords and now that there's someone who's trying to tell his kids to use proper password, we hear complaints too.
What exactly is a Slashdot-approved(TM) password? Please tell me. I long to be as cool as all you 1337 h4x0rz but I don't want you calling me a paranoid.
You are more than the sum of what you consume. Desire is not an occupation.
Hey, that's fine to have long passwords. But what regulations cover where the kids can store the post-it notes with the password on it?
I've found the drawer closest to the keyboard to be the most secure place to store passwords that people can't remember
If you blog it...
like Bitchchecker.
Which is totally understandable.
The word paranoid is the important point. He is being stupid, because a casual hacker looks for easy targets. To stop them you only have to secure your system well enough that it isn't easy to get into, so they move on, as the internet is a big place.
The only reason you would do all the silly crap that he has done, is because someone is out to get YOU, and is only after you. They are determined to get into your system, any way they can. Now, if your system is the Strategic Missile Command computers, then I could see why someone might really want to get in. However, this guy is a nobody. He isn't rich, he isn't influential, and he isn't powerful. Nobody is out to get him, so yes, he is paranoid.
I always thought that paranoids were the absolute height of egomania, since you have to think pretty highly of yourself to think that you're worth the effort.
HA! I just wasted some of your bandwidth with a frivolous sig!
Why not just go the entire nine yards and tattoo bar-codes on the kids' foreheads? Smart-cards are yesterday's news.
Skip right to the retinal scanner.
"Some days you just can't get rid of a bomb."
As soon as I read this article, I sent it to many of my friends, because it's funny. It's an elegant, understated, hilarious demonstration of an important point. It starts perfectly reasonably and gets progressively sillier, until by the end it's way over-the-top hyperbole. This essay is a really lovely piece of writing, because at first it suckers you in with its reasonably paranoid stance, and when you realize you've been had -- I guess that's if you realize you've been had -- makes you think about diminishing returns.
What I say does not represent the views of my employers, my friends, my cats, or myself.
Someone needs to send a team of Troubleshooters over to see what's up with this Burnett guy.
You see? You see? Your stupid minds! Stupid! Stupid!
You want paranoid? How do we know he's not suggesting these 'methods' while holding un-released exploit code for ALL of them! --Ben
-so this once I'll be anonymous
Shouldn't I be seeing a foot icon here? This guy can't be serious, can he?
And the brethren went away edified.
"Password Day"...come on, guy, get some help! Better yet, get a hobby or a mistress for crying out loud.
Here is my security: If it's important it doesn't go digital. Paper and ink baby! The more I practice it, the more I like it.
To me, it's all about the gamble. Let's face it, having security measures in place means it's less convenient in most cases. And yes, biometrics are certainly fallible methods as they rely on factors that can potentially change leaving situations and scenarios open to question. (I've got cold and allergy symptoms now and my eyes are shot, my voice is gone and thanks to a skateboarding accident, my fingertips are in a state of healing.)
So an important aspect of security that rarely gets much discussion is the notion of damage control and controlling the amount of damage that is possible. People sometimes discuss the notion of having an important server running from a CD or some other read-only media while the data is stored on some sort of network-controlled storage only allowing access under certain conditions. So once an intruder makes it in, there should be little to no damage they can inflict.
So passwords, cards, biometrics have their place, but I think it's also important, and sometimes more so, to think about the damage that can occur.
Of course his wife doesn't know his password -- who the hell could remember thirty passwords that are at least 14 characters in length and get changed every week or so? I'm surprised he has a wife. Is she allowed to go outside? If I were him, I'd be afraid someone might look at her...
And what the hell is he doing, doing things like online banking or getting mail from his bank online? Does he really trust these companies enough to give them this information?
The scary part is that the way the article is written, the guy sounds like he knows he's a nut. It would be fun though, to write up a list of things he could do in addition to the things he's listed and see if it pushes him over the edge.
The problem is his kids! What about the social engineering risks. Someone could just buy his kids a six pack in exchange for their passwords. The only logical solution is to get rid of his kids. Probably get rid of his wife too. I doubt she can really be trusted to have access to the system.
From a security perspective, it is not the patches which crash your computer or destroy data that are a problem. They are just annoying. Reinstall, restore your data from a back up, and you are ready to go again.
The problem comes from bugs with exploits in the wild, but no patches yet.
Unpatched IE vulnerabilities
Unpatched Windows XP Vulnerabilities
I'll probably be modded down for this...
...security is too paranoid. security (arguable) costs money.
business is too cheap.
so what do you do?
IT'S FUCKING CALLED RISK ANALYSIS/MANAGEMENT!!!!!!!!!
the thing that matters is that:
a. you don't write it down
b. you can remember it
c. it's not in a dictionary (I like to use latinized versions of English words that never existed in Latin in the first place)
d. it has non-character portions (1 or 2 digits, non-standard characters like # * . > )
e. it's got nothing to do with your school, work, car, teacher, pet, child, parent, or birthplace.
The reality is that 80 plus percent of all passwords fail most of the above, even when they're more than 7 characters long.
Oh, and don't tape it under your keyboard, put it on a post-it, on the side of your monitor/computer, in your desk drawer or inside an unlocked cabinet - I already looked there.
But then I used to be the Acting Security Officer for MAPHQ back in my mil days, when I would wait till the Finance personnel just ducked out to get a drink at the water fountain or talk to an officer walking by outside about sports to go in and install keyboard listeners on their "secure" PCs that they said couldn't be cracked.
-- Tigger warning: This post may contain tiggers! --
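A checker for rules (c), (d) and (e) from the list above, as an added Python example (not the poster's code). Rules (a) and (b) are habits rather than properties of the string, so they are not checked. The word list and the personal-terms argument are small constructed samples, the eight-character minimum is an assumption taken from the poster's "more than 7 characters", and the leet-undo table is a common heuristic, not an exhaustive one; it exists because "p@ssw0rd" passes a naive dictionary lookup.

```python
"""Password policy checker for rules (c), (d) and (e) above (added example).

Assumptions: DICTIONARY and personal_terms are constructed samples; a real
deployment would load a full word list and the user's own details.
"""
import re

# Constructed sample word list; a real check loads a full dictionary.
DICTIONARY = {"password", "welcome", "dragon", "letmein", "monkey", "summer"}

# Common "leet" substitutions undone before the dictionary lookup, so that
# p@ssw0rd is still recognised as "password". Heuristic, not exhaustive.
LEET = str.maketrans("@$0!3471", "asoieatl")

MIN_LENGTH = 8  # assumption: the poster's "more than 7 characters"


def _letters_only(text: str) -> str:
    """Lowercase, undo leet substitutions, then keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def _core_word(password: str) -> str:
    """Strip leading/trailing digits and symbols, then normalise.

    'summer2005!' -> 'summer', 'P@ssw0rd' -> 'password'.
    """
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return _letters_only(stripped)


def check_password(password: str, personal_terms=()) -> list:
    """Return the names of the rules the password fails (empty = passes)."""
    failed = []
    if len(password) < MIN_LENGTH:
        failed.append("too_short")
    # rule (c): not a dictionary word, even with digits or symbols bolted on
    if _core_word(password) in DICTIONARY:
        failed.append("dictionary")
    # rule (d): needs at least one digit and one non-alphanumeric character
    if not (re.search(r"\d", password) and re.search(r"[^A-Za-z0-9]", password)):
        failed.append("no_digit_or_symbol")
    # rule (e): nothing personal (school, pet, car, ...) hidden inside it
    body = _letters_only(password)
    for term in personal_terms:
        normalised = _letters_only(term)
        if len(normalised) >= 3 and normalised in body:
            failed.append("personal")
            break
    return failed


if __name__ == "__main__":
    samples = ["Xq7#vLmt9", "P@ssw0rd!", "summer2005", "fido2004!", "Ab1!"]
    for sample in samples:
        print(f"{sample:12} -> {check_password(sample, personal_terms=('Fido',))}")
```

The normalisation step is the part worth copying: a checker that compares the raw string against the word list will wave through exactly the passwords the poster's rule (c) is meant to stop.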
I keep my PC's turned around so I can tell if anyone has installed a hardware keylogger. He feels so safe with the PC's turned around that... -doesn't see the usb keylogger in the front usb port... ...or the usb dongle plugged into the keyboard usb port of this nice Dell by Microsoft keyboard...
On a side note, what is he going to use as a cup holder now?
//Nothing to see here, please move along.
There are levels of security. There are threat assessments. He probably uses a sledgehammer to hammer nails. Sigh.
One thing is for sure, it's not paranoia if they are really after you--the only person after him is himself.
BTW, why doesn't he standardize his home with OpenBSD, or ack, Linux. Why on earth is he using a VM for browsing? Unless *he* is doing something "evil".
"It takes five passwords to boot up my laptop and check my e-mail.
One of those passwords is over 50 characters long."
a few things jump out at me... first since he's using windows I don't care how long the stupid password is most windows vulnerabilities just skip that step entirely
Second, 3 firewalls? for a home network? are you kidding me? unless you bring your work home with you, and you work for the CIA on something 10 people are allowed to know the existence of (in which case you wouldn't be bringing it home) this just screams obsessive compulsive
Third, I feel sorry for his kids, I'm all about encouraging smart surfing at a young age... but 14 character passwords? If you told me to remember a 14 character password in my teenage years i'd probably do one of two things, A. roll eyes... "ok dad..." and turn around and write it down on a little piece of paper, or B. stop using the computer. Kinda sounds like the users where I work now actually... including the eye rolling
The Answer
Mary's is dadisaparanoidgeek
...
John's is deathdealer2000
Linus's is ima1ee7haxx0r!
Boy, that took two minutes to figure out
-- Tigger warning: This post may contain tiggers! --
This is just an amateur paranoid.
Most people are scared of terrorism, not realizing you're more likely to get malaria or die from walking across the street.
You're at more risk of death just going to a bar than you are of terrorists, for example.
The same applies to computer security. Three firewalls but they use IE for a browser with no encryption. That's how the real world works.
-- Tigger warning: This post may contain tiggers! --
Yet if you call him up and say you were from MasterCard and asked for his info, he'd probably give'em up without a second thought. He's a manager after all... =)
-- If you actually say LOL instead of laughing, maybe it's time to go outside! --
* I never get any work done
When his internet goes down, it takes him 2 hours to figure out which firewall is broken.
He cannot collaborate with you to work on anything because getting the work back and forth between you is nearly impossible.
When he uses bittorrent, he is a leech.
His kids tell their friends and anyone offering them cookies what a crazy dude their dad is, and what he makes them set their passwords to.
On his networks he doesn't allow p2p, IRC, IM, email attachments, netmeeting, or shared folders, or installing any software. Would you use his network if you had a choice?
And, after all that, he is _STILL_ not secure from anyone properly motivated.
There is another side to security, which is practicality. Every security precaution is a tradeoff of getting work done.
Make the website read-only.. how often does this make staff unable to save files and not understand why? What applications and features does it break?
Change every password on a regular basis? How often do you forget them, or where do you write them down? Do you go somewhere and not have the one you need? Or did you bring it with you on your trip where it could be stolen?
Use your shreddings for mulch? How much bleached paper can a mulch pit take before it stops being a mulch pit? Do his wife's flowers fail to sprout?
Turning your PCs around.. great you can see the keyboard plug. Now, burn me a CD rom with this weeks numbers on it..
Lastly.. even if your security is 100%, and no one can get in, the obvious solution is to put a gun in your face and order you to login. Is that really what you want as the path of least resistance?
But very appropriate:
I know I'm being paranoid, but am I being paranoid enough?
Professional Politicians are not the solution, they ARE the problem.
That sounds like an album by Queens of the Stone Age...
1) BIOS password.
2) Windows Login Password.
3) Windows Network Login Password.
4) VMWare Server Password.
5) Mail Server Password.
Good security practices state that you should never use that 'Remember this Password' option any program displays for you. I can see why he would have five passwords to enter.
Enjoy,
It's just the normal noises in here.
It's because of people like you I've had to decentralize my bot nets. Nuke this!
Mwahahahaaa...
*sigh*
Sad, isn't it.
Always do right. This will gratify some people and astonish the rest. -- Mark Twain
Have you ever had a guy like this running your servers or network? It gets to the point where you have to run subversion programs/systems to get any work done in a timely fashion.
While he is busy changing 100 of his passwords every week a whole group of users are not getting any work done because they need a port opened on the firewall.
What does this guy do for a living that he has all this time to waste on useless tasks in the name of "what if" security?
He isn't paranoid. He knows about risk analysis. It sounds like he just turned security into a hobby...
So since he is considered paranoid and requires 14 character long passwords, what does my 49 character long password make me?
Information security has a major black eye because too many people absolutely don't understand that security is NOT the goal and never should be.
Accomplishing whatever your business is is the goal. Doing it efficiently and profitably is the goal. Serving your customers is the goal. Helping and not harming them is the goal.
Every bit of information security which does NOT serve those ends should get a rapid ejection from any institution. Those bits that do serve those ends should be promoted not because they're "security" or policy, but because they're good business.
I would argue that inconvenient security is not secure. People will find ways around it, sometimes in the worst possible way from a security standpoint.
Good security should be relatively unintrusive. E.g., your security badge includes a java button, you need it and your password to log on. (I'm not sure if jbuttons are wireless, but if not substitute some smart device that is.) Once you're logged in a kerberos TGT is written to your badge. You can then access most secured functions because they quietly get the ticket from your badge. You could set up the system so your tickets (not TGT) only live for 10-15 seconds - you walk away from your desk to go to the bathroom or "coincidentally" run into that cutie at the water fountain and the ticket can't be renewed and the applications are disabled (and screen blanked?) until you return. Then you have to repeat your password (since somebody might have taken the badge off your still-warm body) and everything is as you left it.
If you need special rights you provide the password for another TGT, one with a short lifetime. Think 'sudo' as an analogy.
It's far more secure than having to maintain a separate username/password for multiple applications, yet simultaneously far more convenient. Nobody will complain, esp. if badges are required or they're already used to get through doors. Most people won't even understand how the badge around their neck gives them access to their workstation (and possibly others when working with others).
A slightly weaker version uses a USB dongle attached to your keys. Nobody walks away from their car keys for long.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
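The badge and ticket policy described in the post above, replayed as a toy state machine: an added Python example that is neither the poster's design nor a real Kerberos implementation. The integer fake clock, the single user and the lifetimes (a working day for the badge-held TGT, 15 seconds for service tickets, five minutes for the sudo-style privileged TGT) are assumptions chosen for the illustration; the scenario function walks through the "walk away from your desk" story and returns what a watcher at the workstation would observe.

```python
"""Toy model of the badge-plus-ticket login policy (added example; not the
poster's design and not real Kerberos). Assumptions: an integer fake clock,
one user, and lifetimes chosen only for illustration.
"""
from dataclasses import dataclass
from typing import Optional

TGT_LIFETIME = 8 * 3600       # ticket-granting ticket held on the badge
TICKET_LIFETIME = 15          # service tickets live 15 s, as the post suggests
ELEVATED_LIFETIME = 300       # short-lived privileged TGT, the sudo analogy


@dataclass
class Ticket:
    principal: str
    issued: int
    lifetime: int

    def valid(self, now: int) -> bool:
        return self.issued <= now < self.issued + self.lifetime


@dataclass
class Badge:
    """Proximity badge; `present` is what the reader at the desk sees."""
    present: bool = True
    tgt: Optional[Ticket] = None


class Workstation:
    def __init__(self, user: str, password: str, badge: Badge):
        self.user, self._password, self.badge = user, password, badge
        self.locked = True
        self.tickets = {}         # service name -> cached service Ticket
        self.elevated = None      # privileged TGT, if any

    def login(self, password: str, now: int) -> bool:
        """Badge present + password: a TGT is written to the badge."""
        if not self.badge.present or password != self._password:
            return False
        self.badge.tgt = Ticket(self.user, now, TGT_LIFETIME)
        self.locked = False
        return True

    def _mint(self, service: str, now: int) -> Optional[Ticket]:
        """A service ticket needs a valid TGT on a badge that is present."""
        tgt = self.badge.tgt
        if self.badge.present and tgt is not None and tgt.valid(now):
            self.tickets[service] = Ticket(service, now, TICKET_LIFETIME)
            return self.tickets[service]
        return None

    def access(self, service: str, now: int) -> bool:
        """Use the cached ticket while valid, renew quietly from the badge,
        and lock the session once renewal fails (the user walked away)."""
        if self.locked:
            return False
        ticket = self.tickets.get(service)
        if ticket is None or not ticket.valid(now):
            ticket = self._mint(service, now)
        if ticket is None:
            self.locked = True            # blank the screen, drop all tickets
            self.tickets.clear()
            self.elevated = None
            return False
        return True

    def elevate(self, password: str, now: int) -> bool:
        """Re-enter the password for a short-lived privileged TGT."""
        if self.locked or not self.badge.present or password != self._password:
            return False
        self.elevated = Ticket(self.user + "/admin", now, ELEVATED_LIFETIME)
        return True

    def privileged(self, now: int) -> bool:
        """Privilege lapses on its own clock, and whenever the badge is away."""
        return (not self.locked and self.badge.present
                and self.elevated is not None and self.elevated.valid(now))


def walk_away_scenario() -> dict:
    """Replays the post's story on the fake clock; returns what was observed."""
    badge = Badge()
    ws = Workstation("alice", "correct horse battery", badge)
    out = {}
    out["wrong_pw"] = ws.login("wrong", 0)
    out["login"] = ws.login("correct horse battery", 0)
    out["mail_t5"] = ws.access("mail", 5)          # ticket minted, good until t=20
    badge.present = False                          # off to the water fountain
    out["mail_t12"] = ws.access("mail", 12)        # cached ticket still valid
    out["mail_t25"] = ws.access("mail", 25)        # expired, no badge: locked
    badge.present = True
    out["mail_t30"] = ws.access("mail", 30)        # badge back, still locked
    out["relogin"] = ws.login("correct horse battery", 30)
    out["mail_t31"] = ws.access("mail", 31)
    out["elevate"] = ws.elevate("correct horse battery", 40)
    out["admin_t100"] = ws.privileged(100)
    out["admin_t400"] = ws.privileged(400)         # 300 s of privilege are up
    return out
```

Two design points the model makes visible: a cached service ticket keeps working for its remaining seconds after the badge leaves, so the ticket lifetime is the upper bound on the unattended window; and a lock discards the privileged TGT as well, so returning to the desk never silently restores elevated rights.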
It does impose a set of costs, however. Secure software usually has barriers to access (logins, passwords, etc) is usually slower (to gain access, if nothing else), adds an additional implementation cost, and (to be truly secure) is never finished.
However..
If you get hacked, or your data goes into the black hole, or something else bad happens, then there is a much greater cost you must bear. - Sometimes THAT cost is catastrophic.
But as long as nothing ever goes wrong, and you can be certain it never will, then security is a bad thing.
Of course, sometimes, you truly don't care, or need to, in which case, security is also a bad thing.
Look at the concept of most Wikis - anybody can post anything - no security against most forms of hacking. That is the intent.
But of course, when you do care about bad things, your level of paranoia should be at least greater than the level of how much you care, and not necessarily related to the level of threat, which you probably cannot estimate accurately.
There is not nearly enough love in the world, but there is far too much trust.
Excuse me. I don't know a huge amount about encryption techniques, but I strongly suspect using 16 characters rather than 6 is just a matter of the decryption program taking a couple of extra nanoseconds to crack. This is like door locks. They keep out the honest folks. The crooks are gonna break a window and ignore the lock. So, basically, we *are* talking about paranoia here, not rational security savvy. I think we may need to take back the word "paranoid" from the guys who think it means overly cautious. It doesn't. It means nuts in a particular clinically defined way.
Here lies Arthur, the once and future king.
my kids will all have 14-character randomly generated names
I doubt that we will ever figure out - and I suspect that even if we did figure out we couldn't do much about it
Yes, the guy is crazy, and I speak as a security dude (who has also written for securityfocus).
He's right that even the paranoid have enemies. He ignores that many of the paranoid with enemies still get done in, despite all the paranoia.
The most important point, however, is that his approach to security will do zilch to improve security in general. Microsoft releasing a new patch improves world-wide computer security a thousand times as much as his 50 character password.
Because frankly, I don't care if his machine gets hacked into, and neither does anyone else. But the two or three million hacked Windows machines that are part of dozens of zombie networks, now that is a serious problem.
Assorted stuff I do sometimes: Lemuria.org
Man, that was funny. I laughed for about 5 minutes
I'll just use my special getting high powers one more time...
Paranoid admins who like to practice "information denial techniques" on their systems, making them essentially unfixable. The thinking is, "We don't want a hacker to have any information about our network. We don't want him to even know what kind of system he's on if he ever does get in. So we've got to hide as much system stuff as possible."
We've got quite a few of those here, most of whom have had "security at ANY COST" drilled into them by the higher-ups. Here are a few gems:
I'm sure there's another super-paranoid person on this topic who may flame me for this and say I'm a rotten admin for keeping any debugging tools on a system. But a lot of people forget that 50% of security is keeping the bad guys out, and the other 50% is allowing the good guys to do their job without a huge hassle. Sure, having people logging in via telnet, or allowing "password" as a password sucks. But timely patching, keeping an eye on your system services, EDUCATING YOUR USERS, and having a good firewall policy will keep far more trouble out than instituting the Fourth Reich on a production system.
There's no sig like this sig anywhere near this sig, so this must be the sig.
Personally I find that two firewalls (hardware, Linux, *BSD, definitely not a Windows software firewall) are plenty for the paranoid. My first line is my router, which has pretty restrictive ACLs for incoming traffic and also does NAT for the host sitting behind it -- which is a Linux box with iptables from hell. Behind the Linux box sit my Windows machines. If I count the Win XP SP2 software based "firewall" then I guess I do have 3 of them. Am I paranoid too? I certainly don't think so, and I've never gotten hacked although countless idiots have tried, and continue to try every day.
You been pwn3d! Watch your back man, because I'm right there behind you!
Paranoia is the misordering of priorities through irrational fear. For example, I am posting to Slashdot using links2 run from a Gentoo livecd from my second machine. If I was doing this for any reason other than because my main system had suffered disk failure, requiring a reinstall, or random geek value, I would be seriously paranoid, for I'd focused so strongly upon having an unhackable system over implementing anonymisation over ipv6.
More seriously, being excessively slowed down through having to jump through security hoops, and having your mindspace taken up can end up reducing productivity, and risks seriously eating into profits. Hence we have security specialists, who call themselves "paranoid" because they would be, if they had a normal (meaning non-security) job. It is entirely possible that someone in security is too paranoid for security, and trusts those that they should be wary of on grounds of insufficient competence because of irrational fears of those whose motives they do not trust.
Avoiding obviously taking sides, it's clear to [Democrats|Republicans] that [Republicans|Democrats] are paranoid about various risks. This isn't just relativism: those who seek power tend to perceive a greater need to control the masses than the rest of us. Someone has to be getting it wrong!
Paranoia is a strange thing...
Wikileaks, no DNS
Some people will view this kind of paranoia as a challenge, which will only encourage them to attack him.
Ahh, the self-fulfilling prophecy of paranoia: Act out enough, and you get all sorts of unwelcome attention that just confirms your egomania.
Of course, if I were really interested in getting into this guy's computers, I would shoot him once in the foot and tell him that the next bullet would go into his head if he didn't spill all his passwords. Computer security is only as good as the weakest link...
HA! I just wasted some of your bandwidth with a frivolous sig!
I'm wondering what really was the article about. Did he want to brag about his (seemingly overzealous) security measures or was he really wondering what was the security field stance on his positions.
It really felt to me that this article had nothing good produced as a good base for discussion.
One last thing, there is way more to security than firewalls, passwords or security tokens. Come on! give me a break.
If he wanted a good debate on the subject he would have explained what was the result of his risk analysis and then justify the controls to minimize those risks.
Again, it looked to me a bit like this: "look at me I have to type in a gazillion passwords to read my mail, beat that!"
http://maps.google.com/maps?oi=map&q=1349+S+Banbur y+Dr,+Syracuse,+UT+84075
Not paranoid enough, eh?
In which case, having that many passwords is just stupid. It is not providing any more security.
More important is a credible threat, probability and loss analysis, compared with a list of countermeasures and their costs.
Otherwise, it's just the cops featherbedding, just like the CIA did over the strength of the USSR -- even just before the collapse and perestroika.
Don't give in to fear.
Assume he has perfect electronic security. The would-be data burglar will always look for the softest possible break-in point.
If he makes his electronic security infinitely strong, then he better check the locks on the doors, the security system, whether he takes the same routes regularly, etc.
how long do you think until the guy logs into his network only to see "4££ ¥0ur B4$3 4r3 B3£0n9 70 |_|$" scrolling across the screen?
What is with this guy? Keep the PC turned around so you know if there's a keylogger installed? 50 character passwords? Surfing from a VMWare box? What's he got on his network that he thinks is so important? I wonder if he checks his precious email with POP-S or if he just transmits his PW over the wire in plaintext? Is he worried about financial data getting out? It's easier to set up a computer not connected to the network which houses sensitive information than it is to deal with these ridiculous security whims. What is the point of having password strings that large? Brute force password attacks are very slow, noticeable, and hardly ever used except by admins with a passwd dump who are doing a strength test. A 6-8 character alphanumeric with a couple of Shift-number characters thrown in is very adequate protection, IMHO.
Additionally, the fact of the matter is that most of the network attacks out there are being done by script kiddies looking for an easy system to break into so they can set up a warez server or make it part of their zombie network. If you are on some wuss home network you'll never have to worry about port scans as long as you've got a firewall and no exploitable holes exposed to the outside.
If you are being specifically TARGETED for an attack, it's a slightly different story, but even then the chances are pretty good no one's going to waste their time trying to brute force your password. Most likely they'll just send an email trojan via email to somebody inside your network that phones home right through however many layers of firewall you just happen to have. A fat lot of good a big password will do you then....
And speaking of being targeted, this guy just put a bullseye on his forehead. I have a feeling quite a few people are going to take this article to task and find out how good this guy's security REALLY is.
-R
How much important stuff does he need to protect on his computer? Usually kids have a game or two, a list of MSN addy's, and some school work on the computer. At home the guy prolly has credit card# financial information, personal projects and that's about it. If he is going to go crazy securing his computer (digital info) then he should be X2 as paranoid protecting the PHYSICAL information. I suggest having his credit card implanted in his skin, 8 security guards at his side at ALL times, satellite surveillance. The card should be encrypted in Egyptian 2048 bit encryption hieroglyphics and to use his card he must submit fingerprint, voice, and DNA samples along with a urine test.
Many security people think the whole aim of tightening up is to completely disallow a hack. 100% security is impossible, and the scene becomes a competition between the security guys and the finance/management people about how much to spend on it.
My idea of security is to clearly make it unworthwhile to hack. To gain $10, the hacker/cracker should have to spend $20 in cracking effort. An OpenBSD router is fine for a ~50-employee company. 14-character passwords, smartcards and biometrics would be excessive.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
ok...so my real question is, why in the world is this guy running Microsoft products? Not to say Microsoft isn't secure; I would be asking the same question if the article implied he was using Linux.
If I was that paranoid nothing but a locked down OpenBSD machine behind the nastiest firewall imaginable would be good enough for me.
Tharkban (It is a signature after all)
The point is that Linux, BSD, and any other OS that's open source can actually be examined. If you're paranoid, you have to audit all the code yourself and hand-write the base assembler to assemble the quasi-compiler; refer back to the thought experiment of the bugged compiler which would infect the compiler and login program to propagate itself. Even further, you'd want to use an open system where you can verify all the firmware, including the BIOS, to make sure no hooks are in place to compromise your security. And even further than that, you need to validate all the chips and processors in your system to make sure they're not bugged either.
So, for one who claims he's really paranoid, he's a long way off from real paranoia. He's not even taking the basic step of validating his operating system.
Eurohacker European paranoia, gun rights, and h
Brag about security, and you'll have to use it.
We all dance, we all sing.
-The Streets
BIS is actually a scale that psychologists use to measure one's behavior. BIS stands for Behavioral Inhibition System, which is often coupled with BAS, which stands for Behavioral Approach System.
High on BIS basically means you focus on the negative surroundings/environment. Take skydiving for example: a person high on BIS would be focusing on what if the parachutes don't deploy, what if I go into shock, etc. etc. Someone high on BAS would be thinking skydiving gives a rush of energy that I can't really experience anywhere else.
I'm not saying high on BIS is bad. In fact, a person can be both high on BIS and high on BAS simultaneously since these 2 scales are not necessarily contradictory. Being high on BIS is good for situations which need it, and knowing how weak computer security can be today, it might be a good thing.
You can read more about it here: The Behavioral Approach System & The Behavioral Inhibition System
HD Trailers
I just wanted to slip in a comment here before this amusing thread died. I don't mind if everyone thinks I am crazy, and I enjoyed the comments, but I don't like the idea that people got the wrong message from the article. Of course, this was a casual commentary meant mostly to be entertaining, and some of you picked up on that. I don't have bars on my windows and I don't give my kids polygraph tests. There is a certain humor about security that plenty of people can relate with. Nevertheless, there is enough truth to what I posted.
The point was this: I am a security professional, so is it so bad for ME to be paranoid? I'm not telling you to be paranoid, that's MY job. I spend an enormous amount of time implementing security measures that are way beyond the threat model for my home (which is also my work) network. I also spend a considerable amount of time doing research and reading and other stuff. Other professionals spend lots of time in school and independent study to further their own professions--they do it for the benefits of their clients.
I do not recommend these extreme security measures for the average network. I do not recommend changing passwords every 30 days. I do not recommend going so far beyond the actual threat. Still, there are plenty of reasonable security measures that do go a long way. And for myself, does it matter if there is a threat or not? Wouldn't my clients like knowing that I have way more security than I need? I set a baseline of extreme security and work down from there to come up with what works for them. To me the cost/benefit ratio makes sense but it won't for most others, but it makes sense for me because that's how I learn. If there is an extreme case where it is worth it, I am ready to implement it.
I also believe in smart security. Many have implied that I take these extreme measures yet seem to forget the basics. Duh. Be smart and balanced about security. Don't alienate users because they need to be active participants in your security policy. I don't believe that you can be absolutely secure, but I do think there's a huge difference between 50% secure and 95% secure.
Judging by the surge in my IDS, firewall, and other logs, some of you took my article as a challenge. I usually don't mind people taking a stab at my network, just be cool about it. If you do find a flaw, I'd probably be impressed and I'd like to hear about it. That isn't a challenge, being smug about one's security isn't that smart.
And finally, about the hotfixes. That point wasn't quite fair because I am on the Microsoft program to beta test hotfixes. By the time they are released, I have already tested them on certain specific environments. I also do some articles and reports on hotfixes that same day so by the time they come out I know them pretty well. You should not blindly install hotfixes without testing them. I'd love to trust Microsoft more there but I don't.
And for the record, here are the five passwords to check e-mail on my laptop:
1. BIOS password (mostly as a statement, kind of like a legal notice)
2. Syskey password (for EFS encryption and other physical attacks)
3. Windows password (this is the 50-char one)
4. Password to mount the encrypted drive
5. Password to open my e-mail client
Thanks for the discussion,
Mark Burnett
Black Sabbath?
Legally you should always keep separate passwords because then the government can't argue (in a raid) that another in your household can give permission to sack your machine's memory.
Someone logged on to the credit card company's web site as me and changed my password, and then my address, and then attempted to charge $1500 at an online computer store.
To do so they had to have had the cc number, the 3 digit code on the back of the card, my user id, and my ssn. I guarantee you they did not get this information hacking my network or my personal computers. The information just isn't there. Neither is it in the shredded documents I stick in the garbage.
Moral of the story? The security of your personal data is only as good as the weakest security among those who hold your personal data in their databases. All it takes is one bad employee at the bank, or a credit card company, or an online vendor, or the mortgage company...
This guy is sticking his fingers in the small portion of the dike he controls, while the rest of it leaks personal information like a sieve.
-josh
A real security expert would feed the shredded bits to the red wigglers in his worm farm and then put the vermicompost in his garden.
Bring back Sirius Punk!
when the "inSecurity professionals" reject security measures because it may be academically inconvenient. Given the type of data stored on networked computers and the potential catastrophe if the data was compromised, it's probably better to be safe than sorry. How safe and how sorry is obviously up to you...
"Tempers are wearing thin. Let's just hope some robot doesn't kill everybody." --Bender
The easiest way to not have to worry about LM hashes is to use a password longer than 14 characters.
This poor sod just happened to shoot one char too short in laying down the law to his kiddies. A clear-cut case of insufficient paranoia leading to Slashdot ridicule.
"We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
There's some formula here on Convenience inversely proportional to Security - but you need to find "reasonable" values for C and S. For many people this guy's security is too inconvenient to bother with.
Also, as pointed out elsewhere, this guy seems to have a disproportionate sense of self importance. Sure it's fine to go to *some* lengths to stop a hacker (eg a firewall) rather than leave your home network wide open (assuming permanent Net connection).
At home I also try to have some security with 4 primary aged kids who download all sorts of crap off the Net. I have 3 XP boxes and one Linux box and make all family members have their own logins and passwords as we had so many fights when people look at other files and stuff like that.
The big problem I have is probably 80% of games the kids want to run only work if run as Administrator!! Many times I've tried changing permissions on files (usually games save data under /programfiles rather than in the user's own area) but this usually doesn't work. So when the kids want to play a game I have to log them in as administrator and then every few weeks I find someone's done something like copied all of /programfiles to their desktop or moved all the mp3s we have to their own folder (or worse still, taken just some mp3s from the common directory we put them in).
But it's not just games. I have a friend with a multimedia company and most of the highend apps his people use also require to be run as Administrator, so you get employees screwing up their machine configs all the time.
It'll be a while before developers and users understand they can't expect to just sit down on a PC and do anything (beyond what they're meant to be doing).
I have taught the kids to use logins and save downloaded stuff to their own area. I can't teach the app/game developers this.
I never have this problem with Linux (despite some of unix's security shortcomings) but then the kids rarely use it as it doesn't have any games they want and the free office stuff isn't what they're used to using - basically it's only good for surfing the Net - so it's a last option if all other machines are in use [sigh]
pithy comment
But yes, ginger root is generally the way I cleanse my palate. Wasabi is how I clear my sinuses.
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
He does not make any provision for an infrared through-the-wall camera watching his monitor, or a microwave bounce off of a window to detect the vibrations in the room that result from pressing keys on his keyboard; each has a different sound that can be recorded and digitized so that what he types may be reproduced.
I suggest heat lamps on the walls, floors and ceilings to deter infrared, and attach speakers to the glass in the windows. After a few hours of listening to "Feelings" even the most dedicated spy will go insane.
Before reading the article I thought it may be a joke. But it seems quite reasonable.
Going through three firewalls: I assume one is on his router and one on his PC. The router firewall is invulnerable to M$ attacks, and if some spyware or a virus gets installed then the PC firewall will warn him when he transmits unauthorised data. Not sure where 3rd one comes in.
Needing 5 passwords from boot to reading email: guessing that the first is the BIOS password, this stops someone putting in a LiveCD and reading his hard drive. Next comes the Windows login. Third is the POP3 password that the email client asks for. Fourth is the 50 character password (probably a sentence from his favourite novel or a line from a song lyric) which decodes his PGP key. Possibly the 5th is to mount an encrypted filesystem.
Browsing from account with no admin rights: sounds sensible to me. I have friends who work in Windows but use a linux LiveCD to browse for safety.
Deleting unused services and blocking unused ports: sensible stuff again.
Install hotfixes the day Microsoft releases them: if you don't then you may get hit by latest worm, if you do then you will get shafted by the occasional bad patch. No right or wrong on this one, question of personal preference.
As for regularly changing passwords, he is sensible in doing what most of us are just too lazy to do. I wouldn't say he is over paranoid, on the contrary he has learned good habits.
Phillip.
Property for sale in Nice, France
This guy needs to step away from the computer, give it a rest you psycho. Surely with all these security precautions he hasn't got time to do anything productive. The best idea for this guy would be to put all his equipment in the shed with a couple of pounds of C4 and get the kids a goddamn Xbox.
What about shielding the house from Tempest eavesdropping? Obviously he's only over-excited with the known methods to protect himself, not necessarily paranoid.