Slashdot Mirror


Security for the Paranoid

Stephenmg writes "In Security for the Paranoid, Mark Burnett talks about his computer security methods after other security professionals say he is too paranoid. 'Paranoia is the key to success in the security world. Is it time to worry when other security professionals consider you too paranoid? I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards.' I don't see anything wrong with his methods."

9 of 449 comments

  1. Re:Mark is Paranoid, but Trusting of Microsoft? by UnknowingFool · · Score: 2, Informative
    awful lot of trust in Microsoft (or any other vendor for that matter) not to release a patch that has problems.

    Don't worry, let him get one or two bad ones and that'll change his tune. Fortunately for him, MS hasn't released a bad one in a few years (if you don't count SP2, which had its problems).

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  2. Re:Security,,,for the average user? by yagu · · Score: 2, Informative
    I worked for a place that the customer service people typically used more than 30 (I am not making this up) different systems. And the passwords and rules were amazing, different, obtuse, and really fscked up. The claim was this provided maximum security. My experience out on the "floor" when visiting these clients (we did software for them) was either:
    • spiral bound notebooks with matrices for the systems and passwords for easy access.
    • yellow stickies on the sides of monitors with systems and passwords.
    • yellow stickies or notebooks in drawers....

    NOTE: all of these practices were against company policy..... but rendered the reps' jobs undoable without the "aids". So much for security to a paranoid level.

  3. Cleansing Palates by SeanDuggan · · Score: 3, Informative

    How else do you cleanse the palate between beers?
    Wasabi.

    --
    This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
  4. Eight character passwords are sufficient by windowpain · · Score: 2, Informative

    Even if the password is not case-sensitive, eight characters allows for more than 2.8 trillion passwords using the 26 letters and 10 digits. Many systems time out after three or so attempts. Even if you allow a thousand attempts (an absurdly high number) you'll still be very safe.

    Of course, if someone steals a password-protected system he would have an unlimited number of attempts. So make it a nine character password. If the cracker can run one million tries a second he has only a 50% chance of cracking a truly random password in the first 16 years of trying.

    Show your work:

    Number of seconds in a year = ca. 3,153,600

    36^9 = 101,559,956,668,416 / 1,000,000 = 101,559,956

    101,559,956/3,153,600 = 32 years to search entire key space.

    32 / 2 = 16 years to search half of key space.

    --
    Insert witty sig here.
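The online-versus-offline distinction the comment above draws, as an added example that is not part of the thread: a small model of expected crack time for uniformly random passwords over a character set, with an online guesser throttled by a lockout policy beside an offline guesser at a fixed rate. It assumes 365 * 24 * 3600 = 31,536,000 seconds per year and generalizes the 36-character case to the 62- and 95-character sets as well.

```python
"""Brute-force time model for the 8-vs-9-vs-14 character password debate.

Constructed example, not code from the thread. Every password is treated as
uniformly random over its character set, so the expected time to hit it is
the time to search half of the keyspace.
"""

SECONDS_PER_YEAR = 365 * 24 * 3600  # 31,536,000 (assumption: no leap years)


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of `length` over `charset_size` symbols."""
    return charset_size ** length


def offline_years(charset_size: int, length: int, guesses_per_second: float,
                  fraction: float = 0.5) -> float:
    """Years to search `fraction` of the keyspace with unlimited offline guessing.

    fraction=0.5 is the expected time to find a uniformly random password;
    fraction=1.0 is the time to exhaust the whole keyspace.
    """
    guesses = keyspace(charset_size, length) * fraction
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def online_success_probability(charset_size: int, length: int,
                               attempts_per_lockout: int, lockouts_per_day: int,
                               days: int) -> float:
    """Probability an online guesser beats a 'N attempts, then lock' policy.

    Each lockout window permits `attempts_per_lockout` guesses and recurs
    `lockouts_per_day` times a day; guesses are distinct, so the success
    probability is simply guesses tried divided by keyspace size.
    """
    tried = attempts_per_lockout * lockouts_per_day * days
    return min(1.0, tried / keyspace(charset_size, length))


def compare(lengths=(8, 9, 14), charset_sizes=(36, 62, 95),
            guesses_per_second=1_000_000) -> dict:
    """Expected offline crack time in years for each (charset, length) pair."""
    return {(c, n): offline_years(c, n, guesses_per_second)
            for c in charset_sizes for n in lengths}


if __name__ == "__main__":
    for (c, n), years in sorted(compare().items()):
        print(f"charset={c:3d} length={n:2d} -> {years:.3g} years at 1e6 guesses/s")
    # Online guessing: 3 attempts per 15-minute lockout (96 windows/day) for a year.
    print("online, 8 chars [a-z0-9]:", online_success_probability(36, 8, 3, 96, 365))
```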
  5. Quality vs quantity by bigmouth_strikes · · Score: 2, Informative

    This guy doesn't have a clue. He's suffering from the delusion that "quantity has a quality in itself" (Stalin quote).

    3 firewalls? Why not 6 or 12? Or 1, properly configured.

    5 passwords? Why not 20? How is he tracking all his passwords - with "Password days" and all? I'm betting the farm he isn't memorizing them all. If he is, they're not different enough, not good enough. I'm sure 4 of those 5 can be cracked with readily available cracker kits.

    No, he's all about "a lot of security" as opposed to "good security".

    --
    Oh, I can't help quoting you because everything that you said rings true
  6. Re:Convenience = 1/Security by EvilTwinSkippy · · Score: 2, Informative
    Delusions of grandeur to be sure.

    That said, we have a lock on the door to our data center, and a camera that snaps a shot as you go in. Backups are made 3 floors above on a half-floor that nobody knows about, which requires a key to access as well. The backup tapes for our operation are in one of those locked locations, or in the hands of a courier who carts them offsite to some remote salt mine or something.

    We aren't keeping the formula for Coke. We are keeping our donor database and membership rolls. They are priceless to us.

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  7. Re:Mark is Paranoid, but Trusting of Microsoft? by EvilTwinSkippy · · Score: 2, Informative
    Skip Microsoft.

    He has an awful lot of trust in his kids.

    No Dad, I didn't install that game... No Dad, I don't know who installed that driver... No Dad, I don't know who tried to delete the "WINDOWS" folder to make more space for MP3's.

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  8. Re:Isn't he going after the wrong things? by lheal · · Score: 2, Informative
    • I've got the impression that most security problems are due to either faulty code ...

    Nope. Most problems come from sloppy practices such as sharing passwords, not having a password, or leaving yourself logged in.

    The best thing about forcing the kids to use 14-character passwords is that it sets the tone for their attitude. If you tell kids "Be secure!" and don't require strong passwords, they might not get the message. Require strong passwords and you don't have to tell them, they just get it.

    The real problem with TFA's laundry list of practices is a false sense of security. If it takes 5 passwords to check your mail, it's really easy to think you can write whatever you want in that mail. It would also be easy to think you are safe, but then some completely new attack vector is discovered against which you have no defense - but you assume you do.

    There is a case to be made for TFA's "better safe than sorry" approach. His leadership by example for his clients is good, too.

    But I think a more apt cliche to apply is "pick your battles". Put your energy into protecting what you hold most dear. Don't make it hard to do the right thing. Don't waste time being 99.999% safe over some unlikely issue while possibly ignoring some more likely one altogether.

    --
    Raise your children as if you were teaching them to raise your grandchildren, because you are.
  9. Re:Try to count them. by DA-MAN · · Score: 2, Informative

    Many new laptops can have a hard drive password set in BIOS, that is written to the drive at a low level. Moving the laptop drive to another machine will not let you read the data unless you know the password (or have some really high end equipment to take it apart I imagine).

    It looks like the enforcement of this requires the BIOS to interact. I have not been able to find a way to remove this password, but I've had no issues with pulling data from the drives with passwords by just putting them in external USB enclosures.

    So although you will not be able to steal machines and sell the hard drive for parts, you can steal the machine and get data if that's what your target is.

    --
    Can I get an eye poke?
    Dog House Forum