Security for the Paranoid
Stephenmg writes "In Security for the Paranoid, Mark Burnett talks about his computer security methods after other security professionals say he is too paranoid. 'Paranoia is the key to success in the security world. Is it time to worry when other security professionals consider you too paranoid? I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards.' I don't see anything wrong with his methods."
Mark Burnett talks about his computer security methods...
"Outwit, outplay, and outlast those pesky script-kiddies."
While being paranoid is arguably good (although Mark may be a bit extreme compared to most), I did wonder a bit about one comment near the end of the article which was: "And I install hotfixes the day Microsoft releases them" which seems to put an awful lot of trust in Microsoft (or any other vendor for that matter) not to release a patch that has problems.
Hulk SMASH Celiac Disease
get with it man, you're not important, nobody wants your porn
The only truly secure computer is one which is switched off and disconnected from the network.
And smashed with a sledgehammer.
And set on fire, to the temperature of 600F, which should be sufficient to destroy the magnetic bits in the hard drive.
And then nuke it from orbit, it's the only way to be sure.
"Can of worms? The can is open... the worms are everywhere."
And this guy is set up very secure.
Is he mentally ill? Let's just say he doesn't sound like the type of person I'd want to have a beer with.
In fact, he sounds a lot more like the type of person who has food, water & weapons buried in the woods for the coming Apocalypse.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Paranoia's a good starting point for the IT Security beginner, but well-informed abject fear is the mark of a seasoned professional.
Creative Commons music that doesn't suck: emptydrum.com
for a home network? Paranoia is understandable, but smart cards on a home network? and 14 character passwords inside your house. OK, on the outside, that makes some sense. But what kind of secrets do you have internally that you need that level of paranoia? If the entire network is open to the outside world, that's a different matter, but what could possibly be so important that your kids need 14 character passwords to protect it inside your home?
antipaucity
Well, I can see the guys reasons.
However, information security has to be appropriate to the data you wish to protect.
A system that annoys users by making it hard to access the information (long passwords changed weekly for example) will just leave you with a static store of information.
The information will never be *USED*. There will be no point in having it.
Use security appropriate to your data. He IS paranoid, and - offtopic: sounds a bit of a nob.
I know for sure if I was one of his kids, I wouldn't WANT to connect to his network!
Training is the best security measure that can be taken; training users to not do stupid things, to use secure passwords, to not share information they shouldn't.
If you start your kids off learning to use computers securely, with good self protection habits, then the likelihood that they will become victims of identity theft or other phishing is greatly reduced.
When it comes to security, there is no such thing as paranoid... they really are out to get your password, your ID, your SSN and everything else that will help them get your money...
Support NYCountryLawyer RIAA vs People
... is about the only part of his screed that could make sense to me. Not because one should not divulge a password to one's wife, but because keeping passwords entirely private is good policy. Almost everything else about his life strikes me as goofy. If you read any of the "hacker" books, hacking and gaining access to people's stuff isn't about cracking passwords, it's about social engineering and dishonest behavior, most of which the author's behaviors won't prevent. But, if it makes him feel better.... (I wouldn't want to live on his network.)
I worked at a large company and called the administrator of their unix mainframe and complained that /usr/bin and /bin both didn't even have execute privilege so I couldn't even see what commands existed. The administrator dressed me down and explained they did that for security reasons so people couldn't hack in. He went on to tell me about the giant breach on that system from outside hackers and hence, the very tight "security". I gently reminded him the "breach" actually occurred with those very same directory permissions.... and they didn't prevent the hack. Sigh...
Speaking of smart cards, anyone know where or how to obtain a simple smart card home solution? All resources I've found are for large enterprise distributions... I'm only looking for 2 or 3 smart cards..
The Digital Couture Collection
Does it seem kind of stupid, especially for the 'security paranoid', to announce to the public that you use "at least 14 character passwords"? Seems to me you just set a lower bound and cut out 13^128 possibilities for a cracker :-p
"What's the difference between a random 14 digit password and a random 6 digit password?" 8 digits?
mark me troll if you must. but I see this as a legitimate question....
if he's so damn paranoid, what the hell is he using windows for?
I think you can be too paranoid. I seem to remember a story a while ago about security measures that were overly invasive. Require 14 character password with non-alpha characters, and get your users putting their passwords on their monitors with post-it notes.
It's true, you never seem to realize your folly until it's too late and your data is gone, but in my case, my home network isn't so important to me that I think it's worth so much security that it interferes with my enjoyment or productivity.
Usually my stance is that I let the foil-hat wearing security gurus have their toys, but I continue to look for the solution that is "good enough" and that conforms to MY wishes, not theirs.
-d
"Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
I can't see a need for this level of security on a home network, where the only thing an attacker would want to do is zombi-ize your windows boxes. strong passwords are good, firewalls are good, wifi mac address lock down is good, but smartcards? why not require a hair sample.
Also, if you are that paranoid, you better put in a shark-filled moat, because a physical attack still leaves you vulnerable, and with those insane levels of security, you sort of make yourself a target, people figure that if you go to those lengths, you have something great...
I'm sorry, I really thought my computer was supposed to be usable.
5 passwords to boot and check email on the laptop? What in the world are they *for*? BIOS, system login, email login, maybe one for decrypting if you're receiving encrypted emails all the time. What else?
Security is a balance. Very few security measures only make things more difficult for an attacker- most of them make life more difficult for the person taking them as well. It *is* useful to analyze the threat in any situation, because it helps you make an informed judgement as to how secure something needs to be made, balancing risk versus usability.
Not checking luggage when you fly? What, are you worried about someone snooping through your underwear? Oh, sure, don't put anything important in there if you're worried about that, but really... this truly is on the paranoid side of things.
The ringing of the division bell has begun... -PF
Being paranoid is fine -- but it's only 1% of the battle -- and it makes no sense to run around closing up every possible hole you find.
A security expert is supposed to identify ALL of the possible ways in which the organization may experience a negative impact as a result of poor security (both logical and physical). His job, brace yourselves kids, is not to close all of the holes!! Rather, his role is centered around determining the cost/benefit of taking care of each specific issue. If there's a 0.5% risk of a particular security hole costing a large organization only $1,000 in damages and cleanup, and closing that hole will cost $5,000 in man-hours and hardware, it's pretty clear what the correct choice is. On the other hand, the risk may be low, and the cost may be low, so you just do it. Or the risk may be high, and the cost high, so you STILL do it... you get the idea.
Being paranoid is fine -- it will help you identify security problems that others may or may not see. However, what to DO about the holes you find is where the real work begins.
I can't imagine a cost-benefit scenario that justifies issuing smart-cards to family members on a home network. This guy has officially achieved 'retard' status.
-- People who hate Windows use Linux. People who love UNIX use BSD.
The guy uses 5 passwords for his laptop, and I am sure that is fine for him.
Security for the sake of security, for example, can sometimes backfire.
For example, a company I used to work for had this policy that you had to change your password every 30 days, have at least 1 special character, one capital, one number, etc.
This was on an intranet, and most people hated this feature.
Most people ended up using a system like Jul@1996 for their password.
Kind of defeats the whole purpose of security.
I tend to think one should use security proportional to sensitivity on certain matters, knowing that nothing is perfectly secure.
But enforcing 'security' for the sake of security, especially random, and unsupported 'security' can make the average user resentful, and the process much less secure.
Rhymes that keep their secrets will unfold behind the clouds. There upon the rainbow is the answer to a neverending story
This is an interesting article, but brings up one little thing for me about security - when you go this far out, you make yourself a target. The first thing I thought at the end of the article was, "man, I'd love to show this guy." And I didn't think along the same lines he did. I thought small focused high-speed cameras placed under the neighbors' eaves, I thought replacing his keyboard with a snooped replica... Again, social engineering and hitting someone where they are not looking seems to be the key to any cracking, not technical powerhousing. And pronouncing to the world that you use three firewalls is just asking for trouble.
I'm not a cracker, I'm not even much of a hacker, but I'm a naturally sneaky bastich. (TM) And as real sneaky bastiches know, you don't ever stand in someone's face and tell them you're going to beat the crap out of them, you wait until they turn around.
I try to be a nice guy despite my tendencies, but still... This kind of article reminds me of the French and their lines.
My little site.
Did I win?
Another one bites the dust
I'm not wrong. You haven't thought about it hard enough.
Let's see if this guy's kung fu can survive a few rounds against international superhacker "bitchchecker". Just have him email his IP address to bitchchecker@madskillz.com... (Please allow for a lengthy response time, as bitchchecker is probably busy rebooting his machine for the 75th time today.)
Someday a real rain is gonna come...
Seriously. I would fear the guy doesn't even begin to fathom risk analysis. He just breeds paranoia. Guys like that break budgets wide open and spend lots of money they shouldn't on lots of stuff they don't need. He's like Mel Gibson in Conspiracy. Three firewalls? I hope they are open source cause Checkpoint licenses are expensive.
You start breaking down security principles and over doing it, and you just look stupid. Other security professionals are telling him he's paranoid, but that's just being nice. What they are THINKING, is that the guy is incompetent. And doesn't understand productivity versus security tradeoffs. Somebody needs to have him go read Schneier on an island somewhere. Unpucker.
I use a "Spaceballs" password.
123456 for 6 digits and 1234567890123456 for 16 digits. In fact, that is what I use for Slashdot.
*N>V&GO)JBT^U
NO CARRIER
H3h3, w3 @r3 1n!!1! W3 pwn j00 0r10n! D@mn, l00k, 1'm p0$t1ng as 0r10n B7@$t@r!
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
...require my kids to use at least 14 character passwords on our home network
What do you want to bet I can find the passwords written on a post-it under the keyboard?
A security policy that doesn't take usability into account is worse than no security policy at all.
It's simple: I demand prosecution for torture.
Is he mentally ill? Let's just say he doesn't sound like the type of person I'd want to have a beer with.
In fact, he sounds a lot more like the type of person who has food, water & weapons buried in the woods for the coming Apocalypse.
In any population, you will have a percentage of people who are very altruistic, they will sacrifice for everyone else. And you have some people who are so paranoid they will always hide and run. This is required for a species to continue.
For example, say you have birds. Say that 5 out of 100 birds will signal when a predator comes in range. Chances are greater those birds will be eaten, since it is making itself more known to the predator. Now in that same 100 birds, say you have 5 that always hide, run, and are very paranoid. They have the greatest chance of continuing the species line.
If we all get soft, and say nuclear war does break out, in any form, the guy who has a chamber 50 feet under the ground with a room filled with water and food, and another room with oxygen tanks, he might be what's left to start the gene pool over again.
Instead of criticizing him as mentally ill, maybe you can add some of your distinct expertise and help build a better shelter. One where 2 people can hold out longer, maybe making some filtration system for well water, adding lights with the correct wavelength to let plants grow underground and make natural oxygen. Then you will both survive, and your altruistic genes will get passed on too.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
What's the point of all of this nonsense? Really?
His kids will probably never want to touch a PC after the trauma of memorizing 14 character passwords just to surf the net at home.
How many systems are actually vulnerable to password cracking anyway? Most ATM machines eat your card if you enter 5 incorrect PINs... most enterprise networks disable accounts if you have multiple incorrect passwords.
This guy is on the same level as a mall rent-a-cop who always wanted to be a policeman, but can't pass the mental exam. He just gets a rise out of hassling people with arbitrary nonsense.
Conformity is the jailer of freedom and enemy of growth. -JFK
Does a 14-character password make much sense, public network or private? I've got the impression that most security problems are due to either faulty code (buffer overruns) or malicious code within programs (email attachments, spyware, adware, or the slightly more legitimate software activation). Social engineering/phishing must make for a distant third, when it comes to computer security. Sure, one could do a dictionary attack on passwords...but isn't that the least of your worries? The most unguessable passwords won't stop a security breach if the software is faulty.
How is THAT more secure??? I once spent half a day tracking down a totally bizarre printing behavior/bug that turned out to be a LAN where machines had multiple firewalls running. Multiple firewalls can be more trouble than one well configured firewall.
This guy doesn't get it. Security is much more about people, not about 50 character passwords and redundant firewalls. Social engineering is much more of an issue than triple firewalls.
14 Character pwds for his kids, on his home network, that isn't connected to the outside (his VMware box is for internet). Yeah, that's useful.
He reminds me of the guy in town who advertises websites that are backwards compatible to Netscape 1.2 - very shrill, gets some attention, but is really clueless.
Some people waste their time watching "American Idol." Others waste their time high on drugs, while still others waste their time trying to make the rest of us believe in their deity of choice. Even if the guy is paranoid, it's his time to waste.
At least he's not wasting his time reading /.
Most of my internet traffic goes through at least three firewalls. Is that too paranoid?
Almost definitely, yes.
Sure, the threat might not be real. No one may ever actually want what you have on your PC. But does that really matter?
Yes, it does. Welcome to the real world, where you have finite resources and impatient users. If you only have X amount of resources, do you spend them on protecting things that are a target or on things that nobody cares about?
It's not that I think someone is trying to hack me, but I also don't think someone is not trying to hack me.
So, can anyone tell me exactly what he's thinking? It seems like he doesn't even know.
It takes five passwords to boot up my laptop and check my e-mail. One of those passwords is over 50 characters long.
50 characters long? Why stop there? Why not 128 characters long? Why not memorize your entire public and private keys?
I think that this fact alone -- that he has a 50-character password -- shows that he's not playing with a full deck of cards.
You won't be able to get to them in time. Besides, we know the threat is closer than that. Some of us even know that the apocalypse isn't coming, it's here already.
Look what happens in every zombie movie; you think you have an opportunity to drive even 25 miles and dig up your S&W 1006 and your M4? You're zombie food.
You need your sidearm ON YOU, and your rifle at arm's length. You need 2k rounds for your sidearm and 5k rounds for your rifle on hand ALL the time, along with supplies to crank out another 10k rounds if necessary.
More shit buried in the woods is a great idea, too, but don't leave yourself unarmed.
How else do you cleanse the palate between beers?
Wasabi.
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
Even if the password is not case-sensitive eight characters allows for more than 2.8 trillion passwords using the 26 letters and 10 digits. Many systems time out after three or so attempts. Even if you allow a thousand attempts (an absurdly high number) you'll still be very safe.
Of course if someone steals a password-protected system he would have an unlimited number of attempts. So make it a nine character password. If the cracker can run one million tries a second he has only a 50% chance of cracking a truly random password in the first 16 years of trying.
Show your work:
Number of seconds in a year = ca. 3,153,600
36^9 = 101,559,956,668,416 / 1,000,000 = 101,559,956
101,559,956/3,153,600 = 32 years to search entire key space.
32 / 2 = 16 years to search half of key space.
Insert witty sig here.
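The keyspace arithmetic in the post above in general form, as an added example that is not part of the thread: it takes alphabet size, password length and guess rate as parameters, and also models the online attacker throttled by a lockout ("three or so attempts") that the post mentions. The only figures taken from the discussion are the 8/9/14-character alphanumeric policies and the 1e6 guesses per second; the 365-day year (31,536,000 seconds) and the 15-minute lockout window are assumptions.

```python
"""Brute-force budget calculator: how long does searching a password keyspace
take under an offline (unthrottled) and an online (lockout-throttled) attacker?
Added example; the constants below are assumptions, not figures from the post."""

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # 31,536,000; assumes a 365-day year

# Sizes of the usual character classes (symbols = printable ASCII punctuation).
CLASS_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 32}


def charset_size(*classes: str) -> int:
    """Alphabet size implied by a policy, e.g. charset_size("lower", "digits") == 36."""
    unknown = set(classes) - set(CLASS_SIZES)
    if unknown or not classes:
        raise ValueError(f"unknown or empty character classes: {sorted(unknown)}")
    return sum(CLASS_SIZES[c] for c in set(classes))


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols over `alphabet` symbols."""
    if alphabet < 1 or length < 1:
        raise ValueError("alphabet and length must be positive")
    return alphabet ** length


def offline_years(alphabet: int, length: int, guesses_per_second: float,
                  fraction: float = 0.5) -> float:
    """Years for an unthrottled attacker (stolen disk, leaked hash) to try
    `fraction` of the keyspace; 0.5 is the 50%-success point against a
    uniformly random password."""
    guesses = keyspace(alphabet, length) * fraction
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def online_years(alphabet: int, length: int, attempts_per_window: int,
                 window_seconds: float, fraction: float = 0.5) -> float:
    """Same budget for an online attacker held to a lockout policy of at most
    `attempts_per_window` guesses every `window_seconds`."""
    rate = attempts_per_window / window_seconds  # sustained guesses per second
    return offline_years(alphabet, length, rate, fraction)


def policy_report(alphabet: int, length: int) -> dict:
    """Summarise one policy under both attacker models: 1e6 offline guesses/s
    (from the post) and an assumed 3 online attempts per 15-minute lockout."""
    return {
        "keyspace": keyspace(alphabet, length),
        "offline_years_50pct": offline_years(alphabet, length, 1_000_000),
        "online_years_50pct": online_years(alphabet, length, 3, 15 * 60),
    }


if __name__ == "__main__":
    alnum = charset_size("lower", "digits")  # 36, the alphabet behind 36^9
    for length in (8, 9, 14):
        r = policy_report(alnum, length)
        print(f"{length:2d} alnum chars: keyspace={r['keyspace']:.3e} "
              f"offline 50%={r['offline_years_50pct']:.2e} y "
              f"online 50%={r['online_years_50pct']:.2e} y")
    # 36^9 at 1e6 guesses/s comes to about 3.22 years for the whole keyspace.
```

The online figure is the one a lockout actually buys you; the offline figure is what applies once the machine or its password hashes are in the attacker's hands.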
This guy doesn't have a clue. He's suffering from the delusion that "quantity has a quality in itself" (Stalin quote).
3 firewalls ? Why not 6 or 12 ? Or 1, properly configured.
5 passwords ? Why not 20 ? How is he tracking all his passwords - with "Password days" and all ? I'm betting the farm he isn't memorizing them all. If he is, they're not different enough, not good enough. I'm sure 4 of those 5 can be cracked with readily available cracker kits.
No, he's all about "a lot of security" as opposed to "good security".
Oh, I can't help quoting you because everything that you said rings true
"They have the greatest chance of continuing the species line."
Not necessarily. A paranoid creature might be too fearful to ever hunt and/or forage properly and would constantly be weakened and vulnerable to disease. Their lack of social contact would also exclude them from the safety in numbers and support of the group also lowering their chances.
A healthy sense of risk doesn't necessarily make you altruistic or "soft" as you snidely put it, just reasonable. Judging from how strong the urge to socialize is in primates (including us of course) after millions of years of evolution I'd say that paranoia is not a strong predictor for survival.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
The word paranoid is the important point. He is being stupid, because a casual hacker looks for easy targets. To stop them you only have to secure your system well enough that it isn't easy to get into, so they move on, as the internet is a big place.
The only reason you would do all the silly crap that he has done, is because someone is out to get YOU, and is only after you. They are determined to get into your system, any way they can. Now, if your system is the Strategic Missile Command computers, then I could see why someone might really want to get in. However, this guy is a nobody. He isn't rich, he isn't influential, and he isn't powerful. Nobody is out to get him, so yes, he is paranoid.
I always thought that paranoids were the absolute height of egomania, since you have to think pretty highly of yourself to think that you're worth the effort.
HA! I just wasted some of your bandwidth with a frivolous sig!
As soon as I read this article, I sent it to many of my friends, because it's funny. It's an elegant, understated, hilarious demonstration of an important point. It starts perfectly reasonably and gets progressively sillier, until by the end it's way over-the-top hyperbole. This essay is a really lovely piece of writing, because at first it suckers you in with its reasonably paranoid stance, and when you realize you've been had -- I guess that's if you realize you've been had -- makes you think about diminishing returns.
What I say does not represent the views of my employers, my friends, my cats, or myself.
The problem is his kids! What about the social engineering risks. Someone could just buy his kids a six pack in exchange for their passwords. The only logical solution is to get rid of his kids. Probably get rid of his wife too. I doubt she can really be trusted to have access to the system.
From a security perspective, it is not the patches which crash your computer or destroy data that are a problem. They are just annoying. Reinstall, restore your data from a back up, and you are ready to go again.
The problem comes from bugs with exploits in the wild, but no patches yet.
Unpatched IE vulnerabilities
Unpatched Windows XP Vulnerabilities
I'll probably be modded down for this...
I keep my PC's turned around so I can tell if anyone has installed a hardware keylogger. He feels so safe with the PC's turned around that... -doesn't see the usb keylogger in the front usb port... ...or the usb dongle plugged into the keyboard usb port of this nice Dell by Microsoft keyboard...
On a side note, what is he going to use as a cup holder now?
//Nothing to see here, please move along.
One of my pet peeves is security systems that force an unreasonable UPPER limit on password length. There is one system here at work that requires a 6-8 digit password. Even worse, another system requires a 5 digit "PIN" when really they mean a 5 and only 5 character password.
Why this really is annoying to me is because I use a 4 tier password system. Tier 1 is for my bank accounts, when that is changed the password is reused for tier 2 applications--my passwords on my home computers. Tier 2 password becomes tier 3, my email, and those passwords become tier 4, i.e. all my passwords at work. That way I only have to remember 4 passwords at any one time (and 2 truncated ones) and no sticky note security.
More music, fewer hits
This is just an amateur paranoid.
Always do right. This will gratify some people and astonish the rest. -- Mark Twain
Second, 3 firewalls? for a home network?
He didn't state what type, but I can guess...
1) Software Based firewall (Possibly two if you don't trust the first.
2) Wireless AP to internal network Firewall.
3) Internet firewall.
I have two of these on my home network (for the windows client), ZoneAlarm + Hardware. When I install a wireless access point I will then add another one to firewall that segment.
Enjoy.
It's just the normal noises in here.
I would argue that inconvenient security is not secure. People will find ways around it, sometimes in the worst possible way from a security standpoint.
Good security should be relatively unintrusive. E.g., your security badge includes a java button, you need it and your password to log on. (I'm not sure if jbuttons are wireless, but if not substitute some smart device that is.) Once you're logged in a kerberos TGT is written to your badge. You can then access most secured functions because they quietly get the ticket from your badge. You could set up the system so your tickets (not TGT) only live for 10-15 seconds - you walk away from your desk to go to the bathroom or "coincidentally" run into that cutie at the water fountain and the ticket can't be renewed and the applications are disabled (and screen blanked?) until you return. Then you have to repeat your password (since somebody might have taken the badge off your still-warm body) and everything is as you left it.
If you need special rights you provide the password for another TGT, one with a short lifetime. Think 'sudo' as an analogy.
It's far more secure than having to maintain a separate username/password for multiple applications, yet simultaneously far more convenient. Nobody will complain, esp. if badges are required or they're already used to get through doors. Most people won't even understand how the badge around their neck gives them access to their workstation (and possibly others when working with others).
A slightly weaker version uses a USB dongle attached to your keys. Nobody walks away from their car keys for long.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Paranoid admins who like to practice "information denial techniques" on their systems, making them essentially unfixable. The thinking is, "We don't want a hacker to have any information about our network. We don't want him to even know what kind of system he's on if he ever does get in. So we've got to hide as much system stuff as possible."
We've got quite a few of those here, most of whom have had "security at ANY COST" drilled into them by the higher-ups. Here are a few gems:
I'm sure there's another super-paranoid person on this topic who may flame me for this and say I'm a rotten admin for keeping any debugging tools on a system. But a lot of people forget that 50% of security is keeping the bad guys out, and the other 50% is allowing the good guys to do their job without a huge hassle. Sure, having people logging in via telnet, or allowing "password" as a password sucks. But timely patching, keeping an eye on your system services, EDUCATING YOUR USERS, and having a good firewall policy will keep far more trouble out than instituting the Fourth Reich on a production system.
There's no sig like this sig anywhere near this sig, so this must be the sig.
Paranoia is the misordering of priorities through irrational fear. For example, I am posting to Slashdot using links2 run from a Gentoo livecd from my second machine. If I was doing this for any reason other than because my main system had suffered disk failure, requiring a reinstall, or random geek value, I would be seriously paranoid, for I'd focused so strongly upon having an unhackable system over implementing anonymisation over ipv6.
More seriously, being excessively slowed down through having to jump through security hoops, and having your mindspace taken up can end up reducing productivity, and risks seriously eating into profits. Hence we have security specialists, who call themselves "paranoid" because they would be, if they had a normal (meaning non-security) job. It is entirely possible that someone in security is too paranoid for security, and trusts those that they should be wary of on grounds of insufficient competence because of irrational fears of those whose motives they do not trust.
Avoiding obviously taking sides, it's clear to [Democrats|Republicans] that [Republicans|Democrats] are paranoid about various risks. This isn't just relativism: those who seek power tend to perceive a greater need to control the masses than the rest of us. Someone has to be getting it wrong!
Paranoia is a strange thing...
Wikileaks, no DNS
Some people will view this kind of paranoia as a challenge, which will only encourage them to attack him.
Ahh, the self-fulfilling prophecy of paranoia: Act out enough, and you get all sorts of unwelcome attention that just confirms your egomania.
Of course, if I were really interested in getting into this guy's computers, I would shoot him once in the foot and tell him that the next bullet would go into his head if he didn't spill all his passwords. Computer security is only as good as the weakest link...
HA! I just wasted some of your bandwidth with a frivolous sig!
More important is a credible threat, probability and loss analysis, compared with a list of countermeasures and their costs.
Otherwise, it's just the cops featherbedding, just like the CIA did over the strength of the USSR -- even just before the collapse and perestroika.
Don't give in to fear.
Many new laptops can have a hard drive password set in BIOS, that is written to the drive at a low level. Moving the laptop drive to another machine will not let you read the data unless you know the password (or have some really high end equipment to take it apart I imagine).
It looks like the enforcement of this requires the BIOS to interact. I have not been able to find a way to remove this password, but I've had no issues with pulling data from the drives with passwords by just putting them in external usb enclosures.
So although you will not be able to steal machines and sell the hard drive for parts, you can steal the machine and get data if that's what your target is.
Can I get an eye poke?
Dog House Forum
ok...so my real question is, why in the world is this guy running microsoft products? Not to say, microsoft isn't secure, I would be asking the same question if the article implied he was using linux.
If I was that paranoid nothing but a locked down openBSD machine behind the nastiest firewall imaginable would be good enough for me.
Tharkban (It is a signature after all)
The point is that Linux, BSD, and any other OS that's open source can actually be examined. If you're paranoid, you have to audit all the code yourself and hand-write the base assembler to assemble the quasi-compiler; refer back to the thought experiment of the bugged compiler which would infect compiler and login program to propagate itself. Even further, you'd want to use an open system where you can verify all the firmware, including the BIOS, to make sure no hooks are in place to compromise your security. And even further than that, you need to validate all the chips and processors in your system that they're not bugged either.
So, for one who claims he's really paranoid, he's very much a far way off from real paranoia. He's not even taking the basic step of validating his operating system.
Eurohacker European paranoia, gun rights, and h