Slashdot Mirror
Security for the Paranoid
Stephenmg writes "In Security for the Paranoid, Mark Burnett talks about his computer security methods after other Security profesionals say he is too Paranoid. 'Paranoia is the key to success in the security world. Is it time to worry when other security professionals consider you too paranoid? I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards.' I don't see anything wrong with his methods."
Mark Burnett talks about his computer security methods...
"Outwit, outplay, and outlast those pesky script-kiddies."
While being paranoid is argueably good (although Mark may be a bit extreme compared to most), I did wonder a bit about one comment near the end of the article which was: "And I install hotfixes the day Microsoft releases them" which seems to put an awful lot of trust in Microsoft (or any other vendor for that matter) not to release a patch that has problems.
Hulk SMASH Celiac Disease
get with it man, you're not important, nobody wants your porn
The only truely secure computer is one which is switched off and disconnected from the network.
And smashed with a sledgehammer.
And set on fire, to the temperature of 600F, which should be sufficient to destroy the magnetic bits in the hard drive.
And then nuke it from orbit, it's the only way to be sure.
"Can of worms? The can is open... the worms are everywhere."
And this guy is set up very secure.
Is he mentally ill? Let's just say he doesn't sound like the type of person I'd want to have a beer with.
In fact, he sounds a lot more like the type of person who has food, water & weapons buried in the woods for the coming Apocalypse.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Paranoia's a good starting point for the IT Security beginner, but well-informed abject fear is the mark of a seasoned professional.
Creative Commons music that doesn't suck: emptydrum.com
for a home network? Paranoia is understandable, but smart cards on a home network? and 14 character passwords inside your house. OK, on the outside, that makes some sense. But what kind of secrets do you internally that you need that level of paranoia. If the entire network is open to the outside world, that a different matter, but what could possibly be so important that your kids need 14 character passwords to protect it inside your home?
antipaucity
Well, I can see the guys reasons.
However, information security has to be appropriate to the data you wish to protect.
A system that annoys users by making it hard to access the information (long passwords changed weekly for example) will just leave you with a static store of information.
The information will never be *USED*. There will be no point in having it.
Use security appropirate to your data. He IS paranoid, and - offtopic: sounds a bit of a nob.
I know for sure if I was one of his kids, I wouldn't WANT to connect to his network!
... is about the only part of his screed that could make sense to me. Not because one should not divulge a password to one's wife, but because keeping passwords entirely private is good policy. Almost everything else about his life strikes me as goofy. If you read any of the "hacker" books, hacking and gaining access to people's stuff isn't about cracking passwords, it's about social engineering and dishonest behavior, most of which the author's behaviors won't prevent. But, if it makes him feel better.... (I wouldn't want to live on his network.)
I worked at a large company and called the administrator of their unix mainframe and complained that /usr/bin and /bin both didn't even have execute privelege so I couldn't even see what commands existed. The administrator dressed me down and explained they did that for security reasons so people couldn't hack in. He went on to tell me about the giant breach on that system from outside hackers and hence, the very tight "security". I gently reminded him the "breach" actually occurred with those very same directory permissions.... and they didn't prevent the hack. Sigh...
Does it seem kind of stupid, especially for the 'security paranoid', to announce to the public that you use "at least 14 character passwords"? Seems to me you just set a lower bound and cut out 13^128 possibilities for a cracker :-p
"What's the difference between a random 14 digit password and a random 6 digit password?" 8 digits?
[an error occurred while processing this directive]
mark me troll if you must. but I see this as a legitmate question....
if he's so damn paranoid, what the hell is he using windows for?
I think you can be too paranoid. I seem to remember a story a while ago about security measures that were overly invasive. Require 14 character password with non-alpha characters, and get your users putting their passwords on their monitors with post-it notes.
Its true, you never seem to realize your folly until its too late and your data is gone, but in my case, my home network isn't so important to me that I think its worth so much security that it interferes with my enjoyment or productivity.
Usually my stance is that I let the foil-hat wearing scurity gurus have their toys, but I continue to look for the solution that is "good enough" and that conforms to MY wishes, not theirs.
-d
"Here Lies Philip J. Fry, named for his uncle, to carry on his spirit"
Being paranoid is fine -- but it's only 1% of the battle -- and it makes no sense to run around closing up every possible hole you find.
A security expert is supposed to identify ALL of the possible ways in which the organization may experience a negative impact as a result of poor security (both logical and physical). His job, brace yourselves kids, is not to close all of the holes!! Rather, his role is centered around determining the cost/benefit of taking care of each specific issue. If there's a 0.5% risk of a particular security hole costing a large organization only $1,000 in damages and cleanup, and closing that hole will cost $5,000 in man-hours and hardware, it's pretty clear what the correct choice is. On the other hand, the risk may be low, and the cost may be low, so you just do it. Or the risk me be high, and the cost high, so you STILL do it... you get the idea.
Being paranoid is fine -- it will help you identify security problems that others may or may not see. However, what to DO about the holes you find is where the real work begins.
I can't imagine a cost-benefit scenario that justifies issuing smart-cards to family members on a home network. This guy has officially achieved 'retard' status.
-- People who hate Windows use Linux. People who love UNIX use BSD.
The guy uses 5 passwords for his laptop, and I am sure that is fine for him.
Security for the sake of security, for example, can sometimes backfire.
For example, a company I used to work for had this policy that you had to change your password every 30 days, have at least 1 special character, one capital, one number, etc.
This was on an intranet, and most people hated this feature.
Most people ended up using a system like
Jul@1996 for their password. Mon
Kind of defeats the whole purpose of security.
I tend to think one should use security proportional to sensitivity on certain matters, knowing that nothing is perfectly secure.
But enforcing 'security' for the sake of security, especially random, and unsupported 'security' can make the average user resentful, and the process much less secure.
Rhymes that keep their secrets will unfold behind the clouds.There upon the rainbow is the answer to a neverending story
Did I win?
Another one bites the dust
I'm not wrong. You haven't thought about it hard enough.
Let's see if this guy's kung fu can survive a few rounds against international superhacker "bitchchecker". Just have him email his IP address to bitchchecker@madskillz.com... (Please allow for a lengthy response time, as bitchchecker is probably busy rebooting his machine for the 75th time today.)
Someday a real rain is gonna come...
Seriously. I would fear the guy doesn't even begin to fathom risk analysis. He just breeds paranoia. Guys like that break budgets wide open and spend lots of money they shouldn't on lots of stuff they don't need. He's like Mel Gibson in Conspiracy. Three firewalls? I hope they are open source cause Checkpoint licenses are expensive.
You start breaking down security prinicples and over doing it, and you just look stupid. Other security professionals are telling him he's paranoid, but that's just being nice. What they are THINKING, is that the guy is incompetent. And doesn't understand productivity versus security tradeoffs. Somebody needs to have him go read Schnier on a island somewhere. Unpucker.
...require my kids to use at least 14 character passwords on our home network
What do you want to bet I can find the passwords written on a post-it under the keyboard?
A security policy that doesn't take usability into account is worse than no security policy at all.
It's simple: I demand prosecution for torture.
Is he mentally ill? Let's just say he doesn't sound like the type of person I'd want to have a beer with.
In fact, he sounds a lot more like the type of person who has food, water & weapons buried in the woods for the coming Apocalypse.
In any population, you will have a percentage of people who are very alturistic, they will sacrifice for everyone else. And you have some people who are so paranoid they will always hide and run. This is required for a species to continue.
For example, say you have birds. Say that 5 out of 100 birds will signal when a predator comes in range. Chances are greater those birds will be eaten, since it is making itself more known to the preditor. Now in that same 100 birds, say you have 5 that always hide, run, and are very paranoid. They have the greatest chance of continuing the species line.
If we all get soft, and say nuclear war does break out, in any form, the guy who has a chamber 50 feet under the ground with a room filled with water and food, and another room with oxygen tanks, he might be what's left to start the gene pool over again.
Instead of critisizing him as mentally ill, maybe you can add some of your distinct expretesse and help build a better shelter. One where 2 people can hold out longer, maybe making some filtration system for well water, adding lights with the correct wavelegnth to let plants grow underground and make natural oxygen. Then you will both survive, and your altruistic genes will get passed on too.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
Some people waste their time watching "American Idol." Others waste their time high on drugs, while still others waste their time trying to make the rest of us believe in their deity of choice. Even if the guy is paranoid, it's his time to waste.
/.
At least he's not wasting his time reading
You won't be able to get to them in time. Besides, we know the threat is closer than than that. Some of us even know that the apocalypse isn't coming, it's here already.
Look what happens in every zombie movie; you think you have an opportunity to drive even 25 miles and dig up your S&W 1006 and your M4? You're zombie food.
You need your sidearm ON YOU, and your rifle at arm's length. You need 2k rounds for your sidearm and 5k rounds for your rifle on hand ALL the time, along with supplies to crank out another 10k rounds if necessary.
More shit buried in the woods is a great idea, too, but don't leave yourself unarmed.
How else do you cleanse the palate between beers?
Wasabi.
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
"They have the greatest chance of continuing the species line."
Not necessarily. A paranoid creature might be to fearful to ever hunt and/or forage properly and would constantly be weakened and vunerable to disease. Their lack of social contact would also exclude them from the safety in numbers and support of the group also lowering their chances.
A healthy sense of risk doesn't necessarily make you altruistic or "soft" as you snidely put it, just reasonable. Judging from how strong the urge to socialize is in primates (including us of course) after millions of years of evolution I'd say that paranoia is not a strong predictor for survival.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
The word paranoid is the important point. He is being stupid, because a casual hacker looks for easy targets. To stop them you only have to secure your system well enough that it isn't easy to get into, so they move on, as the internet is a big place.
The only reason you would do all the silly crap that he has done, is because someone is out to get YOU, and is only after you. They are determined to get into your system, any way they can. Now, if your system is the Strategic Missile Command computers, then I could see why someone might really want to get in. However, this guys is a nobody. He isn't rich, he isn't influential, and he isnt powerful. Nobody is out to get him, so yes, he is paranoid.
I always thought that paranoids were the absolute height of egomania, since you have to think pretty highly of yourself to think that you're worth the effort.
HA! I just wasted some of your bandwidth with a frivolous sig!
As soon as I read this article, I sent it to many of my friends, because it's funny. It's an elegant, understated, hilarious demonstration of an important point. It starts perfectly reasonably and gets progressively sillier, until by the end it's way over-the-top hyperbole. This essay is a really lovely piece of writing, because at first it suckers you in with its reasonably paranoid stance, and when you realize you've been had -- I guess that's if you realize you've been had -- makes you think about diminishing returns.
What I say does not represent the views of my employers, my friends, my cats, or myself.
The problem is his kids! What about the social engineering risks. Someone could just buy his kids a six pack in exchange for their passwords. The only logical solution is to get rid of his kids. Probably get rid of his wife too. I doubt she can really be trusted to have acess to the system.
The point is that Linux, BSD, and any other OS that's open source can actually be examined. If you're paranoid, you have to audit all the code yourself and hand-write the base assembler to assembly the quasi-compiler; refer back to the thought experiment of the bugged compiler which would infect compiler and login program to propagate itself. Even further, you'd want to use an open system where you can verify all the firmware, including the BIOS, to make sure no hooks are in place to compromise your security. And even further than that, you need to validate all the chips and processors in your system that they're not bugged either.
So, for one who claims he's really paranoid, he's very much a far way off from real paranoia. He's not even taking the basic step of validating his operating system.
Eurohacker European paranoia, gun rights, and h