Slashdot Mirror
Security for the Paranoid
Stephenmg writes "In Security for the Paranoid, Mark Burnett talks about his computer security methods after other Security profesionals say he is too Paranoid. 'Paranoia is the key to success in the security world. Is it time to worry when other security professionals consider you too paranoid? I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards.' I don't see anything wrong with his methods."
Mark Burnett talks about his computer security methods...
"Outwit, outplay, and outlast those pesky script-kiddies."
While being paranoid is argueably good (although Mark may be a bit extreme compared to most), I did wonder a bit about one comment near the end of the article which was: "And I install hotfixes the day Microsoft releases them" which seems to put an awful lot of trust in Microsoft (or any other vendor for that matter) not to release a patch that has problems.
Hulk SMASH Celiac Disease
get with it man, you're not important, nobody wants your porn
The only truely secure computer is one which is switched off and disconnected from the network.
And smashed with a sledgehammer.
And set on fire, to the temperature of 600F, which should be sufficient to destroy the magnetic bits in the hard drive.
And then nuke it from orbit, it's the only way to be sure.
"Can of worms? The can is open... the worms are everywhere."
And this guy is set up very secure.
Is he mentally ill? Let's just say he doesn't sound like the type of person I'd want to have a beer with.
In fact, he sounds a lot more like the type of person who has food, water & weapons buried in the woods for the coming Apocalypse.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Paranoia's a good starting point for the IT Security beginner, but well-informed abject fear is the mark of a seasoned professional.
Creative Commons music that doesn't suck: emptydrum.com
for a home network? Paranoia is understandable, but smart cards on a home network? and 14 character passwords inside your house. OK, on the outside, that makes some sense. But what kind of secrets do you internally that you need that level of paranoia. If the entire network is open to the outside world, that a different matter, but what could possibly be so important that your kids need 14 character passwords to protect it inside your home?
antipaucity
Does it seem kind of stupid, especially for the 'security paranoid', to announce to the public that you use "at least 14 character passwords"? Seems to me you just set a lower bound and cut out 13^128 possibilities for a cracker :-p
"What's the difference between a random 14 digit password and a random 6 digit password?" 8 digits?
[an error occurred while processing this directive]
mark me troll if you must. but I see this as a legitmate question....
if he's so damn paranoid, what the hell is he using windows for?
Being paranoid is fine -- but it's only 1% of the battle -- and it makes no sense to run around closing up every possible hole you find.
A security expert is supposed to identify ALL of the possible ways in which the organization may experience a negative impact as a result of poor security (both logical and physical). His job, brace yourselves kids, is not to close all of the holes!! Rather, his role is centered around determining the cost/benefit of taking care of each specific issue. If there's a 0.5% risk of a particular security hole costing a large organization only $1,000 in damages and cleanup, and closing that hole will cost $5,000 in man-hours and hardware, it's pretty clear what the correct choice is. On the other hand, the risk may be low, and the cost may be low, so you just do it. Or the risk me be high, and the cost high, so you STILL do it... you get the idea.
Being paranoid is fine -- it will help you identify security problems that others may or may not see. However, what to DO about the holes you find is where the real work begins.
I can't imagine a cost-benefit scenario that justifies issuing smart-cards to family members on a home network. This guy has officially achieved 'retard' status.
-- People who hate Windows use Linux. People who love UNIX use BSD.
Did I win?
Another one bites the dust
Seriously. I would fear the guy doesn't even begin to fathom risk analysis. He just breeds paranoia. Guys like that break budgets wide open and spend lots of money they shouldn't on lots of stuff they don't need. He's like Mel Gibson in Conspiracy. Three firewalls? I hope they are open source cause Checkpoint licenses are expensive.
You start breaking down security prinicples and over doing it, and you just look stupid. Other security professionals are telling him he's paranoid, but that's just being nice. What they are THINKING, is that the guy is incompetent. And doesn't understand productivity versus security tradeoffs. Somebody needs to have him go read Schnier on a island somewhere. Unpucker.
Is he mentally ill? Let's just say he doesn't sound like the type of person I'd want to have a beer with.
In fact, he sounds a lot more like the type of person who has food, water & weapons buried in the woods for the coming Apocalypse.
In any population, you will have a percentage of people who are very alturistic, they will sacrifice for everyone else. And you have some people who are so paranoid they will always hide and run. This is required for a species to continue.
For example, say you have birds. Say that 5 out of 100 birds will signal when a predator comes in range. Chances are greater those birds will be eaten, since it is making itself more known to the preditor. Now in that same 100 birds, say you have 5 that always hide, run, and are very paranoid. They have the greatest chance of continuing the species line.
If we all get soft, and say nuclear war does break out, in any form, the guy who has a chamber 50 feet under the ground with a room filled with water and food, and another room with oxygen tanks, he might be what's left to start the gene pool over again.
Instead of critisizing him as mentally ill, maybe you can add some of your distinct expretesse and help build a better shelter. One where 2 people can hold out longer, maybe making some filtration system for well water, adding lights with the correct wavelegnth to let plants grow underground and make natural oxygen. Then you will both survive, and your altruistic genes will get passed on too.
Rosco: "If brains were gunpowder, Enos couldn't blow his nose."
As soon as I read this article, I sent it to many of my friends, because it's funny. It's an elegant, understated, hilarious demonstration of an important point. It starts perfectly reasonably and gets progressively sillier, until by the end it's way over-the-top hyperbole. This essay is a really lovely piece of writing, because at first it suckers you in with its reasonably paranoid stance, and when you realize you've been had -- I guess that's if you realize you've been had -- makes you think about diminishing returns.
What I say does not represent the views of my employers, my friends, my cats, or myself.
The problem is his kids! What about the social engineering risks. Someone could just buy his kids a six pack in exchange for their passwords. The only logical solution is to get rid of his kids. Probably get rid of his wife too. I doubt she can really be trusted to have acess to the system.