The Six Dumbest Ideas in Computer Security
Frater 219 writes "The IT industry spends a huge amount of money on security -- and yet worms, spyware, and other relatively mindless attacks are still able to create massive havoc. Why? Marcus Ranum suggests that we've all been spending far too much time and effort on provably ineffective security measures. It may come as a surprise that anti-virus software, penetration testing, and user education are three of "The Six Dumbest Ideas in Computer Security"."
Cue the "Installing Windows" jokes...
http://brandonbloom.name
Who the fuck is Marcus Ranum and why should I care what he suggests?
Unless they ban the movie Hackers and eradicate all copies of it everywhere, they're not gonna make hacking uncool...
[o]_O
I thought the overall article was dumber than the six dumb ideas.
These people get the crap and then bring it into the cocoon, thus negating the hundreds of thousands of dollars of security infrastructure.
What are some of the dumbest security *policies* you've encountered?
I worked for a firm earlier where we had to change our passwords every week where the password had to 1) be exactly 14 characters and 2) be ~60% different to the previous four passwords.
The result was of course that almost every user had their passwords on post-it notes.
To illustrate, ask yourself this question: why do most corporate computer users have permissions on their computer to download and execute arbitrary programs?
Now, it should be noted that even Linux gives the average user this capability. But that needn't be so.
Antivirus programs are a bandaid, not a solution. But most people treat them as a solution, and therein lies the problem.
If you really want to take care of security issues, you have to do so at the foundation.
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
Yeah, I'm taking all my anti-virus software off the computers right now. I don't know why I ever thought it was useful anyway. It's more efficient to deal with the infections as they come in than it is to try to prevent them.
I'm gonna stop using condoms too while I'm at it.
Sometimes my arms bend back.
#1) Posting your password on a forum
#2) Going into a shady carding IRC channel, telling everyone there that you are an undercover FBI agent, and then saying "you are all dumb! Hack me! HAHAHHHA!!!"
.....
The internet.
"Yields falsehood when preceded by its own quotation" yields falsehood when preceded by its own quotation.
Woah, he's not talking about Slashdot?
In #4, "Hacking is Cool", he obviously means "cracker." Also, the last part of that section says that security professionals should not know how to crack. Bullshit. If you don't know how exploits are used, how can you block them? How can you write a secure program if you don't know what a buffer overflow is?
You can put on all the AV and security policies you want, but if joeslob is going to click on and run the "naked_sluts.exe" he gets emailed, there is nothing you can do. My solution? Don't fucking work administering computers; it's a cunt of a job and it's hugely underpaid for the time and stress it causes.
If you mod me down, I will become more powerful than you can imagine....
Hence the technology formerly known as TCPA.
The article really fails to address any real issue with security. What the article really read like was something more along the lines of "Six Things Dumb Management Sometimes Does in Relation to Computer Security". The real problem with technical computer security is the poor quality of software (software designed without security, or without enough security, in mind), and the general lack of system protection (NoExec memory, stack smashing protection/active bounds checking, targeted/strict ACLs, etc.). The damage worms/viruses/hackers can cause on a much stricter system is really far less than on a normal system, if the penetration can even be achieved in the first place.
Using BASIC for anything other than spaghetti programming.
1) Default deny instead of default allow.
Actually, default deny is just as stupid as default allow, as if you have default deny, people just get sick of being asked if they want to allow something, and end up clicking "yes" on every box they see.
2) Enumerating Badness
So you want to write a virus scanner that somehow can recognise viruses without being told which programs are viruses. Modern virus checkers already mostly do this. With spyware it's very hard for a computer to tell the difference between a program you wanted installing and one you didn't. How do you expect it to tell?
3) Penetrate and Patch
So you are saying we should write code without bugs and holes? What a great idea that is! Why did no one think of saying that before?
4) Hacking is cool
You think people should learn how to stop hacking and intrusion without learning how existing hacks work? Then you are stupid. Shush.
5) Educating Users
So you are saying that we have to do security without teaching users how to do it. That just isn't going to work unless you never let users install their own applications or plug-ins. Yes teaching users is hard, but it has to be a vital part.
6) Action is better than Inaction
So, after saying the state we are in is rubbish, you now say we shouldn't actually change anything. Eh? Or are you saying "don't try something new without testing it first"? Well, that's more than a little obvious.
This is just trolling, crap, and obviousness. Your average slashdot post really.
Combination - fun iPhone puzzling
I patch PHP to set a constant in the namespace of the script whenever a 'dangerous' function is called (eg: system(), shell_exec, the backtick operator etc., others
If the script is allowed to call the functions, all well and good, it's just logged. If not, the offending IP address is automatically firewalled. I purloined some scripts from the 'net that allow shell-level access to manipulate the firewall.
So, now I had a different problem - the webserver wasn't running anywhere near the privilege needed to alter the firewall, and I didn't want to just run it under sudo in case anyone broke in. I wrote a (java (for bounds-checking), compiled with gcj) setuid program that takes a command string to run, an MD5-like digest of the command, and a set of areas to ignore within the command when checking the digest. The number of areas is encoded into the digest to prevent extra areas being added. If the digest doesn't match, the program doesn't run. This is a bit more secure than 'sudo' because it places controls over exactly what can be in the arguments, as well as what command can be run. It's not possible to append ' | my_hack' as a shell-injection.
So, now if by some as-yet-unknown method, you can write your own scripts on my server (it has happened before, [sigh]), you're immediately firewalled after the first attempt - which typically is *not* 'rm -rf
Well, PHP and SQL injection of course, but the same script is used there - if the variables being sent to the page are odd in some way (typically I look for spaces after urldecoding them as a first step - SQL tends to have spaces in it
What would be nice would be a register within a PHP script that simply identified which functions were called. In the meantime, this works well for me...
Just thought I'd share, because it's similar to what the author is saying regarding only trusting what you know to work, and everything else gets the kick (squeaky wheel-like
Simon
Physicists get Hadrons!
- That DRM systems don't work
- That DRM systems are bad for society
- That DRM systems are bad for business
- That DRM systems are bad for artists
- That DRM is a bad business-move for MSFT
A very good read if you are in the position of explaining this to someone in a position to mandate DRM. http://lists.immunitysec.com/pipermail/dailydave/2005-September/002347.html
Dave's "Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site"." http://lists.immunitysec.com/pipermail/dailydave/2005-September/002366.html
Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
"To illustrate, ask yourself this question: why do most corporate computer users have permissions on their computer to download and execute arbitrary programs?"
Most likely because either:
1. The IT department is too stupid to lock down the computers.
or
2. They need to run some stupid Windows application that requires the user be an administrator.
The second option is all too common even now, and one of the major problems with desktop security in Windows.
Sometimes my arms bend back.
is the permit by default tendency. This is like having a fence that springs out of the ground only when certain people are sensed approaching it. It needs to be up and topped with barbed wire and the only gate needs to be locked until someone is given a key to it. NAT routers are like that. They can only forward traffic when you bother telling it to and until then sit there stupid making you wonder why your new SSH installation won't talk to the outside world.
OTOH, it is a colossal pain in the arse to deny all traffic and only allow what you want, because so much code is network-aware these days and designed to talk to some place across the net. Then again, it does tell you which apps are communicating in the first place.
On my Windows boxes I use Sygate Personal Firewall to create a specific list of allowed executables and block everything else with a block all entry at the bottom of the fall-through list. No match, no talk. Inbound and out. Combined with NAT it makes for very little traffic reaching my internal network. When I leave my desk for the night and Windows is running, remove a few check marks and save and it only allows the file sharing app to talk and I keep that updated and locked down at all times.
It also can be set to approve or deny execution of code that may have changed since last allow/deny challenge.
That which is not forbidden is not only not compulsory, but probably suspicious.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
placing a company data server out on your front lawn with a "FREE" sign on it.
It seemed pretty good to me apart from point 5. But I'm only a mathematician, so I await whatever wisdom you impart.
For the love of God, please learn to spell "ridiculous"!!!
Maybe there were many deaths 60 years ago. There were also a lot of deaths 4 years ago. But I can guarantee that there will be many deaths in the future if we don't properly secure the most vital networks. You do know that computers control electricity, water, airplanes, banks, food processing plants, etc.? Just watch a hacker change the recipe of the hippest kid food and poison 10,000, or watch two planes crash in mid-air, with no hijackers endangering their lives since the autopilot was hacked from the ground.
The past is not my priority, the future is.
on linux, just mount /home and /tmp with noexec - now nothing can be executed except that explicitly installed.
Basically he said don't patch anything and design things that are secure. Pretty ignorant of security if you ask me. It's hard for the end user to design things that are secure when every layer of software/hardware they use is buggy. From the kernel, OS, network protocols, database, software language, drivers, routers, firewalls, and applications all contain bugs and design flaws. [1] Until you create the perfect human being there will be bugs and design flaws. [2] If a person can use a computer to do anything, then it can be hacked as someone can always get your password. [3] Why is that? Because a great portion of break-ins are inside jobs done by the Sys Admins or DBAs or other pissed off employees with access. Ultimately, you can never have 100% security unless a computer cannot be used by anyone. You have to at least try and improve the system as you go. This is the only way to *limit* the break-in possibilities, you will never prevent them all 100% outright.
This will never change as long as the market rewards timeliness over quality. Also, in many businesses, you have a contractual obligation to be running by a certain date. Hell or high water, you are going to ship on that date.
Choosing to ship before something is finished isn't usually decided by software teams, but by the business owner. IMO, they are preaching to the choir on this one.
If my firewall doesn't allow by default then it's going to be turned off entirely sooner or later when I can't get something working. The system should be secure without the firewall (just don't run unnecessary services), the firewall is there for an extra layer when exploits are found (by blocking specific exploits), to protect servers that don't need to be public (but this is not strictly necessary since internal auth methods should be good enough, leaving a non-public service open is far better than blocking one that's meant to be public.) and to give an uncompromised log of any intrusions which do occur (which is just as easy with default permit)
I am trolling
Ranum's attitude is hyperpessimistic:
"[S]ometime around 1992 the amount of Badness in the Internet began to vastly outweigh the amount of Goodness
[...]
about 75,000+ viruses that might infect your machine. Compare that to the legitimate 30 or so apps that I've installed on my machine"
Of course the "amount" of goodness Ranum puts on the Internet is vastly more than the badness, using each of those 30 "good" apps much more frequently than each of those 75K viruses. Even considering average Netizens, not quite as clean as we can presume Ranum to be, and even the few Net saboteurs pumping badness into our Internet, there's still much more goodness (or "whateverness") than badness.
--
make install -not war
This is the same putz that, in Risk Digest, denied what he wrote in his own book! Hey Ranum, go get some Ritalin then write something. There's a great mind there, it's just trapped.
:)
My post captcha is "uncouth"... Ain't that the truth!
Actually there should be seven. I remember its something starting with: "installing MS Windows....."
Password must be 10+ characters in length, contain upper and lower case letters, 3 numbers and 2 special characters.
Result:
Users keep their passwords on post-it notes stuck to their monitors.
2) Constant password expiration
Passwords expire every 3 months. New passwords can not resemble old passwords.
Result:
Users keep their passwords on post-it notes stuck to their monitors.
You make some valid points glasshopah but opposed to what? So you don't patch, or educate users or do pretty much anything?
Perhaps the more insightful question, Marcus, is how much 'security' is worth doing at all? What are the actual success criteria worth aiming at? I tend to think, Marcus, that security, like everything else in life and commerce, is worth doing at about a C+ (as in grade, not compilers).
*head explodes*
Did you actually read the article, or did you just repeat one of its points by accident?
Do you know what algorithm they applied to determine string similarity? If it were a naive algorithm, you could simply shift a 14-character string to the right each time.
Otherwise, you could rot-6 it each time. You'd quickly become familiar with rotational codes.
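As an added example (not from either of the posts above), here is what the trick being described looks like against a naive positional "60% different" check, and a rotation-aware comparison that catches it. The positional metric, the 14-character/four-previous rule, and the candidate passwords are assumptions constructed for the demonstration; the original post does not say which similarity algorithm the firm used.

```python
"""Mechanically derived passwords versus a naive 'N% different' history check.

Added example, not code from the original thread. The positional-difference
metric is an assumed stand-in for whatever the firm's checker computed.
"""


def positional_difference(old: str, new: str) -> float:
    """Naive metric: fraction of character positions that differ."""
    n = max(len(old), len(new))
    if n == 0:
        return 0.0
    differing = sum(
        1 for i in range(n)
        if i >= len(old) or i >= len(new) or old[i] != new[i]
    )
    return differing / n


def naive_policy_accepts(history, new, length=14, threshold=0.6) -> bool:
    """The policy from the post: exactly 14 chars, ~60% different from the previous four."""
    if len(new) != length:
        return False
    return all(positional_difference(old, new) >= threshold for old in history[-4:])


def rotate(s: str, k: int) -> str:
    """Cyclic shift: move the first k characters to the end ('shift the string right')."""
    k %= len(s)
    return s[k:] + s[:k]


def caesar(s: str, k: int) -> str:
    """ROT-k over letters (case preserved) and digits; other characters untouched."""
    out = []
    for ch in s:
        if ch.islower():
            out.append(chr((ord(ch) - 97 + k) % 26 + 97))
        elif ch.isupper():
            out.append(chr((ord(ch) - 65 + k) % 26 + 65))
        elif ch.isdigit():
            out.append(str((int(ch) + k) % 10))
        else:
            out.append(ch)
    return "".join(out)


def mechanically_derived(old: str, new: str) -> bool:
    """Rotation-aware check: is `new` a cyclic shift and/or a Caesar shift of `old`?"""
    if len(old) != len(new) or not old:
        return False
    for r in range(len(old)):
        shifted = rotate(old, r)
        for k in range(26):
            if r == 0 and k == 0:
                continue  # identical password; the naive check already rejects that
            if caesar(shifted, k) == new:
                return True
    return False


def hardened_policy_accepts(history, new, length=14, threshold=0.6) -> bool:
    """Same length and distance rules, plus rejection of shifted/rotated reuse
    against the whole history rather than only the last four entries."""
    if not naive_policy_accepts(history, new, length, threshold):
        return False
    return not any(mechanically_derived(old, new) for old in history)


if __name__ == "__main__":
    week1 = "Correct.Horse1"           # constructed sample, 14 characters
    week2 = rotate(week1, 1)           # "shift it right" trick
    week3 = caesar(week1, 6)           # rot-6 trick
    for pw in (week2, week3):
        print(pw, naive_policy_accepts([week1], pw), hardened_policy_accepts([week1], pw))
```

Both tricks sail through the positional check because almost every position changes, which is exactly why that kind of checker pushes people toward post-it notes instead of new passwords.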
noexec can be easily circumvented. Read here for more information.
Relevant example:
alex@joker:/tmp# mount | grep tmp
/dev/hda7 on /tmp type ext2 (rw,noexec,nosuid,nodev)
alex@joker:/tmp# ./date
bash: ./date: Permission denied
alex@joker:/tmp# /lib/ld-linux.so.2 ./date
Sun Dec 3 17:49:23 CET 2000
Crime as a problem of context is studied in Gregory Bateson's seminal book Mind and Nature: A Necessary Unity. Bateson addresses two flaws in our court system. One is to treat a crime as something isolated and somehow measurable in penal terms. Taking a crime out of context, i.e., the makeup of the criminal, is blind to the forces that generate criminal actions.
Bateson speaks of (crime) "...as not the name of an act or action; it is the name of a frame for action. ...( he suggests)... we look for integrations of behavior which a) do not define the actions which are their content; and b) do not obey ordinary reinforcement rules." In this context he suggests play, crime and exploration fit the description. As long as we are only able to punish according to some sort of arbitrary eye for an eye method of bookkeeping we will be unable to root out crime.
Bateson's second criticism of our judicial system addresses its adversarial nature. He writes... "adversarial systems are notoriously subject to irrelevant determinism. The relative 'strength' of the adversaries is likely to rule the decision regardless of the relative strength of their arguments."
He further goes on to a brilliant analysis of the Pavlovian study of dogs in terms of the dog's view of the context; and, how the dog's context is violated when the dog's view of a "game" of distinction is morphed into a game of guessing without there being any markers to tell the dog the context of the game has been changed. This switch in context drives neurotic and violent behaviour in the dog. I suspect much anti social behaviour is driven by the criminal's inability to read society's context markers.
"Academicians are more likely to share each other's toothbrush than each other's nomenclature."
Cohen
that has a familiar ring to it...
I work for the Department of Redundancy Department.
On Linux the avg user can be denied permission based on the rights you set up for their respective home directories. System-wide bins usually don't have write permissions or, depending on their utility, read, write or execute permission. Which is why sudo exists, etc., etc. So essentially no, Linux doesn't give the average user that capability. The same goes for most other operating systems, even Windows.
As the article rightly points out (and btw, if you had bothered to read it you would have been aware of this), there is no reason at all why joeuser should even be able to download and execute "naked_sluts.exe" on a company's network.
And I quote:
"Dealing with things like attachments and phishing is another case of "Default Permit" - our favorite dumb idea. After all, if you're letting all of your users get attachments in their E-mail you're "Default Permit"ing anything that gets sent to them. A better idea might be to simply quarantine all attachments as they come into the enterprise, delete all the executables outright, and store the few file types you decide are acceptable on a staging server where users can log in with an SSL-enabled browser (requiring a password will quash a lot of worm propagation mechanisms right away) and pull them down. There are freeware tools like MIMEDefang that can be easily harnessed to strip attachments from incoming E-mails, write them to a per-user directory, and replace the attachment in the E-mail message with a URL to the stripped attachment. Why educate your users how to cope with a problem if you can just drive a stake through the problem's heart?"
And I follow his thinking....
You allow through what you want, harden those systems to the level of the firewall that you are protecting them with, and then harden the systems that they connect to, to the same level.
At the end of the day though, you can only harden so far. You have to balance the security vs. ease of use argument along the way. The best way to do this is to take all the applications that make the business money, find a secure way to allow them through (proxy or otherwise) and then deny the rest of the traffic. As people whinge, allow those applications through based on merit.
One of my friends at the moment is trying to convince his head of IT (my old head of IT) to implement IPSEC everywhere. That's a great idea and all, especially from a security perspective, but it adds a layer of complexity that could well become harmful, and the head of IT isn't going to buy into it.
What we need to do is go about education, telling the users what should and shouldn't happen, the idea that if "this" comes up to hit cancel or to report it, and that is their options. Make this the default for the "deny any" policy that Marcus was trying to get across.
At the end of the day, we can't harden everything; as much as we would like to, we can't, simply because of a lack of resourcing or otherwise. Unless someone comes to bat for a much larger (and smarter) security group that is going to look after absolutely EVERYTHING, every single request that crosses a helpdesk, and specifies what every user will need access to, ensuring that those applications are hardened, Marcus' idea will never take off.
Oh I wish for the day when it does, but in the next 5 - 10 years, I don't see it happening..
Please someone prove me wrong.
Curiosity was framed; ignorance killed the cat. -- Author unknown
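An added example of the attachment quarantine the quoted paragraph describes, written here against Python's standard email library rather than MIMEDefang, and not taken from the article or from that post. The allow-listed extensions, the executable magic bytes, the staging URL, the user name and the sample message are all constructed for the demonstration.

```python
"""Default-deny attachment gateway: quarantine everything, drop executables
by content, keep only allow-listed file types on a per-user staging area,
and replace each attachment with a URL.

Added example, not from the original thread or from MIMEDefang.
"""
import email
import hashlib
import os
import re
import tempfile
from email import policy
from email.message import EmailMessage

# Assumed allow-list: the "few file types you decide are acceptable".
ALLOWED_EXTENSIONS = {".pdf", ".txt", ".csv"}
# Executables are rejected by content, not by name, so a PE file renamed
# "invoice.pdf" is still caught.  (Assumed magic bytes: PE, ELF, scripts.)
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")


def classify(filename: str, payload: bytes) -> str:
    """'executable' (delete outright), 'disallowed' (not on the list) or 'allowed'."""
    if payload.startswith(EXECUTABLE_MAGIC):
        return "executable"
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_EXTENSIONS:
        return "disallowed"
    return "allowed"


def strip_attachments(raw: bytes, user: str, store_dir: str, base_url: str):
    """Return (rewritten message, report).  Allowed files are written to
    store_dir/<user>/<sha256-prefix>-<name>; the message body gets a URL per file."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    user_dir_name = re.sub(r"[^a-z0-9]", "_", user.lower())
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        verdict = classify(name, data)
        url = None
        if verdict == "allowed":
            safe = re.sub(r"[^A-Za-z0-9._-]", "_", name)[:64]   # no path tricks in names
            tag = hashlib.sha256(data).hexdigest()[:16]
            user_dir = os.path.join(store_dir, user_dir_name)
            os.makedirs(user_dir, exist_ok=True)
            with open(os.path.join(user_dir, f"{tag}-{safe}"), "wb") as fh:
                fh.write(data)
            url = f"{base_url}/{user_dir_name}/{tag}-{safe}"
        report.append((name, verdict, url))

    out = EmailMessage()
    for header in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[header]:
            out[header] = str(msg[header])
    lines = [
        f"- {name}: {verdict}" + (f" -> {url}" if url else " (removed)")
        for name, verdict, url in report
    ]
    out.set_content(body.rstrip("\n") + "\n\n-- attachment gateway --\n" + "\n".join(lines) + "\n")
    return out, report


def build_sample() -> bytes:
    """Constructed test message; not a real capture."""
    m = EmailMessage()
    m["From"] = "someone@example.org"
    m["To"] = "joeuser@example.com"
    m["Subject"] = "pics and the invoice"
    m.set_content("Hi, see attached.")
    m.add_attachment(b"MZ\x90\x00fake PE stub", maintype="application",
                     subtype="octet-stream", filename="naked_sluts.exe")
    m.add_attachment(b"MZ\x90\x00disguised PE", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"%PDF-1.4\n%real report\n", maintype="application",
                     subtype="pdf", filename="report.pdf")
    m.add_attachment("a,b\n1,2\n", subtype="csv", filename="numbers.csv")
    return m.as_bytes()


def demo():
    """Run the gateway over the sample into a throwaway staging directory."""
    store = tempfile.mkdtemp(prefix="quarantine-")
    return strip_attachments(build_sample(), "joeuser", store, "https://files.example.com")


if __name__ == "__main__":
    rewritten, report = demo()
    print(rewritten.get_content())
```

The staging server itself (SSL, per-user login) is out of scope here; the point is that the decision is made by content and an explicit allow-list, and that the user never receives the original part.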
Try OSX. As of some update about a year ago, OSX stopped having "default permit" for launching applications by double-clicking. If you double-click and that leads to launching an executable that hasn't been run before, it pops up a dialog to ask you about it.
Thus, no more executables bearing viruses disguised as documents.
Can anyone tell me how to set my sig on Slashdot?
#1 starts out fine, until you notice that his argument necessitates trusted computing, which has never really made it into vogue.
He should have kept it about things that "Default Permit" actually addressed when people were considering it, rather than hopping down a path that requires technology that is barely in use yet, as if it were at some point a direction that we had already considered.
OK, we shouldn't educate users at all, huh? Yea I think that business users should never have admin rights to their business machines but for everything you can't nail down, you're either going to have to have smart users or have the IT folks hold the users' hands constantly.
My belief is that users should be as educated as possible but it should never be a business requirement. Feel free to lock things down; you should restrict access but also let your users know why they are that way. Hell, maybe it will help them with their home systems. Maybe they'll even pass good habits onto others. I can't see that as being a bad thing.
There is a way to fix security problems on end-user machines completely.
The solution is to keep the operating system and applications on read-only media. The end-user operating system of the future should be designed around this idea, and they should reboot from read-only media on a regular basis; this way viruses cannot spread and worms cannot get a foothold.
It's doable. It's feasible. It's the future, once engineers really decide to solve the problem.
The main goal behind TCPA/TPM is to make DRM actually work. Preventing virii/worms is just a sideeffect.
In the business world you don't make as much money protecting applications as you do making people pay repeatedly for the same content. Well... except for security and antiviral firms.
[!] No, I can't see my comments. They are not worthy of +3 moderation.
is a raving lunatic. Ask him about how he lost the privilege to ever own a gun again. Or how he started a company but didn't get a single penny when it was finally bought out.
wow thats bad.
"Hard"? That's quite an understatement. A certain ridiculously heavy and ergonomic DEC keyboard of mine would look a lot better if it was just "hard".
No, this has absolutely nothing to do with the stains on the upper right corner vaguely reminiscent of human brain tissue. That was coffee. Seriously.
"I'm gonna stop using condoms too while I'm at it"
Its too bad your father had the same attitude.
Someone please tell Marcus to stop tooting his own horn, sheesh
Now it isn't really surprising that some people on /. do have a problem with understanding what they read, but this, this is just amazing.
Needless to say that it promptly got modded up.
"2) Enumerating Badness
So you want to write a virus scanner that somehow can recognise viruses without being told which programs are viruses. Modern virus checkers already mostly do this. With spyware it's very hard for a computer to tell the difference between a program you wanted installing and one you didn't. How do you expect it to tell?"
No, as he makes clear he does not want to write such a virus scanner. What he rightly asks is why people who only need 10 applications should even be able and allowed to run any other software.
In other words, he's also advocating a deny default policy here. Deny everything from being executed, unless it is really needed.
"3) Penetrate and Patch
So you are saying we should write code without bugs and holes? What a great idea that is? why did no-one think of saying that before?"
Nope, he's pointing out that penetrate and patch is a very ineffective approach to achieving security and that it's far better to already start out with security in mind. Not a dumb idea at all.
"4) Hacking is cool
You think people should learn how to stop hacking and intrusion without learning how existing hacks work? Then you are stupid. Shush."
Nope, not really. He merely suggests that it's ineffective to say the least to engage in an arms race with the bad boys.
"5) Educating Users
So you are saying that we have to do security without teaching users how to do it. That just isn't going to work unless you never let users install their own applications or plug-ins. Yes teaching users is hard, but it has to be a vital part."
Nope, he's simply pointing out that not letting users install their own applications or plug-ins is a much more sensible approach than to count on educating users. He points out that one might get the impression from past experiences that educating users hasn't been an overwhelming success.
"6) Action is better than Inaction
So, after saying the state we are in is rubbish, you now say we shouldn't actually change anything. Eh? Or are you saying "don't try something new without testing it first"? Well thats more than a little obvious."
Nope, he is saying that contrary to what many IT people like to do, that is follow the hype of the moment, it is often a better idea to simply just wait how a new idea works out and then adopt it. I can't see anything wrong with that advice.
"This is just trolling, crap, and obviousness. Your average slashdot post really."
Congratulations, I couldn't have described your post better myself.
"Compare that to the legitimate 30 or so apps that I've installed on my machine, and you can see it's rather dumb to try to track 75,000 pieces of Badness when even a simpleton could track 30 pieces of Goodness."
Okay Mr Whitelist Everything, let's ensure that every time I want to run a program on my computer I'm prompted to confirm that's what I want to do. Let's start by actually counting the number of programs I will have to do this for:
$ ls -1 /bin /sbin /usr/bin /usr/sbin /usr/X11R6/bin/ /usr/local/bin | wc -l
ALERT: Attempting to run un-registered program /bin/ls.
Are you sure (y/n)y
ALERT: Attempting to run un-registered program /usr/bin/wc.
Are you sure (y/n)y
5187
Looks like I've got my work cut out for this week.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Maybe he's a friend of ESR's or RMS's. Trying for his own elevation to 3 char alias fame...
amen
Wow! That was one of the better articles I have read here! Very good! Thanks!
I'm not aware of any - although if anyone knows of one, I'd be interested too - just to make sure I've not made a stupid mistake...
It's not too hard, though, if you download the PHP source and look in "ext/standard", you'll see the various files - for example 'exec.c'. If you look in there, you'll find a function per php command {exec(), shell_exec(), system(), passthru()}, to all of which you could simply add
Then you just need to write something that registers a shutdown hook (there are examples at php.net) and decides what to do. In my case I generate a vector of the intval(constant) values with commas between (eg: "0,0,1,0,0,1"), and check to see if they're all '0'. If they are, I just exit normally. If not, I check that the entry in the SQL table 'syscall_allowed' for that script corresponds to the exact string above (I used comma-separated values to make this easier). If there's no match for script and vector, I firewall the incoming (REMOTE_ADDR) IP address.
Simon.
Physicists get Hadrons!
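An added example covering both of Simon's posts (the digest-checked privileged wrapper in the first, and the per-script syscall vector in the second); it is my own sketch in Python, not his Java/gcj program or his PHP patch. Differences from what he describes are deliberate and assumed: the token is an HMAC under a key only the privileged side holds, the command is an argv list rather than a string, variable "areas" are argv indices, and both the masked argv and the slot indices are bound into the token. The iptables command, the key, the script names and the syscall_allowed rows are constructed for the demonstration.

```python
"""Template-bound authorization for a privileged command, plus the
'which dangerous functions did this script call' vector check.

Added example, not Simon's code.  Assumptions: HMAC-SHA256 under a key held
only by the privileged side; argv lists (no shell); variable slots are argv
indices and are part of the signed template.
"""
import hashlib
import hmac
import json
import subprocess

SLOT = "<SLOT>"

# Assumed list of PHP functions the patch flags, in vector order.
DANGEROUS = ("exec", "shell_exec", "system", "passthru", "backtick")


def template_token(key: bytes, argv: list, slots: set) -> str:
    """Issue a token for an approved command template (done offline by the admin).
    Slot positions are masked, and the slot indices themselves are signed, so a
    caller cannot declare an extra slot to cover an argument they changed."""
    masked = [SLOT if i in slots else a for i, a in enumerate(argv)]
    msg = json.dumps({"argv": masked, "slots": sorted(slots)},
                     separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authorized(key: bytes, argv: list, slots: set, token: str) -> bool:
    """Privileged side: recompute the token for what the caller presented."""
    return hmac.compare_digest(template_token(key, argv, slots), token)


def run_privileged(key: bytes, argv: list, slots: set, token: str):
    """Run argv only if it matches a signed template.  No shell is involved, so
    ' | my_hack' inside a slot is just an odd string, and outside a slot it
    changes the template and fails the check."""
    if not authorized(key, argv, slots, token):
        raise PermissionError("command does not match any approved template")
    return subprocess.run(argv, check=False, capture_output=True)


def call_vector(called: dict) -> str:
    """'0,0,1,0,0'-style vector: one flag per dangerous function, in DANGEROUS order."""
    return ",".join("1" if called.get(fn) else "0" for fn in DANGEROUS)


def decide(script: str, observed: str, allowed: dict) -> str:
    """Shutdown-hook decision.  `allowed` stands in for the syscall_allowed table:
    script name -> exact vector that script is permitted to produce."""
    if set(observed.split(",")) == {"0"}:
        return "ok"                      # nothing dangerous was called
    if allowed.get(script) == observed:
        return "ok-logged"               # expected for this script; log and continue
    return "firewall"                    # unknown script/vector: block REMOTE_ADDR


if __name__ == "__main__":
    key = b"example-key-held-by-the-setuid-side"      # constructed
    template = ["/sbin/iptables", "-A", "INPUT", "-s", "203.0.113.7", "-j", "DROP"]
    token = template_token(key, template, {4})     # only the address may vary
    attempt = ["/sbin/iptables", "-A", "INPUT", "-s", "198.51.100.9", "-j", "DROP"]
    print("ip changed:", authorized(key, attempt, {4}, token))
    print("target changed:", authorized(key, attempt[:-1] + ["ACCEPT"], {4}, token))
    print("extra slot declared:", authorized(key, attempt[:-1] + ["ACCEPT"], {4, 6}, token))
    print("appended:", authorized(key, attempt + ["|", "my_hack"], {4}, token))
    print(decide("upload.php", call_vector({"system": True}), {"upload.php": "0,0,1,0,0"}))
```

Note that an unkeyed digest would not help here: whoever can write a script on the web server can also compute a digest for any command, so the secret has to live on the privileged side, and the allowed templates are whatever the admin has issued tokens for.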
I think there's some miscategorization.
My understanding was that these would be security ideas that were basically empty suits. Ideas #2 - #6 confirm this understanding. But then who advocates "Default permit" on the basis that security-wise it's the right thing to do?
ANS: No one I have ever seen.
People may advocate default permit but usually for performance, business, laziness etc. reasons. Never as a good security idea. Ergo "Default Permit" isn't even a security idea therefore how can it make some list as the most prevalent ("most-frequently-seen")? Makes no sense.
Number seven: taking advice from a security expert whose great claim to fame is an ongoing quest for even greater hyperbole.
Jeez, Marcus, are you always going to be a self-promoting twat?
Marcus, your list is crap. Here's a list:
1) No one is watching. IDS, firewall logs, doesn't matter - no one is watching.
2) Most security people don't get it. They run NFR and think that they're safe.
3) Security is a low priority. Time to market matters. Security ranks below documentation and above performance tuning.
Raising awareness of network security is a good thing. Doing it with bombast and self-promotion is just being a media whore.
='^)
Well, he did have a few good points, that you cannot make an application secure by continually patching it. However:
:-)
1) Default permit--- Seems like an argument for TCPA. The fact is though that we need a balance of usability and security. If you take one too far, you will hurt the other. Also, a reasonably administered Linux system is not going to try to contain damage better than a Windows system simply because a better balance exists between what you can do with user rights and what you need admin rights for. It is not a question of "permitting by default" but rather "what you permit by default."
If restricting by default worked in the real world, Windows would be the most secure OS ever, and people would never need admin rights.....
And take this quote (minor dumb ideas):
"We don't need host security, we have a good firewall" - no, you don't. If your firewall lets traffic through to hosts behind it, then you need to worry about the host security of those systems.
Gee... I must be dumb because I thought that one of the main points of host security was to protect against internal threats.
Now for user education....
The main reason why user education doesn't work is because people don't put in the resources to ask people to take it seriously. People are told "do this, don't do that" yet nobody actually tries to educate them. Things like explaining *how* people use these tricks to gain access to the network. Sure, many users will still be dumb (when I worked at Microsoft one of the managers in my department had managed to get his system infected by every major virus outbreak in the previous several years and he was one of the first at Microsoft to get infected by loveletter), but that is not the point. The point is that if you increase the percentage of smart users, you increase your chances of catching a threat before it is too late.
Penetration Testing:
You are not testing your app, silly. You are testing your network, which likely has third-party apps. This is a way of determining what sort of risks you have so you can try to mitigate them. No, it is not always feasible to read through the source code of every app you run, as you seem to think.
"We can't stop the occasional problem" - yes, you can. Would you travel on commercial airliners if you thought that the aviation industry took this approach with your life? I didn't think so.
True. But you cannot be sure you stop the determined hacker. There is a serious difference here. Also it may be the case that occasionally business needs may require some sort of fairly insecure setup. In these cases, your security is likely to involve managing rather than completely eliminating problems.
For example, I run the SQL-Ledger Wiki. We have had a number of defacement problems in the past because it is publicly writable. Duh.... However, it is important that anyone can write to the Wiki so we do our best to ensure that 1) these events are minimized technologically and 2) there is *no way* that an attacker can force data loss aside from a hole in the application. In this case, we cannot prevent the occasional problem because it is inherent in the system requirements. However we can and do manage it quite well...
As for enumerating badness, I will agree that signature-based detection is no longer adequate. However, this does not mean that enumerating badness is a bad idea. It just means you are using the data wrong. If we can enumerate and prioritise all the badness in Apache, IIS, Websphere, SunOne, etc. we can begin to make educated decisions about the relative security of these applications.
LedgerSMB: Open source Accounting/ERP
I think that what we're missing here is that applications SERVE the needs of a business. "Let's build it right in the first place" is pretty much a no-brainer, but if a business has a need for a particular application, whether that app is hack-proof or not is not something that senior business managers tend to give a flying fuck about, in my experience. The requirements phase of any project tends to include a "don't let this app take it up the ass" clause, but that's subservient to the overall aim of the project - whatever it may be.
I'd rather send those cents to the folks in New Orleans that are suffering as though they are in some third world country. A shame, a shame, a shame that what happened down there *actually* happened on US soil! To make matters worse, it could still happen - again!
"But then who advocates "Default permit" on the basis that security-wise it's the right thing to do?"
No, he does not!!!! No, he does not!!!
RTFA! RTFA! RTFA!
And I quote:
"The opposite of "Default Permit" is "Default Deny" and it is a really good idea. It takes dedication, thought, and understanding to implement a "Default Deny" policy, which is why it is so seldom done. It's not that much harder to do than "Default Permit" but you'll sleep much better at night."
said as a joke, I realize it's got its points. However it does rank bottom of the list for security in an overall sense. Consider the viruses, worms and 11 sec to breach dangers of putting a windows box online. It needs mention as one of the upper 6.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
From the article:
"On my computer here I run about 15 different applications on a regular basis. There are probably another 20 or 30 installed that I use every couple of months or so. I still don't understand why operating systems are so dumb that they let any old virus or piece of spyware execute without even asking me."
The author has a point here, but answer to his question is very simple - his computer doesn't ask for permission to execute most programs because most users would absolutely panic if their computer regularly asked for their input.
I base this on my own experience as a college tech, which is necessarily limited. That said, two points to consider:
I have never, ever seen a student running in a non-administrator account on their Windows PC, even though XP supports this feature. This would prevent much malicious software from running, and avoids the "default permit" behavior that the article author finds so odious. However, users do *not* want to see error messages when they try to run things, nor do they want to log into a different account to install their p2p flavor of the week. They want things to "just work". So, non-administrator accounts are fantastically unpopular.
Another example: Zonealarm. My school encourages students - in fact, tells students they are *required* to - install ZoneAlarm. So what happens? Zonealarm asks them if they want to let, say, AIM or Weatherbug access their network connect - and the user freaks out. They think it's an error, that their computer is busted, etc.
In short- desktop machines tend to be default-permit because desktop users are completely unwilling to deal with an alternative arrangement.
I'm the stranger...posting to
The weak spot in this is that, for it to work, the user has to deny the executable from running. Most users don't. Especially not if the e-mail containing the executable contains some plausible explanation why they should allow it to run. E.g. telling them that it is an important security update from Apple.
God is REAL! Unless explicitly declared INTEGER
Instead of working on treating the root of the problems of computer security, we get defensiveness over the status quo and lame excuses?
Every point he makes is true. We have design-solutions (not just patches) to every existing security vulnerability, but instead of doing things over, the turd gets polished.
Why do Linux and Mac have almost no viruses? It's because the turd is a bit better, but also there is some crap that could be fixed and probably is in SELinux.
You could at least have mentioned money, but these excuses are BS.
Slow down and read my fucking post.
The point was this:
- This was supposed to be a list of security ideas that suck
- My fucking point in my original post was that the first dumb idea (i.e. "security idea that sucks") -- "Default Permit" -- isn't even a fucking security idea
- To go extra slow for the Really Big Retards, therefore, what is idea # 1 even doing on the list?
You can apologize now, asswipe.
Here's a simple problem for you. On a Fedora Core 4 system with SELinux enabled, configure Samba access on a directory that can be also accessed by Apache without disabling SELinux for either. Should be easy, right?
Turns out, you can't do this! For someone coming from a system with proper implementation of ACLs (such as Windows or Mac OS X) this is just unbelievable. And folks who wrote SELinux say this is by design, because if you give access to the same data to two apps, you can't isolate these apps. WTF? Do I want to isolate these apps? No, I simply want to be able to copy pictures to the webserver in my closet. If I can't do something as trivial as this, then folks who actually run serious stuff on Linux are bound to have problems too. My guess is, the first thing folks do is they disable SELinux and move on. That's what I did, eventually.
Just make sure the corporate users can only write to their home directory and mount /home with noexec. Since they don't have the root password (this is a corporate environment, remember?) they won't be able to install and run anything.
When users are annoyed by questions they don't understand, support costs go up. Windows users really can't answer questions about whether to allow various TCP connections. Since only programs we approve can be installed on the "users" machine, there is no point in default deny.
Just like currency security doesn't try to identify all the different kinds of forgery, so the idea of "trusted" computing is that all programs are bad except the ones signed directly or indirectly by Microsoft.
To be effective, "trusted" computing must be airtight against workarounds by end users. That is why hardware enforcement is an integral part of the picture. The XBox project has been very effective in eliminating holes in the "trusted" computing hardware, thanks to the many volunteer hackers attacking it.
Currency security experts don't spend time on basement printing presses. They spend time on creating currency features that are expensive to reproduce on a small scale. End-user freedom is not an issue in the "trusted" computing paradigm. We simply want an airtight system that allows *only* Microsoft approved programs to execute, and a hardware enforced way to retroactively delete content when Microsoft makes a "mistake".
We want to ensure that defeating the hardware interlock on our machines requires resources way beyond what an individual or small company can muster. It doesn't matter if organized crime or Chinese corporations have the resources. Their exploits give us justification to tighten the screws on our captive users.
One of the main real selling points of our software is that we aim it at users who don't know or care about computing. They just want to use some applications. If our users had any desire or aptitude to learn about security, they would have defected to that "competitor" that shall not be named. Once we succeed in legally banning un-"trusted" hardware, any talk of user "education" will be banished to dark alleyways.
You say, "never let users install their own applications or plug-ins". Darn tootin. The whole point of "trusted" computing is to prevent users from installing their own applications or plug-ins. That is 99% of the security problem with Windows. If a user doesn't know whether to allow a TCP connection, they certainly have no idea whether some no-name (i.e. non-Microsoft) program is safe to install.
We have 100s of millions of machines running our software in the field. We have a nearly complete monopoly on desktop software. Knee-jerk actions are simply out of the question. The damage done by an insufficiently tested patch is far worse than the damage done by the nastiest malware - because our users will blame it on *us*. (The rebels blame the malware on us, but that is irrelevant.)
I was expecting a mindless article—but this one actually makes some good points. I'm impressed.
This has to be the worst article in terms of truthfulness, content, and the author's understanding of the subject in general I have seen since the last Michael Moore documentary. Most of the practices mentioned are good when they are carried out. The real issue of balancing security with delivery for the end user is a tough one and some simplistic article categorically denying the worth of all security practices is worthless itself. Security is an in-depth process and with the dangerous combination of ignorance and arrogance comes a security breach. The same goes for physical security: if you have inept people installing the locks and maintaining the doors, someone will eventually enter who you didn't expect. With worms the threat is even greater because it is all automated and attacking from angles your IT team may not have expected or anticipated because they are undertrained, overpaid egomaniacs who got the job because they sounded like they knew what they were talking about and exuded a confidence far superior to their actual abilities or training, much like the author of this POS.
Default deny makes more sense when you think of it at the organizational level -- like a firewall. Both default deny and allow mean that you have to respond to new needs ... but default allow means you have to respond to new attacks (by blocking them) whereas default deny means you have to respond to new user needs (by allowing them). I've operated both sorts of firewalls -- and when you are in good communication with your user base, default deny is both more reliable and MUCH LESS WORK.
Ah ... you didn't read the article, did you? Every program that's running on your system that you didn't authorize to be there, is a problem. It doesn't matter if it's a "virus" or not, or if it's on Symantec's bad-guy list yet. Consider the following dialogue I had with a Windows technician:
Me: Windows host foo.example.org is cracked. It's portscanning out and trying to break into things. I've blocked it off the network.
Tech: I just ran an anti-virus scan on foo, and it didn't find anything. The user wants to get back to work; please put it back on the network.
Me: I didn't say it had a virus; I said it was scanning out and trying to break into things. It's still trying to scan out. I'm not going to put it back on the network.
Tech: Antivirus software says clean!
Me: snort says scanning out!
Tech: Antivirus software says clean!
Me: tcpdump says scanning out! Go get Clueful Tech to look at it.
Clueful Tech: Oh yeah, it's got all these processes called "fuck.exe" running. It's hosed. I'm reinstalling it.
Me: Thank you, Clueful Tech.
If you need antivirus software, your problem is not viruses -- it is that you don't have any control over what programs are getting to run on your computer. Get that control, and you don't need antivirus software.
Anyone who tells you that all software has bugs is being honest. Anyone who tells you that all software is equally buggy is trying to sell you Microsoft IIS. We can go a long way towards "code without bugs" just by observing the history of software and going with those options which have proven to need much less patching in the past.
We can also -- and more importantly, I think! -- favor software that is architected in such a way as to minimize security exposure. That means privilege separation and least privilege. Running your Web server as root is a brain-dead idea. It means not using more complicated software than you need -- if boa or publicfile serves your needs, don't use Apache.
It's interesting, but it isn't essential to the job. What you need to know is that attacks work by exploiting mistakes in the design and implementation of programs. What you need to know about buffer overflows, for instance, isn't how to exploit one for fun and profit -- but rather, that any C program that uses gets() is broken ... and that programs written in higher-level languages that have checked strings can't suffer from them.
There is a place that I've found that "hacking knowledge" is useful -- in demonstrating incontrovertibly that a problem exists. Joe Moron has a Windows-based embedded print server that's vulnerable
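The dialogue above is about trusting what the network shows (snort, tcpdump say "scanning out") over what a signature scanner says. As an added example, not code from anyone in the thread, here is a small Python detector that parses tcpdump-style lines and reports hosts opening bare SYNs to many distinct targets; the capture lines, the 10.0.0.42 address standing in for foo.example.org, and the threshold of 8 targets are constructed assumptions.

```python
import re
from collections import defaultdict

# Shape of a `tcpdump -n` line for a TCP packet (constructed sample format):
# "10:15:01.000000 IP 10.0.0.42.40001 > 10.0.1.1.445: Flags [S], seq 0, win 1024, length 0"
TCP_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP "
    r"(?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_tcp_line(line):
    """Return (src, dst, dport, flags) for a tcpdump TCP line, else None."""
    m = TCP_LINE.match(line)
    if m is None:
        return None
    return m["src"], m["dst"], int(m["dport"]), m["flags"]


def find_scanners(lines, min_targets=8):
    """Map each source that sent bare SYNs to at least `min_targets` distinct
    (host, port) pairs to its counts of distinct targets and distinct hosts.

    A bare SYN (flags exactly [S]) is a connection attempt; a host opening
    many of them toward many distinct targets is "scanning out" no matter
    what a signature-based scanner says about its disk.
    """
    targets = defaultdict(set)
    for line in lines:
        parsed = parse_tcp_line(line)
        if parsed is None:          # non-TCP or unparseable line: ignore
            continue
        src, dst, dport, flags = parsed
        if flags != "S":            # SYN-ACKs, resets etc. are not attempts
            continue
        targets[src].add((dst, dport))
    report = {}
    for src, pairs in targets.items():
        if len(pairs) >= min_targets:
            report[src] = {
                "distinct_targets": len(pairs),
                "distinct_hosts": len({dst for dst, _ in pairs}),
            }
    return report


def _syn(sec, src, sport, dst, dport):
    """Build one constructed SYN line at 10:15:<sec>."""
    return ("10:15:%02d.000000 IP %s.%d > %s.%d: Flags [S], seq 0, win 1024, length 0"
            % (sec, src, sport, dst, dport))


# Constructed capture: a normal workstation (10.0.0.7) opening three HTTPS
# sessions, one SYN-ACK coming back, and the cracked host from the dialogue
# (10.0.0.42, standing in for foo.example.org) sweeping SMB on twelve neighbours.
SAMPLE_CAPTURE = (
    [_syn(i, "10.0.0.7", 51000 + i, "192.0.2.%d" % (10 + i), 443) for i in range(3)]
    + ["10:15:03.500000 IP 192.0.2.10.443 > 10.0.0.7.51000: Flags [S.], seq 0, ack 1, win 65535, length 0"]
    + [_syn(10 + i, "10.0.0.42", 40000 + i, "10.0.1.%d" % (1 + i), 445) for i in range(12)]
    + ["10:15:30.000000 IP 10.0.0.42.40000 > 10.0.1.1.445: Flags [R], seq 1, win 0, length 0"]
)

if __name__ == "__main__":
    for src, stats in find_scanners(SAMPLE_CAPTURE).items():
        print("%s: %d distinct targets on %d hosts"
              % (src, stats["distinct_targets"], stats["distinct_hosts"]))
```

A real deployment would window the counts by time; here the whole constructed capture is treated as one interval.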
I was working as an IT Manager for a mid-sized company for a while. The main problem with "locking down users" is that nowadays there is no respect for IT Administrators anymore. Especially in small/mid-sized companies, where every single employee goes directly to his/her boss or even worse to the CEO just to complain about their "inability to work", because of the locked down computer. "The bad admin locked down the computer and I can't work anymore!". Sure, the PHB, CEO, HR won't understand the difference between user/admin rights.
After a while, the HR manager came to me and said that in four years, half of the employees complained about me. Whenever I tried to change something (firewall, user rights, ...), there were another ten or twenty complaints.
I have a pretty strong personality and a thick skin, but after a while, I gave up. Even brand-new interns complained about the situation that they were not able to install their "favourite software" or about the blocked ports at the corporate firewall.
All of the users are working as administrators on their computers at home - I know that, because most of them told me about the troubles they have with spyware and viruses, but they would never accept to have lower permissions at work. The common sense is, that the computer at work is actually theirs.
The same with company laptops. Everyone connects it at insecure networks at home, friends, hotel rooms, other companies and so on and after a business trip, you have to either reinstall the machine or remove spyware/malware.
It's just the lack of understanding, the habit to always work with admin rights at home and the lack of respect for the job of an IT administrator/manager.
#1 Anti Virus never works because there is always a new virus coming down the pipes. Any programmer worth his salt could write a deadly virus in under an hour, but since we're civilized we choose not to.
#2 When you disable Windows XP firewall, it's not fully disabled. You need to go into complex files and manually disable it.
God spoke to me.
Try making ld-linux.so.2 non-executable. Let me know if that works out for you ;-)
His idea of "writing perfect code", as you say, is basically the idea of taking the time to design your app instead of jumping in to code and ending up with a mess that is hard to debug.
:P
Also I would imagine it involves programmers learning about how to avoid programming pitfalls such as buffer overflows (make sure your buffer can hold the required data or make your char arrays on the heap so you can size them as needed, etc).
He also mentions that patches WILL be needed, just not as often as say, Internet Explorer needs patches.
Also, you mentioned a user possibly downloading and installing malware by mistake. He addresses that type of thing partly in like #5 or something.
Anyways I think the whole Default Deny thing would help mostly for network stuff (Windows Firewall already blocks everything except what you tell it to not block, all routers block incoming ports except for a whitelist of forwarded ports, etc).
For an OS, I agree, perhaps a whitelist of programs to run might be too much trouble for too little gain. Perhaps John Doe WILL download that program no matter how many ways you block it.
Doesn't mean you can't fire him after you find out he used a company PC to run unauthorized software.
And your shiny new default deny will isolate the problem, keeping a virus from propagating and spyware from transmitting.
Actually, the permission-to-launch dialog does not protect against malicious applications disguised as documents. If you double-click an app it will launch without question. What the dialog box defends against is an automated exploit that involves sending an application and a document to a system and then a request that the document be opened, which would launch the app before this dialog was introduced.
So Cory Doctorow is against DRM, but what Marcus Ranum suggests is exactly what is used to secure the DRM core - a "list" of allowed apps.
People will need to rely more on backups and the ability to log attacks and then rollback and redo the operation of a system. Of course that is only easy with mostly self-contained systems that do not execute business transactions. However, even banks "rollback" phishing attacks by calling back money sent, so it's not impossible to undo for them either, it just needs extra steps.
I'm still trying to figure out what people mean by 'social skills' here.
These days hostile environments, like the internet, are a haven for hackers / crackers / advertisers / etc. The real pain is that without a network like the Internet... there aren't many other alternatives... And even if you have something else popular, wouldn't the problem move / copy from one network to the other???
Writing bug-free code isn't possible, taking responsibility in writing secure code is. Sad to say, many companies still aren't taking this responsibility, and that's something that needs to be improved.
Many system administrators aren't taking the security features of their operating system seriously... Also here there is room for improvement.
Besides these points, there's nothing much to add. It's a story everyone knew...
About virus scanning and spyware detection, these are last resorts... Only when everything else fails...
SELinux fixes this hole, and I believe this fix is in later kernels (not the one I have though).
Personally, I agree with you. Basically this boils down to "don't trust the user". That's fine in big corporate environments where there's a separate department of office monkeys dedicated to each task which needs to be done, but it's going to be a pain in the ass (for both worker and administrator) in a smaller environment where people need to be flexible in their work routine.
Most days I write software, some days I try out new libraries or sample code, some days I work on web pages, some days I write papers, some days I do graphics. I appreciate it if the computer has a watchful eye to cover my backside, but I would be very annoyed if it blocks my activities outright and I have to run to the nanny every time I need some permission to do something new.
In that vein, each of the points has some applicability, but it's pretty obvious. Confirm unusual activity, address causes not just symptoms, write good code, test the waters. No duh. And if you're a sysadmin and don't want to do any work, lock all the computers in a closet and give everyone an abacus. It's easy to preach security by removing functionality.
And just food for thought -- #6 (test the waters) conflicts with #3 (redesign) and #4 (don't crack).
#3 because redesigning code has a tendency to just reopen old wounds as much as fix potential problems -- you're trading the well-known for the cutting edge, which is exactly what #6 advises against.
#4 because you can't expect people to know how to do things "right" without first learning from others' mistakes -- learning current security problems and how they are exploited *is* important. It has nothing to do with being "cool". It's useful information.
...the idea that it is only the ubiquity of a system (not its design & implementation) that is the greatest determining factor behind the likelihood of exploit.
The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...
pretty much just says "only allow things you know and prohibit everything else" what it fails to think about is, in that case the number of retarded "Why can't I run app x" will be multiplied by 1000...
Spot on. Thus, my signature;
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
Sugar coat it however you want, but using any version of Windows is by far the single largest security risk, period. Partially this is because Windows is the predominant desktop OS, but it is also because *nix is generally secure by design, whereas Windows is user friendly by design.
If you install Windows, you are making a conscious decision to open yourself up to a plethora of attacks that simply aren't possible on any other platform. Maybe the benefits outweigh the risks, but don't pretend that the risk isn't there or that it's some outdated joke.
Allrighty-o let's get into the business...
<quote>The Six Dumbest Ideas in Computer Security</quote>
Why six? Why not five or traditional ten? Only "six" ideas in ComSec area drags us down, huh. Yeah mate keep on dreaming.
<quote>There's lots of innovation going on in security - we're inundated with a steady stream of new stuff and it all sounds like it works just great. </quote>
Actually Marcus we are NOT "inundated with a steady stream of new stuff" and they do NOT "sound like they work just great". Actually, I pray you meant software and hardware protection methods when you mentioned the word "stuff", nothing is new on the western front. We are still using routers, switches, antivirus software and firewall boxes, and software, to protect our machines. Yes you can say "spyware protectors" are new but then they are not new practically they are specialized firewall-antivirus programs that check only a limited area of the hard disk and network activity. And both are "old" technologies.
<quote>Every couple of months I'm invited to a new computer security conference, or I'm asked to write a foreword for a new computer security book. </quote>
Which ones? There are two books mentioned in your website and only one of them is about computer security, barely... trying to get people using linux is not a ComSec business. Your duty is to secure the network as it is. Whether your employer uses linux or windows is regardless on that matter. Trying to convert an 80-Windows-machine topology to linux is a sure shot to get fired as far as I can see...
<quote>And, thanks to the fact that it's a topic of public concern and a "safe issue" for politicians, we can expect a flood of computer security-related legislation from lawmakers.</quote>
Yeah. We can expect it about p2p'ing and filesharing which is a grey area ethically. And local laws won't affect attackers from overseas. You found a cracker who has successfully cracked into your system from Lebanon. What will you do? Find and get him in USA to get into trial which will cost a LOT to your employee? Politicians are talking about the 'net since the Clinton-Gore election so what is new?
<quote> So: computer security is definitely still a "hot topic." But why are we spending all this time and money and still having problems?</quote>
Yes it is a hot topic but, although it is a rhetorical question, let me answer that we are spending all this time and money into ComSec because nothing is foolproof, or for that matter crack-proof.
<quote>Let me introduce you to the six dumbest ideas in computer security. What are they? They're the anti-good ideas.</quote>
Including educating users... and non-patching... and tagging problems... Anti-good... yeah... *drooling*
<quote>They're the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall transparent to hackers. </quote>
Erm, if one spends that amount of money on a firewall and somehow makes it transparent to everyone... sorry "Hackers" I would bet my money that that person had brain damage before installing that! When considering there are free alternatives on the market...
<quote>Where do anti-good ideas come from? They come from misguided attempts to do the impossible - which is another way of saying "trying to ignore reality."</quote>
Then what are you doing here exactly? What are you trying to tell us? Don't educate users, don't patch the system? Don't know how an attack is made so we can't create a solution to that?? Don't know about you guv, but you are "trying to ignore the reality."!
<quote> Frequently those misguided attempts are sincere efforts by well-meaning people or companies who just don't fully understand the situation, </quote>
like you
<propaganda mode>but other times it's just a bunch of savvy entrepreneurs with a well-marketed piece of junk they're selling to make a fast buck. In either case,
Electronic Liberties must be defended at all costs!
FTA: '"Hacking is Cool" is a really dumb idea.'
Maybe I just read too much O'reilly but what ever happened to the difference in definition between hacking and cracking. I mean for a self-professed 'expert on security system and design', he uses the word 'hacker' like an intern at CNN.
One of the Top Ten Dumbest Things in Network Security is completely forgetting about how employees need to use their computers!
Security needs to be balanced with Business and keeping employees happy.
At one non-tech job, we needed to use software completely written in ActiveX. It took a week and lots of cash outlay in wasted time before the IT people finally realized that the firewall/proxy setup was to blame for all of the computer related problems. Instead of adjusting the firewall, they took it down completely. What a bunch of complete fuck-ups.
Employees also want reasonable access to the internet. Neither management nor employees want the ability to see porn. But I might want to go onto the NRA or NOW website, without it being blocked!
Now, where did I put that encrypted USB key....
Summary: "If we built everything secure by design, we wouldn't have these problems"
Yay.. how insightful.
Try OSX. As of some update about a year ago, OSX stopped having "default permit" for launching applications by double-clicking. If you double-click and that leads to launching an executable that hasn't been run before, it pops up a dialog to ask you about it.
Actually, this will not stop you from launching an application (that is, an executable) by clicking on the application icon, it only prevents documents from opening applications that you have never run before. Say you double click what you think is a .jpg file expecting it to open in Preview, but another application is launched instead. You'll get a message that reads, "You are opening the application 'mysterious suspicious program' for the first time. Are you sure you want to open this application? ....to see the application in the Finder without opening it, click Show Application."
You can open the application by clicking it directly, and it will run without first presenting you with any warning. If I remember correctly, this was introduced by Apple to prevent users from inadvertently launching new (possibly malicious) applications that had somehow tricked the OS into associating certain file extensions with them. However, it's useless if you open a "document" that is actually an executable in disguise, as these will run without prompting you.
1. Install clean system and all apps you will use ...
2. Scan drives to mark all software as safe
3.
4. Profit!
Read the article entitled "The Monoculture Hype" by the same guy, on the same website, to see him advocate several of the approaches he later castigates as being dumb.
I found the Dumb Ideas article interesting but its tone is pure hype, designed to draw attention and, frankly, the dumbest thing is that it's so easy to reveal the author as a hypocrite by simply reading a contradictory article listed right there on his home page.
Sure, no one was quite the maladjusted, beardy dork that symbolizes the real hacker, but at least they weren't on fuckin' rollerblades. Sheesh.
--grendel drago
Laws do not persuade just because they threaten. --Seneca
The first time every application is launched, I get the dialog. When I install a new application, the first time I run it, I always get the dialog. It doesn't seem to have anything to do with opening a document vs. the application itself.
Whenever I do a fresh clone of my hard drive, and boot off of it to check it, every application gives me the dialog upon attempted launch. Apparently, the file that keeps track of what's been run before is clone-proof.
Do you have any sources for OSX exhibiting this behavior? Aside from my own experience, Wired talks about this update and says "The alert is invoked whenever a disk image is mounted or an application is launched for the first time."
Also, this is unrelated, but I thought I'd mention that Safari now notifies the user for every download that contains an executable, in case you weren't expecting one. I don't use Mail; I'm interested to know if it also warns users about executables in attachments?
Can anyone tell me how to set my sig on Slashdot?
You do realize that you can do essentially everything you are suggesting with SE-Linux without the overhead of maintaining a whitelist. This basically means turning the computer into an appliance.
Now in this case, with SE-Linux, you can even specify what files a given application can load. This can be used to limit scripting languages to known good scripts, or to prevent confidential information from being sent via email.
The SE-Linux information is stored in the inode, so it is specified by the administrator at file creation time or inherits properties according to policies. This avoids the issues you see with trying to maintain a whitelist of hashes and apps.
The point is that the user cannot be given something like the pointless SSL certificate browser warnings that allow a user to click "I don't care, let me in anyway". Default Deny, not Default No.
And if someone in AR forgets to pay Thawte for your SSL cert and it expires for a critical server (say internal app for credit card processing), users will be locked out. Cute. I am a firm believer in manual override capabilities. That will never happen, you say. All I have to say is domain name registration expiration for Hotmail....
Here is the problem. People think of security in a vacuum. Real security is a piece of a larger availability/security/usability problem. You have to tackle all three at once and ensure that one does not preclude the others within reasonable parameters.
LedgerSMB: Open source Accounting/ERP
Nobody can write perfect code. No matter how good our code is there's always something a little off, or that we didn't account for. What he's saying is we should prevent any use that we didn't intend.
If you're writing a PHP script, toss in a regex to catch anything not matching exactly what we know the PHP script will use. We want cid to be a number and op to be some text. Look for it and match it. And exclude anything that isn't exactly how it should be used. Rather than allow people to toss in any number of crazy stuff like UNION commands to feed into the SQL. Trying to figure out every wrong way to use a piece of software is the real impossible "head in the cloud" idea. Knowing every correct way should be trivial. Just code it in, and stop everything that doesn't fit that pattern.
Here and there it's right, and a single line or two can stop pretty much anything bad. It's just a bit of work to isolate all the good things it does. But this is far easier than finding the bad stuff after the fact.
It is no longer uncommon to be uncommon.
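The approach the post describes (match exactly what the script expects for cid and op, reject everything else, and keep the value out of the SQL text) as an added PHP example; this is not code from the post. The table and column names and the set of allowed operations are assumptions for illustration.

```php
<?php
// Added example, not from the post: allow-list validation of request
// parameters before they reach SQL. The table "articles", its column "cid"
// and the operation names are assumptions for illustration.
declare(strict_types=1);

// The only operations this script knows how to perform.
const ALLOWED_OPS = ['view', 'edit', 'delete'];

/**
 * Return a validated [cid, op] pair, or null if either parameter does not
 * match exactly what the script expects. Anything else (UNION clauses,
 * quotes, leading zeros, overlong ids) is rejected outright, not cleaned up.
 */
function validate_request(array $params): ?array
{
    // cid: a positive decimal integer of 1..9 digits and nothing else.
    // \A and \z anchor the whole string; a bare $ would still accept a
    // trailing newline, so it is deliberately not used here.
    if (!isset($params['cid']) || !is_string($params['cid'])
        || !preg_match('/\A[1-9][0-9]{0,8}\z/', $params['cid'])) {
        return null;
    }
    // op: must be one of the known operations, compared exactly (strict).
    if (!isset($params['op']) || !is_string($params['op'])
        || !in_array($params['op'], ALLOWED_OPS, true)) {
        return null;
    }
    return [(int) $params['cid'], $params['op']];
}

/**
 * Run the query with a bound parameter, so even the validated value is never
 * interpolated into SQL text. $pdo is a PDO connection supplied by the caller;
 * it is not exercised below because the demo runs without a database.
 */
function fetch_article(PDO $pdo, int $cid): ?array
{
    $stmt = $pdo->prepare('SELECT cid, title FROM articles WHERE cid = :cid');
    $stmt->bindValue(':cid', $cid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs, shaped like what a handler would see in $_GET.
$samples = [
    ['cid' => '42', 'op' => 'view'],                                  // accepted
    ['cid' => '42 UNION SELECT password FROM users', 'op' => 'view'], // rejected
    ['cid' => '042', 'op' => 'view'],                                 // rejected: leading zero
    ['cid' => '42', 'op' => 'VIEW'],                                  // rejected: exact match only
    ['cid' => "42\n", 'op' => 'view'],                                // rejected: trailing newline
];
foreach ($samples as $s) {
    $result = validate_request($s);
    printf("%-60s => %s\n", json_encode($s), $result === null ? 'reject' : 'accept');
}
```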
Really good points.
I worked in "security research" field for 10 years. I loved it.
Then companies got involved, certifications/courses/books appeared, pentesting became a business...
I moved to another field, for the very reasons MJR explained in his editorial.
Everyone wanted to be "secure", but noone wanted to invest time or brains in order to achieve that goal.
In 4 years of pentesting (and I'm talking about BIG players and companies with bright people, big budgets), I have only ONCE seen a company that actually took SERIOUS measures in order to improve its security. I'm not talking about adding another layer of firewalls or installing new toys, but actually redesigning their security infrastructure/thinking.
All the others wanted signed paper which says "You are secure now".
I ended up pointing all of them to MJR's Ultimate Firewall
Let's take this train of thought to its conclusion. Which is the smarter move: 1) that you should attempt to deny your machine to each one of those 75K viruses on an individual basis as they appear; or 2) that you should allow only those 30 "good" apps to run and never worry about the 75K viruses?
Right now, everyone's doing the first. He's saying, PRECISELY because of the point you've brought up, that we should be doing the second.
Enter any 11 digit prime number to continue....
I am the unwilling control for my Origin.
The author may be right that the things he listed are dumb ideas for mission-critical ultra-secure systems. However, he seems to be advocating the five dumbest ideas for usable systems.
.PNG format sent to them by family (where .PNG was not a whitelisted attachment, nor was email from a random gmail account).
The price of Default Deny is loss of flexibility. If it is easy to avoid denial (e.g. automatic addition to a whitelist), it's just Default Permit by another name. If it's really hard, it will keep you from doing everything except that which you already know you want to do--in other words, nothing new, nothing clever, just the same stuff over and over. This would turn computers into the equivalent of a stereo system. They do those narrowly-defined tasks that they were engineered to do, and nothing else.
People are going to occasionally want to do something new. When they do, there are certain things that they almost certainly *don't* want to do. Thus, you enumerate badness to help protect them when they want to use their computer as a flexible general-purpose device.
It's better to have systems that are secure by design. Duh. The point is, though, that even systems that are secure by design are likely to have flaws. If you look for flaws, and fix them, then you have a chance of staying ahead of other people who are looking for flaws to exploit them.
The coolness of hacking has nothing to do with security. Hacking is cool because it demonstrates our ability to manipulate our environment, to do things that are supposed to be impossible through ingenuity. In a factory of mindless corporate drones, hacking is not cool. But if you live in the real world where programs have flaws, there is even a security use for people who enjoy finding ways to use the flaws to accomplish things that the creators didn't intend.
Educating users is ridiculous--his point is that users shouldn't be educated because they should be educated before you hire them. Okay, and how did *they* get educated? What happens if you have to hire real people who are talented but they haven't all gone to this magical security training school? His point *should* have been that there are only some things that can be taught, and that you shouldn't assume you can teach completely counterintuitive behavior. But you might be able to teach someone enough to avoid clicking on strange attachments without deleting photos in
I don't want a secure, useless system. I want a secure, *useful* system. And that means compromises need to be made between security and usability. Reading this article gives very little clue as to how to construct a good balance.
Wow! Did you notice your system's clock is off by almost 5 years?
Have you ever used Zone Alarm firewall? Nifty little tool. Basically does exactly what this guy suggests: ask "may this access the internet [Y/N]" for each program that tries. Simple, yet really effective in catching malware.
I like your post with curses and righteous indignation better. Your well-thought-out points without swears are boring.
I also stopped using condoms, since I limit my activities to my wife. I'm also free from those sorts of infections because I was fortunate in my choice of a partner. This also has a cost, I'm sure that sex with other partners could be enjoyable. I also know that the 'zipperless f*ck' is more common in fiction than in my world, so I'm willing to stick with my spouse.
I know you are being tongue in cheek, but there is an error in thinking if you cure the symptom rather than the root cause. If you can't trust your partners to be safe, why don't you consider finding safe partners? In this regard, Microsoft is like the town *****. If you can't trust your partners, or if you are unwilling to live with some restrictions, by all means install antivirus software and use a condom.
Think global, act loco
How do you get "nude pictures of barely clothed females"?
I'm not going to read all the comments to see if someone has already said this. Yes MS OSs have issues with viruses and other security holes but if the MAC OS or *nix was the huge commonly used OS it would have the same problems so please get off the MS bashing bandwagon. Disagree all you want but you either know deep down inside it's true or you're too ignorant/cocky/stubborn to admit that your favorite OS isn't perfect. Everyone knows it would be a waste of time to write a worm/virus for such a small number of computers.
"all i wanted was a pepsi..."
Yea, this is mentioned in the Securing Debian manual as well, but this particular method does not work anymore...
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
Hmm. On my computers, I have hundreds of programs that I run every day; sometimes a small one pipes to a more complex one, sometimes several call each other in a chain. If any program asked me if I really want it to run as a default first step, I'd immediately delete it. Fortunately this was in his point number one, saving me from having to read any of the rest. This author is an ass.
grammar-lesson free since 1999. (rescinded - 2005)
PHP's "Dumbest Idea" in computer security: register_globals off
www.jmagar.com
-
So, from the point of view of enumerating types of goodness and badness, it's entirely true - he's not talking about bandwidth or volume of usage, but about the count of distinct categories.
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
Linky? I adore mocking the stupid! :)
Read this a while ago... Obviously someone reads http://del.icio.us/popular/
Seriously, this guy has some quite valid points, I've seen corporates install some quite wizz-bang products that are really a P.O.S. and spend amazing amounts of time adminning these things even when a concoction of spamassassin and an AV scanner would have done.
People (especially managers) know one thing above all - do things that will justify your position, make sure you're in control and please god don't let them fire me.
Honestly it makes me sick, those people should be made to work for a living rather than making life hell for those that actually do the work.
ho hum
You will also need to make the tmp directories (/tmp, /var/tmp) noexec. There's probably some way to do this (without needing extra partitions) using something like SELinux or another LSM.
This is true to a point. It only applies if the app is launched through the APIs that the Finder uses. Commandline apps still do not have this property - write a new shell script, compile a new command, and run it - no warning. Assuming Mac users read the dialogues, however, it should help considerably against the simplest form of viruses, such as "click me" mass mailers. And I have the impression that Mac users do tend to read the dialogues much more than Windows users, because Macs don't spew so many useless and annoying dialogues all over the place - the default assumption is that dialogues probably contain some at least possibly useful information.
What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht
Definitely an interesting article. Unfortunately most computer users seem to prefer to run with their shields down by allowing cookies and scripts, which basically are the "Default Permit" application configurations. Same thing for HTML e-mail. It's almost like smoking tobacco. People know it's going to kill them but it feels good so they just keep smoking away.
An article, Solutions for Identity Theft, Credit/Debit Card Theft, and Personal Information Theft Part I: Overview, takes what amounts to a "Default Deny" position for promoting computer security. It's pretty much a shields up approach. "If you want to protect yourself against identity theft you must not allow your Internet browser or your e-mail to accept cookies or to allow scripts to run. You must not allow HTML e-mail. Do not use Microsoft Outlook. Even better, switch from the MS Windows operating system to the GNU-Linux operating system."
"As if" they're in a Third World country? You ARE a third world country! You've got a ruling class that can do no wrong in the minds of the sheep, corruption to the core, feet-of-clay syndrome, you morally and intellectually bankrupt Americans are so oblivious in your SUVs and McDonalds to the reality; you are on the way out. You're over. Finished.
Just follow the Amazon link to his book from his home page... Read the reviews, then search Google Groups and Risk Digest.
While I agree with some of his other points, I think it's really dangerous to just give up on the idea of educating users. In the long run, no matter how secure you make the rest of your system, the user is always going to be a potential weak point -- they can disable or work around your carefully implemented "perfect security" because they NEED this ability to be able to use the system. On home systems, for example, even if you go with a white list, default deny policy, the user still has to be able to add new programs. Watch them download x fancy new shareware game, give it execute and net access permissions, and totally screw your entire careful security setup.
To make a point using the author's own analogy... while flying on an airplane, it's basically common knowledge that you don't want to walk up to the door and pull the big silver lever. Bad things happen if you do. However, if the plane has crashed and you need to get out, that's exactly the action you want to take. We don't have fire sensors that only enable the handles if the plane cabin exceeds a certain temperature... we rely on user education to make people only use this option at the right time.
Even the author's own solution, of scraping off all email attachments and saving them via url doesn't help. If someone sends out a virus, and it gets saved to a remote server, the user can still copy it to their system and run it. But if the user is educated about the kinds of thing that can happen when they do this, and about the dangers of running software from unknown or even partially untrusted sources...
Slashdot needs a "-1, Wrong" moderation option.
The Urban Hippie
I used FWTK in a very large corporation in the late nineties as mail gateways, and they were very nice for the time.
Plus, the source was included, so I was able to write my own "anti-spam" code to hook into FWTK long before it became an issue for most people.
Personally, it made me aware of the value of free software, and so I can cut the guy a lot of slack.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
http://www.zone-h.org/en/news/read/id=3287
"Why computer virus writers are useful and why we should thank them."
An Immunologist's view on computer hacking.
i'll bet it felt good to get that off your chest
OPEN. YOUR. EYES.
"the Anna Kournikova worm showed us that nearly 1/2 of humanity will click on anything purporting to contain nude pictures of barely clothed females"
???
"mount /home noexec" ? Come on, we are talking about the "other" operating system here.
Since they don't have the root password (this is a corporate environment, remember?)
Yeah, right... Users will boot single-user from a floppy or reinstall Windows the minute they feel corporate security policies are preventing them from doing their job. TCPA prevents that (and other things too, but this is another story).
Saddam Hussein was the president of Iraq, not Sumeria.
Get some facts!
I'm going by Apple's description of the security update introducing the check, which implies that double-clicking the application does not trigger it (first line under second heading). Also, I have not experienced what you describe- installing and then launching an app does not ask me to confirm it on 10.4.2.
Double-clicking an executable file in Mail does ask you to confirm; I just tried it. Also, you can turn off the Safari behavior by unchecking "Open safe files" in prefs (which is a good idea anyway since it's a stupid feature).
Actually, his whole screed can be distilled down to four words:
deny: all
accept: trusted
Ranum is railing against defaults of trust, when we now have enough untrustworthy parties that it's more economical to specify trusted parties instead. I agree with him, on his basic point. But I do disagree with his exaggeration, comparing 75K viruses, most of which never affect a given user, to 30 trusted apps, almost all of which are used for much more communications by everyone.
Ranum has a long history of important contributions. I don't let him slide when he publishes a rant that leaves me expecting him to measure the traffic he's describing in units like "Libraries of Congress".
--
make install -not war
1. Use Windows
2. Use Windows
3. Use Windows
4. Use Windows
5. Use Windows
6. Use Windows
I'm confused by the title. Is this meant to be *dumb* ideas, or a dumb *list* of ideas? "Hacking is cool" and "Educating Users"?
WTF!
And where the hell is "Security by obscurity" on that list?
Do what I say, cuz I said it.
-Meatwad
Is there any reason why you can't remove the read privs in /lib and put any other necessary libs in another readable directory??
years users that need education will be out of the high-tech workforce entirely, or will be self-training at home in order to stay competitive in the job market."
My prediction is that in 10 years, the IT workforce will be much more technically savvy because they grew up in the computer age; however, users will always require further education as new products are being created all the time. It is unreasonable to predict otherwise.
I couldn't think of a sig.
The idea that security is about technology.
It isn't. Sure, certain engineering and design principles can help security a great deal, but when it comes down to it, security is about the human brain. If you don't run the system intelligently, it doesn't matter how well designed it is, or how well the design is implemented. You will get p0wned.
I'd trust an all Windows 98 network without a firewall, run by someone who knows what they are doing, over an OpenBSD network locked down against everything run by my mom.
Victor? Is that you? I didn't know you read slashdot, Mr. Chavez!
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
personally, i don't eat at mcdonald's; i like to cook my own food (it's kind of fun, sort of like chem in some ways). i walk to school and back, and when i need to buy a car (probably after grad school), i'm going to go for something high mileage-- if only because i dislike high recurring payments. i'm still developing my moral standards, but i am working on it. as for the politicians it seems that the people who desire positions of power are the exact same ones who shouldn't have them. such is the case in many many countries and the UN. as a start i'd like to see a third party establishing the wages and benefits of congress... maybe have people vote on how well of a job their representatives are doing... but you know that bill would never pass. it would create quite a stir if it was publicised though..
and man, we need to start producing useful items for people instead of pushing around green pieces of paper. i hope to start a business after i finish school and establish myself, but for now i'll be writing web applications and building things for myself.
Good for him. But where's the incentive? Until the market punishes software vendors who don't design from the ground up for security, no one is going to design software that way.
Uneducationable users will always be the main security problem with computer systems.
I find it hard to believe that users still run random attachments to emails.
After 10 years people are still doing it.
You can't just remove all attachments from emails, so what should one do about it?
Software is not here to make up for the stupidity of people, it's here to help them utilise their intelligence. If you're not intelligent enough not to run random attachments to your emails, then you probably won't find a computer very useful.
- Jesse McNelis
...and that is all I have to say about that.
http://jessta.id.au
How's an operating system to discern the difference between good code and malicious code? Malware doesn't just mutate from the OS's own binaries out of nowhere; some jackass has to fire up their warezd copy of C++ (assuming they didn't use the toolkit which is free) and write an ordinary program with malicious instructions (after all, isn't a program defined as a set of instructions the computer executes?).
Is Java runtime a virus? OMFG it can update itself. It can check for updates without me ever knowing when that action occurred or seeing it. Firefox can too. Perhaps it should read: I still don't understand why users are so dumb that they let any old virus or piece of spyware execute.
Point in case, the OS only does what you f**king tell it to do!
Blame the user, not the software.
>> Humans make mistakes, but they also need to correct them. Sloppy code is not acceptable.
Have you ever written code for idiots?
When I'm creating software I have to hide my work in progress from management. By that I mean, show them chunks only. I can never let them see something that looks like an operational product till it's been up and running and tested six ways from Sunday, because if they see a working prototype, they'll try to force me to roll it out as productive immediately. Telling them it's "not done" doesn't work either - I've come in to work and found a demo project distributed as productive. I mean wtf? - Some PHBs just don't get it at all. You tell them it's running against a test database, needs 3 more weeks work and bang, it's out the door. - It's not on fire right now so it must be done, right?
In those circumstances, I don't really give a sh*t if it fails and costs them money, except the blame (and 3 am phone calls) fall to the team that wrote it.
You're 100% right, there is no excuse for buggy code, but there is tonnes of it out there, being used productively, that was never really finished. Sometimes it's got less to do with the lazy developers than managers who don't listen.
http://request-header.info
That's almost a Haiku.
... the risk of people sleeping with the sysadmin. Which he was famous for when he was a budding hacker at Johns Hopkins.
Anyway...the point is that people are always going to be the point of failure. No amount of automated wizardry can even slow down people who are going to do stupid things.
JHU '83
You don't need to be administrator to do this, just to write to the registry to install most large software packages. Try this experiment:
Create a restricted user account.
Download an exe file, for example, putty.exe (just google it) as that user.
Run what you just downloaded.
Now figure out how to stop yourself from being able to do that...
Effect of reading too many "IDIOT's guide" and "for DUMMIES" books... :)
I honestly wouldn't say that it would count as a dumb idea, because the basic concept isn't too bad when it comes down to it. The big problem is that the implementation is just piss-poor right now.
As somebody already pointed out, the concept of DRM can be used quite nicely for securing a computer against a possible attacker. The problem is that in a panic over what to do with this new "Internet" thing, a few publishers, most of the labels, and most of the film studios have gone to ridiculous lengths to try to protect intellectual rights with content.
The concept of protecting intellectual rights isn't a bad one. Speaking as an author, if somebody told me that some unseen force is going to dictate to me what I'm allowed to do with anything I write, my first reaction would be to give them the finger and tell them where to stick it. If I want to sell the publication rights to a New York publisher, that's my decision. If I want to make it public domain and publish it on my website, that's my decision too. It's reasonable, and quite frankly moral, for my wishes regarding my work to be respected.
Unfortunately, there really isn't a good way to implement copyright protections in digital media yet. The United States came up with the DMCA, but that will probably change soon enough - it's one of those laws that will probably be a work in progress, written when the technology wasn't truly understood. All DRM essentially does when applied to content is dictate to the consumer what they can do with what they have just bought. It's like buying a lamp and then having the lampmaker tell you when you can turn it on.
Balancing it all is the big problem. The idea behind DRM with content is to protect the rights and wishes of the creator, but the only implementations of it right now do so by stripping away the rights of the consumer. I honestly think it would be a lot easier to just stick with the Berne Convention and trust the people who buy your work to be honest about what they do with it (and take reasonable, and I stress "reasonable", actions when you can prove they are not). I have a funny feeling the technology and its issues will sort themselves out given enough time.
Robert B. Marks
Author, Demonsbane in Diablo Archive
1. Windows 3.1
2. Windows 95
3. Windows 98
4. Windows 2000
5. Windows ME
6. Windows XP
#2: Enumerating goodness.
Guess what. You've just pretty much gone back to the dark ages. Everyone has a set of programs installed on their computer by the priesthood, and that's all they can run. Might do something about viruses. Definitely reduces the utility of the machines.
#3: Hacking worthless
Holding your adversary's skills in contempt is generally not a good idea. Refusing to learn them is just plain stupid. And, of course, hacking (even the black-hat sort the PC prefer to call "cracking") isn't what he says it is. Learn a particular exploit? Any script kiddie can do that. Figuring out how to identify holes and develop exploits, that's another thing entirely, and as useful for a security professional as lock-bypassing is for Medeco.
#6: Sit on your duff and let the other guy take the lumps.
Sure, you CAN do that. But there's reward as well as risk in adopting the new stuff. And consider that if everyone took that strategy, progress would be entirely stifled. His IT exec who waited two years to put in wireless may have saved money -- but he also had two years without wireless, which may have cost him more.
What you have seen is users rejecting poor [Windoze] implementation of privilege separation. My wife has no problems with a non root account on Mepis. It lets her run what she needs without being able to affect the system. The permissions are a little loose for my taste and the inclusion of non-free software like Macromedia Flash is a bad idea, but the restrictions are good enough. You don't have to annoy the user to keep bad things from happening.
The idea of only allowing 15 applications is not as good an idea as the usual pid uid system. First, each of those applications are actually a whole collection of programs so the problem is larger than stated. More important than that, the system for deciding what runs could itself be compromised and used against the user. This is exactly what happens in the admittedly dumb world of anti-virus. "Default Permit" is not really something that exist on unix systems. "Default Deny" as described by the author is something that will stagnate everything it touches and drive everyone crazy.
Friends don't help friends install M$ junk.
That is really a point worth considering. There are many Dilbert cartoons that use it as a punchline but I never paused to think that ALL security has a negative productivity aspect (not necessarily net negative, but there is always something negative) to it. Perhaps a standard part of any security procedure should be to list negative aspects because I think people are too idealistic as with "Hey! Let's change passwords everyday!"
Your CPU is not doing anything else, at least do something.
First of all, since when is default deny "seldom done" and "difficult?" That's just ridiculous. Just about every firewall product out today has a deny by default policy. And it is by no means a difficult concept. "Allow what you need and no more, if you find that you need something that is blocked, decide if it is _really_ needed and if so allow it" wow that's too tough to wrap my head around!
Also, the author seems to be under the impression that perfect software is possible...well sorry, bad news, it's not.
His ideas on "Penetrate & Patch" being wrong are just silly. Yes, of course it's true that some systems are more secure by design than others, no argument there. But that has nothing to do with the penetrate and patch cycle. The point of P&P is that you assume your system isn't perfect (and gee, what a far fetched idea that is!) and try to see how it could be broken. No programmer can think of everything and there _will_ be holes. I have also found that many security issues that didn't come up in white box testing (that is, analyzing the source code) did come up in fuzzing and other black box approaches. Sometimes these problems are a lot more difficult to spot in the code than one would hope. Also the fact that software has an issue doesn't make it insecure by design (it could be, but it is not necessarily true). Many times it is due to incorrect implementation of a good design, or simply a minor coding error.
Also, his idea that "if FOO worked, we'd have run out of BAR type of security problem by now." Yea, that's also not the case. Perfect example, buffer overflows have been around for quite a while now and we still see them all the time. Companies make a diligent effort to prevent them, and attackers just figure out more creative ways to make em happen. Problems don't go away over night (if ever) once they are discovered and addressed.
His thoughts on enumerating badness are also a little out of whack. Sure it's not a good idea to assume that everything you know of is everything that exists...but it's a damn good place to start! This is one of those things that isn't a great idea, but is an effective first line of defense. It's guaranteed not to catch everything, but it's a sure fire way to get those low hanging fruit while you can.
proxy
I know this is not the first post within this topic, but I've mentioned Marcus's finer points in an earlier topic...
http://slashdot.org/comments.pl?sid=161733&cid=13
link here
After two excellent story submission rejections, I can't take it anymore.
The first point is entirely on the money. At least 10 years too late, but totally accurate.
The second is just too overreaching: would you like a computer which can run 30 programs from a master list and nothing else? There are many cases where "enumerating goodness" is exactly the right thing to do, and - guess what - that's exactly how such cases are done, for example, sudo.
The rest of the article basically boils down to this: if you don't want your system to be hacked, don't make it hackable. Sure thing. Don't debug your programs, just write them correctly. Don't install airbags into cars, just avoid crashes. Stupid us, doing all the precautions and safety things for years. Just don't make mistakes, see how easy it is?
NoScript users have been asking for black-list JavaScript/Java blocking since the beginning, but I'm still convinced white-list approach is the only way to go, when it comes to security. How can you tell for sure the link you're about to follow with a careless click (or, worse, the popup that is about to open without your consent) leads to a "safe place"?
There's a browser safer than Firefox, it is Firefox, with NoScript
This guy has a couple good 'no duh' points and several really stupid ones. Let me elaborate:
#1) Default Permit
This I agree with, in the case of firewalls in a corporate environment, where the input/output can be predetermined and controlled. Everything should be blocked except for the handful of things that need to get through.
#2) Enumerating Badness
This idea BLOWS for desktop applications, which is what he advocates. Why is it bad? Because while he only has "30"-or so applications he uses, as most people do, those 30 are different for most users. You can't enumerate all legit software, it can't be done. You can enumerate most of it. But then you get to a list comparable to 70,000 virus signatures you are trying to leave behind. Besides, if I write my own application, my anti-virus software would need an accurate, detailed signature of what the application looks and acts like to be able to identify and allow it... Something I cannot reasonably do. Which is why we have companies create the signatures, for the (comparably) finite number of viruses and trojans. Default Deny on a desktop, especially personal ones, is a broken, unmaintainable, BAD idea.
Even in a corporate environment, which has more home-grown apps, you would need custom signatures for each internal app to function. Something not practical for an IT department to create. The idea just doesn't hold on a PC.
#3) Penetrate and Patch
His argument: if you had designed it securely, you wouldn't need to pentest it.
Ok, but how do you know your implementation was complete to the design, or that your design didn't have a hole in it? Well, you have to test it... pentest it, that is.
Yes, it is a great idea to securely design your apps, with secure-by-design principles. Afterwards, you STILL need to test it in a live environment to ensure you didn't forget or miss any steps. That is only a logical step. Pentesting even the most secure of networks is critical, to be able to PROVE they are secure. You can't just say 'because I said it was!' and expect that to fly.
#5) Educating Users
He contradicts himself. He says that you shouldn't have to educate users because they should already be educated... Which is a chicken/egg problem he never admits to. You should do both: hire competent, smart people, AND train them in the policies and guidelines of their environment.
Very true, and well said. However, the problem in most companies lies much deeper than this. It's a lack of thought in IT policy in general.
I work at a construction company. We have a growing office where many of the employees have computers. However, the people running the company treat IT as sort of a sidebar - something that doesn't actually affect the business, and thus there is a lack of corporate policy regarding computers and their use. All employee files are kept on their individual workstations, most of which are not backed up at all, let alone well. The email, too, is kept on individual workstations and the sending and receiving of email to/from company addresses is not monitored or controlled. We don't even control our own email server, our email resides on the server of a contracted IT guy and no one from our company actually has access to it (not even me, the in-office IT guy). Our networking is a mess, so someone wanting to take down our network could easily plug a laptop into a port somewhere (we don't even know where all the cables go) and put viruses or other malware onto any computer in the building, as well as steal all sorts of sensitive information.
So, with all these problems, what is the question that my boss (the president of the company) asks me most often? Am I sure that everyone's Norton Antivirus is getting updates every four hours, or is it just going once a day? Again - treating the bandaid solution as a cure.
Basically, there has been no thought put into the IT policy at this company. The technology grew faster than the company could handle, and they have no control over their computers or their network. If corporate IT policies, even in medium-sized businesses like the one I describe here, had more thought put into them, computers everywhere would be much more secure.
The system was supposed to be "one password for all" so you didn't have to do exactly what I just described, but it never went that smoothly when you used it. Why is it that they can't deliver something so simple as a user friendly way to change a password?
Where does the Macintosh OS fit in to your scheme of things? By all measurements it seems to have been built with user friendliness in mind, however it's also generally regarded as being pretty secure by design also.
People keep saying that, and you even say there are "measurements". If you use a term like "measurements", surely somebody measured OS X usability relative to other systems. Can you point to such published measurements?
They were already suffering like they lived in some third world country. The poor areas of New Orleans were not pleasant. The environment was poisonous, the buildings infested with vermin, the inhabitants functionally illiterate.
In some twisted way, the hurricane is like a colonic. This was an area of the country we'd forgotten about, an area we'd let rot and stagnate. A lot of buildings that desperately needed replacing for health and safety reasons will now be replaced. Infrastructure will be updated. In some ways... this is a blessing.
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
The way that you get software onto Linux, the very nature of open source, is a trojan horse disaster waiting to happen.
.. what is all this make install gnu auto configu stuff?
With Linux, installation is endless. How I so wish that I could just get one fricking package from online for KDevelop or any other tool I use and run one installation process.
Instead I have dependency hell.
KDevelop wants a package called Graphviz, something called Arts (the SUSE version isn't good enough), a new kind of source control system. I have to go to fifty different web sites that I find by Googling just to try and figure out what to get?
This is fraught with danger.
If I'm a hacker, I wouldn't even bother trying to find a buffer overrun somewhere, I would just put up a legitimate looking web site claiming I have a binary for something like CVS or RPM or any of the myriad packages that Linux uses, stuff my own code in it, and wait. Some Linux nooby would download it, run the rpm as root, and I'm in.
Source code devotees stay silent. I could probably put a tarball out there with rm -rf / in the middle of a makefile somewhere and no one would notice. Hell, I could just delete one file.
Stupid stuff in RPMs would be useful.
a) the package should specify whether it requires root permissions
b) packages should have a list of certified sites for their dependencies. OR, there should be an https repository for ALL packages.
Until you eliminate people googling for dependent packages to be run as root, Linux is just as unsafe as Windows, if not more unsafe.
This is my sig.
I honestly wouldn't say that it would count as a dumb idea, because the basic concept isn't too bad when it comes down to it.
I disagree, as discussed in the presentation:
The basic concept with DRM is standard encryption. To securely communicate between A and B without E overhearing it. In DRM, B and E are the same person. In that way it is fundamentally flawed. The crypto is right in front of the user, decrypting things, which means it will always be weak. And then there is the analog gap. Not to mention it's very much something the consumer doesn't want.
For those reasons, I do count it as a dumb idea. The talk I linked to was very illuminating along these lines.
I've always thought the whole idea of antivirus was bad. Prevention is better than cure for one; and file recovery like ghost is always more effective.
But the mistake of user education was funny.
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
Half the article is irrelevant through age, which is amusing because it's one of his own criticisms on dealing with security.
The author is just paranoid! Although I agree on his remarks about exploits!
sex is better than war!
When I posted my latest status update that I was waiting for the app manager to coordinate the install, he followed up and said "don't wait on him, just go ahead and copy the app directory, set all these environment variables..." I pretty much just ignored this. Later that day during a phone conversation I mentioned copying and updating the previous profile wholesale if they were really in that big a hurry (there was no reason to be, but if they wanted to be I at least wanted it to go well). He went ballistic and came vanishingly close to ordering me to just do it his way -- he can't do that because even though he has seniority, he isn't someone I report to, and our mutual boss was on the call, but he clearly wanted to.
It later turned out that there was authentication data that we needed and didn't know, but which was cached in the profile. His solution was "analyze the configuration data to find where the username and password are." Or, I said, I could just copy the profile over and then I don't need to spend hours looking for this data (that we aren't supposed to actually have -- it's a database login provided by the app management team, input directly by them into the app instance and saved in the profile, I presume in an encrypted form).
This same guy once pushed out a broken Windows group policy to our userbase to test it (that's when we found out it was broken). He's a pretty talented guy, and we apparently went to some length to keep him after his student eligibility expired, but at least once a week he recommends something totally braindead like that and I have to either ignore him or explain to him (and often others) why it's really not a good idea to do it his way.
-- Old Man Kensey
Fixed!
Trusted Computing would be excellent for organizations that want to secure their network if the organization gets to determine what is allowed.
How the part in italics will work out in Windows is not quite clear yet:
When Vista hits the market, will the IT department of your company have the tools to allow/disallow certain applications? Or will they have to suck up what Microsoft delivers?
If it is the former, Trusted Computing might be good for companies (but still not recommended for the private user).
If it is the latter, avoid it like the plague.
C - the footgun of programming languages
While I admit, designing a system from the ground up to be secure is important, it's really quite hard to expect most software companies to do that. However, I don't feel that the patching game is all that worthless. If a product was totally static, then yes, it would eventually have most of its flaws patched, or so one would expect. However, products are changed, overhauled, and often completely rewritten. This always seems to introduce a lot of new security flaws. If Microsoft simply stopped adding so many 'useful' new features to their software, and concentrated on locking down their software, it would probably be much more secure. However, they are driven to 'innovate', and we end up with features like system restore, which can actually make it so you can't delete some worms... Also, a 'complicated' program does not have to be a 'bloated' program. I remember the good old days when Opera would add functionality and *reduce* the binary size & memory usage.
Why don't people think of virtual security as they do about physical security in life in general?
The approach here is to make it harder than average (but not impossible because that is - well, impossible to achieve) to break in (like the old joke about outrunning the bear). That way the burglar is likely to move on to a less difficult target. This is combined with things like neighbourhood watch (makes getting arrested more likely), alarms and a general moral education that makes burglars less cool. This doesn't eliminate burglaries completely but will reduce the likelihood significantly.
An important point is that absolute security doesn't exist. Sure, you can remove all access points and even send your house into orbit, but it still doesn't eliminate the risk completely. But you have succeeded in making your house completely useless.
Security at the price of complete uselessness is the most stupid idea ever. Therefore the only really potent point in this article is the one about making things secure by design and structured coding.
Buffer overflows, cross site scripting etc. are the result of stupid people posing as programmers doing what they do worst. It is so simple to write a little wrapper that checks boundaries before allocating memory or similar, or to strip away everything unexpected in input (especially from command lines or URL queries), and then to call that wrapper everywhere you need such resources. You wouldn't believe how many times I've seen the same piece of code repeated again and again in languages where functions are readily available, and in some places some checks are made while in others it looks like the original prototype code with no checks whatsoever. You end up with huge source files filled with unpredictable code. It's impossible to maintain and basically needs a complete rewrite.
On the other hand, a well-structured program is easily secured because it's basically like a Lego-construct. Check all the building block types and build new simple sub-structures that again are checked on the basic level - and so on. If the blocks are named wisely the main program reads like a macro definition or similar and is easily understood by new maintainers. This method is actually taught in basic computer science at the universities but so very few take it with them into the private sector. An example of a program written somewhat like that is Bernstein's qmail MTA - it contains hundreds of small functions and each is no more than a few lines long. Also it is broken up into several small modules each with a well-defined security stance and most run with no special privileges. So far there have been no breaches despite it being almost a decade old. Compare that to good'ol sendmail, a monolithic application with lots of huge constructs hundreds of lines each - very hard to secure.
"For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
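The "little wrapper" the post above describes, as an added example (editor's code, not the poster's and not from qmail or sendmail): an unbounded copy kept only as the "before" case, a bounded copy that refuses to overrun its destination and reports truncation, and a whitelist filter that strips unexpected characters from a URL query value or command-line token. The whitelist (alphanumerics plus "-", "_" and ".") is an assumption for illustration; a real program would pick it per field.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Added example, not code from the original post.
 *
 * BEFORE: strcpy() trusts the caller to have sized dst. A src longer than
 * dst overruns it. Kept here only to show what the wrapper replaces. */
void unsafe_copy(char *dst, const char *src) {
    strcpy(dst, src);
}

/* AFTER: copy at most dst_size-1 bytes, always NUL-terminate, and report
 * truncation so the caller can reject the input instead of silently
 * clipping it. Returns 0 on success, -1 if src did not fit (dst is still a
 * valid, truncated string) or on bad arguments. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t n = 0;
    if (dst == NULL || src == NULL || dst_size == 0) return -1;
    /* Find src's length, but never look further than dst_size bytes. */
    while (n < dst_size && src[n] != '\0') n++;
    if (n == dst_size) {               /* src is too long for dst */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);           /* includes the terminating NUL */
    return 0;
}

/* Whitelist filter: keep only characters known to be harmless for the
 * field (assumed here: alphanumerics, '-', '_', '.') and drop everything
 * else. Writes at most out_size-1 bytes plus a NUL. Returns the number of
 * input characters dropped (rejected or not fitting) so the caller can log
 * or refuse suspicious input rather than just sanitising it quietly. */
size_t strip_unexpected(char *out, size_t out_size, const char *in) {
    size_t dropped = 0, o = 0;
    if (out == NULL || out_size == 0 || in == NULL) return 0;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        int ok = isalnum(c) || c == '-' || c == '_' || c == '.';
        if (ok && o < out_size - 1) {
            out[o++] = (char)c;
        } else {
            dropped++;                 /* rejected, or no room left */
        }
    }
    out[o] = '\0';
    return dropped;
}
```

Both wrappers return a signal the caller can act on; a check that silently truncates or strips is only half the fix, since the oversized or odd input is itself evidence worth rejecting or logging.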
There is at least one other way to improve security...
http://www.comics.com/comics/dilbert/archive/images/dilbert2813960050912.gif
Get a clue. Sumeria *is* Iraq. Or at least a significant portion of it is. Take it from an old Civ hand.
Something bad is coming when people are suddenly anxious to tell the truth.
I suspect he's hung up on Windows, where this is in fact the case. But even on a proper operating system (ah, the joys of OS snobbery) I believe (I'm away from Linux atm) that things you download in a tar file or similar keep the permissions that the creator set them to. I could be wrong - I'll check when I get home - but, if something like this is in fact the case, I could well imagine something misrepresenting itself as a document being accidentally executed. It'd take a fairly stupid user to pull that off, but when have we ever had a shortage of those?
;-)
:P
And yes, IAAM - I Am A Mathematician. At least that's what it says on several of my college degrees, so I guess I must be one.
Bah, and I'm stuck as a student for another year or two. You don't have a spare college degree you don't need, do you?
For the love of God, please learn to spell "ridiculous"!!!
And just food for thought -- #6 (test the waters) conflicts with #3 (redesign) and #4 (don't crack).
#3 because redesigning code has a tendency to just reopen old wounds as much as fix potential problems -- you're trading the well-known for the cutting edge, which is exactly what #6 advises against.
#4 because you can't expect people to know how to do things "right" without first learning from others' mistakes -- learning current security problems and how they are exploited *is* important. It has nothing with being "cool". It's useful information.
Sorry, but you're wrong. #6 specifies that you shouldn't rush out to do change something without thinking about it first. And that's what design is all about, *thinking* about what the software should do and how. A secure design won't open up old wounds, it will throw them out before even starting to code. A blank sheet of paper doesn't have any old wounds.
As for number 4, there is a big difference in knowing how to avoid e.g. a buffer overflow, and how to exploit one. Know how to avoid it by checking your input (and no, using a hyped "secure" language isn't enough, you still need to check input), instead of learning how to find out where in the input to place your code, and how to calculate the return address.
This article lost most of its credibility when I saw that his graph for enumerating badness came from the "department of vague pseudo-scientific statistics". Humorous though it may be, I don't think people should be making up charts to illustrate their "data" when there aren't real numbers to back it up. It's worse than providing 6 significant digits in a measurement for which you only measured two, in my opinion. It makes me doubt that any research or real data went into any of the rest of this article, and suspect that it's just one guy's opinion.
There have been plenty of little kids who were told off by their parents for playing with matches in their room, and they probably thought their parents were mean, power-tripping, control-freaks, just out to spoil some good clean fun.
And if there are those who believe their computer at work is their responsibility: who pays for the time required to fix the computer when it goes wrong? The company, not the end user.
Linux/Open Source/Anti Microsoft News
"of barely clothed females." As opposed to nude pictures of fully clothed females?
Oh come on... Someone's got to say it....
1 Windows 3.1
2 Windows 95
3 Windows 98
4 Windows NT
5 Windows 2000
6 Windows XP
Tada !
If you don't mind your computer system not being able to DO anything! This guy obviously does not work in the setting he is writing for.
Deleting all EXEs from EMail will cause people to lose legitimate information, and when the CEO doesn't get that self-executing ppt slideshow in his EMail, it's your fault for deleting it and giving no warning. Of course, the alternative to this would be educating the users... which is also a bad idea, according to this dumb motherfucker.
Sure, some of the points are good, but if you were to implement them all, your system (for most businesses) is a very expensive pile of plastic, silicon, and metal that can't do anything useful.
As for the patching one, sorry to burst your little fantasy bubble, but bugs in software happen. His claim that entirely secure software is easy to write is complete BS. Assuming, of course, your software does something that requires accessing some other source of information, there will be bugs. Shit happens.
"We're not a target" - yes you are
Guess what, jackass, sometimes, someone ISN'T a target. No one wants to break into the Bummsville True Value hardware store servers. Oh, and worms being able to spread to your system does NOT mean you were a target. You are a civilian casualty.
My favorite non-sequitur of the article
"We don't need a firewall, we have good host security" - no, you don't. If your network fabric is untrustworthy every single application that goes across the network is potentially a target. 3 words: Domain Naming System.
WHAT THE FUCK DOES DNS HAVE TO DO WITH FIREWALLS??? Is he suggesting that a firewall would do shit against a DNS Hijack/Attack? Does he know what a root server is?
> "We can't stop the occasional problem" - yes, you can. Would you travel on commercial airliners if you thought that the aviation industry took this approach with your life? I didn't think so.
This guy is actually suggesting there are no problems with the airline industry??? AND HE CLAIMS HE WAS A CEO AT ONE POINT??? Obviously this CEO never left his office... or has never seen a stand up comedian... or late-night talk show host, or a sitcom... you get the point.
And finally, sometimes the "whizz-bang idea of the week" really is a good idea. It's rare, but it happens. If I look at something and think it will actually help, I'm going to freaking buy it, regardless if it's pretty darn new!
That's a biggie, but I think it's one of the two biggest problems. The other is that, by default, it is maximally easy to run (at all, as any user) even the most breathtakingly untrustworthy code, i.e. that which arrives as an e-mail attachment from a unknowable source. There have been various attempts to patch this, but the main line of defense still seems to be that the poor user is ultimately responsible for deciding which attachments are safe to open and which are not -- and this has been more than amply shown to just plain not work.
If the one-click-to-open-an-attachment model did not mean, for an executable attachment, to execute the attachment, email viruses would be a minor problem, not a sweeping epidemic. (Realistically: how often does anyone receive a legitimate executable program in the mail and expect to be able to run it right out of their mailbox?)
Deny by default. Depends on the situation. For a firewall that is a great idea. For executables it is a dumb idea. I think he has no clue just how many executable programs he uses. It isn't the 8 or 9 he cites. Linux for example has thousands of programs that most people never see - cat, cut, paste, grep, join, link, etc. Get rid of those programs and see if you can even boot. Even for programs that he does run - like an internet browser, not running remote executable code limits his ability to do much. Lots of javascript, java, and so on.
Enumerating badness? WTH is he talking about? Nobody I know enumerates badness except idiots and companies trying to tell you how good they are.
Penetrate and patch: Still a good idea and this fits into his first suggestion - get rid of executables that you don't need. So he is contradicting himself. How do you know if something is running unless you do a penetration test? Pen tests can also show you if your configuration is set up right or if you managed to screw up the configuration file and therefore the program is doing something you didn't intend.
Hacking is cool: He suggests that people not understand how hacks work. This is a dumb suggestion. By looking at how mistakes were made by others you can therefore avoid those mistakes. Most holes were not there intentionally, it was because the programmer didn't think of how the code could be compromised. By learning these techniques, they can be avoided. Indeed again to his previous point.
Educating users: I can't believe he is suggesting that users not be educated. Most people are the equivalent of "Just off of the turnip truck." They don't know to not take the Nigerian scam or many of the other social engineering tricks. Most people are trusting by default. It is like allowing people to walk through a very bad part of town and not telling them about it.
His minor dumbs are what he should have put in the top. I see those far more often. I have to wonder if this is something he had to do for a writing class at school. Looks like it.
1. Trying to fix flaws in technology with more technology.
I'm really glad to hear someone else echo the stupidity of "enumerating badness/default permit" as the author puts it.
But you're hip-deep in the mud.
One of the points basically comes down to "write perfect code".
Nowhere does he say that; what he's saying is that we should try -- try! -- to do better. In fact, one of the things people who take security seriously realize is that their code will not be perfect -- and then figure out ways to limit the damage.
Well, duh, why didn't I think of that before?
The "duh" is on you, I think. You, like most of the software industry, regard bugs and rampantly imperfect code as inevitable, and you pooh-pooh anyone who dares to suggest that we could do better. You refuse to take seriously models other than "default permit" and "reflexively patch", models which guarantee an escalating arms race and a neverending stream of vulnerabilities and an epidemic of real, actual, time-wasting and money-costing and data-losing security problems.
I can't say that you're wrong, because so much of the industry agrees with you, which is why computer security is the horrible mess it is. But it doesn't have to be that way.
SELECT quote.text AS sig FROM quote NATURAL JOIN attribute WHERE attribute.description = 'witty';
0 rows returned
To illustrate, ask yourself this question: why do most corporate computer users have permissions on their computer to download and execute arbitrary programs?
Maybe because contrary to what most IT Nazis believe, the rest of us at your company are actually trying to get work done. And that often involves more than reading our email. And no, you may not take 2 weeks of my time to certify every application I download.
Mad Software: Rantings on Developing So
So...tell me just how you'd send something to someone in an attachment, and all they had to do was click (or double-click) it to open it?
Thing is, on OS X, they have to at the very least take the steps of unzipping the attached app bundle to an appropriate location, or mounting the attached disk image, then finding it in the Finder and double-clicking it to run it. You can't simply attach an app, because it's a folder.
Dan Aris
Fun. Free. Online. RPG. BattleMaster.
Man is that wording pretentious... but anyways...
I use a little program called "Little Snitch" it is your basic network filter except it is active and dynamic. By this I mean that I don't have to go through huge documentation bibles looking up port number / protocol combinations to create a list of 'goodness'... I just let Little Snitch run, block every port on my machine and when one of my apps needs access to the outside Little Snitch asks me if I want to permit it!!!!!!
LS also asks me what sort of rules I want to apply to the application, ie: give appXYZ access to selected port/ all ports : selected server/ all servers : for just this once/ until the app quits/ forever.
It does the same thing for incoming access requests.
This means that blocking all my ports by default doesn't impact the utility of my machine at all.
I recommend that anyone should check it out.. it provides all the power of having a dedicated network sysadmin for my local machine without the issues of another person trying to guess what i want to do all the time.
So to summarize, "Enumerating Goodness" is possible and indeed is a viable solution when you have a tool that lets you do it on the fly as you need it, instead of trying to precognitively guess what applications will be needed down the road.
The only case I can think of that could cause trouble is if you were to download a trojan that first altered your network filter to allow it access before doing its dirty work. This is where a good AV tool that checks incoming connections through trusted ports like 80 and 25 would be required.
A fool throws a stone into a well and a thousand sages can not remove it.
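The "enumerate goodness on the fly" model the post above describes, as an added example in plain C (editor's code, not Little Snitch's): every outbound connection attempt is checked against a rule list; no matching rule means ASK the user, never allow; the user's answer is recorded with one of the scopes the post lists (this once, until the app quits, forever). The application names, hosts and ports are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Little Snitch's code. A default-deny, per-application
 * outbound policy whose rules are learned from the user's answers. */

enum verdict { DENY = 0, ALLOW = 1, ASK = 2 };
enum scope   { ONCE, SESSION, FOREVER };

struct rule {
    char app[32];
    char host[64];      /* "*" matches any host */
    int  port;          /* 0 matches any port */
    int  allow;         /* 1 = allow, 0 = deny */
    enum scope scope;
    int  spent;         /* a ONCE rule is consumed after its first use */
};

#define MAX_RULES 32
static struct rule rules[MAX_RULES];
static int nrules = 0;

static int match(const struct rule *r, const char *app, const char *host, int port) {
    return strcmp(r->app, app) == 0
        && (strcmp(r->host, "*") == 0 || strcmp(r->host, host) == 0)
        && (r->port == 0 || r->port == port);
}

/* Decide on a connection attempt. Rules are tried in the order they were
 * added; first match wins. With no matching rule the answer is ASK, so the
 * default is never "allow". */
enum verdict decide(const char *app, const char *host, int port) {
    for (int i = 0; i < nrules; i++) {
        struct rule *r = &rules[i];
        if (r->spent || !match(r, app, host, port)) continue;
        if (r->scope == ONCE) r->spent = 1;
        return r->allow ? ALLOW : DENY;
    }
    return ASK;
}

/* Record the user's answer to an ASK prompt. Returns 0, or -1 if the
 * table is full (the caller should then keep asking, not start allowing). */
int add_rule(const char *app, const char *host, int port, int allow, enum scope scope) {
    if (nrules >= MAX_RULES) return -1;
    struct rule *r = &rules[nrules++];
    snprintf(r->app,  sizeof r->app,  "%s", app);
    snprintf(r->host, sizeof r->host, "%s", host);
    r->port = port; r->allow = allow; r->scope = scope; r->spent = 0;
    return 0;
}

/* Called when an application quits: its SESSION rules are forgotten. */
void end_session(const char *app) {
    int kept = 0;
    for (int i = 0; i < nrules; i++) {
        if (strcmp(rules[i].app, app) == 0 && rules[i].scope == SESSION) continue;
        rules[kept++] = rules[i];
    }
    nrules = kept;
}

void reset_rules(void) { nrules = 0; }

int main(void) {
    static const char *names[] = { "DENY", "ALLOW", "ASK" };
    printf("mail -> smtp:25 before any rule: %s\n",
           names[decide("mail", "smtp.example.net", 25)]);
    add_rule("mail", "smtp.example.net", 25, 1, FOREVER);   /* user said yes */
    printf("mail -> smtp:25 after the answer: %s\n",
           names[decide("mail", "smtp.example.net", 25)]);
    printf("mail -> smtp:80 (not covered):   %s\n",
           names[decide("mail", "smtp.example.net", 80)]);
    return 0;
}
```

The rule table is the whole security of this scheme, which is exactly the weak point the post's last paragraph worries about: it only works if the table is writable by the prompting component and not by the applications it governs, otherwise a downloaded trojan just adds its own ALLOW rule before connecting.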
All we have to do to make software unhackable is write unhackable software!
Oh my GOD! The *simplicity*! The JOY!
I don't have them stuck to my monitor, but I do have passwords on post-its. At least for a short time. When I create (or receive) a new password that doesn't follow my story-rule* in my head, then I write it down. I remember it better that way. But I write it down amongst other words/doodles/passwordy words/etc so it doesn't stand out as a password. Once I remember it, it goes into my txt file of other passwords, stored in a password protected zip file, and the paper is destroyed. That zip password is never written down, and one I'll always remember. (see story-rule*) Of course, the file is named something like meeting_minutes.zip or notes.zip or something boring looking.
* My story-rule is something I came up with to create passwords. You build a story around something, and your password comes out of that. It morphs from there, to where even knowing the original story won't get you the password. Hypothetical example: I read Slashdot. Slashdot has this thing called karma. I always liked the phrase "my karma ran over your dogma". Make password karmaoverdogma. Too plain. Rule: remove all vowels, except a. password is karmavrdgma. Now capitalize the first and last letters. Password is KarmavrdgmA. Once I get the story down, it is easy to recreate the password. Really all I have to remember is "karma over dogma", and the rules.
Now, next time I have to change my password, I can either change a rule (capitalize the 2nd letter from the front and back - kArmavrdgMa) or I can institute a new rule - stick a double digit at the end. KarmavrdgmA11. Next time, I could change it to 22, then 33, etc.
Part of the power in this is the reminders. In the password file I mentioned that I have, I don't actually put the passwords. I put keys to the story. So this one might be "My karma ran over your dogma, a, cap, 11". I like these kinds of methods because they would be hard to crack, and I can remind myself without giving away too much info. I could write down my reminders and it would be virtually meaningless to anyone but me.
I still remember a password that an intern set up back in '94. It was "CIrpotb,". The first letter to the words in the Pearl Jam song Jeremy "Clearly I remember picking on the boy," (with the comma at the end).
My beliefs do not require that you agree with them.
Why not do it like car insurance companies do: give users more rights when they did not have viruses and spyware for a month, and take rights from the user when they got a virus or spyware.
If you double-click and that leads to launching an executable that hasn't been run before, it pops up a dialog to ask you about it.
Does "shell" count as an executable? If you allow it to run once, it doesn't ask again? What about perl, or other interpreters? Or is it based on the entire command line: "java programA" gets checked even if java has been executed before? Or does it also depend on the directory from which the command was executed? Does it catch ./myProgram goodRecipe.script vs ./myProgram badRecipe.script?
And my favorite from Windows: Should a user permit "c:\Program Files\Microsoft\Windows\system32\svchost.exe" to run or not?
./myProgram < goodRecipe.script vs ./myProgram < badRecipe.script
. . . to a situation that you do not wish to acknowledge, or you are not aware of the caliber of [poverty] indicated by the presence of [an Indian reservation as] your community."
The poorest places in the United States have been on the reservations since they were started. Running water, electricity, or telecommunications of any kind (no smoke signal jokes, please) would be a large step up in infrastructure.
This is not to suggest that slums in New Orleans, or other large cities didn't/don't have problems of their own, but there are poorer and less privileged people in this country.
Politicians pretend to care about other minorities because there are large populations, or concentrations of those populations in valuable states. If the people that pretend to care about racial and minority injustice really cared they would worry about the American Indians first, then worry about the more populous minorities (bit of an oxymoron there).
"Trouble. We got lots and lots of trouble."
P.S. I am neither a Native American, nor an American Indian. (Mother born in Idaho, Father born in Mexico, I was born in Japan.)
P.P.S. This post is not meant to suggest that any policies change, but to expose the hypocrisy inherent in many people that pretend to care about minorities.
P.P.P.S. This is a bit too rant-like. Please think about it, but don't take it too seriously. I am posting as AC, after all.
Only allow a white list of programs to run?
:p.
;)
Sounds a bit like DRM.
Be careful what you wish for.
Also be careful what others want you to wish for.
BTW who cares about really dumb ideas anyway, there are plenty around, too many to list.
Keeping to the spirit of things, maybe there should be a default deny on all ideas, and we should only get to see the good ones
That'll be double plus good wouldn't it?
"Security Through Obscurity"
If somebody at my company set up a proxy at home, and encrypted and redirected their traffic through their home machine in order to circumvent security policy, they would be fired in a heartbeat. And if they actually showed me the Playboy site on a work computer, I'd escort them to the door myself. You are part of the problem by not following procedure, and you are introducing new security holes that the administrators now have to deal with. You may think you are smart because you have the knowledge to do this, but start paying attention to the law. If you are knowingly circumventing security mechanisms against policy, you are nothing but a hacker. Your administrator should also be fired for allowing you to get away with such blatant violations of company policy and, very likely, the law.
The problem with DRM is that it does it by machine rather than by person. It would be more fair and less prone to piracy if you identified which person can run a media file instead of which device the person can run it on.
Then the person could take the media to any device and could play it as long as he identified himself to the device.
I'm not sure how this would work, but it would be more fair than the current system. Perhaps a random encryption key based off the user's thumb print etc etc...
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
Using an all in one proxy server (ala Blue Coat) as a security device.
It can be a piece of the puzzle, but for your network's sake please buy separate best of breed for spyware/av/content filtering etc. Don't try to do it all in one device.
"In fact, if I were to simply track the 30 pieces of Goodness on my machine, and allow nothing else to run..."
I thought Trusted Computing was a bad idea? No?
"And the meaning of words; when they cease to function; when will it start worrying you?"
Only for 28 years.
Seriously people. I thought you were real nerds!
Pal, no offense, but you've really got to read some books on social history. Yes, that's the first US copyright law. But it's an 18th century copyright law, based on 18th century morals and society, not a 21st century copyright law based on 21st century morals and society. Even though it isn't strictly speaking fully a social history book, I'd recommend the first few chapters of Battle Cry for Freedom by James McPherson to get a sense of the social forces shaping society between the 1840s and the Civil War, and how Jeffersonian Democracy became obsolete.
If you want to talk original morals, all the blacks in the US are covered under property rights and considered subhuman, and all of the women are brainless dolls who shouldn't be forced to work their minds, because they can't take that, and it's unreasonable to force it on them. There's a reason the United States doesn't have Jeffersonian Democracy anymore - for its day it was revolutionary, but from the perspective of the here and now it would be worse than Apartheid.
Seriously, get some historical perspective on what's happened in society over the last 220 years, and start looking to the future rather than the past.
Robert B. Marks
Author, Demonsbane in Diablo Archive
zerg (Score:5, Funny) by Lord Omlette (124579) <omlette@@@gmail...com> on Sunday September 11, @05:45PM (#13533623) (http://www.omlettesoft.com/)
Unless they ban the movie Hackers and eradicate all copies of it everywhere, they're not gonna make hacking uncool...
-----
Bad Security Idea #7:
Mistaking the "Subject" field for the "Password" field on all your Slashdot posts. (Check his posting history...)
1) Just eliminate "default permits" - don't use anything that you haven't used before. There's no reason any of your people will need anything else, because everything useful has already been written.
Anything new that is useful can be cleared by the sysadmin, who will have plenty of time to check every individual program needed by every individual user, having eliminated all security flaws on the network.
2) Enumerate goodness - follows exactly from eliminating default permit (to be fair, all his stuff pretty much does). Since you know exactly what's on your network, you don't need to leave any wiggle-room for changes.
3) Write it right the first time! Because all those Unix and Windows junkies that wrote the original holes did so because they weren't paying attention and wanted to promote their job security by discovering the buffer overflow. By the way, all possible security holes have now been discovered - there are no new ones out there being caused by modern coding techniques waiting to be discovered. Because they've been perfected now.
4) Hacking is not cool. People who take things apart to see how they work are inherently bad, not a feature that can be used for good or ill, nor do those that use it for ill ever mature past it to redeem themselves. Glad that's settled.
5) Educating users is dumb. Just hire ones that already know what they're doing. Because someone else will educate them. Or they'll educate themselves. Something like that.
6) Inaction is better than action. Never be an early adopter. No one. EVER!!!!!!!
Sorry - 5 & 6 fail the "What if everyone did exactly what he advised" test.
4 completely ignores that hacking is a learning experience that follows from the curiosity of a working mind and leads to, well, educated users that you don't need to train. No hackers means there are no users educating themselves, and you don't have to worry about being an early adopter because no one's designing anything new anyway.
3 is a platitude. True, yet silly. Yes, code needs to be written better, particularly at the OS level. Known mistakes are avoidable, and things that should be acceptable as application programs should be avoided at a deeper level, but that's a matter of sane training and review.
1 & 2 are complementary, obvious, and according to him easy. I've never had the benefit of working on a network or computer, Windows or Linux, in which it was feasible to both clamp down on every program and port, and yet leave individual users with the ability to deal with the unforeseen. I've seen places that have done exactly that and decided users don't need to do anything outside the defined scope of their jobs, at least on the network. These are the same places that don't understand that the reason their people don't go above and beyond is because they've gone to so much effort to make it impossible to do so.
Or perhaps my lack of vision is why I'm not making the big bucks. It's conceivable.
Pug
An Invisible Entity of Vast Power whose existence must be taken on faith alone: Liberal Media
I wasn't trying to be an ass about it. I was just trying to give an easy way to remember the spelling. It's the mnemonic that I use myself when spelling "definitely."
Frankly, I don't understand why people get so offended when others try to help them communicate better. Are you so obstinate that you don't want any help to better yourself? Are you that attached to looking like a fool every time you write something down? Part of the reason published works go through an editing process is to correct spelling and grammar. Why do you think that is? Why do you think we have language rules in the first place? It aids communication.
So why get ruffled when someone tries to help you? If it was just the implied tone, I'll try to do better at conveying a nonconfrontational one in the future. If you're against the idea that maybe we could raise the bar here on Slashdot, let me know so I can mark you as a foe. Thanks for your help.
--
Promoting critical thinking since 1994.
It's amazing how a little evidence that Copyright isn't "property" can bring out the venom...
I reinstalled SUSE 9.3 last night, and I realized that, doh!, I had to turn everything on. With that done, I downloaded the matching KDE RPMs from KDE's mirror, unpacked them, and was done.
This is my sig.
If everyone used this strategy, there would be NO guys who ever did any sort of deployments of anything, because the largest company would always be waiting for someone to have done it.