Slashdot Mirror


The Six Dumbest Ideas in Computer Security

Frater 219 writes "The IT industry spends a huge amount of money on security -- and yet worms, spyware, and other relatively mindless attacks are still able to create massive havoc. Why? Marcus Ranum suggests that we've all been spending far too much time and effort on provably ineffective security measures. It may come as a surprise that anti-virus software, penetration testing, and user education are three of "The Six Dumbest Ideas in Computer Security"."

22 of 792 comments

  1. dumbest ideas by Bananatree3 · · Score: 1, Informative

    #1) Posting your password on a forum

    #2) Going into a shady carding IRC channel, telling everyone there that you are an undercover FBI agent, and then saying "you are all dumb! Hack me! HAHAHHHA!!!"

    .....

  2. Highly applicable by gunpowda · · Score: 5, Informative
    The Internet has given a whole new form of elbow-room to the badly socialized borderline personality.

    Woah, he's not talking about Slashdot?

  3. Re:A much bigger problem by dhasenan · · Score: 2, Informative

    Or use a wireless network for the laptops, going through a separate server, and put extremely restrictive firewalls on that server.

    It's not as fancy, but it works. Just use decent encryption.

  4. Re:He mixed up hacking and cracking by TLLOTS · · Score: 4, Informative

    I think you misunderstood his point with #4. My understanding of what he was saying was that time spent learning how to hack into a system with xyz could be better spent simply learning about good security practices (such as how to prevent a buffer overflow). Rather than spending the rest of your life learning about each new exploit, you simply focus on why those exploits are occurring, and fixing them at the source, rather than trying to simply keep patching.

  5. Nope by Knome_fan · · Score: 2, Informative

    As the article rightly points out, and btw. if you had bothered to read it you would have been aware of this, there is no reason at all why joeuser should even be able to download and execute "naked_sluts.exe" on a company's network.

    And I quote:
    "Dealing with things like attachments and phishing is another case of "Default Permit" - our favorite dumb idea. After all, if you're letting all of your users get attachments in their E-mail you're "Default Permit"ing anything that gets sent to them. A better idea might be to simply quarantine all attachments as they come into the enterprise, delete all the executables outright, and store the few file types you decide are acceptable on a staging server where users can log in with an SSL-enabled browser (requiring a password will quash a lot of worm propagation mechanisms right away) and pull them down. There are freeware tools like MIMEDefang that can be easily harnessed to strip attachments from incoming E-mails, write them to a per-user directory, and replace the attachment in the E-mail message with a URL to the stripped attachment. Why educate your users how to cope with a problem if you can just drive a stake through the problem's heart?"

  6. Re:Either stupid or obvious by Hektor_Troy · · Score: 3, Informative
    3) Penetrate and Patch

    So you are saying we should write code without bugs and holes? What a great idea that is? Why did no-one think of saying that before?
    That's not what he's saying.

    Think of it this way:

    int isPrime( long primeSuspect)
    {
        if(primeSuspect == 2 || primeSuspect == 3 || primeSuspect == 5 )
            return 1;
        return 0;
    }

    How would you patch it? Test it for every prime and then add them to the check list? Or would you realise that the design is crap and change the design?

    He wants you to change the design, rather than just fix the apparent flaw that 7 returned false.
    --
    We do not live in the 21st century. We live in the 20 second century.
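The same contrast in runnable form, as an added example that is not the commenter's code: the "patched" version adds 7 to the list, the redesign decides primality by trial division, and a slow oracle shows where each one first breaks.

```python
def is_prime_patched(n: int) -> bool:
    """The post's function after the obvious 'patch': 7 was reported as a bug, so 7 was added."""
    return n in (2, 3, 5, 7)

def is_prime(n: int) -> bool:
    """The redesign: decide primality by trial division instead of enumerating known primes."""
    if n < 2:                 # 0, 1 and negatives are not prime
        return False
    if n % 2 == 0:            # the only even prime is 2
        return n == 2
    d = 3
    while d * d <= n:         # a composite has a factor no larger than its square root
        if n % d == 0:
            return False
        d += 2
    return True

def reference_is_prime(n: int) -> bool:
    """Slow but obviously correct oracle, used only to check the two candidates."""
    return n >= 2 and all(n % d for d in range(2, n))

def first_disagreement(candidate, limit: int):
    """Smallest n in [0, limit) where `candidate` disagrees with the oracle, or None."""
    for n in range(limit):
        if candidate(n) != reference_is_prime(n):
            return n
    return None

if __name__ == "__main__":
    print(first_disagreement(is_prime_patched, 100))   # 11: the patch only moved the hole
    print(first_disagreement(is_prime, 2000))           # None: the redesign holds
```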
  7. Code does not exist in a vacuum by IsItWashable · · Score: 1, Informative

    I think that what we're missing here is that applications SERVE the needs of a business. "Let's build it right in the first place" is pretty much a no-brainer, but if a business has a need for a particular application, whether that app is hack-proof or not is not something that senior business managers tend to give a flying fuck about, in my experience. The requirements phase of any project tends to include a "don't let this app take it up the ass" clause, but that's subservient to the overall aim of the project - whatever it may be.

  8. Dude. by 3l1za · · Score: 1, Informative
    I didn't say: "HE advocates ..." I said "WHO advocates."

    Slow down and read my fucking post.

    The point was this:
    • This was supposed to be a list of security ideas that suck
    • My fucking point in my original post was that the first dumb idea (i.e. "security idea that sucks") -- "Default Permit" -- isn't even a fucking security idea
    • To go extra slow for the Really Big Retards, therefore, what is idea # 1 even doing on the list?
    You can apologize now, asswipe.
  9. Re:Dumber Article... by Krunch · · Score: 5, Informative
    One of the points basically comes down to "write perfect code".
    No, it comes down to "build a perfect design".
    Of course I fricking want to install it
    But maybe you don't want it to connect to the network or touch the filesystem.
    --
    No GNU has been Hurd during the making of this comment.
  10. Only for Documents that Launch Applications by dfm3 · · Score: 2, Informative

    Try OSX. As of some update about a year ago, OSX stopped having "default permit" for launching applications by double-clicking. If you double-click and that leads to launching an executable that hasn't been run before, it pops up a dialog to ask you about it.

    Actually, this will not stop you from launching an application (that is, an executable) by clicking on the application icon, it only prevents documents from opening applications that you have never run before. Say you double click what you think is a .jpg file expecting it to open in Preview, but another application is launched instead. You'll get a message that reads, "You are opening the application 'mysterious suspicious program' for the first time. Are you sure you want to open this application? ....to see the application in the Finder without opening it, click Show Application."

    You can open the application by clicking it directly, and it will run without first presenting you with any warning. If I remember correctly, this was introduced by Apple to prevent users from inadvertently launching new (possibly malicious) applications that had somehow tricked the OS into associating certain file extensions with them. However, it's useless if you open a "document" that is actually an executable in disguise, as these will run without prompting you.

  11. Re:zerg by chrysrobyn · · Score: 2, Informative
    Unless they ban the movie Hackers and eradicate all copies of it everywhere, they're not gonna make hacking uncool.

    There were precisely two cool things about Hackers.

    1. Angelina Jolie.

    2. Airbrushed keyboards.

    Sneakers, on the other hand, Hollywoodified an already absurd idea..

  12. Re:zerg by Shishberg · · Score: 2, Informative

    They could just give out free copies of Antitrust instead.

  13. Re:Joke? by pembo13 · · Score: 3, Informative

    I think he meant Mac as part of *nix

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
  14. Re:Um wtf - forget it! by Anonymous Coward · · Score: 0, Informative

    "As if" they're in a Third World country? You ARE a Third World country! You've got a ruling class that can do no wrong in the minds of the sheep, corruption to the core, feet-of-clay syndrome, you morally and intellectually bankrupt Americans are so oblivious in your SUVs and McDonalds to the reality; you are on the way out. You're over. Finished.

  15. The #1 dumbest idea in computer security? by BoneFlower · · Score: 2, Informative

    The idea that security is about technology.

    It isn't. Sure, certain engineering and design principles can help security a great deal, but when it comes down to it, security is about the human brain. If you don't run the system intelligently, it doesn't matter how well designed it is, or how well the design is implemented. You will get p0wned.

    I'd trust an all Windows 98 network without a firewall, run by someone who knows what they are doing, over an OpenBSD network locked down against everything run by my mom.

  16. uneducationable users by Jessta · · Score: 2, Informative

    Uneducationable users will always be the main security problem with computer systems.
    I find it hard to believe that users still run random attachments to emails.
    After 10 years people are still doing it.

    You can't just remove all attachments from emails, so what should one do about it?

    Software is not here to make up for the stupidity of people, it's here to help them utilise their intelligence. If you're not intelligent enough not to run random attachments to your emails, then you probably won't find a computer very useful.
    - Jesse McNelis

    --
    ...and that is all I have to say about that.
    http://jessta.id.au
  17. Re:A much bigger problem by mr_z_beeblebrox · · Score: 3, Informative

    thus negating the hundreds of thousands of dollars of security infrastructure

    They didn't negate it. The stateful firewall still stopped traffic at its border etc... What they did was expose the lack of hours spent planning the security. Here is what I do and you are free to do it, improve it or ignore it (that makes it free). In my company every network jack that does not have a direct attached device on it is plugged into a bank of switches that are separated from my network by a PIX firewall. The firewall has rules that allow basic e-mail, web and specific application data to go across. Most traffic is denied. If anyone plugs a laptop in they are able to do those things but are unable to do Windows file share, domain login etc... If they need to use those I have to be given control of the box and it does not leave the building.

  18. Re:Locking down users by GlobalEcho · · Score: 2, Informative

    I appreciate the difficulty of dealing with users installing lots of software, but I have experienced the "lockdown solution" in three different organizations (two of them very large), and feel it worked poorly for me in all of them.

    Here's why:
    (1) Response times. When I made a request for installation of, or permission to install, software needed for my work responsibilities, response times ranged from 45 minutes to a couple days. 45 minutes is little enough time to find something else to do in. A period of days is not. I have yet to encounter a tech desk that can reliably respond to even such a simple request in a timely manner, never losing it.

    (2) Interconnections. Those times when I installed a piece of software were often followed shortly thereafter by the need to install some other, related (or substitute) program. That meant another delay of 45 minutes to a couple hours (or more). Chain a few of those along, and you easily waste a day or two.

    (3) Questioning and denial. Large organizations have a list of "approved" software and biases toward denying the use of anything not on the list. For example, at one point I had a strong need to do some time series analysis. Appropriate tools for this include SAS, SPSS, Matlab....and GNU R. The first three, since they cost thousands of dollars, would have required cost review, tech review, et cetera. Installation for those types of packages took months. (I think that Matlab took about 3 1/2 months when we bought it). We needed results within a week or so, so R was the obvious choice. But of course, few sysadmins have (and none of ours had) heard of GNU R. Before we could get it installed we went through a long and frustrating round of "what is this?" and "why do you need it?" and "why can't you use X instead". Had the sysadmins just trusted that we had done our research, it would have been far less painful.

    It doesn't take more than one or two such experiences for the users to develop a deep distaste for dealing with a lockdown.

  19. Re:Scoop by Anonymous Coward · · Score: 1, Informative

    In security circles, mjr has had 3 char alias fame for quite a while now.

    Marcus is the guy who built the first commercial firewall (Gauntlet) and the first commercial IDS (NFR). Yes, he's arrogant, brash, and opinionated. But he's made contributions of code and ideas to the field that few can match.

  20. Re:Real security has to be build into the foundati by glens · · Score: 2, Informative
    Not that it hasn't been mentioned already, but here's an example from slackware 10:


    $ mount | grep /tmp/hdb9
    /dev/hdg9 on /tmp/hdb9 type ext2 (ro,noexec)
    $ pwd
    /tmp/hdb9/bin
    $ ./hostname
    bash: ./hostname: Permission denied
    $ /lib/ld-linux.so.2 ./hostname
    ./hostname: error while loading shared libraries: ./hostname: failed to map segment from shared object: Operation not permitted
    $ ls -l /lib/ld-linux.so.2
    lrwxrwxrwx 1 root root 11 May 16 2004 /lib/ld-linux.so.2 -> ld-2.3.1.so
    $ ls -l /lib/ld-2.3.1.so
    -rwxr-xr-x 1 root root 672140 Mar 5 2003 /lib/ld-2.3.1.so
    $ uname -r
    2.4.26
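An added example (mine, not from the post) that checks the mount-option half of this: it parses `mount` output in the format shown above and reports user-writable filesystems that lack noexec, nosuid or nodev. The sample output and the list of watched mount points are constructed; the check reads options only, so it says nothing about whether the running kernel also refuses the ld-linux.so route the way the 2.4.26 session above does.

```python
import re

# Line format as printed by `mount` in the posted session: "<src> on <mountpoint> type <fs> (<opts>)".
MOUNT_LINE = re.compile(r"^(?P<src>\S+) on (?P<mnt>\S+) type (?P<fs>\S+) \((?P<opts>[^)]*)\)$")

# Constructed sample output (not from the post); only the /tmp/hdb9 line mirrors what glens showed.
SAMPLE_MOUNT_OUTPUT = """\
/dev/hda1 on / type ext3 (rw)
/dev/hdg9 on /tmp/hdb9 type ext2 (ro,noexec)
tmpfs on /dev/shm type tmpfs (rw)
/dev/hda3 on /home type ext3 (rw,nosuid)
/dev/hdb1 on /tmp type ext3 (rw,noexec,nosuid,nodev)
proc on /proc type proc (rw)
"""

# Assumed: filesystems unprivileged users can normally write to, and the options expected on them.
WATCHED_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm", "/home")
HARDENING_OPTS = ("noexec", "nosuid", "nodev")

def _is_watched(mnt: str) -> bool:
    return any(mnt == p or mnt.startswith(p + "/") for p in WATCHED_PREFIXES)

def parse_mount_output(text: str):
    """Yield (mountpoint, fstype, set_of_options) for each well-formed line; skip anything else."""
    for line in text.splitlines():
        m = MOUNT_LINE.match(line.strip())
        if m:
            yield m["mnt"], m["fs"], set(m["opts"].split(","))

def audit_mounts(text: str) -> dict:
    """Map each watched mount point to the hardening options it lacks; fully hardened ones are omitted."""
    findings = {}
    for mnt, _fs, opts in parse_mount_output(text):
        if not _is_watched(mnt):
            continue
        missing = [o for o in HARDENING_OPTS if o not in opts]
        if missing:
            findings[mnt] = missing
    return findings

if __name__ == "__main__":
    for mnt, missing in audit_mounts(SAMPLE_MOUNT_OUTPUT).items():
        print(f"{mnt}: missing {','.join(missing)}")
```

Mount points containing spaces are printed escaped by `mount`; the regex above does not undo that escaping.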

  21. Re:Educating users... by Alioth · · Score: 2, Informative

    On a point of pedantry, if you did try and move the big silver lever in flight, you wouldn't be able to open the door anyway. Airliners generally use plug type doors. To find out the force required to open one in flight, take the surface area of the door, multiply by the pressure differential (say, 8 psi) and work out how many tons of force the puny human trying to open it would require.

  22. barely clothed nudes by Orinthe · · Score: 2, Informative
    Doesn't anyone else have issues with the following quote from the article?
    nearly 1/2 of humanity will click on anything purporting to contain nude pictures of barely clothed females
    (emphasis added)
    --
    SELECT quote.text AS sig FROM quote NATURAL JOIN attribute WHERE attribute.description = 'witty';
    0 rows returned