Slashdot Mirror
The Six Dumbest Ideas in Computer Security
Frater 219 writes "The IT industry spends a huge amount of money on security -- and yet worms, spyware, and other relatively mindless attacks are still able to create massive havoc. Why? Marcus Ranum suggests that we've all been spending far too much time and effort on provably ineffective security measures. It may come as a surprise that anti-virus software, penetration testing, and user education are three of "The Six Dumbest Ideas in Computer Security"."
Why, would you rather I leave the door open to get some light in the basement?
Be relentless!
Unless they ban the movie Hackers and eradicate all copies of it everywhere, they're not gonna make hacking uncool...
[o]_O
I thought the overall article was dumber than the six dumb ideas.
These people get the crap and then bring it into the cacoon, thus negating the hundreds of thousands of dollars of security infrastructure
What are some of the dumbest security *policies* you've encountered?
I worked for a firm earlier where we had to change our passwords every week where the password had to 1) be exactly 14 characters and 2) be ~60% different to the previous four passwords.
The result was of course that almost every user had their passwords on post-it notes.
To illustrate, ask yourself this question: why do most corporate computer users have permissions on their computer to download and execute arbitrary programs?
Now, it should be noted that even Linux gives the average user this capability. But that needn't be so.
Antivirus programs are a bandaid, not a solution. But most people treat them as a solution, and therein lies the problem.
If you really want to take care of security issues, you have to do so at the foundation.
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
Yeah, I'm taking all my anti-virus software off the computers right now. I don't know why I ever though it was useful anyway. It's more efficient to deal with the infections as they come in then it is to try to prevent it.
I'm gonna stop using condoms too while I'm at it.
Sometimes my arms bend back.
Woah, he's not talking about Slashdot?
In #4, "Hacking is Cool", he obviously means "cracker." Also, the last part of that section says that security professionals should not know how to crack. Bullshit. If you don't know how exploits are used, how can you block them? How can you write a secure program if you don't know what a buffer overflow is?
The article really fails to address any real issue with security. What the article really read like was something more along the lines of, "Six Things Dumb Management Sometimes Do In Relations to Computer Security". The real problem with technical computer security is the poor quality of software (software designed without security, or without enough security in mind), and the general lack of general system protection (NoExec memory, Stack Smashing/Active Bounds Checking, Targetted/Strict ACLs, etc). The damage worms/viruses/hackers can cause on a much stricter system is really far less than a normal system, if the penetration can even be achieved in the first place.
1) Default deny instead of default allow.
Actually, default deny is just as stupid as default allow, as if you have default deny, people just get sick of being asked if they want to allow something, and end up clicking "yes" on every box they see.
2) Enumerating Badness
So you want to write a virus scanner that somehow can recognise viruses without being told which programs are viruses. Modern virus checkers already mostly do this. With spyware it's very hard for a computer to tell the difference between a program you wanted installing and one you didn't. How do you expect it to tell?
3) Penetrate and Patch
So you are saying we should write code without bugs and holes? What a great idea that is? why did no-one think of saying that before?
4) Hacking is cool
You think people should learn how to stop hacking and intrusion without learning how existing hacks work? Then you are stupid. Shush.
5) Educating Users
So you are saying that we have to do security without teaching users how to do it. That just isn't going to work unless you never let users install their own applications or plug-ins. Yes teaching users is hard, but it has to be a vital part.
6) Action is better than Inaction
So, after saying the state we are in is rubbish, you now say we shouldn't actually change anything. Eh? Or are you saying "don't try something new without testing it first"? Well thats more than a little obvious.
This is just trolling, crap, and obviousness. Your average slashdot post really.
Combination - fun iPhone puzzling
I patch PHP to set a constant in the namespace of the script whenever a 'dangerous' function is called (eg: system(), shell_exec, the backtick operator etc., others
If the script is allowed to call the functions, all well and good, it's just logged. If not, the offending IP address is automatically firewalled. I purloined some scripts from the 'net that allow shell-level access to manipulate the firewall.
So, now I had a different problem - the webserver wasn't running anywhere near the privilege needed to alter the firewall, and I didn't want to just run it under sudo in case anyone broke in. I wrote a (java (for bounds-checking), compiled with gcj) setuid program that takes a command string to run, an MD5-like digest of the command, and a set of areas to ignore within the command when checking the digest. The number of areas is encoded into the digest to prevent extra areas being added. If the digest doesn't match, the program doesn't run. This is a bit more secure than 'sudo' because it places controls over exactly what can be in the arguments, as well as what command can be run. It's not possible to append ' | my_hack' as a shell-injection.
So, now if by some as-yet-unknown method, you can write your own scripts on my server (it has happened before, [sigh]), you're immediately firewalled after the first attempt - which typically is *not* 'rm -rf
Well, PHP and SQL injection of course, but the same script is used there - if the variables being sent to the page are odd in some way (typically I look for spaces after urldecoding them as a first step - SQL tends to have spaces in it
What would be nice would be a register within a PHP script that simply identified which functions were called. In the meantime, this works well for me...
Just thought I'd share, because it's similar to what the author is saying regarding only trusting what you know to work, and everything else gets the kick (squeaky wheel-like
Simon
Physicists get Hadrons!
- That DRM systems don't work
- That DRM systems are bad for society
- That DRM systems are bad for business
- That DRM systems are bad for artists
- That DRM is a bad business-move for MSFT
A very good read if you are in the position of explaining this to someone in a position to mandate DRM.http://lists.immunitysec.com/pipermail/dailydave/2 005-September/002347.html
Dave's "Exactly 500 word essay on "Why hacking is cool, so that Marcus changes his web site"." http://lists.immunitysec.com/pipermail/dailydave/2 005-September/002366.html
Go not unto/. for advice, for you will be told both yea and nay (but have nothing to do with the question)
is the permit by default tendency. This is like having a fence that springs out of the ground only when certain people are sensed approaching it. It needs to be up and topped with barbed wire and the only gate needs to be locked until someone is given a key to it. NAT routers are like that. They can only forward traffic when you bother telling it to and until then sit there stupid making you wonder why your new SSH installation won't talk to the outside world.
OTOH, it is a collosal pain in the arse to deny all traffic and only allow what you want because so much code is network aware these days and designed to talk to some place across the net. Then again, it does tell you which apps are communicating in the first place.
On my Windows boxes I use Sygate Personal Firewall to create a specific list of allowed executables and block everything else with a block all entry at the bottom of the fall-through list. No match, no talk. Inbound and out. Combined with NAT it makes for very little traffic reaching my internal network. When I leave my desk for the night and Windows is running, remove a few check marks and save and it only allows the file sharing app to talk and I keep that updated and locked down at all times.
It also can be set to approve or deny execution of code that may have changed since last allow/deny challenge.
That which is not forbidden is not only not compulsory, but probably suspicious.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
# chmod +x naked_sluts.exe ./naked_sluts.exe /home/iclod/porn... /home/iclod/work... /home/iclod/Mail... /home/iclod... /home... /home: permission denied.
#
Removing
Removing
Removing
Removing
Removing
Error: cannot remove
* Entering phase 2
Scanning ports for viral spreading:
No suitable ports available.
* Entering phase 3
Accessing sendmail...
Mailing...
Mailing...
Mailing...
Error: mail blocked: too many recipients. Wait ten minutes and try again.
In short, users aren't a major problem because they should only be able to hurt themselves. The problem is that they often can and do hurt others. This is the result of poor design.
Password must be 10+ characters in length, contain upper and lower case letters, 3 numbers and 2 special characters.
Result:
Users keep their passwords on post-it notes stuck to their monitors.
2) Constant password expiration
Passwords expire every 3 months. New passwords can not resemble old passwords.
Result:
Users keep their passwords on post-it notes stuck to their monitors.
*head explodes*
noexec can be easily circumvented. Read here for more information.
/dev/hda7 on /tmp type ext2 (rw,noexec,nosuid,nodev) ./date ./date: Permission denied /lib/ld-linux.so.2 ./date
Relevant example:
alex@joker:/tmp# mount | grep tmp
alex@joker:/tmp#
bash:
alex@joker:/tmp#
Sun Dec 3 17:49:23 CET 2000
Crime as a problem of context is studied in Gregory Bateson's seminal book Mind and Nature: A Necessary Unity. Bateson addresses two flaws in our court system. One is to treat a crime as something isolated and somehow measurable in penal terms. Taking a crime out of context, i.e., the makeup of the criminal, is blind to the forces that generate criminal actions.
Bateson speaks of (crime) "...as not the name of an act or action; it is the name of a frame for action. ...( he suggests)... we look for integrations of behavior which a) do not define the actions which are their content; and b) do not obey ordinary reinforcement rules." In this context he suggests play, crime and exploration fit the description. As long as we are only able to punish according to some sort of arbitrary eye for an eye method of bookkeeping we will be unable to root out crime.
Bateson's second criticism of our judicial system addresses it's adversarial nature. He writes... "adversarial systems are notoriously subject to irrelevant determinism. The relative 'strength' of the adversaries is likely to rule the decision regardless of the relative strength of their arguments. Bateson's second
He further goes on to a brilliant analysis of the Pavlovian study of dogs in terms of the dog's view of the context; and, how the dog's context is violated when the dog's view of a "game" of distinction is morphed into a game of guessing without there being any markers to tell the dog the context of the game has been changed. This switch in context drives neurotic and violent behaviour in the dog. I suspect much anti social behaviour is driven by the criminal's inability to read society's context markers.
"Academicians are more likely to share each other's toothbrush than each other's nomenclature."
Cohen
As the article rightly points out, and btw. if you had bothered to read it you would have been aware of this, there is no reason at all why joeuser should even be able to download and execute "naked_sluts.exe" on a companies network.
And I quote:
"Dealing with things like attachments and phishing is another case of "Default Permit" - our favorite dumb idea. After all, if you're letting all of your users get attachments in their E-mail you're "Default Permit"ing anything that gets sent to them. A better idea might be to simply quarantine all attachments as they come into the enterprise, delete all the executables outright, and store the few file types you decide are acceptable on a staging server where users can log in with an SSL-enabled browser (requiring a password will quash a lot of worm propagation mechanisms right away) and pull them down. There are freeware tools like MIMEDefang that can be easily harnessed to strip attachments from incoming E-mails, write them to a per-user directory, and replace the attachment in the E-mail message with a URL to the stripped attachment. Why educate your users how to cope with a problem if you can just drive a stake through the problem's heart?"
Try OSX. As of some update about a year ago, OSX stopped having "default permit" for launching applications by double-clicking. If you double-click and that leads to launching an executable that hasn't been run before, it pops up a dialog to ask you about it.
Thus, no more executables bearing viruses disguised as documents.
Can anyone tell me how to set my sig on Slashdot?
There is a way to fix security problems on end-user machines completely.
The solution is to keep the operating system and applications on read-only media. The end-user operating system of the future should be designed around this idea, and they should reboot from readonly media on a regular basis, this way viruses cannot spread and worms cannot get a foothold.
Its doable. Its feasable. Its the future, once engineers really decide to solve the problem.
Actually it was more like whatever you are writing don't expect that your code will exist in a secure environment. Whenever you can, do what you can to keep your modules secure. Don't give the OS or other moddules the benefit of the doubt.
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
Maybe he's a friend of ESR's or RMS's. Trying for his own elevation to 3 char alias fame...
Users aren't the problem. Allowing users to run unvetted executables is a problem. Relying on users to decide what executables are acceptable is a problem with their admins and with Windows.
SELinux is the solution.
"I assumed blithely that there were no elves out there in the darkness"
Number seven: taking advice from a security expert whose great claim to fame is an ongoing quest for even greater hyperbole.
Jeez, Marcus, are you always going to be a self-promoting twat?
Marcus, your list is crap. Here's a list:
1) No one is watching. IDS, firewall logs, doesn't matter - no one is watching.
2) Most security people don't get it. They run NFR and think that they're safe.
3) Security is a low priority. Time to market matters. Security ranks below documentation and above performance tuning.
Raising awareness of network security is a good thing. Doing it with bombast and self-promotion is just being a media whore.
='^)
Take the article for what it's worth. He makes some very good points, although it's hard to take him seriously when he doesn't even know what the word 'hacker' means... but still, some very good points. Security is something that needs to be designed in from the start, not patched on top later.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
From the article:
"On my computer here I run about 15 different applications on a regular basis. There are probably another 20 or 30 installed that I use every couple of months or so. I still don't understand why operating systems are so dumb that they let any old virus or piece of spyware execute without even asking me."
The author has a point here, but answer to his question is very simple - his computer doesn't ask for permission to execute most programs because most users would absolutely panic if their computer regularly asked for their input.
I base this on my own experience as a college tech, which is necessarily limited. That said, two points to consider:
I have never, ever seen a student running in a non-administrator account on their Windows PC, even though XP supports this feature. This would prevent much malicious software from running, and avoids the "default permit" behavior that the article author finds so odious. However, users do *not* want to see error messages when they try to run things, nor do they want to log into a different account to install their p2p flavor of the week. They want things to "just work". So, non-administrator accounts are fantastically unpopular.
Another example: Zonealarm. My school encourages students - in fact, tells students they are *required* to - install ZoneAlarm. So what happens? Zonealarm asks them if they want to let, say, AIM or Weatherbug access their network connect - and the user freaks out. They think it's an error, that their computer is busted, etc.
In short- desktop machines tend to be default-permit because desktop users are completely unwilling to deal with an alternative arrangement.
I'm the stranger...posting to
The weak spot in this is, that for it to work, the user have deny the executable from running. Most users don't. Especially not if the e-mail containing an the executable contains some plausible explanaiton why they should allow ti to run. E.g. telling them that it is an important secrurity update from Apple.
God is REAL! Unless explicitly declared INTEGER
You expect a user that's writing passwords on post-it notes to be that smart?
Why the hell would writing you password on post-its be a stupid idea? Everywhere I've worked the IT people didn't give a shit about the guy in the next room or cube getting your password. It was the people outside the building that mattered.
You are telling me that you could come up with a unique 14 character password every week and not have to write it down? Listen, I'm a pretty fucking smart guy, and I don't have that ability. With the number of passwords I have to manage these days, I'm lucky to remember where I wrote that one down.
When users are annoyed by questions they don't understand, support costs go up. Windows users really can't answer questions about whether to allow various TCP connections. Since only programs we approve can be installed on the "users" machine, there is no point in default deny.
Just like currency security doesn't try to identify all the different kinds of forgery, so the idea of "trusted" computing is that all programs are bad except the ones signed directly or indirectly by Microsoft.
To be effective, "trusted" computing must be airtight against workarounds by end users. That is why hardware enforcement is an integral part of the picture. The XBox project has been very effective in eliminating holes in the "trusted" computing hardware, thanks to the many volunteer hackers attacking it.
Currency security experts don't spend time on basement printing presses. They spend time on creating currency features that are expensive to reproduce on a small scale. End-user freedom is not an issue in the "trusted" computing paradigm. We simply want an airtight system that allows *only* Microsoft approved programs to execute, and a hardware enforced way to retroactively delete content when Microsoft makes a "mistake".
We want to ensure that defeating the hardware interlock on our machines requires resources way beyond what an individual or small company can muster. It doesn't matter if organized crime or Chinese corporations have the resources. Their exploits give us justification to tighten the screws on our captive users.
One of the main real selling points of our software is that we aim it at users who don't know or care about computing. They just want to use some applications. If our users had any desire or aptitude to learn about security, they would have defected to that "competitor" that shall not be named. Once we succeed in legally banning un-"trusted" hardware, any talk of user "education" will be banished to dark alleyways.
You say, "never let users install their own applications or plug-ins". Darn tootin. The whole point of "trusted" computing is to prevent users from installing their own applications or plug-ins. That is 99% of the security problem with Windows. If a user doesn't know whether to allow a TCP connection, they certainly have no idea whether some no-name (i.e. non-Microsoft) program is safe to install.
We have 100s of millions of machines running our software in the field. We have a nearly complete monopoly on desktop software. Knee-jerk actions are simply out of the question. The damage done by an insufficiently tested patch is far worse than the damage done by the nastiest malware - because our users will blame it on *us*. (The rebels blame the malware on us, but that is irrelevant.)
Default deny makes more sense when you think of it at the organizational level -- like a firewall. Both default deny and allow mean that you have to respond to new needs ... but default allow means you have to respond to new attacks (by blocking them) whereas default deny means you have to respond to new user needs (by allowing them). I've operated both sorts of firewalls -- and when you are in good communication with your user base, default deny is both more reliable and MUCH LESS WORK.
Ah ... you didn't read the article, did you? Every program that's running on your system that you didn't authorize to be there, is a problem. It doesn't matter if it's a "virus" or not, or if it's on Symantec's bad-guy list yet. Consider the following dialogue I had with a Windows technician:
Me: Windows host foo.example.org is cracked. It's portscanning out and trying to break into things. I've blocked it off the network.
Tech: I just ran an anti-virus scan on foo, and it didn't find anything. The user wants to get back to work; please put it back on the network.
Me: I didn't say it had a virus; I said it was scanning out and trying to break into things. It's still trying to scan out. I'm not going to put it back on the network.
Tech: Antivirus software says clean!
Me: snort says scanning out!
Tech: Antivirus software says clean!
Me: tcpdump says scanning out! Go get Clueful Tech to look at it.
Clueful Tech: Oh yeah, it's got all these processes called "fuck.exe" running. It's hosed. I'm reinstalling it.
Me: Thank you, Clueful Tech.
If you need antivirus software, your problem is not viruses -- it is that you don't have any control over what programs are getting to run on your computer. Get that control, and you don't need antivirus software.
Anyone who tells you that all software has bugs is being honest. Anyone who tells you that all software is equally buggy is trying to sell you Microsoft IIS. We can go a long way towards "code without bugs" just by observing the history of software and going with those options which have proven to need much less patching in the past.
We can also -- and more importantly, I think! -- favor software that is architected in such a way as to minimize security exposure. That means privilege separation and least privilege. Running your Web server as root is a brain-dead idea. It means not using more complicated software than you need -- if boa or publicfile serves your needs, don't use Apache.
It's interesting, but it isn't essential to the job. What you need to know is that attacks work by exploiting mistakes in the design and implementation of programs. What you need to know about buffer overflows, for instance, isn't how to exploit one for fun and profit -- but rather, that any C program that uses gets() is broken ... and that programs written in higher-level languages that have checked strings can't suffer from them.
There is a place that I've found that "hacking knowledge" is useful -- in demonstrating incontrovertibly that a problem exists. Joe Moron has a Windows-based embedded print server that's vulnerable
I was working as an IT Manager for a mid-sized company for a while. The main problem with "locking down users" is, that nowadays there is no respect for IT Administrators anymore. Especially in small/mid-sized companies, where every single employee goes directly to his/her boss or even worse to the CEO just to complain about their "inability to work", because of the locked down computer. "The bad admin locked down the computer and I can't work anymore!". Sure, the PHB, CEO, HR won't understand the difference between user/admin rights.
...), there were another ten or twenty complains.
I have a pretty strong personality and a thick skin, but after a while, I gave up. Even brand-new interns complained about the situation that they were not able to install their "favourite software" or about the blocked ports at the corporate firewall.
After a while, the HR manager came to me and said, that in four years, half of the employees complained about me. Whenever I tried to change something (firewall, user rights,
All of the users are working as administrators on their computers at home - I know that, because most of them told me about the troubles they have with spyware and viruses, but they would never accept to have lower permissions at work. The common sense is, that the computer at work is actually theirs.
The same with company laptops. Everyone connects it at insecure networks at home, friends, hotel rooms, other companies and so on and after a business trip, you have to either reinstall the machine or remove spyware/malware.
It's just the lack of understanding, the habit to always work with admin rights at home and the lack of respect for the job of an IT administrator/manager.
Actually, the permission-to-launch dialog does not protect against malicious applications disguised as documents. If you double-click an app it will launch without question. What the dialog box defends against is an automated exploit that involves sending an application and a document to a system and then a request that the document be opened, which would launch the app before this dialog was introduced.
...the idea that it is only the ubiquity of a system (not its design & implementation) that is the greatest determining factor behind the likelihood of exploit.
The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...
Sugar coat it however you want, but using any version of Windows is by far the single largest security risk, period. Partially this is because Windows is the predominant desktop OS, but it is also because *nix is generally secure by design, whereas Windows is user friendly by design.
If you install Windows, you are making a conscious decision to open yourself up to a plethora of attacks that simply aren't possible on any other platform. Maybe the benefits outweigh the risks, but don't pretend that the risk isn't there or that it's some outdated joke.
Try OSX. As of some update about a year ago, OSX stopped having "default permit" for launching applications by double-clicking. If you double-click and that leads to launching an executable that hasn't been run before, it pops up a dialog to ask you about it.
.jpg file expecting it to open in Preview, but another application is launched instead. You'll get a message that reads, "You are opening the application 'mysterious suspicious program' for the first time. Are you sure you want to open this application? ....to see the application in the Finder without opening it, click Show Application."
Actually, this will not stop you from launching an application (that is, an executable) by clicking on the application icon, it only prevents documents from opening applications that you have never run before. Say you double click what you think is a
You can open the application by clicking it directly, and it will run without first presenting you with any warning. If I remember correctly, this was introduced by Apple to prevent users from inadvertently launching new (possibly malicious) applications that had somehow tricked the OS into associating certain file extensions with them. However, it's useless if you open a "document" that is actually an executable in disguise, as these will run without prompting you.
You do realize that you can do essentially everything you are suggesting with SE-Linux without the overhead of maintaining a whitelist. This basically means turning the computer into an appliance.
Now in this case, with SE-Linux, you can even specify what files a given application can load. This can be used to limit scripting languages to known good scripts, or to prevent confidentail information from being sent via email.
The SE-Linux information is stored in the inode, so it is specified by the administrator at file creation time or inherits properties according to policies. This avoids the issues you see with trying to maintain a whitelist of hashes and apps.
The point is that the user cannot be given something like the pointless SSL certificate browser warnings that allow a user to click "I don't care, let me in anyway". Default Deny, not Default No.
And if someone in AR forgets to pay Thawte for your SSL cert and it expires for a critical server (say internal app for credit card processing), users will be locked out. Cute. I am a firm believer in manual override capabilities. That will never happen, you say. All I have to say is domain name registration exiration for Hotmail....
Here is the problem. People think of security in a vacuum. Real security is a piece of a larger availability/security/usability problem. You have to tackle all three at once and ensure that one does not preclude the others within reasonable parameters.
LedgerSMB: Open source Accounting/ERP
Really good points.
I worked in "security research" field for 10 years. I loved it.
Then companies got involved, certifications/courses/books appeared, pentesting became a business...
I moved to another field, for the very reasons MJR explained in his editorial.
Everyone wanted to be "secure", but noone wanted to invest time or brains in order to achieve that goal.
In 4 years of pentesting (and I'm talking about BIG players and companies with bright people, big budgets), I have only ONCE seen a company that actually took SERIOUS measures in order to improve its' security. I'm not talking about adding another layer of firewalls or installing new toys, but actually redesigning their security infrastructure/thinking.
All the others wanted signed paper which says "You are secure now".
I ended up pointing all of them to MJR's Ultimate Firewall
The author may be right that the things he listed are dumb ideas for mission-critical ultra-secure systems. However, he seems to be advocating the five dumbest ideas for usable systems.
.PNG format sent to them by family (where .PNG was not a whitelisted attachment, nor was email from a random gmail account).
The price of Default Deny is loss of flexibility. If it is easy to avoid denial (e.g. automatic addition to a whitelist), it's just Default Permit by another name. If it's really hard, it will keep you from doing everything except that which you already know you want to do--in other words, nothing new, nothing clever, just the same stuff over and over. This would turn computers into the equivalent of a stereo system. They do thsoe narrowly-defined tasks that they were engineered to do, and nothing else.
People are going to occasionally want to do something new. When they do, there are certain things that they almost certainly *don't* want to do. Thus, you enumerate badness to help protect them when they want to use their computer as a flexible general-purpose device.
It's better to have systems that are secure by design. Duh. The point is, though, that even systems that are secure by design are likely to have flaws. If you look for flaws, and fix them, then you have a chance of staying ahead of other people who are looking for flaws to exploit them.
The coolness of hacking has nothing to do with security. Hacking is cool because it demonstrates our ability to manipulate our environment, to do things that are supposed to be impossible through ingenuity. In a factory of mindless corporate drones, hacking is not cool. But if you live in the real world where programs have flaws, there is even a security use for people who enjoy finding ways to use the flaws to accomplish things that the creators didn't intend.
Educating users is ridiculous--his point is that users should't be educated because they should be educated before you hire them. Okay, and how did *they* get educated? What happens if you have to hire real people who are talented but they haven't all gone to this magical security training school? His point *should* have been that there are only some things that can be taught, and that you shouldn't assume you can teach completely counterintuitive behavior. But you might be able to teach someone enough to avoid clicking on strange attachments without deleting photos in
I don't want a secure, useless system. I want a secure, *useful* system. And that means compromises need to be made between security and usability. Reading this article gives very little clue as to how to construct a good balance.
I also stopped using condoms, since I limit my activities to my wife. I'm also free from those sorts of infections because I was fortunate in my choice of a partner. This also has a cost, I'm sure that sex with other partners could be enjoyable. I also know that the 'zipperless f*ck' is more common in fiction that in my world, so I'm willing to stick with my spouse.
I know you are being tongue in cheek, but there is an error in thinking if you cure the symptom rather than the root cause. If you can't trust your partners to be safe, why don't you consider finding safe partners? In this regard, Microsoft is like the town *****. If you can't trust your partners, or if you are unwilling to live with some restrictions, by all means install antivirus software and use a condom.
Think global, act loco
While I agree with some of his other points, I think it's really dangerous to just give up on the idea of educating users. In the long run, no matter how secure you make the rest of your system, the user is always going to be a potential weak point -- they can disable or work around your carefully implemented "perfect security" because they NEED this ability to be able to use the system. On home systems, for example, even if you go with a white list, default deny policy, the user still has to be able to add new programs. Watch them download x fancy new shareware game, give it execute and net access permissions, and totally screw your entire careful security setup.
To make a point using the author's own analogy... while flying on an airplane, it's basically common knowledge that you don't want to walk up to the door and pull the big silver lever. Bad things happen if you do. However, if the plane has crashed and you need to get out, that's exactly the action you want to take. We don't have fire sensors that only enable the handles if the plane cabin exceeds a certain temperature... we rely on user education to make people only use this option at the right time.
Even the author's own solution, of scraping off all email attachments and saving them via url doesn't help. If someone sends out a virus, and it gets saved to a remote server, the user can still copy it to their system and run it. But if the user is educated about the kinds of thing that can happen when they do this, and about the dangers of running software from unknown or even partially untrusted sources...
Slashdot needs a "-1, Wrong" moderation option.
The Urban Hippie
A gret program yes... but (L)users don't want to be bothered to THINK about anything.
They won't read the box that comes up. they'll mindlessly click "Allow" even if the message said "This program would like to kill your wife and rape your dog. Would you like to allow it?"**
Whatever it takes so they can get on teh intarweb!!1
**Just like not reading EULA's. A while back company (don't remember who) made a EULA that actually said you get money if you call them. Several THOUSAND people installed the program before one guy actually called.
No unauthorized use. Trespassers will be shot. Survivors will be shot again.
I don't disagree while the program is in developement, but there comes a time when the code should be bug free. Humans make mistakes, but they also need to correct them. Sloppy code is not acceptable.
Have you hugged your penguin today?
I'm confused by the title. Is this meant to be *dumb* ideas, or a dumb *list* of ideas? "Hacking is cool" and "Educating Users"?
WTF!
And where the hell is "Security by obscurity" on that list?
Do what I say, cuz I said it.
-Meatwad
The idea that security is about technology.
It isn't. Sure, certain engineering and design principles can help security a great deal, but when it comes down to it, security is about the human brain. If you don't run the system intelligently, it doesn't matter how well designed it is, or how well the design is implemented. You will get p0wned.
I'd trust an all Windows 98 network without a firewall, run by someone who knows what they are doing, over an OpenBSD network locked down against everything run by my mom.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
Uneducationable users will always be the main security problem with computer systems.
I find it hard to believe that users still run random attachments to emails.
After 10 years people are still doing it.
You can't just remove all attachments from emails, so what should one do about it?
Software is not here to make up for the stupidity of people, it's here to help them utilises their intelligents. If you're not intelligent enough not to run random attachments to your emails, then you probaly won't find a computer very useful.
- Jesse McNelis
...and that is all I have to say about that.
http://jessta.id.au
You know, I've heard this hogwash from the MS camp many times, so let's just examine it for a minute, shall we?
Usually when someone drags out this tired old argument, they are referring to the number of *desktop* machines. I'll grant that the vast majority of desktops run Windows. Anyone would be a fool to argue otherwise. However, what value do these machines represent to the cracker other than spam & DDOS zombies? Why would anyone want to crack Joe Sixpack's PC to steal one credit card number when there are commercial sites out there with thousands of accounts? I'll tell you why: Because it's too hard for the average script kiddie to do. Consider this:
According to Netcraft, Apache runs aproximately 70% of all web sites. This number has been fairly consistant for several years, so we will assume the number is reasonably accurate. Next, if we look here we see that without exception, ALL of the Apache sites holding the top uptimes are running on some flavor of Unix -- mostly *BSD with a few running Solaris or Linux. IIS obviously only runs on Windows and the table (at least at the time of this writing) has only a single Windows site in the top 50. Personally, I believe that the majority of sites that run Apache also run *nix, but to make the MS crowd happy lets assume the whole web is 50/50 -- half *nix and half Windows. According to Netcraft's September 2005 survey, the web currently has something like 71,723,098 web sites. Using our assumed 50/50 ratio, that means that there are over 35,000,000 *nix machines hooked up to the Internet and serving up web pages. Now, you expect me to believe that 35,000,000 machines isn't a large enough target to attract the virus & worm writers? Especially since a great many of those machines are big, fat jucy businesses targets? I don't think so.
The simple truth, whether or not *you* are too ignorant/cocky/stuborn to admit, is that Windows is targeted not because it's so ubiquitous, but because it's so easy to crack.
YooHoo/2U2
Agreed.
Further, points 1 and 2 are essentially the same things, just reworded.
Point 4 is somewhat mistitled. I do think learning the basics of how exploits work is important to creating sturdier code. Otherwise, you'd just write stuff that's vulnerable to buffer overflow constantly.
Point 5... Where do I begin? The problem is NOT self-correcting. I work for a university, and every year we get students asking us how some bank got their university e-mail address and "Should I respond to them?" For every one that does that, probably 10 actually respond. He also seems to think that there is a technical solution to "attachments and phishing" but never explains the technical solution to phishing. Presumably it is to only allow e-mails from a whitelist, given his default-deny ideas. Well frankly, that isn't going to work for most people.
Point 6 I agree with to an extent. The problem comes when everyone adopts this strategy--no innovation actually gets implemented! Also, technologies that are developed to fill a need often cannot be "waited on" in the manner that he describes. Also, on the patch-level, this may not be workable either. If you have a critical vulnerability, you can't afford to wait until everyone else has tried the patch. You definitely want to test it before deploying it, but that's along a different line of thought.
Overall, some interesting ideas, but as you say, many aren't really security ideas. They're SOP for lots of companies, though.
>> Humans make mistakes, but they also need to correct them. Sloppy code is not acceptable.
Have you ever written code for idiots?
When I'm creating software I have to hide my work in progress from management. By that I mean, show them chunks only. I can never let them see something that looks like an operational product till its' been up and running and tested six ways from Sunday, because if they see a working prototype, they'll try to force me to roll it out as productive immediately. Telling them it's "not done" doesn't work either - I've come it to work and found a demo project distributed as productive. I mean wtf? - Some PHBs just don't get it at all. You tell them its' running against a test database, needs 3 more weeks work and bang, its' out the door. - It's not on fire right now so it must be done, right?
In those circumstances, I don't really give a sh*t if it fails and costs them money, except the blame (and 3 am phone calls) fall to the team that wrote it.
You're %100 right, there is no exuse for buggy code, but there is tonnes of it out there, being used productively that was never really finished. Sometimes it's got less to do with the lazy developers than managers who don't listen.
http://request-header.info
#2: Enumerating goodness.
Guess what. You've just pretty much gone back to the dark ages. Everyone has a set of programs installed on their computer by the priesthood, and that's all they can run. Might do something about viruses. Definitely reduces the utility of the machines.
#3: Hacking worthless
Holding your adversary's skills in contempt is generally not a good idea. Refusing to learn them is just plain stupid. And, of course, hacking (even the black-hat sort the PC prefer to call "cracking) isn't what he says it is. Learn a particular exploit? Any script kiddie can do that. Figuring out how to identify holes and develop exploits, that's another thing entirely, and as useful for a security professional as lock-bypassing is for Medeco.
#6: Sit on your duff and let the other guy take the lumps.
Sure, you CAN do that. But there's reward as well as risk in adopting the new stuff. And consider that if everyone took that strategy, progress would be entirely stifled. His IT exec who waited two years to put in wireless may have saved money -- but he also had two years without wireless, which may have cost him more.
That is really a point worth considering. There are many Dilbert cartoons that use it as a punchline but I never paused to think that that ALL security have a negative productivity aspect (not necessarily net negative, but there is always something negative) to them. Perhaps a standard part of any security procedure should be to list negative aspects because I think people are too idealistic as with "Hey! Lets change passwords everyday!"
Your CPU is not doing anything else, at least do something.
The first point is entirely on the money. At least 10 years too late, but totally accurate.
The second is just too overreaching: would you like a computer which can run 30 programs from a master list and nothing else? There are many cases where "enumerating goodness" is exactly the right thing to do, and - guess what - that's exactly how such cases are done, for example, sudo.
The rest of the article is basically boils down to this: if you don't want your system to be hacked, don't make it hackable. Sure thing. Don't debug your programs, just write them correctly. Don't install airbags into cars, just avoid crashes. Stupid us, doing all the precautions and safety things for years. Just don't make mistakes, see how easy it is?
This guy has a couple good 'no duh' points and several really stupid ones. Let me elaborate:
#1) Default Permit
This I agree with, in the case of firewalls in a corporate environment, where the input/output can be predetermined and controlled. Everything should be blocked except for the handful of things that need to get through.
#2) Enumerating Badness
This idea BLOWS for desktop applications, which is what he advocates. Why is it bad? Because while he only has "30"-or so applications he uses, as most people do, those 30 are different for most users. You can't enumerate all legit software, it can't be done. You can enumerate most of it. But then you get to a list comparable to 70,000 virus signatures you are trying to leave behind. Besides, if I write my own application, my anti-virus software would need an accurate, detailed signature of what the application looks and acts like to be able to identify and allow it... Something I cannot reasonably do. Which is why we have companies creates the signatures, for the (comparably) finite number of viruses and trojans. Default Deny on a desktop, especially personal ones, is a broken, unmaintainable, BAD idea.
Even in a corporate environment, which has more home-grown apps, you would need custom signatures for each internal app to function. Something not practical for an IT department to create. The idea just doesn't hold on a PC.
#3) Penetrate and Patch
His argument: if you had designed it securely, you wouldn't need to pentest it.
Ok, but how do you know your implementation was complete to the design, or that your design didn't have a hole in it? Well, you have to test it... pentest it, that is.
Yes, it is a great idea to securely design your apps, with secure-by-design principles. Afterwards, you STILL need to test it in a live environment to ensure you didn't forget or miss any steps. That is only a logical step. Pentesting even the most secure of networks is critical, to be able to PROVE they are secure. You can't just say 'because I said it was!' and expect that to fly.
#5) Educating Users
He contradicts himself. He says that you shouldn't have to educate users because they should already be educated... Which is a chicken/egg problem he never admits to. You should do both: hire competent, smart people, AND train them in the policies and guidelines of their environment.
The way that you get software onto Linux, the very nature of open source, is a trojan horse disaster waiting to happen.
.. what is all this make install gnu auto configu stuff?
With Linux, installation is endless. How I so wish that I could just get one fricking package from online for KDevelop or any other tool I use and run one installation process.
Instead I have dependency hell.
KDevelop wants a package called Graphviz, something called Arts (the SUSE version isn't good enough), a new kind of source control system. I have to go to fifty different web sites that I find by Googling just to try and figure out what to get?
This is fraught with danger.
If I'm a hacker, I wouldn't even bother trying to find a buffer overrun somewhere, I would just put up a legitimate looking web site claiming I have a binary for something like CVS or RPM or any of the myriad packages that Linux uses, stuff my own code in it, and wait. Some Linux nooby would download it, run the rpm as root, and I'm in.
Source code devotees stay silent. I could probably put a tarball out there with rm -rf / in the middle of a makefile somewhere and no one would notice. Hell, I could just delete one file.
Stupid stuff in RPMs would be useful.
a) the package should specify whether it requires root permissions
b) packages should have a list of certified sites for their dependencies. OR, there should be an https repository for ALL packages.
Until you eliminate people googling for dependent packages to be run as root, Linux is just as unsafe as Windows, if not more unsafe.
This is my sig.
While I admit, designing a system from the ground up to be secure is important, it's really quite hard to expect most software companies to do that. However, I don't feel that the patching game is all that worthless. If a product was totally static, then yes, it would eventually have most of its flaws patched, or so one would expect. However, products are changed, overhauled, and often completely rewritten. This always seems to introduce a lot of new security flaws. If Microsoft simply stopped adding so many 'useful' new features to their software, and concentrated on locking down their software, it would probably be much more secure. However, they are driven to 'innovate', and we end up with features like system restore, which can actually make it so you can't delete some worms... Also, a 'complicated' program does not have to be a 'bloated' program. I remember the good old days when Opera would add functionality and *reduce* the binary size & memory usage.
There is at least one other way to improve security...
e s/dilbert2813960050912.gif
http://www.comics.com/comics/dilbert/archive/imag
Well, for what it's worth, I just did a measurement of my Mac OS desktop which is 24.7 cm wide while my KDE desktop is 40.5 cm.
This was done with the time tested scientific method of sticking a ruler on the screen.
I'll let you interpret the result however you see fit.
May contain traces of nut.
Made from the freshest electrons.
This article lost most of its credibility when I saw that his graph for enumerating badness came from the "department of vague pseudo-scientific statistics". Humorous though it may be, I don't think people should be making up charts to illustrate their "data" when there aren't real numbers to back it up. It's worse than providing 6 significant digits in a measurement for which you only measured two, in my opinion. It makes me doubt that any research or real data went into any of the rest of this article, and suspect that it's just one guy's opinion.
Actually, I think the basic problem is more complex than users execing files unpacked from a tar or zip file. The major reason for so many "accidental" execution of outside software on Windows systems is that many Windows programs execute things without the user being aware that this is happening. The most obvious culprits are mail GUIs, where you "open" an attachment by merely clicking on its icon. There's nothing in the word "open" that implies executing a program, but if the attachment is labelled as executable, that's what happens. So the user may know better than to execute a strange program, but they think they're just opening (i.e., viewing) a document.
;-). Usually such features are controlled by an on/off option setting, but the default is "on", because that's more powerful and convenient for users.
;-)
This problem did pop up in unix software in the early 80's. Several mail readers (usually also editors) got a new "feature" of being able to automatically execute scripts embedded in messages. The user communities' reactions to this were immediate: They understood right off the danger, and insisted very loudly that this misfeature would be fixed right now. Companies found their sales on hold until this serious security breach was fixed. The problem was fixed in weeks, and whenever someone reintroduces such clever features, the same sort of blowup occurs until the vendor understands and repairs the damage.
The Windows user community is a different culture. They have accepted such misfeatures, because they don't understand the problem. Microsoft sees no reason to fix such problems, because few users are objecting (and it's not Microsoft's problem
It really does come down to ignorant vs. knowledgeable users, of course. Unix users tend to know a lot more about their computers than Windows users do. No surprise there; we've always had that divide in the computer field. But I wouldn't call Windows users "stupid". Many of them are quite smart - in some other subject areas. The word is "ignorant", and we're all ignorant in most subject areas. There simply isn't time to become knowledgeable in all subjects.
You don't have a spare college degree you don't need, do you?
Y'know, I've often wondered about that. I've never used my high-school degree or my B.A. (math) from college. Nobody ever asks you about any degree except the highest one. The rest are sitting there unused. So why not sell them to someone who needs one? I'd think that the "market" people, from whom we hear a lot these days, would strongly approve of this.
OTOH, I suppose one could argue that this is "Intellectual Property", and as such, there's a strong move afoot to outlaw resale of all IP items. The recording industry doesn't want you to be able to resell your old recordings. The movie industry is getting the same idea. Microsoft's EULA alread outlaws resale of the software that you bought with your computer, so if you donate your computer to charity, the license for the software doesn't go along with it, and your charity org has to pay for the software again. Similarly, you can't resell old degrees that you're no longer using.
So why shouldn't all of these be resellable on the Open Market?
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Postfix was designed so that failures are compartmentalized. No one ever said it was immune from failure -- just that the damage from an eventual failure would be contained.
The article you cite shows a bug which allowed a LOCAL USER to delete other people's mail. While this is indeed a flaw, the damage is completely contained to the mail system -- it is not remotely exploitable, does not allow privilige escalation, does not compromise root, and is trivially solved by not granting users shell accounts on the mail server.
Compare this bug to the numerous Sendmail bugs which allowed a REMOTE user to gain ROOT priviliges on the box. There is a HUGE difference in severity between a limited local denial of service attack and a remote root exploit.
Congradulations on proving the point you were trying to refute.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
Deny by default. Depends on the situation. For a firewall that is a great idea. For executables it is a dumb idea. I think he has no clue just how many executable programs he uses. It isn't the 8 or 9 he cites. Linux for example has thousands of programs that most people never see - cat, cut, paste, grep, join, link, etc. Get rid of those problems and see if you can even boot. Even for programs that he does run - like an internet browser, not running remote executable code limits his ability to do much. Lots of javascript, java, and so on.
Enumerating baddness? WTH is he talking about? Nobody I knows enumerates baddness except idiots and companies trying to tell you how good they are.
Penetrate and patch: Still a good idea and this fits into his first suggestion - get rid of executables that you don't need. So he is contradicting himself. How do you know if something is running unless you do a penetration test? Pen tests can also show you if your configuration is set up right or if you managed to screw up the configuration file and therefore the program is doing something you didn't intend.
Hacking is cool: He suggests that people not understand how hacks work. This is a dumb suggestion. By looking at how mistakes were made by others you can therefore avoid those mistakes. Most holes were not there intentionally, it was because the programmer didn't think of how the code could be compromised. By learning these techniques, they can be avoided. Indeed again to his previous point.
Educating users: I can't believe he is suggesting that users not be educated. Most people are the equivelent of "Just off of the turnup truck." They don't know to not take the Nigerian scam or many of the other social engineering tricks. Most people are trusting by default. It is like allowing people to walk through a very bad part of town and not telling them about it.
His minor dumbs are what he should have put in the top. I see those far more often. I have to wonder if this is something he had to do for a writing class at school. Looks like it.
SELECT quote.text AS sig FROM quote NATURAL JOIN attribute WHERE attribute.description = 'witty';
0 rows returned
Man is that wording pretensious... but anyways...
I use a little program called "Little Snitch" it is your basic network filter except it is active and dynamic. By this I mean that I don't have to go through huge documentation bibles looking up port number / protocol combinations to create a list of 'goodness'... I just let Little Snitch run, block every port on my machine and when one of my apps needs access to the outside Little Snitch asks me if I want to permit it!!!!!!
LS also asks me what sort of rules I want to apply to the application, ie: give appXYZ access to selected port/ all ports : selected server/ all servers : for just this once/ until the app quits/ forever.
It does the same thinng for incoming access requests.
This means that blocking all my ports by default doesn't impact the utility of my machine at all.
I recommend that anyone should check it out.. it provides all the power of having a dedicated network sysadmin for my local machine without the issues of another person trying to guess what i want to do all the time.
So to summarize, "Enumerating Goodness" is possible and indeed is a viable solution when you have a tool that lets you do it on the fly as you need it, instead of trying to precognitively guess what applications will be needed down the road.
The only case I can think of that could cause trouble is if you were to download a trojan that first altered your network filter to allow it access before doing it's dirty work. This is where a good AV tool that checks incoming connections through trusted ports like 80 and 25 would be required.
A fool throws a stone into a well and a thousand sages can not remove it.