Community Comments To Security Absurdity Article
An anonymous reader writes, "Earlier this year Noam Eppel's Security Absurdity article generated much debate in the Information Security community (covered on Slashdot at the time). He claimed that we are currently witnessing a 'profound failure' in security. Now the author has posted a follow-up highlighting some of the community comments prompted by the article, titled 'Feedback to Security Absurdity Article — the Good, the Bad and the Ugly.'"
people would use common sense.
Yikes - I just saw some talking head on TV tonight referring to Iraq's security absurdity as "the Good, the Bad, and the Ugly", referring to a partition into Kurdistan, Sunnistan and Shiastan.
Not Kidding. Weird.
The 21st Century is wild at heart and weird on top.
--
make install -not war
Windows Vista will solve every security problem imaginable, flawlessly. Eliminating the need for IT security professionals and their absurdities, entirely.
The article doesn't have much to say outside of the world of Microsoft Windows. MS-Windows security (or lack of it) is certainly a huge issue in IT security, but it is not the only OS in the world. The number of areas where Windows is 'the only game in town' is rapidly shrinking. Switching to other platforms to the degree possible is certainly one way to cut down on virus/spyware woes and insulate yourself from the vast majority of 'in the wild' exploits.
A system that is perfectly secure, and has no vulnerabilities is not necessarily a good thing for freedom, liberty and man.
For example, the Soviet government and the East German government both tried to achieve perfect security. Had they succeeded it would have been a disaster. Had their Nazi documents been impossible to forge, how many of the persecuted would have been unable to flee?
How secure is it when all "security" means is that a select group of people can do you harm if they suddenly so determine or need to "sacrifice" you?
A system of perfect "security" is less resilient to a tyrannical regime change.
Yeah, when there's background noise of people able to work around a system.
Honestly, that's it's truly secure.
Anyways, hope what I am saying never makes sense.
Wait I AM naked! GD VPN!!!
||| I still can't believe Parkay's not butter.
Try to guess which one is a Slashdot headline:
"Alteration Frequents From Space-Age Poetry Bannister"
"From Tabletop Mannered Asterisk Will Age Understood"
"Community Comments To Security Absurdity Article"
"Likely Georgetown Under Wisely Instantiation If"
Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.
Windows Vista will solve every security problem imaginable, flawlessly. Eliminating the need for IT security professionals and their absurdities, entirely.
Then it is true: Windows Vista is Bill Gates' secret doomsday weapon, the final piece of his twisted plot for total domination, which will destroy humanity and bring about the rise of the machines in our place!
I always knew that paperclip looked shifty.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
We're taking the wrong approach to security. You can fight the symptoms like we have been doing and this will cost a LOT and never really make the system secure. Or you can fight a cause and however much it costs you that problem is solved for good.
Virus scanners, network behavior analyzers, "app armor", stack canaries, random load addresses, nothing. 'Search and destroy' the spybots? Please. The biggest problem is C and all the other non-typesafe languages. Safe languages simply trade a certain amount of performance for the impossibility of buffer overflows, underflows, stack 'smashing', heap corruption, double-frees, pointer arithmetic errors, and all of the other low-level attacks. Everything at that level is toast in Java or in "managed" C# for instance.
This entire class of low-level flaws can be solved completely. Then it's just the higher-level problems like impersonating web pages, xss, some trojans, that kind of thing. Still a problem, yeah, but without the entire class of automatic propagation it is so much less of one.
I assume the operating system was Windows? Solutions:
Find free books.
I'm not sure we are experiencing a "profound failure" of security. "Profound" is a pretty extreme description. To me it implies a whole lot more problems than we really see. Hacking multiple power utilities to fail an entire country's grid might apply. What we really see is the failure of a fair number of ignorant individual users to secure their systems and some odds and ends type of security breaches of business and government entities. It's not like the major stock markets of multiple countries are being brought down or nukes have been launched. That could always potentially happen but what kind of really dire (profound) consequences have been seen?
I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
You can fight the symptoms like we have been doing and this will cost a LOT and never really make the system secure.
Where I come from, they call this "securing your revenue stream."
Seems like the security companies are doing A-OK there; they've got more business than they can shake a stick at, and it's not going anywhere soon. They have a vested interest in not 'solving' the problem, even if they knew how to do it.
Like all arms races, if you're in the arms business, you can laugh all the way to the bank. (Until someone decides to rob you, that is.)
Well, I would be with you, except that if you believe the numbers in TFA (the original, not in the comments), cybercrime is more profitable than the illegal drug trade. I assume there's probably even more money being spent trying to prevent and defeat cybercrime, and on security. That's a lot of money diverted from legitimate enterprise, and a lot of missed opportunities.
When people don't trust technology and don't use online banking, then banks don't spend as much on it. Venture capital and other sources of funding start to dry up; the pace of development slows.
It's not a problem that's probably going to result in a city being vaporized overnight, but that doesn't mean it's not a problem. It's like muggings in a large city: sure, you can wave it off and say that it only happens to tourists, rubes, and the unwary -- why should street-smart people care about it? -- but over time it starts to take its toll everywhere. The economic cost alone starts to act like a tax on everything, and it drives away customers and new business.
People who understand computers and know what precautions to take to prevent being victimized cannot just put their heads in the sand about the current situation. Particularly since most people who are capable of understanding the problem earn their living in some technology-driven field, it's those people who stand to be affected by the 'downstream' effects of cybercrime and a culture of insecurity.
they've got more business than they can shake a stick at, and it's not going anywhere soon. They have a vested interest in not 'solving' the problem, even if they knew how to do it.
Wow. That simple statement also sums up the War on Drugs.
disclaimer: USED to work in Law Enforcement as part of said "war"...
Computational Chemistry products and services.
Is this just a FUD ad for Microsoft's " Trustworthy Computing" or what?
Microsoft's work in training developers company-wide in secure coding practices is virtually unparalleled among major software vendors, and has resulted in their Security Development Lifecycle (SDL), a formalized process for incorporating secure coding and security testing into every phase of a product's lifecycle. Their Trustworthy Computing initiative so far looks like a success; one that has transformed Microsoft's and much of the industry's thinking about security in just four years.
Vista goes a long way in bringing protection mechanisms such as User Access Control, Kernel Patch Protection, Mandatory Driver Signing & Address Space Layout Randomization to mainstream computer users. If there is going to be any improvement of the current cybersecurity situation, it has to start with the operating system. In this regard, if Microsoft delivers on their promise to produce a secure operating system, it will be an important milestone for cybersecurity, and quite possibly a start to a security revolution. Vista also launches Microsoft's entry into the security space with anti-malware products and services such as Windows Defender, OneCare, and Forefront. The insufficiencies of today's anti-malware software have long been known. Microsoft's entry into the security space will force security vendors to innovate or be pushed out of the market. I, for one, applaud Microsoft's recent efforts and results. I predict that Vista will have quite a positive effect on the overall state of computer security and we may see a Vista Ripple Effect throughout the industry.
I'd love to hear a conclusive answer to this as well.
Also, I wonder what ports SP2 has open in its default, out-of-the-box configuration. Is it totally locked down, with no response to *anything* coming in from the outside? Or does it have a few services still running here and there that could be exploited? Plus, and perhaps this is a stupid question, if you're running a firewall on the local machine as opposed to on a dedicated box, isn't there always a problem of the firewall software having a vulnerability itself? Or the TCP/IP stack? (And why not -- stranger things have happened. Like firmware vulns.) I'm just thinking of everything on the machine that you could possibly overflow/break by sending malformatted packets, for example.
I suspect in the real world, most of the infections happen when users don't go straight to Windows Update right after taking their computer out of the box, and instead get excited and decide to browse around to their favorite forum or two. Since it's not unknown for vendors to load up PCs with all sorts of software, probably including compromised ActiveX controls, all it takes is a trip to the wrong site to get a rootkit/keylogger installed. From there, it's a one-way trip to reformatsville, at least if you're smart. (Which is a real trick, seeing as how many PCs don't even come with reinstall media, instead just taking a chunk of your hard drive for some shoddy "recovery partition.")
For most people, I would think that computer security just isn't that prominent. A friend of mine works in network security, and if I talk to him, of course it sounds like computer security is a huge problem. But that's his job - what he looks at day in and day out. Talk to a plumber, you'll probably hear about how much damage is caused by clogged drains.
Maybe we've been lucky, or maybe we just don't know that spyware is installed - but out of a few dozen Windows machines (hidden behind a firewall) and a couple of linux boxes, all haphazardly maintained, we have very few malware/virus problems. I think I've seen 2 since 2000 (one, a web browser exploit that displayed ads all the time; another, a worm that exploited SMB on Windows). Annoying, but not all doom and gloom.
Now, security does seem to be poorly done. But firewalls/NAT devices seem to take care of most of it for now - at least until IPv6 rolls out and everyone's directly exposed on the network.
The figure in the article - that the take from computer crimes is now more than that from illegal drugs - is shocking. But, it seems like it is mostly a problem for banks...not something that is very obvious to us end users.
lunes, martes, miércoles, jueves, viernes, sábado, domingo
Gonna have to dig deeper.
This issue is a bit more complicated than you think.
* Don't click on links in email messages. Type the URL in your browser manually.
Too much work. I bought this computer to make my life easier.
* Disable the preview pane in all your inboxes.
How do I do that? I'm not smart like you when it comes to computers.
* Read all email in plain text.
I wouldn't get to see the pictures my friends send me if I did that.
* Don't open email attachments.
What? And miss out on the latest web games my friends are playing?
* Don't use Java, JavaScript, and ActiveX.
No problem. I don't even know what those are. I'm not smart enough to learn all that fancy software.
* Don't check your email with Microsoft Outlook or Outlook Express.
But Outlook is what my computer came with. I can't afford a new computer this month.
* Don't display your email address on your web site.
Unacceptable. My customers need to be able to contact me.
* Don't follow links in web pages, email messages, or newsgroups without knowing what they link to.
How do I know what it links to before I click?
* Don't let the computer save your passwords.
Sorry, I don't have a photographic memory like you techno-geniuses. And don't tell me to write it down either, I'll just lose the piece of paper.
* Don't trust the "From" line in email messages.
Then how do I know who sent me the mail?
* Never Use Internet Explorer and instead Switch to Firefox.
I've used Internet Explorer for years. I have a busy life, I don't have time to learn Firefox or else I would.
* Never run a program unless you know it to be authored by a person or company that you trust.
How do I know who wrote the software, it just shows up on my computer?
* Read the User Agreement thoroughly on all software you download to ensure it is not spyware.
Yeah right. Those are longer than the internal revenue code, even my computer nerd brother doesn't read those.
* Don't count on your email system to block all worms and viruses.
Then what do I count on? And why can't a big company like Microsoft figure out how to block viruses?
* Get a Mac
At home? I can barely keep up with gas prices let alone get a new computer. At work? The company makes us use Windows, we don't have a choice.
Hear recorded Slashdot headlines on your phone! New service beta testing. Just call (248) 434-5508
It's amazing that he can do such a great job of documenting failure but then recommend vaporware from a disreputable company over proven and easy to use solutions.
Bull! Free software and Mac both offer easy fixes that are available today. My life is much easier because of the way free software deals with the problems he mentions. Kmail displays all of my mail in plain text but an html rendering is only a button click away. There's not much I can do about all of the spam my neighbors send me, but I know I'm not sending it and what little gets through my ISP and then my own filters is not going to make a bot out of my machine. Oh yeah, whitelist filters in my mail client make sure that mail I care about gets put where it belongs. I'm not going to delete a letter from my mom while cleaning out the inbox because my client puts the mail in a folder labeled "mom" leaving the spam behind. For those that complain that installing and using free software is too hard because there's not enough vendor support (thanks to M$!), I recommend a Mac. Apple has brought a lot of the technical achievements from the free software world to the public. It's a shame they don't also give them their freedom, and that does reduce Apple's ability to keep ahead of the bad guys, but the platform is usable and safe for "normal" use by non experts. At less than $600, the mini is also affordable. That and/or the big $0.24 it costs to burn a Mepis CD are all it takes to escape the Windoze disaster.
Why is it that he overlooks these two excellent options and praises an OS that's still as buggy as all hell from a company with a history of empty security promises amped by billions in advertisement spending?
Friends don't help friends install M$ junk.
I know what you're thinking, mods. But it isn't just another "don't use Windows" post. TFA seems to concentrate on the dominant OS, so I will do the same.
I remember talking someone through setting up Tiscali broadband a few years ago using a Speedtouch and the Tiscali CD. His brand new, shiny Windows XP machine became infected over the connection in under 4 minutes. It's a classic catch-22 situation: You can't update your OS without a connection and you can't go online safely until you've updated your OS.
How about this: Virtualisation is a reality on most machines nowadays. Why doesn't MS use this technology to set up a simple one-time VM to connect and download from a single SSL connection, the public key of which is compiled into the VM, ignoring all other traffic with the single focus of fetching the patches for the worst vulnerabilities, those which have remote exploits? If this were mandatory before enabling the general TCP/IP stack for WAN connections, Joe Sixpack wouldn't be participating in quite so many botnets. Hello! New connection not in my private address checklist. Disable TCP/IP and get the updates before releasing the user to the big, bad Internet. Please wait whilst I sort my ragged arse out and stop you from becoming another statistic...
Or have I simply made the problem too simplistic in my own mind? It seems to me that a single connection from a single port over SSL with no intermediate DNS or man-in-the-middle stages makes sense, even more so if part of the download is the MD5 hash of the update image and the VM rejects any image not matching that.
Bear in mind that the above idea works only for machines using a direct non-RFC1918 or draft-manning address for Internet connections. Those using routers should already be protected from the worst culprits, attack vectors which utilise services running by default, as these usually cannot traverse NAPT, but the feature should include the option to enable manual initialisation over such connections.
Too simple?
Resistance is futile. Reactance buggers it up.
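The bootstrap the poster sketches above, as an added example that is neither the poster's code nor anything Microsoft ships: a Python verifier for the single-purpose update VM. It assumes a JSON manifest (constructed here) listing patch ids, whether each closes a remotely exploitable hole, and an image digest; the post's MD5 is replaced by SHA-256 because MD5 is no longer collision resistant, and the TLS context trusts only the CA certificate compiled into the VM (the path is a placeholder).

```python
"""Update-bootstrap verifier for the single-purpose patch VM described above.

Assumptions (not from the post): the VM fetches a JSON manifest over a TLS
connection that trusts only a CA certificate compiled into the VM image, then
downloads each listed image and checks it against the manifest. MD5 from the
post is replaced by SHA-256, since MD5 is no longer collision resistant.
"""
import hashlib
import hmac
import json
import ssl


def pinned_context(ca_pem_path: str) -> ssl.SSLContext:
    """TLS context that trusts only the compiled-in CA and checks the hostname.

    Trusting a single CA (rather than the system store) is what makes the
    channel 'pinned': a certificate chained to any other CA is rejected.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=ca_pem_path)  # placeholder path
    return ctx


def parse_manifest(raw: bytes) -> list:
    """Parse the manifest and keep only well-formed entries.

    Each entry must name an image, carry a 64-hex-char SHA-256 digest and
    say whether the patch closes a remotely exploitable hole.
    """
    entries = []
    for entry in json.loads(raw.decode("utf-8")):
        digest = str(entry.get("sha256", "")).lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            continue  # malformed digest: never accept an image on its basis
        entries.append({
            "id": str(entry["id"]),
            "sha256": digest,
            "remote": bool(entry.get("remote", False)),
        })
    return entries


def select_updates(manifest: list, installed: set) -> list:
    """Return only patches for remote vulnerabilities not yet installed."""
    return [e for e in manifest if e["remote"] and e["id"] not in installed]


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Reject any image whose digest does not match the manifest entry.

    compare_digest avoids timing differences between near and far misses.
    """
    actual = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


# --- Constructed sample data (not real Microsoft patches) -------------------
IMAGE_GOOD = b"constructed patch image for KB-EXAMPLE-1"
IMAGE_TAMPERED = IMAGE_GOOD + b"\x00"

SAMPLE_MANIFEST = json.dumps([
    {"id": "KB-EXAMPLE-1", "remote": True,
     "sha256": hashlib.sha256(IMAGE_GOOD).hexdigest()},
    {"id": "KB-EXAMPLE-2", "remote": False,
     "sha256": hashlib.sha256(b"local-only patch").hexdigest()},
    {"id": "KB-EXAMPLE-3", "remote": True, "sha256": "not-a-digest"},
]).encode()


def bootstrap(manifest_raw: bytes, downloads: dict, installed: set) -> dict:
    """Run the whole check: returns the ids accepted and the ids rejected."""
    manifest = parse_manifest(manifest_raw)
    accepted, rejected = [], []
    for entry in select_updates(manifest, installed):
        image = downloads.get(entry["id"], b"")  # missing download -> reject
        if verify_image(image, entry["sha256"]):
            accepted.append(entry["id"])
        else:
            rejected.append(entry["id"])
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    print(bootstrap(SAMPLE_MANIFEST, {"KB-EXAMPLE-1": IMAGE_GOOD}, set()))
    print(bootstrap(SAMPLE_MANIFEST, {"KB-EXAMPLE-1": IMAGE_TAMPERED}, set()))
```

Only `bootstrap` and its helpers run offline; `pinned_context` needs the real CA file the VM would carry.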
Auto-magically? And here I was looking for a fortified "barrier" spell to cast. Thank god I don't have to pretend to read and speak Latin, wave a pen in the air, and draw pentagrams on my boxes. Phew.. Dodged some bullets. Thanks. Thanks a lot.
... but I was under the impression that most "brand new expensive computers" would be running Windows XP with SP2 pre-installed, and that comes with a firewall which, while not exactly a suit of platemail, will certainly suffice to make sure that any security vulnerability exploited on your own machine came in from a connection you authorized.
Somebody tell the security writer what "trojan" means, by the way. I mean, I might have abandoned my history major halfway through, but I don't remember the moral of the story being "Beware when large wooden horses are outside your wall, because that means when you go on a coffee break the large wooden horse will teleport inside your wall, and then disgorge Greeks".
Help poke pirates in the eyepatch, arr.
There is a thing called email which is far more useful and has been around longer - you also can use mbox files readable even by a text editor instead of some weird database that requires shareware to fix when it gets corrupted. If Microsoft provided tools to support their own products properly I would recommend it - but no, conventional email servers available from a lot of different sources are superior in almost every way. Even the horrible sendmail configuration file is superior to weird registry hacks to change the behavior of exchange.
Disclaimer - I've only looked after 3 MS Exchange servers and one bare metal rebuild from backup to recover old mail (nightmare that would never be required with a sane mailbox format - the whole thing is just too fragile and finicky and required an install with the same service packs, identical company info strings in the install, same registry hacks etc). Open relay by default with one patch too apparently - or perhaps that just has to be fiction because they could not be that stupid could they?
From http://www.ibiblio.org/pub/linux/docs/HOWTO/Advocacy
Failure? It hasn't even been released yet. And how can you call it vaporware? Have you used the betas or RCs??
Kmail displays all of my mail in plain text but an html rendering is only a button click away. [...] Oh yeah, whitelist filters [...] client puts the mail in a folder labeled "mom" leaving the spam behind.
ROFL, WTF?? Wow, none of the Windows-based email clients do that! That's amazing!!
Why is it that he overlooks these two excellent options
What, buy a Mac Mini or... install Mepis? Are you joking?
M$ [...] escape the Windoze disaster [...] still as buggy as all hell
Man, is this the new breed of "intelligent advocacy" coming out of the FSF? That's so sad.
Using Firefox, Thunderbird plus some antivirus program (like Kaspersky) will save your ass. Of course I do not use my online banking accounts with Windows.
And the average Windows user does not know anything other than IE, Outlook, Office etc.
This is the main problem, they do not know how to protect themselves...
[My English is better than most other people's Turkish, so please point out mistakes politely. Thank you.]
Yes, this is clearly over the line. I mean, had it at least been child pornography, that would have been acceptable, but noo, they had to go all the way.
FTA: "Often critical patches released by Microsoft which are intended to protect their customers, instead causes system hangs and crashes."
And one example is provided, about an HP shell program that didn't work after a patch. Count me confused why this is described as, "often...". Credibility is lost for the entire angst-ridden piece. God! where is Phil Donahue in all this? Messing with the text size doesn't score well, either.
Vista will employ a new paradigm of security based on this article; it will be known as Security Through Absurdity.
OK, that's enough. When you start telling people that they shouldn't use hyperlinks or preview panes, then we're talking about moving backward.
I'm not sure I agree with this notion of putting all the security onus on the end user at all. What if every time I got on the subway it was my job to check to see if the wheels were about to fall off? Or if every time I sent a letter through the regular mail it was up to me to make sure the envelope was unopenable by anyone but my intended recipient?
When you start having the list of "common-sense" security measures taking up more than a paragraph, that means there's something wrong somewhere up the food chain from the end user.
I know it can be done. I work at a small University and I haven't seen a single spam in my inbox in the last year. I get a list every so often of what the spam filter caught and it's amazingly accurate. And this from a system that's run by the usual half-bright academic computer services staff member.
And what about an operating system that's basically a leaky boat? Before it wastes another minute on giving me transparent windows, Microsoft needs to make Windows impenetrable to spyware without the help of half a dozen spyware catchers, firewalls and adware monitors. If an operating system can't provide basic security, then what good is it anyway?
A huge percentage of the traffic in the internet's tubes goes through a limited number of systems and providers. They might start doing their part too.
And before you lazy bastards who are making a living at "internet security" tell me "you don't know anything about internet security"... You are goddamn right I don't know anything about internet security, and I have no interest in learning. In fact, I own a house and I don't know anything about motion detectors or satellite surveillance (well, actually, I do, but I shouldn't NEED to) to be able to secure my house. I lock the front door and feed my mastiff and that takes care of it.
I am getting impatient with the ever-lengthening list of security measures regular end-users are supposed to take to use the internet. And I'm way past impatient with security measures that involve giving up utility, such as "don't click on hyperlinks, type in your URLs".
Now you there, with the bad skin and "/." t-shirt. Get to work and figure this security thing out and leave me alone with your "common sense".
You are welcome on my lawn.
This isn't any surprise that Windows sucks.
What I'm more concerned about is, "How much of this problem extends to Mac/Linux?"
Phishing obviously does and can be avoided with sufficient electrical shock treatment.
But what about the bots and such? I have a lot of hardware sitting online 24x7.
Let's say the article is right.
Does it matter?
So far as I know, neither I, nor any member of my family, nor anyone I know, has actually been seriously hurt by malware, except for a few minutes removing viagra ads, and for me, spambayes does most of that pretty well.
As we know, the whole id theft thing is a media exaggeration, like missing children: most of the id theft is from family or friends, and most of the missing children are out for a walk with their parents.
"Let's say the article is right. Does it matter?"
It does in that people will be wary of doing online commerce and that will hit the bottom line.
"so far as i know, neither I, nor any member of my family, nor anyone i know, has actually been seriously hurt by malware"
You must be the only one on the planet then.
"as we know, the whole id theft thing is a media exaggeration"
"An Emmy-winning film producer whose life was disrupted after hackers stole her Social Security number"
davecb5620@gmail.com
Security Professionals are in the best position to create change and that is why we are responsible for this situation. If we lack certain laws then it is Security Professionals that can help politicians understand this and advocate for better laws. If software vendors are producing insecure products then it is Security Professionals that can assist (or pressure) them to improve their coding practices. If Universities lack security courses then it is Security Professionals that can raise awareness and promote security education at Universities.
Security Professionals, as a class, are not really interested in creating change that would be prejudicial to their bottom line. Period.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
The article doesn't have much to say outside of the world of Microsoft Windows.
Actually, he dismisses ALL things outside Microsoft and hypes Vista. "Get a Mac" is placed in his list of absurd recommendations along with manually typing links into your browser. Free software is only implied as a passing part of his core thesis that "security" is so bad that you have to be a computer expert to do normal things with your computer. Putting that onto Mac use shows how absurd the omissions are. Paradoxically after showing just how bad M$ has made the world for us, he praises Vista as a potential savior of the masses.
That kind of advice is terrible and leads to more of the same. A diversity of strong and easy to use platforms is the ONLY solution to the problem. People can and should migrate to other platforms which are secure now and for the foreseeable future. If they don't migrate, M$ will continue to run the vast majority of the world's computers, something that's already a disaster. If they don't migrate the other platforms will never be as easy and cheap as they should be and M$ will adjust their incompetence to match - they will never do more than they have to. In short, he's ignored viable options to hype one that's sure to fail. I'd call that an advertisement.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
The biggest problem is C and all the other non-typesafe languages. Safe languages simply trade a certain amount of performance for the impossibility of buffer overflows, underflows, stack 'smashing', heap corruption, double-free's, pointer arithmetic errors, and all of the other low-level attacks. Everything at that level is toast in Java or in "managed" C# for instance.
Is it true that OpenBSD was written in C# and that's why it's so secure? I had no idea they had ported C# outside M$OS and i386 but there it is on sixteen different hardware platforms. Here I was thinking that Steve Ballmer would have trouble naming more than two hardware platforms and would get them wrong, "Intel and AMD" - bzzzt, "Thanks for playing Steve!" C is so terrible to work with, it must be the root of all computer evil that does not exist outside the Windoze world.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Viruses and worms are now more commonly used for commercial gain than mere bragging rights. It's much easier to target the large, clueless Windows population (especially since so many are still running Windows 9x) than it is to target the much smaller Linux and Mac populations.
(NOTE: I did not say all Windows users are clueless. I merely said that there is a large population of Windows users who ARE clueless.)
I am completing my degree program in network security, and this weekend we held our "wargames" to attack and exploit each team's network. The end result was a total and complete farce. Each team demonstrated a fundamental lack of understanding of networking and security, which isn't surprising because they're the kind of people that think daddy put a deposit down on their degree that they get to collect at the end of four years. Nobody learned a damn thing and even when we tried to spell out what went wrong they wouldn't listen or couldn't understand.
Your average retarded security-ignorant end user in a company should at least be protected from himself to some degree by a trained IT security professional. The article mentions apathy of "professionals" when it comes to protecting their networks, but what about full blown ignorance? 75% of my graduating class couldn't outwit a used tea bag, but their social connections and rich parents will see to it they get a job where the 25% of the class that knows what they are doing (and has to work their ass off to stay in school) will be struggling at the end.
Home users are even worse. I have the privilege of working in tech support to pay my way through school and I deal every day with the fucktards who think their computer is a magic box that brings porn and games. I get asked security questions all day but I have to lie because a) the truth will take too long to explain to someone that doesn't know how to find the radio switch on his laptop and b) the truth will get me fired.
You want security? It's your responsibility.
Good lord, "Micro$oft" - that's hilarious. Pure genius. You realize it automatically invalidates whatever it was you were trying to say, correct?