Slashdot Mirror


Community Comments To Security Absurdity Article

An anonymous reader writes, "Earlier this year Noam Eppel's Security Absurdity article generated much debate in the Information Security community (covered on Slashdot at the time). He claimed that we are currently witnessing a 'profound failure' in security. Now the author has posted a follow-up highlighting some of the community comments prompted by the article, titled 'Feedback to Security Absurdity Article — the Good, the Bad and the Ugly.'"

9 of 190 comments

  1. 1,000 Cuts by Kadin2048 · · Score: 4, Interesting

    Well, I would be with you, except that if you believe the numbers in TFA (the original, not in the comments), cybercrime is more profitable than the illegal drug trade. I assume there's probably even more money being spent trying to prevent and defeat cybercrime, and on security. That's a lot of money diverted from legitimate enterprise, and a lot of missed opportunities.

    When people don't trust technology and don't use online banking, then banks don't spend as much on it. Venture capital and other sources of funding start to dry up; the pace of development slows.

    It's not a problem that's probably going to result in a city being vaporized overnight, but that doesn't mean it's not a problem. It's like muggings in a large city: sure, you can wave it off and say that it only happens to tourists, rubes, and the unwary -- why should street-smart people care about it? -- but over time it starts to take its toll everywhere. The economic cost alone starts to act like a tax on everything, and it drives away customers and new business.

    People who understand computers and know what precautions to take to prevent being victimized, cannot just put their heads in the sand about the current situation. Particularly since most people who are capable of understanding the problem, earn their living in some technology-driven field, it's those people who stand to be affected by the 'downstream' effects of cybercrime and a culture of insecurity.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  2. Just another ad for Micro$oft? by JayTech · · Score: 2, Interesting

    Is this just a FUD ad for Microsoft's "Trustworthy Computing" or what?

    Microsoft's work in training developers company-wide in secure coding practices is virtually unparalleled among major software vendors, and has resulted in their Security Development Lifecycle (SDL), a formalized process for incorporating secure coding and security testing into every phase of a product's lifecycle. Their Trustworthy Computing initiative so far looks like a success; one that has transformed Microsoft's and much of the industry's thinking about security in just four years.
    Vista goes a long way in bringing protection mechanisms such as User Access Control, Kernel Patch Protection, Mandatory Driver Signing & Address Space Layout Randomization to mainstream computer users. If there is going to be any improvement of the current cybersecurity situation, it has to start with the operating system. In this regard, if Microsoft delivers on their promise to produce a secure operating system, it will be an important milestone for cybersecurity, and quite possibly a start to a security revolution. Vista also launches Microsoft's entry into the security space with anti-malware products and services such as Windows Defender, OneCare, and Forefront. The insufficiencies of today's anti-malware software have long been known. Microsoft's entry into the security space will force security vendors to innovate or be pushed out of the market. I, for one, applaud Microsoft's recent efforts and results. I predict that Vista will have quite a positive effect on the overall state of computer security and we may see a Vista Ripple Effect throughout the industry.

  3. SP2 Firewall by Kadin2048 · · Score: 5, Interesting

    I'd love to hear a conclusive answer to this as well.

    Also, I wonder what ports SP2 has open in its default, out-of-the-box configuration. Is it totally locked down, with no response to *anything* coming in from the outside? Or does it have a few services still running here and there that could be exploited? Plus, and perhaps this is a stupid question, if you're running a firewall on the local machine as opposed to on a dedicated box, isn't there always a problem of the firewall software having a vulnerability itself? Or the TCP/IP stack? (And why not -- stranger things have happened. Like firmware vulns.) I'm just thinking of everything on the machine that you could possibly overflow/break by sending malformatted packets, for example.

    I suspect in the real world, most of the infections happen when users don't go straight to Windows Update right after taking their computer out of the box, and instead get excited and decide to browse around to their favorite forum or two. Since it's not unknown for vendors to load up PCs with all sorts of software, probably including compromised ActiveX controls, all it takes is a trip to the wrong site to get a rootkit/keylogger installed. From there, it's a one-way trip to reformatsville, at least if you're smart. (Which is a real trick, seeing as how many PCs don't even come with reinstall media, instead just taking a chunk of your hard drive for some shoddy "recovery partition.")

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  4. Re:I'll go out on a limb here... by Anonymous Coward · · Score: 1, Interesting

    I recently made a fresh install of Windows 2000. I connected to the internet (to download security patches) and within forty seconds, no-I-am-not-exaggerating, my computer was compromised and using all its bandwidth to send god-knows-what. The installation saga ended after the third reinstall -- virus and malware scanners being completely ineffective -- on which I installed all the security updates from a CD before connecting. The phrase didn't actually come up at the time ("f*cking ridiculous" did), but looking back the situation seems like profound failure of a fairly high degree. It's odds on whether that or the time I ended up moving the CD reader head manually is my silliest install story, but the latter at least was caused by hardware failure.

    I don't know about dire, but I wouldn't be surprised in the slightest if the sum economic impact of the situation is larger than some countries' GDP.

  5. Re:three solutions by bcrowell · · Score: 2, Interesting

    I wasn't claiming to have found the magic solution to all security problems. I was just claiming to have found three pretty simple solutions to one particular security problem referred to in the article: the situation where your brand-new computer gets owned while you're still in the process of downloading security updates.

    What I object to about the article is that it makes it sound like security is a disaster for everybody. No, actually security is a disaster for everybody who hasn't learned certain skills. Those people happen to be more than 50% of all internet users, but they're still not everybody. The problem is that we're living in a world where a computer user has to be able to do the equivalent of changing the oil in his own car -- some people can, but most people can't.

  6. Re:Seems a little Windows-centric ... by IamTheRealMike · · Score: 5, Interesting

    The underlying problem at the system level (ie, not counting phishing, physical security problems, etc) is WINDOWS, period.

    No. Just no.

    I hate this sort of comparison, because it's bogus. It's a classic apples and oranges situation. You are comparing the security of Apache to IIS, not Linux to Windows. Modern versions of IIS are pretty good from what I hear, and besides it's not very hard to be secure when all you run is a firewall and a web server.

    If you want to do a real comparison you should compare the Linux desktop to the Windows desktop. Your average Linux desktop is a security nightmare. Firstly there's no active security whatsoever, it's all passive. IE there are no virus scanners/anti-malware tools in common deployment. If the passive defences fail you are screwed, you cannot easily distribute signatures etc to clean up the mess. Secondly, the Linux security model is simply the UNIX security model, which was designed in the 70s for a totally different set of threats. Your average desktop is not a mainframe and does not need to protect users from one another - instead it's decayed into some kind of trivial black/white coarse grained security model in which "root" has absolute power and "users" have less power.

    Unfortunately, Linux trains the user to enter their password all the time, given an essentially random set of situations. You have to enter your password to install software, remove software, configure hardware, set the system clock and worst of all to install security updates. The tasks that require root are to the average user totally unconnected. If you are a UNIX geek you can probably figure out why something might need root, but you're in the minority. So users are trained to just enter their password whenever they are asked to, making it trivial to phish it out of them.

    Even if you can't get root - who cares? On a modern Linux desktop you can do anything you need without it. Want to crack bank details? Go right ahead, Firefox runs as user and you can ptrace() it to your heart's content. Want to hook into startup so you always run? KDE and GNOME will be happy to oblige. Want to "hide" yourself without modifying the kernel? No problem either, just inject yourself into the address space of each program as it starts and then hook the syscalls at the libc level. Child's play.

    So to put it simply - you are dead wrong. The underlying problem at the system level is the system, which is basically the same regardless of whether you use Windows, MacOS or Linux. The UNIX/NT security model is incapable of solving the problem of malicious software, period.

  7. Re:Windows and vulnerabilities by Epsillon · · Score: 3, Interesting

    Yes, Mike. Not rocket science *for us*, but we seem to continue making the same mistakes most IT pros make when dealing with technology: That because it's simple for us, it's simple for everyone. It's not. Firewalls aren't understood by everyone. Heck, a lot of post-September users think fairies [1] deliver web pages.

    The reason I suggest a VM is to jail the security update network stack from the main kernel. If you have, for example, a buffer overflow that allows arbitrary code execution in kernel space TCP/IP, you really don't want that running in your main kernel with a public connection; you want it jailed and only when the data is verified and checked against its hash do you want to apply the update image. If the jailed or virtual kernel becomes corrupt, it can be killed without harming the host OS. Detecting the jail doing something nasty should be simple; it should simply talk to one IP and download an image and hash file. If it starts opening other ports, kill it immediately. In fact, simply make the jailed process capable of only talking to the one host on one port. Useless for users and crackers, but just enough to update the OS safely.

    I know it's heretic of me in the extreme to suggest the OS takes away a choice, that of diving into the big electronic blue without care or conscience, but a lot of Windows users (and maybe a few others) need these safety nets, if for no other reason than to keep the rest of us safe and our mail servers from fending off spam floods from botnets.

    Doing this retroactively isn't an option; users of Windows up to and including Vista gold are now SOL for this idea, which is sad, especially given that Vista has a working out-of-the-box IPv6 stack. You think it's bad now? Just wait until every new machine has its own publicly routable IP.

    The idea, or any such protection mechanism, *must* be implemented in the first RTM version of the OS to work effectively, or at the very least a service pack or point release that OEMs will pre-install. That means in the future, but it is imperative now that IT pros start thinking long-term rather than trying to tidy up their mistakes of the past. These problems cannot be solved by dwelling on mistakes made, just mitigated by exploiting obsolescence and helping time heal.

    [1] http://www1.uk.freebsd.org/doc/en_US.ISO8859-1/books/faq/funnies.html with apologies to Paul from the UK mailing list for quoting him out of context.

    --
    Resistance is futile. Reactance buggers it up.
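
An added example, not part of the comment above or of any vendor's updater: the two checks that comment describes for a jailed update client, written as a host-side decision function. The endpoint, the connection-record fields, the sample data and the choice of SHA-256 are all assumptions made for illustration (the comment names no hash algorithm).

```python
import hashlib
import hmac

# Hypothetical single endpoint the jailed updater may talk to (assumption).
ALLOWED_ENDPOINT = ("192.0.2.10", 443)


def jail_violations(connections, allowed=ALLOWED_ENDPOINT):
    """Return every record that is not an outbound connection to the one allowed host and port."""
    return [c for c in connections
            if c["direction"] != "out"
            or (c["remote_ip"], c["remote_port"]) != allowed]


def image_matches_hash(image: bytes, published_hex: str) -> bool:
    """Compare the image's SHA-256 with the published hex digest in constant time."""
    digest = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(digest.encode(), published_hex.strip().lower().encode())


def decide(connections, image, published_hex):
    """'kill' if the jail talked to anything else, 'reject' on a hash mismatch, else 'apply'."""
    if jail_violations(connections):
        return "kill"      # jail misbehaved: discard it and everything it downloaded
    if not image_matches_hash(image, published_hex):
        return "reject"    # corrupt or altered image: never hand it to the host OS
    return "apply"


# Constructed sample data (not taken from any real system).
IMAGE = b"constructed update image"
PUBLISHED = hashlib.sha256(IMAGE).hexdigest()
CLEAN = [{"direction": "out", "remote_ip": "192.0.2.10", "remote_port": 443}]
NOISY = CLEAN + [
    {"direction": "in", "remote_ip": "198.51.100.7", "remote_port": 51000},  # jail accepted a connection
    {"direction": "out", "remote_ip": "203.0.113.9", "remote_port": 25},     # jail reached a second host
]

if __name__ == "__main__":
    print(decide(CLEAN, IMAGE, PUBLISHED))          # well-behaved jail, intact image
    print(decide(NOISY, IMAGE, PUBLISHED))          # unexpected connections
    print(decide(CLEAN, IMAGE + b"x", PUBLISHED))   # tampered image
```

A hash file fetched from the same host as the image only detects corruption in transit; tying the image to its publisher needs a signature checked against a key already present on the host.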
  8. Re:...if Sysadmins and Programmers did their jobs by bluebox_rob · · Score: 2, Interesting

    What if every time I got on the subway it was my job to check to see if the wheels were about to fall off?

    Well if you're driving a car (which is probably a better analogy) then it is your job. There are certainly measures that can be taken by programmers and network admins to make things better, but the freedom to go anywhere on the web will always come with the price of some degree of responsibility, both for your own well-being and that of other users (again with the car-driving analogy). Surely using a computer to browse the web is too complex an activity to be made completely idiot-proof, without removing a significant amount of the freedom that makes it so worthwhile.

  9. Re:Wrong approach by patniemeyer · · Score: 4, Interesting

    First, most of the desktop (and non-desktop) development going on in the world is stuff that you do not see. It's going on inside businesses for their own use. And as a rule it's overwhelmingly Java and now .NET.

    Second - What makes you think that you can optimize anything better than a compiler, much less one that profiles your application *as it runs* and makes adjustments on the fly? This has been proven over and over again - Java's garbage collection is in most cases *faster* than hand coded garbage collection. How is that possible? Because Java has more *information* about what is going on at runtime than you do at compile time. It can put very very short lived objects on a special part of the heap, it can do all kinds of things that you cannot do statically.

    There are many reasons that Java and now .NET haven't yet taken over the traditional desktop app share yet. But they are not about raw performance and haven't been for many years.

    Pat Niemeyer
    Author of Learning Java, O'Reilly & Associates