Slashdot Mirror

← Back to Stories (view on slashdot.org)

Community Comments To Security Absurdity Article

Posted by kdawson on from the boiling-frogs dept.

An anonymous reader writes, "Earlier this year Noam Eppel's Security Absurdity article generated much debate in the Information Security community (covered on Slashdot at the time). He claimed that we are currently witnessing a 'profound failure' in security. Now the author has posted a follow-up highlighting some of the community comments prompted by the article, titled 'Feedback to Security Absurdity Article — the Good, the Bad and the Ugly.'"

7 of 190 comments (clear)

  1. Don't worry! by stoneycoder · · Score: 5, Funny

    Windows Vista will solve every security problem imaginable, flawlessly. Eliminating the need for IT security professionals and their absurdities, entirely.

  2. Randomly Generated Title? by skywire · · Score: 5, Funny

    Try to guess which one is a Slashdot headline:

    "Alteration Frequents From Space-Age Poetry Bannister"
    "From Tabletop Mannered Asterisk Will Age Understood"
    "Community Comments To Security Absurdity Article"
    "Likely Georgetown Under Wisely Instantiation If"

    --
    Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety.
  3. Re:We wouldn't be having this problem if... by chrisv · · Score: 5, Insightful

    Even of the items that I know about - which is most of them - that doesn't mean that I follow them. As far as them being common "geek" sense, they might be, but:

    • "Don't click on links in email messages. Type the URL in your browser manually." - bit overkill. Check to see where they're going first. And your mail client shouldn't have any active content enabled for viewing mail in the first place, so a JavaScript onmouseover/onmouseout/onclick handler attached to a link would have no effect anyway. If you're following the other suggestions on the list, this doesn't matter anyway, since your email is plain text and any links that appear in the body of the mail message are a result of the mail client automatically highlighting what looks like a link.
    • "Disable the preview pane in all your inboxes." - That's what you disable any sort of active content for in the first place - it should be the default in any reasonable mail client to not have any sort of active content running in your mail client.
    • "Read all email in plain text." - and this one as well.
    • "Don't open email attachments." - this falls into the category of something most people probably don't know about, but that's because they tend to trust their email. As far as it goes, though, don't open unexpected attachments seems more correct than not opening any attachments.
    • "Don't use Java, JavaScript, and ActiveX." - It's not Java and JavaScript that you need to worry about so much, it's ActiveX. And since the only browser that will run ActiveX is MSIE, that's already been taken care of by one of the other suggestions farther down this list.
    • "Don't check your email with Microsoft Outlook or Outlook Express." - which is perfectly acceptable in a personal context. Too many businesses, however, mandate Outlook and Exchange. Get businesses off of Exchange once a viable competitor becomes available and then getting them off of Outlook becomes easier.
    • "Don't display your email address on your web site." - or on any website, if you can get away with it.
    • "Don't follow links in web pages, email messages, or newsgroup without knowing what they link to." - That's the first point on this list, really.
    • "Don't let the computer save your passwords." - I'll agree with this one, but for places that I don't care about the password that I use, it still gets saved here on the computer, simply because I'll never remember the account name / password the next time I need to use it if I don't.
    • "Don't trust the "From" line in email messages." - perfectly reasonable.
    • "Never Use Internet Explorer and instead Switch to Firefox." - Don't I wish life were that easy? Reasonable idea, but talk 80% of the users of the internet into it... until then, it's not going away.
    • "Never run a program unless you know it to be authored by a person or company that you trust." - perfectly reasonable.
    • "Read the User Agreement thoroughly on all software you download to ensure it is not spyware." - this gets you approximately nowhere, since pretty much every EULA includes clauses that basically allow the distributor / author of the software to do whatever they want to your computer without any liability on their part.
    • "Don't count on your email system to block all worms and viruses." - this is one of those things that should be obvious to anyone who has been online for more than an hour.
    • "Get a Mac" - as much as I like this idea, that sounds like an idea that would just change the targets of viruses and worms from Windows-based platforms to Mac-based platforms. They might be more secure - but how frequently is a Mac targeted in preference to a Windows system?

    So really, most, if not all, of that list isn't a "never do that", but a "use common sense before you do that", and that's most of what it amounts to in the first place. Security would be better if it wasn't for the hideous defaults that we put up with - which in an ideal environment without worms and viruses and such would make for better usability, but since most people don't use their computers in a hermetically sealed room with no connection to the outside world whatsoever...

    --

    Dogma: Dead (mostly because your Karma ran it over)

  4. Re:Seems a little Windows-centric ... by dsci · · Score: 5, Insightful

    Yeah. When Apache running on Linux ever breaks through and becomes a highly visible target, LOOK OUT.

    Oh wait. That's right. Linux machines ARE visible targets, yet are not pwned in proportion to their use. "Ah," you cry, "but those are servers, not desktops." True. They are servers with purposefully exposed ports and running outside of firewalls; heck, many a Linux Box (PC or embedded) *IS* the firewall for Windows machines. They COULD in principle be compromised and used in botnets like any other computer out there.

    The "bigger target, more problems" arguement is flawed. The underlying problem at the system level (ie, not coutnting phishing, physical security problems, etc) is WINDOWS, period. You can argue about whether it is simply the default security model or braindead design all you want, but until that basic reality is accepted, this point of Windows market share is a deflection from the issue.

    --
    Computational Chemistry products and services.
  5. SP2 Firewall by Kadin2048 · · Score: 5, Interesting

    I'd love to hear a conclusive answer to this as well.

    Also, I wonder what ports SP2 has open in its default, out-of-the-box configuration. Is it totally locked down, with no response to *anything* coming in from the outside? Or does it have a few services still running here and there that could be exploited? Plus, and perhaps this is a stupid question, if you're running a firewall on the local machine as opposed to on a dedicated box, isn't there always a problem of the firewall software having a vulnerability itself? Or the TCP/IP stack? (And why not -- stranger things have happened. Like firmware vulns.) I'm just thinking of everything on the machine that you could possibly overflow/break by sending malformatted packets, for example.

    I suspect in the real world, most of the infections happen when users don't go straight to Windows Update right after taking their computer out of the box, and instead get excited and decide to browse around to their favorite forum or two. Since it's not unknown for vendors to load up PCs with all sorts of software, probably including compromised ActiveX controls, all it takes is a trip to the wrong site to get a rootkit/keylogger installed. From there, it's a one-way trip to reformatsville, at least if you're smart. (Which is a real trick, seeing as how many PCs don't even come with reinstall media, instead just taking a chunk of your hard drive for some shoddy "recovery partition.")

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  6. Response from Joe Luser by britneys+9th+husband · · Score: 5, Insightful

    * Don't click on links in email messages. Type the URL in your browser manually.
    Too much work. I bought this computer to make my life easier.

                    * Disable the preview pane in all your inboxes.
    How do I do that? I'm not smart like you when it comes to computers.

                    * Read all email in plain text.
    I wouldn't get to see the pictures my friends send me if I did that.

                    * Don't open email attachments.
    What? And miss out on the lasest web games my friends are playing?

                    * Don't use Java, JavaScript, and ActiveX.
    No problem. I don't even know what those are. I'm not smart enough to learn all that fancy software.

                    * Don't check your email with Microsoft Outlook or Outlook Express.
    But Outlook is what my computer came with. I can't afford a new computer this month.

                    * Don't display your email address on your web site.
    Unacceptable. My customers need to be able to contact me.

                    * Don't follow links in web pages, email messages, or newsgroup without knowing what they link to.
    How do I know what it links to before I click?

                    * Don't let the computer save your passwords.
    Sorry, I don't have a photographic memory like you techno-geniuses. And don't tell me to write it down either, I'll just lose the piece of paper.

                    * Don't trust the "From" line in email messages.
    Then how do I know who sent me the mail?

                    * Never Use Internet Explorer and instead Switch to Firefox.
    I've used Internet Explorer for years. I have a busy life, I don't have time to learn Firefox or else I would.

                    * Never run a program unless you know it to be authored by a person or company that you trust.
    How do I know who wrote the software, it just shows up on my computer?

                    * Read the User Agreement thoroughly on all software you download to ensure it is not spyware.
    Yeah right. Those are longer than the internal revenue code, even my computer nerd brother doesn't read those.

                    * Don't count on your email system to block all worms and viruses.
    Then what do I count on? And why can't a big company like Microsoft figure out how to block viruses?

                    * Get a Mac
    At home? I can barely keep up with gas prices let alone get a new computer. At work? The company makes us use Windows, we don't have a choice.

    --
    Hear recorded Slashdot headlines on your phone! New service beta testing. Just call (248) 434-5508
  7. Re:Seems a little Windows-centric ... by IamTheRealMike · · Score: 5, Interesting
    The underlying problem at the system level (ie, not coutnting phishing, physical security problems, etc) is WINDOWS, period.

    No. Just no.

    I hate this sort of comparison, because it's bogus. It's a classic apples and oranges situation. You are comparing the security of Apache to IIS, not Linux to Windows. Modern versions of IIS are pretty good from what I hear, and besides it's not very hard to be secure when all you run is a firewall and a web server.

    If you want to do a real comparison you should compare the Linux desktop to the Windows desktop. Your average Linux desktop is a security nightmare. Firstly there's no active security whatsoever, it's all passive. IE there are no virus scanners/anti-malware tools in common deployment. If the passive defences fail you are screwed, you cannot easily distribute signatures etc to clean up the mess. Secondly, the Linux security model is simply the UNIX security model, which was designed in the 70s for a totally different set of threats. Your average desktop is not a mainframe and does not need to protect users from one another - instead it's decayed into some kind of trivial black/white coarse grained security model in which "root" has absolute power and "users" have less power.

    Unfortunately, Linux trains the user to enter their password all the time, given an essentially random set of situations. You have to enter your password to install software, remove software, configure hardware, set the system clock and worst of all to install security updates. The tasks that require root are to the average user totally unconnected. If you are a UNIX geek you can probably figure out why something might need root, but you're in the minority. So users are trained to just enter their password whenever they are asked to, making it trivial to phish it out of them.

    Even if you can't get root - who cares? On a modern Linux desktop you can do anything you need without it. Want to crack bank details? Go right ahead, Firefox runs as user and you can ptrace() it to your hearts content. Want to hook into startup so you always run? KDE and GNOME will be happy to oblige. Want to "hide" yourself without modifying the kernel? No problem either, just inject yourself into the address space of each program as it starts and then hook the syscalls at the libc level. Childs play.

    So to put it simply - you are dead wrong. The underlying problem at the system level is the system, which is basically the same regardless of whether you use Windows, MacOS or Linux. The UNIX/NT security model is incapable of solving the problem of malicious software, period.