Slashdot Mirror


Antivirus Inventor Says Security Pros Are Wasting Time

talkinsecurity writes "Earlier this week Peter Tippett, chief scientist at the ICSA and the inventor of the program that became Norton Antivirus, had some interesting things to say about the state of the security industry. In a nutshell, Tippett warned that about a third of the work that security departments do today is a waste of time. Tippett goes on to systematically blow holes in a lot of security's current best practices, including vulnerability research/patching, strong passwords, and the product evaluation process. 'If a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000," he said. "But what did you really gain by implementing them? He only needed one."' Some of his arguments are definitely debatable, but there is a lot of truth to what he's saying as well."

282 comments

  1. PBKAC by DigitalisAkujin · · Score: 5, Insightful

    Software / Hardware security is not too difficult to achieve. If an admin is truly competent they will have no problem getting their lab workstations up and running cleanly and bug free with pretty solid security.

    The issue is usually the idiot that becomes the victim of a well done social hack.

    As usual, the company is only as strong as its weakest link.

    1. Re:PBKAC by GiovanniZero · · Score: 4, Insightful

      Agreed, the problem is usually the user. I recently got an email from someone that CC'd everyone, and when I told him in the future to BCC us he said "oh it's ok, I trust everyone on the list not to spam us". I replied "that's great, but do you trust them all to keep their machines clean and free from spyware?"

      --
      Mod me up, mod me down, do your worst you modding clown.
    2. Re:PBKAC by boristdog · · Score: 5, Insightful

      Social Hacking is the main weakness of any system. And most of the time you don't even have to "hack" if you are perceived as "computer literate"

      Who here hasn't had people tell them: "Can you help me with my computer? Here's my password..."

    3. Re:PBKAC by Anonymous Coward · · Score: 0

      You sir, are a moron.
    4. Re:PBKAC by Brian+Gordon · · Score: 0

      Is it just me or is this article just total nonsense? What does arrow-proofing a car have anything to do with computer security? And I doubt this guy will have a job much longer if he's going around claiming that 100% security isn't the goal and that he only tries to keep out the 11 year old script kiddies

    5. Re:PBKAC by Anonymous Coward · · Score: 2, Funny

      Who here hasn't had people tell them: "Can you help me with my computer? Here's my password..."
      [Posted anonymously for obvious reasons] Heck I work for a (non-computer) Fortune 500 company and when we did systemwide hardware upgrade swaps, they had everyone send their passwords in clear text email to the support desk mailing list!
    6. Re:PBKAC by eln · · Score: 5, Interesting

      I scrupulously avoid knowing anyone's password. If they try to give it to me, I attempt to stop them from doing so before they can. Basically, if someone gives you their password, and something later happens to their account, you automatically become a suspect. If someone does give me their password, I'll often have them change it right then, as in I'll bring up the change password dialog of whatever program it is, and then turn my back while they type in a new password. That way, not only do I not know their password, but they know that I don't know it, and hopefully they get a better sense that passwords shouldn't be shared.

      Of course, then I see the same person with their password on a Post-It on their monitor, and all hope of them ever learning the lesson is dashed.

    7. Re:PBKAC by somersault · · Score: 4, Insightful

      100% security is never possible unless you don't want to give anyone access, ever.

      --
      which is totally what she said
    8. Re:PBKAC by trolltalk.com · · Score: 1

      Is it just me or is this article just total nonsense? What does arrow-proofing a car have anything to do with computer security? And I doubt this guy will have a job much longer if he's going around claiming that 100% security isn't the goal and that he only tries to keep out the 11 year old script kiddies

      No kidding. The guy was pulling figures (and other sh*t) out of his rectum over and over again.

    9. Re:PBKAC by somersault · · Score: 3, Insightful

      Same. Everyone seems to think I know their password already, but I try to tell them that I don't even *need* their password. Also a lot of users don't seem to get the whole 'network' thing and think that you need the normal user's username and password to be able to access a computer. And sometimes when people leave the company then others still use the account of the person that has left without letting me know, so when I remove the account I get questions on why they can't access the account anymore. *sigh* Thankfully they are learning, slowly, but I find it so hard to get into the mindset of those users that I'm never going to be able to anticipate all the moronic things they're likely to do...

      --
      which is totally what she said
    10. Re:PBKAC by techpawn · · Score: 4, Funny

      100% security is never possible unless you don't want to give anyone access, ever.
      DBA: We got the server running the best it ever has
      Boss: Great! How'd you pull it off?
      DBA: Well, we replaced all queries with 'Select * from tblQuery' which only has 1 row and 1 Column. Then stopped letting people call the queries!
      Boss: You're fired...
      --
      Ask not what you can do for your country. Ask what your country did to you
    11. Re:PBKAC by Bloodoflethe · · Score: 3, Insightful

      It's called an analogy. It was a pretty good one too. He's basically asking why spend tons of cash for a negligible improvement in security. There's no such thing as an unbreakable system. That's why people use detection tools in conjunction with their security measures - if you can't stop em, find out who they are and prosecute them. But even that can be sidestepped with sufficient resources and intelligence on the part of the hacker. I mean, this guy was the inventor of one of the more prominent (and actually pretty high ranking on the lists) anti-virus programs out there. I would say it is safe to assume that he has a pretty decent idea of what you can do to improve security. Also, notice that he is the inventor actually counseling people not to waste money on costly upgrades on software like the software he created and gets paid royalties on! How often does someone admonish people for overusing something that gets him paid?

      --
      "Little is much when little you need."
    12. Re:PBKAC by Brian+Gordon · · Score: 2, Insightful
      That's not what he was saying.

      It isn't very likely, but it's possible.
      He's opposing closing security holes that are obscure... but by his own points, you only need ONE security hole. If you don't close the obscure ones it doesn't do you any good.
    13. Re:PBKAC by provigilman · · Score: 3, Insightful

      Yeah, the only way to 100% secure a PC is to disconnect it from the network, take out the power supply and then lock it in a bank vault. Anything short of that, and it's still vulnerable. It might be the user getting up to use the washroom without locking his station, or it might be some 11-year-old script kiddie... but it doesn't matter. As long as there's power running to it and/or it's hooked to a network, it's vulnerable. Security is just about mitigating the risk.

      --
      "Life's short and hard, like a body building elf." -- The Bloodhound Gang
    14. Re:PBKAC by joeytmann · · Score: 1

      I can't remember where I read this, and I am sure I am going to muck it up, but the only 100% secure system is one that is unplugged from any other device in a closet that only you have the key to.

      --
      Insert funny smart-ass comment here.
    15. Re:PBKAC by Anonymous Coward · · Score: 0

      God, you're a tard.

    16. Re:PBKAC by Anonymous Coward · · Score: 2, Funny

      God, you're a tard.

      Atheist, eh?

    17. Re:PBKAC by Anonymous Coward · · Score: 5, Insightful
      Of course, then I see the same person with their password on a Post-It on their monitor, and all hope of them ever learning the lesson is dashed.

      I wouldn't need to keep my password on a Post-It note if you IT guys didn't make me change it every two weeks!

    18. Re:PBKAC by somersault · · Score: 4, Funny

      I think it would be better if nobody had the key, and the closet resided in the centre of a distant sun. Even then it's not 100% - that sun is gonna die in a few billion years...

      --
      which is totally what she said
    19. Re:PBKAC by Speare · · Score: 2, Interesting

      I scrupulously avoid knowing anyone's password. If they try to give it to me, I attempt to stop them from doing so before they can. What's interesting is that very little kids are having to be trained in this philosophy as well. Kids and daycare staff sometimes use a password in case there's an unforeseen pickup snafu. Now toy codes and login information (like WebKinz) can have big consequences if they're leaked. I felt good when my daughter tried to explain your point to her friend-- she didn't want to know her friend's login.
      --
      [ .sig file not found ]
    20. Re:PBKAC by madseal · · Score: 1

      On top of that personally I make it a point to look away when people are typing their passwords on their computer just to make sure everyone knows I don't know any of them.

    21. Re:PBKAC by rickb928 · · Score: 3, Interesting

      "If an admin is truly competent they will have no problem getting their lab workstations up and running cleanly and bug free with pretty solid security"

      That's not the goal. Security's goal is to get PRODUCTION workstations up and running cleanly and bug free with pretty solid security.

      The lab is easy. Let a few users have those machines for a week, visiting the casino sites, clicking on the latest e-greeting, and bringing the USB drive from home with those oh-so-important documents they were working on last night, right after their kids updated all the myspace pages.

      Security is, indeed, fairly easy save for two variables. Users and attackers. As an analogy, you can put any sort of locks, grates, fences, alarms, dogs, and flaming trenches around your house. If the kids let in the cable guy without seeing some ID, none of it matters. If all the crook wanted was to steal your mailbox, you'll have to weigh the advantages of fencing it in vs. having mail delivered, or hardening it into a 1/4" plate steel box on a 4x6 I-beam, mounted into a 500-pound footing. Or just replace the damned mailbox when the kiddies bash it with a baseball bat driving by.

      Oh, and the plate-steel mailbox? In rural Maine, those are a laugh a minute. Sometimes you see splinters on it, shards of a Louisville Slugger in the ditch, and a brief note in the local fishwrap about some kid at the ER with a broken wrist. Priceless. If only we could do the same thing to the script kiddies...

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    22. Re:PBKAC by orclevegam · · Score: 1

      I think the original went something along the lines of "The only really secure system, though, is one that's been unplugged, sealed in cement and dropped to the bottom of the Marianas Trench."

      --
      Curiosity was framed, Ignorance killed the cat.
    23. Re:PBKAC by cthulu_mt · · Score: 1

      > Who here hasn't had people tell them: "Can you help me with my computer? Here's my password..."

      I had a woman call in once trying to retrieve her user credentials. She claimed to be having email issues and couldn't receive the email I sent with the info. It's our stated policy not to provide info over the phone as we can't verify the user's identity.

      After explaining the policy the woman offered to give me her Social Security Number if I would read off her PAC. It did turn out that she was who she claimed to be so I wonder if she would have given me her real SSN.

      Moral of the story: Some users get caught by phishers; other users are offering to sell the phishers dynamite and light it for them.
      --
      Virginia is for lovers. EVE is for griefers.
    24. Re:PBKAC by Kihaji · · Score: 1

      The only 100% secure system is one that is disconnected from everything, in a locked room that no one has a key to, and no one can get in to.

    25. Re:PBKAC by Anonymous Coward · · Score: 0

      Just look under the keyboard. Passwords are written there half the time.

    26. Re:PBKAC by Caesar+Tjalbo · · Score: 0

      The issue is usually the idiot that becomes the victim of a well done social hack.
      You don't need an idiot to fall for a "well done social hack". If you're convinced you're smarter than every swindler out there, you'll be a victim soon enough.
      --
      "I'm not much interested in interoperability. I want substitutability. I want to be able to throw your software out."
    27. Re:PBKAC by Anonymous Coward · · Score: 0

      Where Cthulu could crack open the cement and get my data!

    28. Re:PBKAC by Bloodoflethe · · Score: 2, Informative

      Actually from what I remember of the man, without crosschecking - I believe he works from a whitelist perspective - close it all and open what you need.

      --
      "Little is much when little you need."
    29. Re:PBKAC by SoupGuru · · Score: 1

      Well said. A policy preventing the sharing of passwords is not just for security reasons but for accountability reasons as well.

      --
      What doesn't kill you only delays the inevitable
    30. Re:PBKAC by EveLibertine · · Score: 1

      "The issue is usually the idiot that becomes the victim of a well done social hack." The victim of a well done "social hack" isn't necessarily an idiot. Clever people get tricked all the time; that doesn't mean they are idiots.

    31. Re:PBKAC by thsths · · Score: 1

      > Software / Hardware security is not too difficult to achieve.

      I think what the article is trying to say is that no single measure is perfect. So you have to look at a range of measures and how they work together. The outside router/firewall is a perfect example of this. With only perfect systems behind the router, you need no filtering. And still, filtering out unnecessary ports can reduce your exposure significantly.

      > As usual, the company is only as strong as its weakest link.

      That has been the case so far, but it is time to think about approaches that combine several levels of security. As in more mature systems (transport, buildings, deposit boxes etc) there should be no single point of failure.

    32. Re:PBKAC by Anonymous Coward · · Score: 0

      uhmm... and usually the weakest link is either the gorilla called CEO or one of his pet monkeys in middle mgmt.

    33. Re:PBKAC by skiman1979 · · Score: 1

      not just for security reasons but for accountability reasons as well.
      Very true, however, accountability is a subset of security in the same way that confidentiality, integrity, and availability, are all part of security. They're not separate.
      --
      Having a smoking section in a public restaurant is like having a peeing section in a public swimming pool.
    34. Re:PBKAC by Venik · · Score: 1

      ...security is not too difficult to achieve

      And the main problem with computer security is people who think that security can be "achieved". Security is a system of processes - not a state. You cannot achieve security any more than you can achieve good health.

    35. Re:PBKAC by jon3k · · Score: 1

      Let me get this straight. You can remember dozens of phone numbers, your bank PIN, your social security number, your address, your wife's birthday, the final score in the last 7 Super Bowls, but you can't remember a 6-8(ish) digit string of numbers, letters and a special character that YOU GOT TO CHOOSE?

      Yeah, the sympathy train just left the station, buddy.

    36. Re:PBKAC by billcopc · · Score: 3, Insightful

      That's funny, I also consider that 100% security is not a valid goal, in fact it is impossible. It's yet another unreachable ideal that brings in tons of cash for nothing.

      Far more important than any security contractor is a proper risk assessment. There's no sense in building a million-dollar lock if it's only guarding a half-eaten Twinkie. You look at the cost of various types of breaches, and the cost of a security measure times its % efficiency, and pick the cheaper of the two.

      In many cases, simply restructuring the network or the data it contains can buy you much more security than any product or policy. I've lost count of the number of times I've seen networks that were sealed shut from the internet, but wide open on the inside. All it takes is a jackass employee with a Wi-Fi hub and the whole thing goes to hell. Give your users what they need and nothing more, and you'll avoid a whole bunch of problems for free.

      --
      -Billco, Fnarg.com
    37. Re:PBKAC by greenbird · · Score: 2, Interesting

      And I doubt this guy will have a job much longer if he's going around claiming that 100% security isn't the goal and that he only tries to keep out the 11 year old script kiddies

      You missed his whole point. He didn't say anything about 100% security. He said spending exorbitant amounts getting a single aspect of your security working perfectly is a bad idea. For example, spending $1,000,000 getting a patch system set up that is 100% effective in keeping every one of your computers up to the minute on patches isn't cost effective. The expense curve goes up exponentially as any given process approaches 100% effectiveness. Think in terms of uptime. You could spend $100,000 on a patch system that is 90% effective and spend the other $900,000 on other aspects of security. This results in a much more effective overall security level for likely a much cheaper cost. Oh, and 100% security is impossible unless you lock your computers in an electromagnetically isolated vault in Ft. Knox with a random vault key that no one knows. Any security expert who doesn't know this should be out of a job. Hmmm... even then someone would probably talk their way past the security somehow.

      --
      Who is John Galt?
    38. Re:PBKAC by jeffasselin · · Score: 1

      Anyone claiming he can implement 100% security is lying. The only 100% secure computer is the one buried 6 feet under in a cement block.

      --
      If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
    39. Re:PBKAC by anthonys_junk · · Score: 1

      Thank you for bringing some common sense to this argument, sir.

      --
      Barbara Felden claims prior art on the flip phone, sues Motorola, Nokia.
    40. Re:PBKAC by LooseBrie · · Score: 1

      How often does your bank pin change? How often does your address and SSN change? GP is talking about two week enforced password change. When IT departments enforce an 'at least 8 digit, must contain lowercase, uppercase, numbers and characters' password for everything, it quickly gets stupid. I've seen that policy enforced for *printer sharing*.

    41. Re:PBKAC by Opie812 · · Score: 2, Insightful

      The DBA should have been fired for prefixing a table with 'tbl'.

      --
      I'm not a nerd. Nerds are smart.
    42. Re:PBKAC by jon3k · · Score: 1

      So you can't memorize a new phone number every 30-90 days? Also you can cycle these back after so many changes (usually 3 to 6). You can't memorize (up to) six 8 character strings? Really?

      Do you think people in IT don't have to deal with the same problem? Don't you think we have far more passwords to maintain than you do?

      I have about 80 passwords total that I have to maintain professionally and personally. So, like an adult, I accepted that responsibility and found a way to manage it. I use a piece of software called KeePass that I highly recommend.

      (Also I change my bank PINs quarterly, and I have about 8 different PIN numbers from different cards.)

    43. Re:PBKAC by djupedal · · Score: 1

      So, let me get this straight...

      Admin: not the problem
      User: the problem
      Hacker: not the problem

      Is that what you're saying?

    44. Re:PBKAC by Anonymous Coward · · Score: 0

      So, they immediately change it from #melissa3 to #melissa4... way to go.

      You can safely assume your Net.Admin knows your password - google l0pht some time.

    45. Re:PBKAC by Anonymous Coward · · Score: 3, Funny

      You sound real nice. Will you be my sysadmin?

    46. Re:PBKAC by dbIII · · Score: 1

      It's because this work computer stuff is not important and if they do something stupid with the computer there is always somebody else to yell at and clean up the mess.

    47. Re:PBKAC by The_Wilschon · · Score: 2, Funny

      So, what you're saying is that we should all just quit putting bugs in our software in the first place? That's brilliant! I wonder why nobody ever thought of it before . . .

      --
      SIGSEGV caught, terminating

      wait... not that kind of sig.
    48. Re:PBKAC by Stray7Xi · · Score: 2, Interesting

      My passwords were much stronger before they implemented something like this.

      I used to have computerized randomized alphanumeric 10 digit passwords.

      Now since I have to learn the password quickly and it won't last long, I have to have some pattern. Sure, I now have symbols (because I'm forced to) but it's now vulnerable to dictionary attack. 22!!SOmeword (followed by ##NEwword11) is much more vulnerable than 92cT6Ars1b

    49. Re:PBKAC by FailedTheTuringTest · · Score: 2, Funny

      Nope, can't remember that other stuff either.

    50. Re:PBKAC by ozbird · · Score: 2, Insightful

      I wouldn't need to keep my password on a Post-It note if you IT security guys didn't make me change it every two weeks!

      There, fixed it for you - IT guys get pissed off with frequent demands to change their password, too.

    51. Re:PBKAC by node+3 · · Score: 1

      > Let me get this straight. You can remember dozens of phone numbers, your bank PIN, your social security number, your address, your wife's birthday, the final score in the last 7 Super Bowls, but you can't remember a 6-8(ish) digit string of numbers, letters and a special character that YOU GOT TO CHOOSE?

      Yeah, we get to choose, except you tell us not to choose any of those easy things.
    52. Re:PBKAC by Anonymous Coward · · Score: 0

      I'll bring up the change password dialog of whatever program it is, and then turn my back while they type in a new password.

      They're all pressing cancel when your back is turned, stupid!

    53. Re:PBKAC by syousef · · Score: 1

      Let me get this straight. You memorize dozens of phone numbers?

      For phone numbers I know my wife's phone numbers, my mother's and my father's. I also know my own work number and own mobile. That plus emergency services is it.

      I don't know my tax file number, medicare number or anything else. (We don't have SSN in Australia). As for my wife's birthday I memorized that when we were first dating because the penalty for forgetting that is much worse than anything your local sysadmin would dish up.

      Yes I do know my own address but I don't move very often.

      Anything else I look up on my computer or on my mobile. I enter the numbers in each so I don't have to remember them. If I'd lived before computers were popular I would have had a pen and paper address book.

      Now how many passwords do you think I use at work? Well I'm counting them right now because I have to let some new starters know. I have around a dozen unique passwords, many of which change each month, and some of which I need to be able to do any support. Non-unique passwords, I'm up to about 30 now, but I'm not finished counting.

      So you want me to memorise 12-30 new numbers (after all they shouldn't be unique) every month, when that's as much data as I've had to memorize my whole life? You know where you can stick your sympathy train.

      --
      These posts express my own personal views, not those of my employer
    54. Re:PBKAC by Anonymous Coward · · Score: 0

      Nope. Agrammatist.

    55. Re:PBKAC by mspohr · · Score: 1

      For important passwords, I make up a simple phrase such as 'quick brown fox jumps over the fence' and use the first letters. This yields a seemingly random string of characters. You should also throw in numbers, symbols, and random capitalizations. But much easier to remember...

      --
      I don't read your sig. Why are you reading mine?
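An added example, not code from the thread or from any project it mentions, scoring the password shapes from the earlier "22!!SOmeword vs 92cT6Ars1b" post and the first-letters passphrase from the post above the way a pattern-aware strength estimator would. The mini word list, the count of case mutations and the guess rate are constructed assumptions.

```python
import math
import re

# Constructed stand-in for a real dictionary (assumption: a production
# estimator would load tens of thousands of words and leaked passwords).
WORDLIST = {"someword", "newword", "password", "welcome", "summer", "dragon"}

# Character-class sizes a brute-forcer must cover when it knows nothing about
# the structure; 32 is the usual count of printable ASCII symbols.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

# Assumption: a pattern-aware cracker tries about eight case mutations of a
# dictionary word (lower, Capitalised, UPPER, first-two-upper, ...).
CASE_MUTATIONS = 8


def _class_of(ch):
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    return "symbol"


def estimate_bits(password):
    """Return a conservative guess-space size in bits.

    If the password is a dictionary word padded with digits/symbols (the
    '22!!SOmeword' shape a "must contain symbols" policy pushes people into),
    the space is counted structurally: which word, which case mutation, and
    each padding character. Anything else is scored as uniformly random over
    the character classes that appear in it."""
    if not password:
        return 0.0
    m = re.fullmatch(r"([^A-Za-z]*)([A-Za-z]+)([^A-Za-z]*)", password)
    if m and m.group(2).lower() in WORDLIST:
        pre, _word, post = m.groups()
        bits = math.log2(len(WORDLIST)) + math.log2(CASE_MUTATIONS)
        for ch in pre + post:
            bits += math.log2(CLASS_SIZES[_class_of(ch)])
        return bits
    pool = sum(CLASS_SIZES[c] for c in {_class_of(ch) for ch in password})
    return len(password) * math.log2(pool)


def initials_passphrase(phrase):
    """The 'first letter of each word' trick from the post above: the result
    has no dictionary structure, so the estimator scores it as random text."""
    return "".join(word[0] for word in phrase.split())


def years_to_exhaust(bits, guesses_per_second=1e9):
    """Time to try the whole guess space at an assumed offline rate
    (1e9 guesses/s is a constructed figure, not a measurement)."""
    return (2 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    samples = ("92cT6Ars1b", "22!!SOmeword", "##NEwword11",
               initials_passphrase("quick brown fox jumps over the fence"))
    for pw in samples:
        b = estimate_bits(pw)
        print(f"{pw:14s} {b:5.1f} bits  ~{years_to_exhaust(b):.2e} years")
```

The random 10-character string scores roughly 59 bits while the padded dictionary words score about 22 bits, which is the gap the post is describing.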
    56. Re:PBKAC by iivel · · Score: 1

      I've posted this before, but it works very well for myself and my users. Print out the card and keep it wherever you'd like. I always use the same key(s) for different sites & change all passwords at the same time (typically every 4 months). I get to remember my 'key' forever ("bank" for bank, "school" for school, "office" for @ work, etc.) and still keep strong passwords. The script is simple, convenient and, as long as nobody socially engineers my key words out of me, they'll have a helluva difficult time cracking a password where my 'key' is between 5 and 8 characters. Enjoy: http://www.levii.com/cipher.php

    57. Re:PBKAC by Ed+Avis · · Score: 1

      What do you mean, the problem is usually the user? That's like disclaiming responsibility for a roof that leaks when it rains by saying 'the problem is the weather'. No, we all understand that users are stupid, and it is the security professional's job to design a system that works even when faced with stupidity. Not to speculate about an ideal world where stupidity does not exist.

      In this particular case, why should it be a risk to disclose your email address by cc'ing everyone? What kind of broken system exposes you to malware or spam just because your address is publicly known? Surely the whole point of having an address is that you can disclose it safely. On the other hand, if you decide that email addresses should not be disclosed and that cc'ing everyone is a security risk, why does the mail client provide an easy option to do it?

      --
      -- Ed Avis ed@membled.com
    58. Re:PBKAC by Anonymous Coward · · Score: 0

      nope. that's what palm pilots are for.

    59. Re:PBKAC by Branko · · Score: 1

      In this particular case, why should it be a risk to disclose your email address by ccing everyone?

      Because you are not just disclosing your address (to all the people on the CC list), but addresses of all the people on the CC list (to all the people on the CC list).

    60. Re:PBKAC by Anonymous Coward · · Score: 0

      That's why my password is written in the windows wallpaper.

    61. Re:PBKAC by GiovanniZero · · Score: 1

      Because they hadn't thought of BCC yet :p And I do suppose that I misspoke; I should have said "bad user habits are a greater risk to security than most holes." As for email, it's not a risk to security to let everyone in the world know your email address, it's a risk to sanity. I don't want no spam.

      --
      Mod me up, mod me down, do your worst you modding clown.
    62. Re:PBKAC by angus_rg · · Score: 1

      Consider yourself lucky. I had a future employer send me a security clearance form to update via email, that I had already filled out, physically handed it to them, and made sure it was not faxed anywhere, leaving evidence of it on any storage media in the fax machine. Why? It had my social security number all over it.

      And they wonder why I decided not to work for them. In this day and age, it doesn't pay to be paranoid, but it can save you time and money.

    63. Re:PBKAC by Anonymous Coward · · Score: 0

      > I think it would be better if nobody had the key, and the closet resided in the centre of a distant sun. Even then it's not 100% - that sun is gonna die in a few billion years...

      Pfft.... Once the sun incinerates the data, nobody can have access. Hence, it is 100% secure.
    64. Re:PBKAC by ToasterMonkey · · Score: 1

      > hardening it into a 1/4" plate steel box on a 4x6 I-beam, mounted into a 500-pound footing

      I grew up in rural Maine, and those are meant to protect mail from snowplows, not baseball bats or thieves. Really, identity thieves in rural Maine? We rarely even lock our front doors.
      Let me guess, the I-beam protrudes quite a ways out from the base towards the road too, huh? You think that was to save it from a drive-by and a teen with long arms and a welding torch?

      > Sometimes you see splinters on it, shards of a Louisville Slugger in the ditch

      Ever seen a mailbox hit by a snowplow?

      You new to Maine or are you the one smashing people's "secured" mailboxes? ;)
    65. Re:PBKAC by rickb928 · · Score: 1

      I was born in Maine, and lived 50 of 52 years there.

      In rural Maine, you put your mailbox on a long rail, to let the plow clear it. Clever ones have a hinge to pull the box right up out of the way. Of course, it's been a while since we had that much snow, but 2004 was pretty much the 'old days' snowpack.

      Closer to the city, the kids tend to go out on mailbox patrol a bit more. And the plows don't wing back the snow so far, so your mailbox can survive a few years before a plow driver gets sloppy and nails it. I haven't seen many mailboxes smacked by the plow. They usually end up either down the road, buried in the bank, or blown clean out into the woods. Sad, the carnage...

      But the cast-iron mailbox in Eddington claimed two plow blades before the town made the owner take it out. He settled in the end for a mailbox on a swivel. It took the batting pretty well, and was easily replaced. It's just that the kids never seem to grow tired of this. Mostly in the summer, so the iron box comes out with the end of mud season and goes in around Thanksgiving. The I-beam post was vertical, and supported the mailbox. Not a plow guard, which most towns don't permit. Seems their plows are more expensive than the mailboxes they obliterate. I'll ask my sister, a town manager in the Midcoast area. She will have a story to tell me.

      I got tired of smacking mailboxes pretty quick.

      ps- We locked our doors in South Portland, and in Bangor. More so now, with the influx of new people. Leaving the fishing camp door unlocked used to be ok, too. Maybe in Milo or Stueben you can get away with that, but not in Sanford or Ellsworth. You haven't lived in Maine for a while I gather. It's just not the same.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    66. Re:PBKAC by jon3k · · Score: 1

      Much worse - your information security administrator.

    67. Re:PBKAC by Anonymous Coward · · Score: 0

      I believe, that as long as you have a long, secure password, you don't have to change it much. I change mine every 1-2 years and I purposely use multiple different passwords for different systems. Any admin who requires a password change shorter than 3 months is stupid. Post-it-notes and wallet cards are the ideal places for frequently changing passwords. Mine are never written down and aren't part of anything obvious from my desk or surroundings.

      I change my passwords when I do something that I know will definitely be insecure. I frequently check all systems I log into for hardware keyloggers. Software keyloggers are harder to install on systems I control. I have numerous systems that I log into, but I keep them logged in from 1 secured system only. From offsite, I just remote desktop to my one system, which has multiple other remote desktop and ssh shells open as well as a few VNC over ssh to some OSX boxes. The one advantage of having to reboot for the monthly Microsoft Denial of Service Patching is that it forces me once a month to think about my passwords.

      Eventually, I want a very lightweight, very portable device that I can carry around everywhere, used solely for remote access to my always on, always available system on the internet. I don't want to carry data with me that may be confiscated, especially by brain dead customs officials. I don't carry my laptop around too much because it's not portable enough. I have to keep an eye on it. It's just not convenient enough.

    68. Re:PBKAC by paeanblack · · Score: 1

      What do you mean, the problem is usually the user? That's like disclaiming responsibility for a roof that leaks when it rains by saying 'the problem is the weather'.

      A roof is designed to withstand the weather within predetermined limits. It's perfectly reasonable for a roofer to say, "I guarantee this roof won't leak until the winds hit 130mph. After that, you lose the roof, and I'll blame the weather."

      User stupidity is not so easily quantifiable. Admins can't say, "I guarantee this system to properly handle Stupidity Levels I to VI. Once it hits Level VII, all bets are off, and the breach is the user's fault."

    69. Re:PBKAC by Anonymous Coward · · Score: 0

      It's your lucky day. If I could remember passwords I would have an account and if I had an account I would mod that down along with 10 other posts of yours.

    70. Re:PBKAC by cthulhu11 · · Score: 2, Funny

      Yeah, the only way to 100% secure a PC is to disconnect it from the network, take out the power supply and then lock in a bank vault. You've never watched Alias have you?

    71. Re:PBKAC by toiletsalmon · · Score: 1

      "You know where you can stick your sympathy train."
      *Applause*

      Good One! That's pretty much what I wanted to say. Choo! Choo! ;)

    72. Re:PBKAC by atamido · · Score: 1

      You should be a very proud parent indeed for a child that shows such intelligence.

    73. Re:PBKAC by Bloodoflethe · · Score: 1
      Way to take something out of context.
      your GP stated that:

      He's opposing closing security holes that are obscure
      I'm just pointing out that he *wants* to close it all, both security wise and access-wise. You know, paranoia, like we here at /. have. I'm just saying that you'd probably agree with him, if he were as far from the limelight as you.
      --
      "Little is much when little you need."
    74. Re:PBKAC by The_Wilschon · · Score: 1

      I think you (and my GP) are misunderstanding him rather badly. Almost all instances of a "security hole" are bugs in code, not ports or file permissions or other things that you can simply "close" at will and without too much effort. Hence my mockery of the suggestion that we close everything, and only whitelist what we need. This implies that we should write code without bugs, and then only put in bugs that we actually need.

      --
      SIGSEGV caught, terminating

      wait... not that kind of sig.
  2. What did I gain? by krovisser · · Score: 1

    I "gained" 3,000 passwords that the hacker won't get. So we should all have short passwords, huh? Since there's obviously no point.

    1. Re:What did I gain? by moderatorrater · · Score: 5, Insightful

      That's not the point. The point is that instead of making everyone have long passwords, you could take that same time and effort and train them about security risks that are more likely to happen, like them getting an email with an attachment, or using a browser other than IE. The chances of an attacker getting the password file are lower than the chances of a user doing something that will infect their computer because the user hasn't been taught correctly, so why focus on the passwords?

    2. Re:What did I gain? by krovisser · · Score: 1

      True, but he mentions it like it's almost completely useless.

    3. Re:What did I gain? by KublaiKhan · · Score: 1

      And also to recognize that no system is perfect--there will always be the cantankerous guy who is inexplicably "invaluable" to the company who thinks that "fereng1" is an uncrackable password, for instance--and to take steps more along the lines of risk mitigation than risk removal.

      --
      In Xanadu did Kubla Khan
      A stately pleasure dome decree
    4. Re:What did I gain? by torkus · · Score: 3, Insightful

      What's more secure?

      12 digit change-monthly lower+upper+number+ symbol passwords written on sticky notes (or similar) for 75% of users and freely shared due to complete lack of security training

      or

      6 character passwords that only prohibit patterns and the username from being used changed every 6 months that people know not to write down or share?

      --
      You can get rich if you own a politician, but you have to be rich to buy one in the first place.
    5. Re:What did I gain? by techpawn · · Score: 1

      What's the old adage? "It is hard for the users it's going to at least be that much harder for the hacker"?

      Yes, they only need one password to get in, you only need one crack in the armor to deliver a damaging blow... But if you have strong armor around you, you look like a less appealing target as to try to find the one weak scale under your wing. People are more likely to jump on an open WAN than try to break into a hidden one with at least WEP. It sounds more like a lot of what we put in to place is useless once they're in, but that doesn't mean to weaken our defenses.

      This guy wrote security software, there may be a conflict of interests here too...

      --
      Ask not what you can do for your country. Ask what your country did to you
    6. Re:What did I gain? by Seth+Kriticos · · Score: 3, Funny

      ..security risks that are more likely to happen, like them getting an email with an attachment, or using a browser other than IE.
      Um, I must have misunderstood you.. just thought, you want to say, that the IE is a secure browser..
    7. Re:What did I gain? by moderatorrater · · Score: 5, Insightful

      Bruce Schneier wrote about the long password requirement and how it can backfire because users can't remember them. My dad keeps his passwords in a text file on his desktop because his job requires them to change it every month, have letters and number and be different from the last 6 passwords. While that's good in theory, it's counterproductive because he doesn't (and can't) keep the passwords safe. Besides, as seen by myspace and phishers, the strength of the password is rarely the weakest link, it's the security skills of the people. In 90% of the cases, strict passwords are completely useless because they're not the weakest link, other parts of the system and the users are.

    8. Re:What did I gain? by raddan · · Score: 3, Insightful

      Long passwords are trivial to enforce. In Active Directory, for instance, you simply set a policy. Done. Sure, whining users-- get used to it. It's your job to make sure the company has the resources it needs, and if they go down, it's your head on the chopping block.

      The more common scenario that he does not mention is that people who are trying to gain access are trying to brute force a login through a network protocol. NOT running something like rainbowcrack on your password hashes. If they've gotten to that point your passwords are essentially worthless already.

      BUT this is where defense-in-depth comes in. Security is NOT A PRODUCT. It is a mindset. So if your user accounts aren't all administrators and someone finally manages to brute force a network login, at the worst, that person now can do as much damage as one employee. You do have access controls on your employees, right? Not to mention, most "secure" network protocols nowadays make brute-forcing much harder. SSH, for instance, will timeout the connection after X failed login attempts. They now have to work a lot longer. The login prompt in Windows does the same thing.

      So you apply this thinking to everything. Stop using a VPN. Make only the services you want available through your firewall. Do egress filtering. Use a DMZ. Prevent LAN clients from talking to any hosts other than the gateway and servers. When I started, my company originally used VPN to check email on an Exchange server. BAD! Passwords were usually the same as the username. Someone could trivially walk in and have access to the entire WAN. I pointed this out to them and got "But we're using a VPN. Checkpoint says it's secure!" If you have Exchange, take advantage of RPC-over-HTTPS, and then proxy that! There are lots of things you can do. As this guy points out, none of them are perfect, but you never know-- one of those little things might save your ass.

    9. Re:What did I gain? by Vectronic · · Score: 1

      I think he meant telling them to use a web browser other than IE, not that using another browser is less secure than using IE.

      Or you could look really far into it, and maybe the Admin had some security setup that relied on IE, and by using another web browser would make that security ineffective.

    10. Re:What did I gain? by AmaDaden · · Score: 2, Informative

      a lot of what we put in to place is useless once they're in, but that doesn't mean to weaken our defenses.

      Tippett warned that about a third of the work that security departments do today is a waste of time.
      He didn't say stop doing these things; he is saying work smarter not harder. Taking the time to educate people about what is safe is far more effective than using that same time to deal with the constant password problems you would have with a high security password policy.
    11. Re:What did I gain? by Beyond_GoodandEvil · · Score: 3, Insightful

      BUT this is where defense-in-depth comes in. Security is NOT A PRODUCT. It is a mindset.
      Actually, it's a cost item that gets in the way of the money making work. That is how most people view it.

      --
      I laughed at the weak who considered themselves good because they lacked claws.
    12. Re:What did I gain? by orclevegam · · Score: 1

      The chances of an attacker getting the password file are lower than the chances of a user doing something that will infect their computer because the user hasn't been taught correctly, so why focus on the passwords?
      Because getting all the users to follow basic security procedures is about as likely to happen as porcine aviation? Essentially it's taken as a given that some moron is going to compromise the system, and strong passwords are equal parts convincing upper management that you're doing something about security, and actually doing something about security that you can control. It's also about corporate CYA with the shareholders, because if your system is compromised you can always say you're following established best practices to get them off your back and let you actually investigate and figure out how to really improve security.

      Really a better approach than improving passwords is to ensure that a single compromised system won't be able to do too much damage, but after that's done, enforcing stricter password standards will probably lead to a better gain in security than trying to pound sense into the users for the simple fact that a 2% security improvement is better returns than a theoretical 30% improvement that will never happen.
      --
      Curiosity was framed, Ignorance killed the cat.
    13. Re:What did I gain? by orclevegam · · Score: 1

      I would argue that a security setup that relied on IE wasn't really a "security" setup. If it depends on the client, it's pretty much by definition not secure.

      --
      Curiosity was framed, Ignorance killed the cat.
    14. Re:What did I gain? by techpawn · · Score: 1

      Taking the time to educate people about what is safe is far more effective
      "Educating" users is like herding cats. As soon as you think you're getting somewhere with it, they all scatter. As much as I hate it, sometimes you need to be heavy handed with policy in order to get anyone to learn. It also gets more difficult as an organization gets larger.
      --
      Ask not what you can do for your country. Ask what your country did to you
    15. Re:What did I gain? by Bloodoflethe · · Score: 1

      Yeah, I gave up IE a while back, but most users never noticed. I also managed to get corporate to allow me to train new users on information security. It doesn't work on everyone, but thankfully most get it after a few good examples.

      --
      "Little is much when little you need."
    16. Re:What did I gain? by moderatorrater · · Score: 1

      Long passwords are trivial to enforce. Are you making sure that they're not keeping the passwords on a post it note on their monitor? Or as a text file on their desktop? Enforcement isn't enough if the users aren't on the same page.
    17. Re:What did I gain? by tenton · · Score: 4, Funny

      And also to recognize that no system is perfect--there will always be the cantankerous guy who is inexplicably "invaluable" to the company who thinks that "fereng1" is an uncrackable password, for instance--and to take steps more along the lines of risk mitigation than risk removal.

      Crap. I'd better go and change my password.

    18. Re:What did I gain? by Rhaize · · Score: 1

      Long passwords are trivial to enforce. In Active Directory, for instance, you simply set a policy. Done. Sure, whining users-- get used to it. It's your job to make sure the company has the resources it needs, and if they go down, it's your head on the chopping block
      the number of passwords I see around my office on post-it-notes verifies this as a very valid approach. 12 character 2 up 2 down 2 symbols and 2 #'s that changes every 45 days is great. It ensures that passwords will be forgotten and written down, that the overtaxed help desk will reset more passwords. You idiots in IT need to realize that computers are a TOOL to be used to make the job easier. Business doesn't exist to justify an IT budget. Good security is a balance between usability and security. The tighter your security, the more strict you are about "locking down them stupid users" the more likely they are to have to circumvent as much of it as possible. A good rule of thumb, in my opinion is to look at your IT staff's machines, if they have disabled your SMS, turned off vital suite, modified their antivirus, and set themselves to admins on your machine, you likely need to rethink your strategy, because your users are doing the same thing.
      --
      Within the arms of tragedy, there is little comfort in being right.
    19. Re:What did I gain? by Bloodoflethe · · Score: 1

      Thank you, for step one of social hacking. I am about to proceed with a step two: find the most cantankerous person at your workplace. Then Step 3: I'm in your networks, reading your data!

      --
      "Little is much when little you need."
    20. Re:What did I gain? by idontgno · · Score: 3, Insightful

      "It is hard for the users it's going to at least be that much harder for the hacker"?

      Up to a point of diminished returns, at which point it's impossible* for the legitimate user, so they cheat and defeat the whole scheme. (Witness the archetypal "I can't remember this stupid password" sticky-note-under-the-keyboard situation.)

      (*"Impossible" is dependent on the user's level of apathy, forgetfulness, or hostility to the security regime.)

      But if you have strong armor around you, you look like a less appealing target as to try to find the one weak scale under your wing.

      That presumes an equal level of interest and intent between the "soft" target and the hardened one. If the hard target contains the more valuable goodies, well, that's just "crunchy on the outside, tender and tasty on the inside."

      Also, for some in the cracking community, an apparently-hard target is a personal challenge to their 1334 hax0r skills, and quite appealing.

      People are more likely to jump on an open WAN then try to break into a hidden one with at least WEP.

      Again, assuming the values of the targets behind the protection schemes are equal. If all you want is free wireless, then one WAP is as good as another. If you want that WAP for a particular reason, you'll target it no matter what its apparent hardness. Every security scheme is fallible; the real value is measured in terms of effectiveness versus the value of what's protected.

      It sounds more like a lot of what we put in to place is useless once they're in, but that doesn't mean to weaken our defenses.

      I suspect the author is arguing that we should strengthen our defenses by implementing effective measures (non-self-defeating, like the too-complicated password example above; or "security theater" measures that sound tough and look effective but can be easily defeated by ignoring their fundamental premise, like complete isolation from the outside except for trusted partners, but then trusting those partners unreservedly--if they get pwn'd so do you).

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    21. Re:What did I gain? by orclevegam · · Score: 1

      Actually, it's a cost item that gets in the way of the money making work. That is how beancounters and upper management view it. There, fixed that for you.
      --
      Curiosity was framed, Ignorance killed the cat.
    22. Re:What did I gain? by profplump · · Score: 2, Interesting

      That depends on where you expect the attacker to be -- it's hard to read sticky notes on my monitor from across the Internet.

      And it's hardly fair to assume that complex passwords are more likely to be shared than simple passwords. Sharing passwords is a separate behavior entirely. Not to mention the complex passwords are harder to share for the same reasons they are harder to remember.

      How about a password generation algorithm that works like this: select two or more short dictionary words, append or prepend numbers to at least one of the words, and join them with punctuation/special characters. That produces passwords that are both complex to guess (even if you know the generation algorithm) and easy to remember.

      The next step is to add a tool that generates good passwords and make it available from the password changing dialog box, so users don't have to come up with a good password on their own -- they can just copy one from the computer. OS X does exactly that, and it's a good time for everyone involved.
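The generation scheme profplump sketches (short dictionary words, a number on one of them, punctuation between them), as an added example that is not the poster's code and not the OS X password assistant. The word list is a constructed sample; a real deployment would load a list of several thousand words (assumption). The `entropy_bits` function makes the "complex to guess even if you know the generation algorithm" claim checkable by counting every random choice the generator makes:

```python
"""Word-based password generator of the kind described above: two or
more short dictionary words, a number attached to one of them, and
punctuation joining the pieces.  Added example, not code from the thread.
The word list is a constructed sample (assumption: real lists hold
several thousand words, which is where most of the entropy comes from)."""
import math
import secrets
import string

# Constructed sample word list (assumption: production lists are far larger).
WORDS = ["apple", "brick", "cloud", "delta", "eagle", "flint", "grape",
         "house", "igloo", "juice", "koala", "lemon", "mango", "north",
         "olive", "piano", "quilt", "river", "stone", "tiger", "ultra",
         "vivid", "water", "xenon", "yacht", "zebra"]
SEPARATORS = "!@#$%^&*-_=+"


def generate(words=WORDS, n_words=2, digits=2, separators=SEPARATORS):
    """Build one password: n_words random words, a `digits`-digit number
    prepended or appended to one randomly chosen word, and a random
    separator between each pair of words.  Draws from the OS CSPRNG."""
    rng = secrets.SystemRandom()
    parts = [rng.choice(words) for _ in range(n_words)]
    number = "".join(rng.choice(string.digits) for _ in range(digits))
    target = rng.randrange(n_words)
    if rng.randrange(2) == 0:
        parts[target] = number + parts[target]
    else:
        parts[target] = parts[target] + number
    out = parts[0]
    for part in parts[1:]:
        out += rng.choice(separators) + part
    return out


def entropy_bits(n_dict, n_words=2, digits=2, n_separators=len(SEPARATORS)):
    """Guessing entropy in bits against an attacker who knows this exact
    algorithm: every random choice made in generate() is counted and
    nothing else is assumed secret."""
    return (n_words * math.log2(n_dict)                 # which words
            + digits * math.log2(10)                    # which number
            + math.log2(n_words) + 1.0                  # which word, which side
            + (n_words - 1) * math.log2(n_separators))  # which separators


def shape_ok(pw, n_words=2, digits=2, separators=SEPARATORS):
    """Sanity check that a generated password has the expected shape
    (words contain neither digits nor separator characters)."""
    n_sep = sum(c in separators for c in pw)
    n_digit = sum(c.isdigit() for c in pw)
    return n_sep == n_words - 1 and n_digit == digits


if __name__ == "__main__":
    print(generate(), f"~{entropy_bits(len(WORDS)):.1f} bits with {len(WORDS)} words")
    print(f"~{entropy_bits(7776, n_words=3):.1f} bits with a 7776-word list and 3 words")
```

With the 26-word sample the result is worth only about 21.6 bits to an attacker who knows the scheme; the same construction over a 7776-word list with three words is about 55 bits. The list size, not the punctuation, carries the strength, which is the check to make before adopting a scheme like this.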

    23. Re:What did I gain? by Anonymous Coward · · Score: 0

      Actually the chance of our users doing something to infect our computers is zero since we don't use any of the hugely vulnerable software put out by Microsoft.

    24. Re:What did I gain? by rifter · · Score: 1

      I would argue that a security setup that relied on IE wasn't really a "security" setup. If it depends on the client, it's pretty much by definition not secure.

      This is true, but given the nature of web attacks danger is going to be relative to the safety of the client. If the admin has used group policies and such to lock down IE it can theoretically be made secure. Firefox is more secure in some measures but it does have holes from time to time and no real central management facility like IE. You could deliver firefox+noscript and updates to people's systems, but AFAIK you can't enforce, distribute, and lock in changes. I'd do both (lock down IE and deliver Firefox + updates) and push them to firefox, but that's up to the admin as far as where they are going to focus resources. It probably would not be a bad idea to have the internal dns server block (return 127.0.0.1 or a negative result) some list of known bad pages that was updated... (or drop the connection at the firewall, preferably both) come to think of it there must be an rbl out there that covers malware pages .. Firewall/dns blocking is going to be your only non-client-dependent figleaf against web attacks, and that is not really a full solution.

    25. Re:What did I gain? by orclevegam · · Score: 1

      Arguably the purpose of long passwords is to increase the difficulty of penetrating the network from the internet, not to protect people's machines from someone already in the building. A good password on a post-it-note is more secure than a weak one someone memorized as long as the building's security is good. Even better is a good password on a piece of paper in your wallet.

      That being said, the requirements for passwords at most places go well beyond "good" right into ludicrous (cue spaceballs "they've gone to plaid!" quote). A good password is 8 or more characters, with letters and numbers, and doesn't include personal or easily guessable information. Can optionally be changed every 30 to 90 days, but I'm not convinced that actually adds any real security.

      --
      Curiosity was framed, Ignorance killed the cat.
    26. Re:What did I gain? by raddan · · Score: 1

      Before you call IT people idiots, you might want to try walking in our shoes a bit. Some of us have hundreds or thousands of users, and oversee even more devices than that.

      Now, obviously, I can't speak for all IT people. There are the BOFHs out there-- I work with a couple. There are also a fair number of real idiots out there. But in general, of course we understand that computers are a tool for performing work. What happens more often, however, is that users cannot understand that they are not the only important people in an organization. I have had more than my fair share of ire directed at me for my choices, but I've found that once people have gotten all of the anger out of their systems, I can sit down with them and educate them. Yes, long passwords suck. No, you should not write them on Post-It notes. Here's why. Think of a simple game to help you remember your passwords. In virtually every case, I've been able to bring them over to see the issue from my side.

      Now, it sounds to me like you've been burned by an IT department. Hey, I don't blame you. Before I was in charge of our network, in fact, before I was an IT worker, I used to rail against these "IT assholes". My picture was probably printed on the urinal cakes near the Help Desk. But working in IT was a real revelation for me. It turns out, people are less trustworthy than you think. You need to protect other people and the company from these untrustworthy ones. That's basically how the thought process gets started. I suggest you try to have some dialogue with your IT staff. Chances are they know other ways to solve your problems, and that way might even be better.

    27. Re:What did I gain? by rifter · · Score: 1

      Re firefox, what I meant was that you cannot enforce, distribute and lock in configuration changes.

    28. Re:What did I gain? by KublaiKhan · · Score: 1

      Fortunately for my present place of employment, I'm speaking of someone at my previous place of employment. ;-P

      --
      In Xanadu did Kubla Khan
      A stately pleasure dome decree
    29. Re:What did I gain? by bkr1_2k · · Score: 1

      FTA-- Security awareness programs also offer a high rate of return, Tippett said. "Employee training sometimes gets a bad rap because it doesn't alter the behavior of every employee who takes it," he said. "But if I can reduce the number of security incidents by 30 percent through a $10,000 security awareness program, doesn't that make more sense than spending $1 million on an antivirus upgrade that only reduces incidents by 2 percent?"

      He specifically states that companies should reconsider spending $1 million on an antivirus/security upgrade when they could spend $10K and get a much better return on their investment. He's not trying to win customers by being sneaky.

      --
      "Growing old is inevitable; growing up is optional."
    30. Re:What did I gain? by c_woolley · · Score: 3, Informative

      I think people are missing the point of a very single and important statement the OP made. He said that all he needs is to get 1 password to compromise thousands. Much of security depends on a weak product...People. How many times in a movie have you seen those security guards watching a perimeter with those eagle-eyes of theirs, and spotting someone immediately? Well, usually in real life, after a few weeks on the job, those eagle-eyed guards turn into the other type of guards you see in movies...the ones with donuts and are asleep. The point is that people become lazy and do things like leave a password out in view, or easily found (ie. ANYTHING not memorized). People talk on the phone when troubleshooting and give out passwords to "help" get back into systems, and then are slow to change them afterwards, or don't change them at all. People are...human. They make mistakes. The point he is making is that he only needs to exploit a single user who fails to be vigilant from day one. After that, the network becomes his playground. Also, although I agree that security is a mindset, it is a product as well. There is a dollar figure attached directly to it. If you did not purchase it, you don't have it. That's why I get paid. Also, don't think I am picking on you for it, but SSH timeout is almost worthless. All it does is slow you down a small bit. Yes, if I fail login three times, it will boot that session, but unless you have other things set up for reporting/detection and response (again something that you most likely have to pay for), all that needs to happen is that script run continuously, establishing a new session each time, until it sees a prompt appear. Do not stop using VPNs. VPNs can greatly enhance your network security from site to site. What you should enforce is visibility before reaching your LAN. In other words, terminate your VPN above a firewall, IDS/IPS, etc. Have a security plan that includes public facing IPs that are protected by another router or firewall as well. Yeah, it can be costly, but the security provided is greatly increased as well, and you can effectively communicate and control traffic both inside and outside of your LAN. It isn't without flaw, but as the article is pointing out, there really isn't anything out there that is without flaw.

    31. Re:What did I gain? by spikedvodka · · Score: 1

      Re firefox, what I meant was that you cannot enforce, distribute and lock in configuration changes.
      You can indeed distribute and lock down configuration changes - I'd point you to http://kb.mozillazine.org/Locking_preferences as a start
      --
      I will not give in to the terrorists. I will not become fearful.
    32. Re:What did I gain? by xero314 · · Score: 1

      Actually what you gain by having complex strong passwords is more users writing their passwords down or putting them on stickies attached to their monitors. It is well documented elsewhere that strong passwords actually make a system less secure if the number of users is significant.

      Allow me to paraphrase an associate of mine, "Good security comes down to lawyers and baseball bats, everything else is just jerking off."

    33. Re:What did I gain? by orclevegam · · Score: 1

      Re firefox, what I meant was that you cannot enforce, distribute and lock in configuration changes.
      To be fair any restrictions on IE could be gotten around, but I do see your point that it would increase the security of a system where the user wasn't actively trying to get around the restrictions. Of course on the other hand a flaw in the IE parser that allows privilege escalation isn't going to be stopped by a policy file preventing the user from changing their homepage or whatever. The lack of a policy tool for Firefox was actually one of the top listed reasons why corporations are hesitant to standardize on Firefox. There are a couple third party tools to perform centralized management of Firefox, but the Mozilla foundation has gone on record as saying they won't officially support any of them because they don't feel it's their job to provide OS specific nanny tools. See for instance Firefox MSI and FirefoxADM
      --
      Curiosity was framed, Ignorance killed the cat.
    34. Re:What did I gain? by orclevegam · · Score: 1

      Also, don't think I am picking on you for it, but SSH timeout is almost worthless. All it does is slow you down a small bit. Yes, if I fail login three times, it will boot that session, but unless you have other things set up for reporting/detection and response (again something that you most likely have to pay for), all that needs to happen is that script run continuously, establishing a new session each time, until it sees a prompt appear.
      Fail2Ban will fix that for you.
      --
      Curiosity was framed, Ignorance killed the cat.
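The detection logic that closes the gap c_woolley describes and that orclevegam points to Fail2Ban for (per-session timeouts reset on reconnect, so the count has to live outside the session), as an added example: this is not Fail2Ban's code and not from the thread. The sshd log lines are constructed for the example and use RFC 5737 documentation addresses; the syslog year, the threshold and the window are assumptions.

```python
"""Fail2Ban-style detection over sshd log lines: count failed logins per
source address inside a sliding time window and report addresses that
reach the retry limit.  Added example, not Fail2Ban's own code.  The log
lines are constructed and use RFC 5737 documentation addresses."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log (assumption: syslog-style sshd lines, year omitted
# as syslog does).  203.0.113.5 reconnects after every failure; 198.51.100.7
# is a user mistyping a password a few times over half an hour.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:03 host sshd[1202]: Failed password for root from 203.0.113.5 port 51235 ssh2
Mar  3 10:00:04 host sshd[1203]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:00:06 host sshd[1204]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:00:09 host sshd[1205]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Mar  3 10:00:10 host sshd[1206]: Failed password for invalid user oracle from 203.0.113.5 port 51237 ssh2
Mar  3 10:00:12 host sshd[1207]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar  3 10:15:00 host sshd[1300]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Mar  3 10:30:00 host sshd[1400]: Failed password for bob from 198.51.100.7 port 40003 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2008):
    """Yield (timestamp, source_ip, username) for each failed-password line.
    Syslog omits the year, so one is assumed (2008, the thread's era)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        stamp = " ".join(m["ts"].split())  # collapse the padding in "Mar  3"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_offenders(log_text, maxretry=5, findtime=600):
    """Return {ip: timestamp_of_ban} for every address that accumulates
    `maxretry` failures inside any `findtime`-second window.  The count is
    kept per source address, not per SSH session, so dropping the session
    after three failures and reconnecting does not reset it."""
    recent = defaultdict(deque)
    banned = {}
    for ts, ip, _user in parse_failures(log_text):
        if ip in banned:
            continue  # already acted on; later lines would be the same decision
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than the window
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the defaults only 203.0.113.5 is reported, at the fifth failure; the slow failures from 198.51.100.7 age out of the ten-minute window and never reach the threshold. Both the window and the threshold are tuning decisions: a longer window catches more, at the cost of locking out a user who simply mistypes, which is the usability trade-off the rest of the thread is arguing about.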
    35. Re:What did I gain? by jandrese · · Score: 1

      Long passwords aren't so bad as long as you replicate them across your entire enterprise. Of course that is a security risk because once someone gets one password they have access to everything, but businesses where everybody has to have a different password for the 15 different systems they might access in a month, with the passwords changing every month is a recipe for having post-it notes full of passwords everywhere, and more often people just using the same password everywhere anyway (or a variant of it). Worse, they'll have old (expired) passwords on some systems that might be less secure than their current password due to leaks/reuse.

      IMHO, sufficient password security is a checker when you create them that ensures the password isn't based on a dictionary word (or a mutation of one) and has maybe a digit or some punctuation in it. Basically, a checker that makes sure a dictionary guesser won't get it. Then enforce password attempt timeouts (no more than 3 passwords per 30 seconds or something) on every system to prevent brute force attacks. Passwords should be changed every 6 months or so. Anything more gets well into the realm of diminishing returns IMHO.

      --

      I read the internet for the articles.
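The acceptance checker jandrese describes (reject anything based on a dictionary word or a mutation of one, require a digit or punctuation), as an added example that is not the poster's code. The dictionary is a constructed sample; a real checker would load a large word list and a leaked-password list (assumption), and the set of mutations it undoes is the one that catches the "fereng1" style of password mentioned earlier in the thread:

```python
"""Password-acceptance checker: reject candidates built on a dictionary
word (or an obvious mutation of one) and require at least one digit or
punctuation character.  Added example, not code from the thread.  The
dictionary is a constructed sample (assumption: the real one holds many
thousands of words plus known leaked passwords)."""
import string

# Constructed sample dictionary (assumption: real lists are far larger).
DICTIONARY = frozenset({"password", "welcome", "dragon", "monkey", "letmein",
                        "summer", "ferengi", "qwerty"})

# Two decodings of the usual "leet" substitutions; "1" is ambiguous (i or l).
_LEET_BASE = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t",
              "@": "a", "$": "s", "!": "i"}
LEET_TABLES = [str.maketrans({**_LEET_BASE, "1": "i"}),
               str.maketrans({**_LEET_BASE, "1": "l"})]
_TRIM = string.digits + string.punctuation


def base_forms(candidate):
    """Undo common mutations and return the possible underlying words:
    lower-case, strip leading/trailing digits and punctuation, and the
    same again after reversing leet substitutions ("Summer2008!" -> "summer",
    "P@ssw0rd" -> "password", "fereng1" -> "ferengi")."""
    low = candidate.lower()
    forms = {low.strip(_TRIM)}
    for table in LEET_TABLES:
        forms.add(low.translate(table).strip(_TRIM))
    return forms


def check_password(candidate, dictionary=DICTIONARY, min_length=8):
    """Return the list of reasons the candidate fails; empty means accepted."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() or c in string.punctuation for c in candidate):
        reasons.append("no digit or punctuation")
    hits = sorted(base_forms(candidate) & dictionary)
    if hits:
        reasons.append(f"based on dictionary word '{hits[0]}'")
    return reasons


if __name__ == "__main__":
    for pw in ["Summer2008!", "fereng1", "correcthorse", "tiger-apple-42"]:
        print(pw, "->", check_password(pw) or "accepted")
```

The checker only undoes the mutations it knows about (case, leet digits, digits or symbols on the ends); a word with digits in the middle or two dictionary words glued together gets through. That is why jandrese pairs it with attempt timeouts on every system rather than relying on the checker alone.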
    36. Re:What did I gain? by STrinity · · Score: 1

      Bruce Schneier wrote about the long password requirement and how it can backfire because users can't remember them. My dad keeps his passwords in a text file on his desktop because his job requires them to change it every month, have letters and number and be different from the last 6 passwords. While that's good in theory, it's counterproductive because he doesn't (and can't) keep the passwords safe.
      Which is why Schneier wrote Password Safe, so people can create arbitrarily long passwords and store them in an encrypted database.
      --
      Les Miserables Volume 1 now up with my reading of
    37. Re:What did I gain? by Dragonslicer · · Score: 2, Informative

      My dad keeps his passwords in a text file on his desktop because his job requires them to change it every month, have letters and number and be different from the last 6 passwords. While that's good in theory, it's counterproductive because he doesn't (and can't) keep the passwords safe.
      That's not even good in theory. If you're talking about theory, restrictions of any kind are bad, since they reduce the size of the space.
    38. Re:What did I gain? by Anonymous Coward · · Score: 0

      My biggest fear of password insecurity is what happens when we impose all kinds of minimum change intervals, numeric and punctuation, length, and the final frontier -- random gibberish. At some point, the user (who presumably has work to do that requires a computer), will avoid the administrative hassles by writing their password on a Post-It note and sticking it to the monitor. Sure, that 5353jkdrweuitip**^^&& is a "hard password" and will satisfy the illustrious auditors. Unfortunately, it's not enough to stop the cleaning crew, if they bring pencil and paper to write it down.

    39. Re:What did I gain? by Geoffrey.landis · · Score: 1
      Exactly! As far as I can tell, the security policy here actually makes us less secure with their idiotic mandatory policies that passwords be changed frequently, and have numbers and garbage characters so that they can't be memorized. This guarantees that pretty much everybody writes down their passwords-- they have to. What an idiotic policy!

      What in the world is the alleged security benefit of a requirement for frequent password changes? I assume that they are thinking of stopping a brute-force attack. But that's dumb, because of course any given password change is just as likely to change the password into the range currently under attack as it is to change it out of the range under attack. Password changes don't affect the differential probability of a brute force attack from succeeding at all. Even if the hacker is focussed on breaking just one account (instead of, say, attacking ten thousand accounts) and has unlimited time to do it, the average time to break in is independent of whether the password changes frequently or not.

      If I were making a security policy, I'd emphasize that the single biggest security hole is using the same password on multiple accounts. (Because then a phishing expedition that hooks one password hooks them all). But security here never seems to care about or mention that.

      --
      http://www.geoffreylandis.com
    40. Re:What did I gain? by Anonymous Coward · · Score: 0

      Iwasbornin1985, Mydogis8yearsold, Idrivea2008BMW7series, 11.5ismyshoesize, thelastfourofmyphonenumberis3425, 2024isthefirst4ofmyphonenumber, Ilovegr33n0nions, Mysecretarywearsa38Dbra, WindowsXPSP2sucks, Mydoghas99fleas, TheGiantswonSuperbowl42, TheSt33l3rswonSuperbowl13, Icanmake1000smoreofthese, Ibr0wseSlash0tt00much, Ib3at0ff5tim3saday, Mysupervis0r1sac0pletefuckingl0ser, Bitchesaintshitbuthosandtricks

      Use a phrase as a password. It works, they are long, and they are easy to remember.

    41. Re:What did I gain? by pigwin32 · · Score: 1

      Let me tell you an easy way to do long passwords that you can remember. Everyone has some document attached to the wall next to their computer. Pick enough consecutive words near the beginning to meet minimum length requirements. Drop spaces. Add two or three digits at syllable breaks, not word breaks. Capitalise word breaks. Done. When your password expires choose the next consecutive words. No post-its under the keyboard and even when you come back from holiday it shouldn't be difficult to figure out how to login.

      Damn now I'm going to need a different document.

    42. Re:What did I gain? by jon3k · · Score: 1

      I much prefer KeePass, which I store in TruCrypt on a thumb drive (also backed up in multiple locations).

    43. Re:What did I gain? by Anonymous Coward · · Score: 0

      neither, as the third option of an easy to remember passphrase with 2 or 3 easy to remember, unusual character substitutions which will be unique to each user is far better than both.

      i know, because when an email from a nigerian technology company provided a link to test the security level of my password, it told me it was very secure, so i sleep very well at night.

      sheesh, the quality of slashdotters is in the tank - doesn't anyone know tech anymore?

    44. Re:What did I gain? by blincoln · · Score: 1

      What in the world is the alleged security benefit of a requirement for frequent password changes?

      It's so that if your password is compromised, whoever else has it can only use it until you have to pick a new one. If your password never expires, then someone else can have access to whatever you do for as long as you use that system.
      This assumes of course that there is no easy way of obtaining your password. If it can be easily obtained, then there is no point in having it expire frequently.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    45. Re:What did I gain? by Anonymous Coward · · Score: 0

      I dunno if there is something similar for other OSes than Linux but for storing my passwords in a secure way I use Revelation. One really good master password that needs to be learnt by heart, all the rest is trivial.

    46. Re:What did I gain? by Geoffrey.landis · · Score: 1

      That might work... except that I need about 50 password (and, yes, I make them all different)... and they all have different schedules for being changed... and they all have different allowable lengths (some can't be longer than 8 characters... some can't be shorter than 8 characters)... and they all have different specifications for what characters they must contain, and what characters they must not contain (some accounts require special ch@r@c+er$... some can't accept them... some can't accept anything but Caps and smalls)...

      --
      http://www.geoffreylandis.com
    47. Re:What did I gain? by zippthorne · · Score: 1

      No, beyond is right. In an ideal world where no one wants to take advantage of others and respects privacy and whatnot, we wouldn't need passwords. You'd just tell the computer who you are so you don't have to deal with everyone else's stuff.

      Software would still need to be written well, the common exploitable bugs are still bugs. But security per se would be unnecessary, so no one would take the time to bother with it. Or pay for it. It's a cost of doing business, like locks on the doors are a cost of doing business for a physical store.

      The only people who can turn costs of doing business into profit centers are the Phone companies. No one else has enough institutional evil experience.

      --
      Can you be Even More Awesome?!
    48. Re:What did I gain? by iivel · · Score: 1

      Hope this isn't a double post --- my proxy server is acting wonky today. I've posted this before, but it works very well for myself and my users. Print out the card and keep it wherever you'd like. I always use the same key(s) for different sites & change all passwords at the same time (typically every 4 months). I get to remember my 'key' forever ("bank for bank, school for school, office for @ work, etc.) and still keep strong passwords. The script is simple, convenient and as long as nobody socially engineers my key words out of me, they'll have a hellava difficult time cracking a password where my 'key' is between 5 and 8 characters. Enjoy: http://www.levii.com/cipher.php [levii.com]

    49. Re:What did I gain? by Mark+Trade · · Score: 1

      Well, it is good in theory. The first "restrictions" mentioned are lower bounds to make sure there actually is something like a key space. The restriction not to use any of the last 6 passwords reduces a largish key space by a really small number of keys in exchange for being safe against formerly used keys that might be compromised. If you didn't use such a restriction, insisting on the users to change their passwords on a monthly basis would be pointless because this would let them change the password each time by the password they are currently using (so - no change at all). The effect of this would be: if an attacker compromised a key she could use it until the end of time.

      To put it differently: what good is an infinitely large keyspace if you let people use keys in the (small) subset that is searched first by an attacker? ("love", "sex", "secret", "god" (and "joshua") - but not necessarily in that order)

      Schneier actually suggests somewhere to use a really large password that you can't possibly remember, write it down on paper and subsequently treat it like a physical key. Of course he does not suggest to put it in an unencrypted text file on your (networked) computer.

  3. chicken egg? by El_Muerte_TDS · · Score: 4, Insightful

    If a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network

    Why would the hacker need to guess one password from a list of password hashes when he already broke in and was able to elevate his rights to read the password hashes file? He might as well add his own password entry.
    1. Re:chicken egg? by somersault · · Score: 2, Informative

      Can't everyone read the password hashes file? On Linux at least. You aren't protecting the file, you're protecting the keys that were used to generate the hashes in the file. Biiiiig difference between read and write access to a password file.

      --
      which is totally what she said
    2. Re:chicken egg? by Penguinisto · · Score: 5, Insightful

      He might as well add his own password entry.

      True, but the idea is that if he's working from a SAM or shadow file written to pilfered backup tape, or got the password DB by use of a whole host of tools designed to suck out a Windows AD SAM from a server to your laptop over, say, a wifi network connection made in the parking lot or somesuch... e.g. you have the hash file, but don't have a clue as to what it contains. A lot of tools are designed to exploit holes in Windows' Active directory to get a copy of the SAM without all the bother of logging in (most required physical access to the box and a reboot, but IIRC there were some that didn't, depending on the exploit used).

      In the corporate espionage type break-ins, it makes more sense to not poke around too much and break stuff as you go, but instead concentrate on finding the means by which you can return to the network with your presence all dressed up as a legit user or three. This way, you have relatively more time and leisure with which to poke around in. If you add your own account (modify a file) and give it privs, you're liable to get someone's attention (self-audits, internal file integrity sweeps such as AFICK provides, etc...). If you merely copy a file, there's less of a potential fuss.

      The tangents and possibilities can go on and on, mostly because security and breaking-in can become less of a science, and more of an art form. :)

      /P (who sees bits and pieces of it from time to time)

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    3. Re:chicken egg? by gnick · · Score: 1

      Can't everyone read the password hashes file? On Linux at least.

      No. That was true 15 years ago, but things like .shadow files have made things much trickier for the average user.
      --
      He's getting rather old, but he's a good mouse.
    4. Re:chicken egg? by ealex292 · · Score: 2, Informative

      No. The /etc/passwd file does not actually contain passwords, despite the name. It used to (hence the name), but hasn't in a while, since letting people read the hashes lets people brute force breaking the passwords a lot more easily (basically, hash every word in the dictionary, save it in a file, and compare those hashes against the one in the password file --- though this is less effective if salting is used).

      From my password file:

      alex@ephesus ~ $ cat /etc/passwd
      root:x:0:0:root:/root:/bin/bash
      [...]

      That "x" after the first colon indicates that the password is stored elsewhere --- in /etc/shadow, which is not world-readable:

      alex@ephesus ~ $ ll /etc/shadow
      -rw-r----- 1 root shadow 896 2008-02-03 21:18 /etc/shadow
    5. Re:chicken egg? by Vellmont · · Score: 1


      Can't everyone read the password hashes file? On Linux at least.

      Absolutely not. Shadow password files became common on Linux 12-15 years ago, and other Unix variants around the same time. Only root is allowed to see the hash. If you have root privs, seeing the password hash wouldn't gain you much.

      --
      AccountKiller
    6. Re:chicken egg? by swillden · · Score: 4, Funny

      From my password file:

      alex@ephesus ~ $ cat /etc/passwd
      root:x:0:0:root:/root:/bin/bash
      [...]

      That "x" after the first colon indicates that the password is stored elsewhere --- in /etc/shadow, which is not world-readable:

      alex@ephesus ~ $ ll /etc/shadow
      -rw-r----- 1 root shadow 896 2008-02-03 21:18 /etc/shadow

      So what does the corresponding entry in the shadow file look like?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    7. Re:chicken egg? by Anonymous Coward · · Score: 0

      Heh, nice try!

    8. Re:chicken egg? by crowemojo · · Score: 2, Informative

      You are proving his point!

      By the time an attacker has the hashes, the game is essentially over! Do you think a 10 character password is really going to be that much weaker than a 14 character password in the situation where an attacker does *not* have hashes? (And simple controls such as account lockout features are enabled?)

      I think Tippett would prefer passwords to be only complicated enough that they aren't susceptible to brute forcing when account lockout features are in place. His point is that anything past that is not netting you any practical security gain, and I think he's dead on.

      I've heard the speech that this article is referring to and I have to tell you, it's pretty interesting. He talks a lot about trying to take a more practical approach to security, especially security research. Asking questions like "in a given environment, which controls result in an appreciable difference in security?" "Does updating virus signatures quarterly vs. monthly vs. weekly vs. daily make a difference?" Putting aside how you answer such questions (it's not an impossible task) I have to admit that the answers themselves are relevant!

      One of Tippett's messages he stresses in this talk is that the security industry does things differently than other industries and it doesn't make sense. He draws a lot of comparisons to the medical industry because he is a medical doctor as well. In medicine, when we want to know how effective something is, we study it, we design trials, we examine the effects in the field. In security, we tend to go straight from the theoretical realm, debating ideals and their implications, straight to hard and fast rules, without the testing in between. We do ourselves a disservice by doing so. Straight from thinking "Antivirus updates are important and need to take place daily" to a general belief that "if you don't update daily, you are stupid, and insecure" without the in between step of asking "Does updating virus signatures quarterly vs. monthly vs. weekly vs. daily make a difference?"

    9. Re:chicken egg? by DaleGlass · · Score: 2, Informative
      Sure, you can see mine if you want:

      root:!:13916:0:99999:7:::


      If you manage to crack that, try it at 127.249.17.156
    10. Re:chicken egg? by neurovish · · Score: 1

      From my password file:

              alex@ephesus ~ $ cat /etc/passwd
              root:x:0:0:root:/root:/bin/bash
              [...]

      That "x" after the first colon indicates that the password is stored elsewhere --- in /etc/shadow, which is not world-readable:

              alex@ephesus ~ $ ll /etc/shadow
              -rw-r----- 1 root shadow 896 2008-02-03 21:18 /etc/shadow

      So what does the corresponding entry in the shadow file look like? root:$1$kR3d2v6a$DdWEe8U2vYnze0cBNMnsS0:13866:0::::: ?
    11. Re:chicken egg? by Anonymous Coward · · Score: 0

      Here you go..

          $ ypmatch root passwd
          root:m4Qhxf9WPs/tL:0:0:root:/:/bin/sh

    12. Re:chicken egg? by swillden · · Score: 1

      Sure, you can see mine if you want:

      root:!:13916:0:99999:7:::
      If you manage to crack that, try it at 127.249.17.156

      Wow, your root password is the same as mine! I logged right in!

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    13. Re:chicken egg? by doxology · · Score: 1

      cozzy@cozzy:~$ cat /etc/shadow
      cat: /etc/shadow: Permission denied
      cozzy@cozzy:~$ ls -l /etc | grep shadow
      -rw-r----- 1 root shadow 1656 2008-02-01 01:30 gshadow
      -rw------- 1 root root 1647 2008-02-01 01:29 gshadow-
      -rw-r----- 1 root shadow 1617 2008-02-03 18:21 shadow
      -rw------- 1 root root 1617 2008-02-03 18:09 shadow-

      --
      sigfault. core dumped.
    14. Re:chicken egg? by hesaigo999ca · · Score: 1

      I concur, even going so far as to copy a file, only shows up minimally in the event viewer as type of action which is related to the explorer, but not what was actually done, copied delete etc...

    15. Re:chicken egg? by xmod2 · · Score: 1

      Nice try, fortunately Slashdot has built in protection against scams like that. When you type in your password it automatically stars it out.

      **********

      See?

    16. Re:chicken egg? by RealUlli · · Score: 1
      So what does the corresponding entry in the shadow file look like?

      It doesn't look at all.

      If I can read the shadow file, i can also write the password file, which might gain an entry:

      noot::0:0:root:/root:/bin/bash

      Which should allow me to log in with root privs...

      Ulli

      --
      Simple things should be simple, complex things should be possible.
  4. Car Analogies by FreakinSyco · · Score: 1

    That story has more car analogies than an average /. thread.

    1. Re:Car Analogies by Farmer+Tim · · Score: 5, Funny

      That story has more car analogies than an average /. thread.

      Or to put it another way, if car analogies were like cars on a highway...

      --
      Blank until /. makes another boneheaded UI decision.
    2. Re:Car Analogies by techpawn · · Score: 1

      That story has more car analogies than an average /. thread.
      Yeah, but he wanted to make sure everyone was getting what he meant
      Like when the check engine light comes on and...
      --
      Ask not what you can do for your country. Ask what your country did to you
    3. Re:Car Analogies by 1+New+Orleanian · · Score: 1

      And bad analogies at that. Cars can be made arbitrarily safe. Race car drivers rarely die anymore - and they don't use titanium seat belts or arrow catchers. They use 15g roll cages, flame proof suits, non-flammable interiors, fuel cells, tubes inside their tires, helmets, - and 5 point nylon seatbelts. Of course, most of us do not want the expense or bother of all that. There are some well understood differences between secure and insecure systems. This speaker has not done anything to improve awareness & understanding of the important issues.

  5. A sane voice is heard... by Jennifer+York · · Score: 4, Insightful

    I've had enough of the Security Vendors and their rhetoric. I'm constantly bombarded with requests to attend sales presentations on the latest intrusion detection pizza box appliance, or spam firewall thingy, etc. The value of these products is only so that the execs can point to their "security initiatives" and "best practices" when a breach of security is discovered. If they look like they've made an effort to curtail the risk, then they still get their big bonus.

    1. Re:A sane voice is heard... by SCHecklerX · · Score: 1

      Couldn't have said it better myself, which is one of the reasons I left my last job where I was the lead security analyst.

    2. Re:A sane voice is heard... by ssummer · · Score: 2, Insightful

      Unfortunately that kind of thinking which you condemn is present in just about every facet of industry and society. It's called CYA (Cover Your Ass). It's why we have to take off our shoes at the airport, it's why doctors order unnecessary tests, it's why millions of tons of "expired" food is destroyed every year, it's what runs the Legislative and Executive branches, it's why we are still in Afghanistan and Iraq, it's...

    3. Re:A sane voice is heard... by zdickinson · · Score: 1

      Really? The value to me is that I don't get as much SPAM and am now protected from the majority of attacks.

      --
      I hate ethics, I avoid them on principle.
  6. I forget by jojo1835 · · Score: 1

    Why does my company have a list of passwords again? We need to get out of the thought that each individual device needs a password, and get to the point where passwords are part of an account a user has. Then we don't need to keep a list, we just need to enforce security on the directory storing passwords.

    Tim

    --
    See... and you thought your sig was boring - TT
    1. Re:I forget by tepples · · Score: 1

      We need to get out of the thought that each individual device needs a password, and get to the point where passwords are part of an account a user has.

      Good luck paying cell phone minutes for all the time that a battery-powered device is turned on. Not all devices are connected to a wired or Wi-Fi network at all times.
  7. Corporate mouthpiece by Space+cowboy · · Score: 3, Insightful
    So, at first I wondered why an anti-virus man was basically blowing huge holes in the usefulness of his industry by coming out with quotable nonsense, for example:

    But if a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000,"

    No. If you mandate long passwords on the server, there are no short passwords. That's sort of the point.

    But then, I read on in the article (yeah, I know, it's /., but what the hell), past the flawed car analogy and it became clear - he's making nonsense statements at the start to try and hide his introduction of the meme that an anti-virus program that doesn't really work is still a "really good thing"(TM).

    Now, don't get me wrong, *any* protection is obviously better than none, but this is basically a surrender - instead of selling the common (wrong, but common) "I have an up-to-date anti-virus package, I am protected" perception, they're now moving towards "Hey, we did the best we could; all those *old* virus's/virii(+) are *definitely not getting through". Woo Hoo.

    So perhaps I'm being overly cynical, but it seems to me like a corporate piece with quotable sound-bites (so it gets wide distribution) that tries to deliver the message "hey, we suck, but keep on buying our software", in a more acceptable-to-the-people manner...

    Simon

    (+) And with this, I hope to equally annoy the grammar and spelling nazis out there. [insert random deity] those people piss me off.
    --
    Physicists get Hadrons!
    1. Re:Corporate mouthpiece by Anonymous Coward · · Score: 5, Insightful

      I can fully understand your cynicism, I share a lot of it. However, Peter Tippett does not work for Norton any more. He works for Verizon Business in their Risk Intelligence, and he has spent the past several years doing actual research on risk on an Enterprise level.

      Maybe he's wrong, but he isn't trying to sell you any software.

      Ben

    2. Re:Corporate mouthpiece by Penguinisto · · Score: 1
      What did you expect? This is the same website that gives a periodic voice to Rob Enderle as if he were some sort of security expert... :/

      /P

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    3. Re:Corporate mouthpiece by maxume · · Score: 1

      It depends a little bit on how close your definition of a long password is to his definition of a long password. If he is saying long password in the context of what he thinks is common practice, and he is basing the 2000/5000 on how many would likely be cracked before they were changed, he probably has a point.

      --
      Nerd rage is the funniest rage.
    4. Re:Corporate mouthpiece by b0nafide · · Score: 1

      Having worked in the trenches fixing computers for people for well over 16 years now, I am mostly in agreement with you... except in case of norton antivirus especially - NO protection IS better than none. In fact, in the last computer shop I worked in we had a piece of paper that never left the wall of the tech bench. It read: "Rule 9: If it has Norton AntiVirus, it has a virus at the very least." Rule 9 held true - admittedly we did deal with a high volume of virus infected machines anyway. The bottom line was - Norton A/V doesn't seem to be working. We figured that Norton was working in tandem with microsoft to provide a security hole, y'know, when needed, for law enforcement and whatnot. To hear a defeatist attitude and car analogies from somebody who invented a program a long time ago that flags headers of files only indicates to me that the only constant in this industry continues to be change and that this security researcher is a dinosaur who has profited all along from the ignorance and frustration of others. firewall? bah. client push.

    5. Re:Corporate mouthpiece by srck · · Score: 1

      A small amount of measurably good protection is, to be sure, but badly implemented protection is worse than none, because you think you're safe when you're not. Two businesses I inspected lately...

      - one used some cockamamie patch management tool, which told them that "SYSTEM1 - PATCHED", when in fact system1's patch deployment agent was identifying the successful "return=0" of the deployment script, not the (failing) installation.

      - one boasted of their comprehensive AV coverage, and were horrified to discover that - as a small business - their (unmanaged) AV coverage was sketchy at best, relying on internet-based updates which were falling on their collective rear ends more than half the time.

      Decisions are made on these flawed beliefs, which in turn magnify actual business risks by many times. In the case of #2, they opted for "unfiltered" (i.e. unscrubbed by inline AV) internets, on the basis that "we don't need it, so let's not spend the money".

      One piece of WELL-MEASURED AND MANAGED protection is worth ten unmeasured and unmanaged pieces.

    6. Re:Corporate mouthpiece by xanthines-R-yummy · · Score: 1

      Off-topic, but who cares... I'd be interested in knowing how his research is going. I believe he holds both an MD and a PhD, making me think that he's probably a pretty smart guy!

    7. Re:Corporate mouthpiece by mattpalmer1086 · · Score: 1

      "No. If you mandate long passwords on the server, there are no short passwords. That's sort of the point."

      He doesn't say there's a mixture of short and long passwords. He's saying that with long passwords, the attackers only get a few of them, not all of them. But the attackers only need a few of them. So long passwords (set on the server or wherever!) don't help as much as you'd like to think. In that specific threat scenario, anyway.

      "to try and hide his introduction of the meme that an anti-virus program that doesn't really work is still a "really good thing"(TM)."

      He ends by saying that there are better things to spend money on than more anti-virus. I don't know where you're getting it from.

    8. Re:Corporate mouthpiece by Anonymous Coward · · Score: 0

      Hey, don't you dare to curse in the name of Boldogasszony!

    9. Re:Corporate mouthpiece by Jaxoreth · · Score: 1

      they're now moving towards "Hey, we did the best we could; all those *old* virus's/virii(+) are *definitely not getting through".

      (+) And with this, I hope to equally annoy the grammar and spelling nazis out there.

      You mean by using a plus sign instead of an asterisk?
      --
      In general, it is safe and legal to kill your children. -- POSIX Programmer's Guide
  8. Double Eentendres by CowTipperGore · · Score: 4, Funny

    Peter Tippett thinks it's time for security professionals to wake up and stop wasting their energy. In a presentation here yesterday, Tippett -- who is vice president of risk intelligence for Verizon Business, chief scientist at ICSA Labs, and the inventor of the program that became Norton Antivirus...

    Peter Tippett invented the computer condom? You just know that his resume also lists a job somewhere in penetration testing.
    1. Re:Double Eentendres by iknownuttin · · Score: 1
      Peter Tippett invented the computer condom?

      That's not the only thing. Apparently this guy has a problem with others stealing his ideas. I always thought Peter Norton invented the Norton Anti virus. What, now you're going to tell me that he's not related to Ed Norton?

      --
      I prefer Flambe as apposed flamebait.
    2. Re:Double Eentendres by vandegraff · · Score: 1

      Looking at AV from 50,000 feet:

      Problem #1 why would anti-virus software which is added after the fact for protection really "know" what was good or bad in the context of the operating system? Why should it be trusted as much as the operating system itself?

      Problem #2 signature based detection does not work when threats are polymorphic.

      --
      Confucius say: I hear and I forget. I see and I remember. I do and I understand.
    3. Re:Double Eentendres by damium · · Score: 1

      Actually I don't believe there is a polymorphic threat out there that signature detection doesn't work on. The code isn't complex enough, you can always detect the signature of the code that is doing the morphing. The real problem is that signature detection only works on *known* threats, there are plenty of unknown threats and uncommon threats that will not be covered.

  9. That efficient? by Rampantbaboon · · Score: 4, Insightful

    About 3/4 of the work done by the average corporate department is useless. Congrats on the efficiency, security people.

    1. Re:That efficient? by b0nafide · · Score: 1

      heheheheheheheh "stop wasting effort security researchers - your efforts are only making people safe from the impending, expensive threat of norton antivirus"

  10. Dr. Tippett's old analogy by SCHecklerX · · Score: 1

    Wow,

    10 years ago he was saying exactly the same thing. It's still relevant, but nobody has been listening.

    1. Re:Dr. Tippett's old analogy by Anonymous Coward · · Score: 0

      Or, it's not relevant at all, and that's why nobody has been listening.

      Seriously, Dr. Tippett makes some good points from time to time, but he has been going on the same rant for years now regardless of the actual state of the security industry. He has become a self-appointed elder statesman because he was part of the early AV industry long ago, and his interpretation of this role is to 1) state the obvious and 2) make attention-getting, seemingly contrarian statements that are supported only by flawed analogies. (Oldsters on this thread will remember this as the modus operandi of John McAfee and most other leaders of the early security industry, as well as a few modern security pundits.)

      His papers and speeches usually fail a close parse and the consultants in his own companies, much less the security community at large, pay no attention to him.

    2. Re:Dr. Tippett's old analogy by Sancho · · Score: 1

      The security landscape is definitely changing, though, and not for the better.

      The ubiquity of encryption, fast processors, and fat pipes has led to malware which is harder to corral. Storm Worm is a perfect example--it uses encryption so that the traffic from the worm is hard to detect. It's all just random chatter on UDP ports. The binaries themselves are encrypted and they auto-update in order to avoid detection from anti-virus software. I haven't seen heuristics engines detect it with any consistency, either.

      More and more malware will move to this sort of tactic, and education is just about the only way to fight it. Unfortunately, it's hard to sell education. I've seen people walk out of a computer security training class and get infected, because they couldn't apply even simple concepts (like not opening unexpected attachments) to their real, day-to-day work.

  11. 1/3 + by globaljustin · · Score: 4, Interesting

    Tippett is right on with this, and I'd venture we could go further. Think of how much money is wasted on redundant security and the people to operate it, now add to that all the time and productivity wasted b/c rank and file employees have to navigate under such redundant encumbrances.

    I honestly feel like 9/11 and its aftermath has *something* to do with how several sectors of our country are tripping over themselves to implement unnecessary, bloated, counterproductive measures in the name of 'security'.

    Existence is insecurity. The only way for something to be 100% secure is for it not to exist.

    --
    Thank you Dave Raggett
    1. Re:1/3 + by b0nafide · · Score: 1

      clearly, things continue to exist even after the original 1990 release of norton anti-virus, which should have simply written zeros to all available media as a precaution against impending security threats...

    2. Re:1/3 + by jcnnghm · · Score: 1

      You call it redundant security, I call it layered. For example, between most of my servers and the public internet, there are at least three firewalls, generally edge, zone, and host. In the past I've found individual firewalls in the stack that were misconfigured and would have let through traffic that they shouldn't, had there not been two other layers to enforce policy. Additionally, I've seen firewall layers fail to firewall traffic completely, for whatever reason. Had there not been layered security, it's quite possible that a system could have been compromised.

      Computer security isn't really like 9/11 in the sense that there really are actual, plausible, real, consistent, constant, determined threats. Put a clean install of XP online without patching with a public IP and no firewall, and see how long it takes to be compromised. In an environment that is absolutely hostile, no doubt about that, layered security is the way to go if for no other reason than the attacker has to break into multiple systems to get what they are really after. This gives me (and my IDS) multiple chances to figure out something isn't right and fix it, and makes the attack take much longer. Additionally, if there are much easier targets, they probably won't pick me. You can still steal the car with the club on it almost as easily as any other, but it isn't really worth the extra effort if there is a car without the club sitting right next to it, plus you look a lot more suspicious when you're sawing through the steering wheel.

      --
      You don't make the poor richer by making the rich poorer. - Winston Churchill
    3. Re:1/3 + by The+Mighty+Buzzard · · Score: 1

      At least they're making an effort now. If we had '95 era security as the standard in today's malware bloated security environment the damage done would be catastrophic. On the up side, anyone with an Ubuntu disk would be worshiped by everyone (except us slack users, who would continue our jeering. oh and gentoo users who wouldn't notice because they're busy having to do system recovery yet again.).

      --
      Violence is like duct tape. If it doesn't solve the problem, you didn't use enough.
    4. Re:1/3 + by MazzThePianoman · · Score: 1

      I honestly feel like 9/11 and its aftermath has *something* to do with how several sectors of our country are tripping over themselves to implement unnecessary, bloated, counterproductive measures in the name of 'security'.

      People will spend just about anything to "feel" safe. Just look at air safety and the billions being spent there. All that money and inconveniences and yet more people die from lightning strikes than during air travel.
      --
      "They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety" Franklin
    5. Re:1/3 + by Anonymous Coward · · Score: 0

      too many people feel that complexity == security. It is a shame.

    6. Re:1/3 + by bitrunner · · Score: 1

      I think that's right. 'security' seems to be a hype. I see measures being taken and wonder. Security is something subjective and relative. Throw some money at it buy some stuff that you don't know if you need it, how to use it or if it would even be effective. But it sure makes you and others feel good and that's what counts. After the money is spent you can show in a report (by attaching receipts) that you did everything possible. Make sure you hire the 25K sysadmin instead of the guy that knows what he is doing but you can't afford, that way you can additionally prove you're efficient too. Of course that doesn't work, we know all that, but hey that's why you need to hire some acronym (a CIO or so), with a good solid mba or history degree or something like that, who says he knows what he is doing. Of course that doesn't work either.. *S* but you're 3 years down that track now and need that new generation of software and hardware to really make it work. right ? what about that that CIO you hired ? heck just swap it with some peer organization.. they probably have one that would love to work at your place. Am I disgruntled ? Heck no.. I am not even part of that circus, but I see it happen all the time. Let's face it, no one is really interested in security, it is annoying and restrictive. Buying stuff that doesn't really do anything (but also doesn't harm anything) is the best way to CYA. It is relatively easy to come up with something that is more effective and efficient. The problem with that is though, nothing is 100% foolproof and/or safe, so what if something goes wrong and you don't have these k's (or m's) of $$$ receipts to show what you did everything to prevent disaster from happening ?

    7. Re:1/3 + by Kazoo+the+Clown · · Score: 1

      Capitalism 101-- you need to know how markets work. People buy things based on perception and hope, not on facts and reality. Products don't have to work, they just have to sell. If people want something that does not and cannot exist, those facts do not matter-- it remains there is a waiting market for that impossible thing, and enterprises can still thrive producing products that appeal to such a market.

  12. having a lock on my door by circletimessquare · · Score: 5, Interesting

    is stupid because somebody can just kick in a window

    except it isn't stupid. if someone is determined enough, they will break into my house, no doubt. most of the security features on my house are meant to deter those with a casual interest

    same with all of the efforts that tippett pokes holes in. well yeah, duh: every single security effort in the world is surmountable. what's the value in pointing that out? none

    that someone can get over your security measures with effort is not an argument against the lowest level of security. the lowest level security practices always has value: against casual transgressions

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:having a lock on my door by mapsjanhere · · Score: 1

      I was thinking the same; yes, I still would like to cut the company president and half the PhDs off the internet half the time, but nevertheless I sleep better with automatic patches, AV and long passwords. Sure it's not defense against a dedicated hacker or the NSA, but it beats relying on people actually listening to you in the security briefings, especially the "I don't have time for this" and the "I know better" crowds.

      --
      I'm aging rapidly, I bought a new game and had no idea if my machine was good for it.
    2. Re:having a lock on my door by phliar · · Score: 2, Interesting

      The biggest effect these lowest level ineffective gratuitous "security" measures have is to annoy everyone and make lots of money for the security companies. Good security is a matter of quality, not quantity.

      Let me give you an example: I work downtown in a building of 10 floors, surrounded by buildings of around 50 floors. There are only offices in this building, all very boring and white collar. We already have card-readers on the doors on each floor. You also have to swipe your card in the elevator or it won't take you to your floor. And last month they added BART-style card-reading barricades downstairs. All this expensive security for what? So that when you forget your card, you wait downstairs while someone from your floor comes to escort you up to your floor, where you get your temporary day badge.

      Exactly what benefit does all that extra security have? If I wanted to steal corporate secrets I wouldn't be doing it by trying to sneak into the building.

      But it's the war on terra! 9/11 changed everything!!!

      --
      Unlimited growth == Cancer.
    3. Re:having a lock on my door by Firethorn · · Score: 1

      having a lock on my door is stupid because somebody can just kick in a window

      Personally, I think it'd be more along the lines of putting a X09 lock on your door.

      Even a fairly cheap lock is going to hold up better than a window - of course, like different methods compromising a computer network, there are variances in detectability, cost, danger, etc... Opening a door is cheap, bypassing a handle-lock takes more skill but is generally hard to detect, a deadbolt even more expensive. Long before you get anywhere near the X09, kicking in the door or a window becomes the obvious solution.

      Besides, with the X09 you might find your family members not locking it because it's too much of a pain to open again - resulting in LESS security. I've seen it with passwords - they jacked the password requirements way up and the rate of writing them down skyrocketed - that's not more secure.

      that someone can get over your security measures with effort is not an argument against the lowest level of security. the lowest level security practices always has value: against casual transgressions

      I think that the point he was trying to make is that you can't make any one feature of your program 100%, so just do the best you can given the budget - and that's generally by shoring up your deficiencies rather than building on your strong points.

      --
      I don't read AC A human right
    4. Re:having a lock on my door by jozmala · · Score: 1

      Actually, what Tippett claims, using the same house analogy that you used, is that people spend their money on bullet-proof windows and heavy steel doors with half a dozen different locks required to open them, and do not teach their children NOT to leave their (ground floor) windows open when everyone leaves the house. Or leave the balcony door open ...

      What he claims is that we are not working on the best solution.

      --
      ©God :Copyright is exclusive right for creator to determine the use of his creation.
    5. Re:having a lock on my door by TheDreadSlashdotterD · · Score: 1

      Take heart in the fact that no matter how strong a lock you put on your front door it can be opened with a sledgehammer.

      --
      I have nothing to say.
    6. Re:having a lock on my door by greenbird · · Score: 1

      having a lock on my door is stupid because somebody can just kick in a window

      You're missing his point completely. He's not saying don't put a lock on your door. He's saying spending $100,000 on a titanium door with 12 1" thick locking pins and three biometric + keycode unlocking mechanisms is stupid because they can just kick in the window.

      --
      Who is John Galt?
  13. Warning, meaningless automotive metafoor's ahead.. by Anonymous Coward · · Score: 0

    dont even bother reading tfa..

  14. Defense In Depth by ThaNooch · · Score: 5, Insightful

    No one is trying to create an Iron Curtain. Security departments (most of them hopefully) are taking numerous measures to prevent breaches. Including access controls preventing one compromised computer from getting all the marbles via role-based or well-configured discretionary access controls, appropriate traffic filtering and intrusion detection techs.

    Risk management is the specific practice of minimizing the greatest risks (what will do the most harm and will be the most likely to happen). And for the most part everyone realizes that no risk can be completely eliminated, so we mitigate them as best we can and rely on fundamentally sound access controls et al. to limit the effect of any breach and hopefully know about and plan for unforeseen circumstances by planning for certain categories of attacks.

    Hopefully I'm right, because if I'm not... I'm scared.

  15. Not totally clear .. by lorenzino · · Score: 1

    The 2000 vs 5000 password problem is not really clear to me. Anyone can explain better? And I partially agree on the other things he said, basically inbound and outbound default DROP/DENY and investing in teaching workers rather than spending money on antivirus software only ..but does that mean he is out of the antivirus business? Why would HE suggest that?

    1. Re:Not totally clear .. by Christianson · · Score: 3, Insightful
      I think his point might be this: when you enforce strong password policies, you reduce exposure but you do not prevent someone gaining access to your systems. They only have to be lucky once. Strong password policies make it harder for them to be lucky, but not impossible. What do you gain with a strong password policy? You make it much more difficult for someone to use a dictionary attack. Aren't there other ways to protect against that?

      What do you lose with a strong password policy? Good user habits. They will start writing passwords down, or reusing them, and in general starting to do things we know you shouldn't. The policy starts becoming a direct impediment to the users, and so they naturally do their best to work around it. You may have reduced your exposure to brute force attacks, but you've opened yourself up to social engineering, and it's not clear that you've won by doing so.

      Which is why (I think) he makes the point about user education. Getting users to follow good security procedures would likely solve more problems than any possible technical solution. This in turn requires a recognition that there are certain technical solutions you simply cannot put in place if you want people to use your system in a secure fashion.
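As an added illustration of the trade-off Christianson describes, here is a small simulation; it is my own example, not code from the article, from Tippett or from any commenter. It builds a salted-hash password file from a constructed set of user-chosen passwords, runs a dictionary attack against it with and without a length-plus-character-class policy, and computes the probability that an attacker who only needs one account gets one. The usernames, passwords, wordlist and policy thresholds are all made up for the example.

```python
import hashlib
import secrets

# Constructed sample data for the example: what five users chose as passwords.
SAMPLE_PASSWORDS = {
    "alice": "Summer2007!!",     # passes a complexity policy, yet sits in wordlists
    "bob": "Tr0ub4dor&3x!",
    "carol": "password",
    "dave": "letmein",
    "erin": "xK9#mq2!Lp7vR",
}

# Constructed attacker wordlist (a real one has millions of entries plus mangling rules).
WORDLIST = ["password", "letmein", "123456", "qwerty", "Summer2007!!", "Password1"]


def store(plain: str) -> tuple:
    """Salted SHA-256: the kind of entry a stolen password file might hold."""
    salt = secrets.token_hex(8)
    return salt, hashlib.sha256((salt + plain).encode()).hexdigest()


def meets_policy(pw: str, min_len: int = 12, min_classes: int = 3) -> bool:
    """A 'long password' policy: minimum length plus a character-class mix."""
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])
    return len(pw) >= min_len and classes >= min_classes


def dictionary_attack(pwfile: dict, wordlist: list) -> list:
    """Offline attack on a stolen file: every word against every account, first hit wins."""
    cracked = []
    for user, (salt, digest) in pwfile.items():
        for word in wordlist:
            if hashlib.sha256((salt + word).encode()).hexdigest() == digest:
                cracked.append(user)
                break
    return cracked


def crack_under_policy(passwords: dict, wordlist: list, policy) -> list:
    """Only passwords the policy accepted ever reach the file; attack what is left."""
    pwfile = {u: store(p) for u, p in passwords.items() if policy(p)}
    return dictionary_attack(pwfile, wordlist)


def run_without_policy() -> list:
    return crack_under_policy(SAMPLE_PASSWORDS, WORDLIST, lambda _pw: True)


def run_with_policy() -> list:
    return crack_under_policy(SAMPLE_PASSWORDS, WORDLIST, meets_policy)


def p_at_least_one(n_accounts: int, per_account: float) -> float:
    """Tippett's point in numbers: the attacker needs one account, not most of them.
    per_account is the fraction of accounts the wordlist reaches (0.5 vs 0.2 in TFA)."""
    return 1.0 - (1.0 - per_account) ** n_accounts


if __name__ == "__main__":
    print("no policy  :", run_without_policy())   # 3 of 5 accounts fall
    print("with policy:", run_with_policy())      # 1 of 5 falls, which is still one
    for frac in (0.5, 0.2, 0.001):
        print(f"p(at least one of 10000 cracked | {frac:.1%} guessable) = "
              f"{p_at_least_one(10000, frac):.6f}")
```

The policy removes three weak choices from the file but not the one that is long, mixed-case and still in every wordlist, which is why going from 5,000 crackable accounts to 2,000 buys little when a single account is enough. The levers that change the attacker's cost per guess rather than the fraction of guessable passwords are a deliberately slow hash (PBKDF2, bcrypt or scrypt in place of the plain salted SHA-256 used here) for the offline case and per-account throttling for the online case; neither asks users to remember longer strings.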

    2. Re:Not totally clear .. by lorenzino · · Score: 1

      Thanks :)

  16. my root password is by FudRucker · · Score: 2, Funny

    a small poem (haiku style), it is difficult to type correctly because of intentional typos and a few numbers substituting for letters, i even get it wrong myself about 1/3 of the time even though i know it by heart...

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:my root password is by gnick · · Score: 1

      Wow... That sounds a little overly-paranoid unless you're worried about being heavily attacked by a well-funded government. Even really dedicated crackers quit at the 14-char letter/number/special char rainbow table level...

      --
      He's getting rather old, but he's a good mouse.
    2. Re:my root password is by Anonymous Coward · · Score: 0

      my password is 'You'll never guess my password!!!111!!!eleven' Easy to remember, nobody would even guess it, and i doubt people would let their brute force algorithm work long enough to break it....

    3. Re:my root password is by Bloodoflethe · · Score: 1

      haiku style
      it is difficult to type correctly because of intentional typos
      and a few numbers substituting for letters
      i even get it wrong myself about 1/3 of the time even though i know it by heart

      This is closer to haiku, but haiku-style? No, sir.

      Typing bad is hard
      Letters, numbers confuse me
      Though I know: Error!

      Haiku!
      --
      "Little is much when little you need."
    4. Re:my root password is by sheph · · Score: 1

      That's fine if you're at home and have nothing better to do than spend your time logging in. But when I'm at work and the boss is breathing down my neck to find out why some service isn't running I sure don't want to be sitting there for 5-10 minutes trying to get my "haiku" right.

      --
      I don't believe in karma, I just call it like I see it.
  17. Valid points from article by whitehatlurker · · Score: 4, Informative
    1) Not all "vulnerabilities" are dangerous. Yes, there are a lot of junk security warnings out there. Part of the security officers' duty is to separate the chaff from the kernels.

    2) You're only as secure as your weakest password. We knew that.

    3) This guy shouldn't talk about seatbelts.

    --
    .. paranoid crackpot leftover from the days of Amiga.
    1. Re:Valid points from article by celtic_hackr · · Score: 1

      Not quite true.

      2) You're only as secure as your weakest entry point. Whether that is a password, an unsecured port, an unpatched vulnerability, or that idiot down the hall that falls for every virulent email and social hack that comes his way.

      Recently I changed the accessibility of my ssh port and it is amazing at how fast the servers attempting to break in learned to forgo further attempts at cracking it. Connections are now only allowed from certain ips. I know, I should have done this from the start, but I had my reasons for having it wide open.

    2. Re:Valid points from article by darrenkw · · Score: 1

      I always install denyhosts on new installs. That will block access after X failed login attempts. It's sure nice to have a shorter list of failed attempts to look over. This wouldn't stop a determined attacker but it sure helps with the drive by login attempts.
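An added example of what DenyHosts-style thresholding does, written for this thread rather than taken from DenyHosts, the article or any commenter: parse sshd "Failed password" lines, count failures per source address, and emit the sources that crossed a threshold, skipping addresses on an allow list like the source restriction celtic_hackr describes. The log lines, hostname, usernames and addresses are constructed (addresses from the RFC 5737 documentation ranges); the threshold and the hosts.deny output format are my choices for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd log lines in syslog format; addresses are RFC 5737 documentation
# addresses and nothing here comes from a real host.
SAMPLE_AUTH_LOG = """\
Nov 14 02:11:03 host sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Nov 14 02:11:05 host sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Nov 14 02:11:08 host sshd[4023]: Failed password for root from 203.0.113.7 port 51240 ssh2
Nov 14 02:11:11 host sshd[4025]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Nov 14 02:11:14 host sshd[4027]: Failed password for invalid user test from 203.0.113.7 port 51248 ssh2
Nov 14 02:12:40 host sshd[4031]: Failed password for alice from 198.51.100.20 port 40112 ssh2
Nov 14 02:12:47 host sshd[4031]: Accepted publickey for alice from 198.51.100.20 port 40112 ssh2
Nov 14 02:13:02 host sshd[4040]: Failed password for invalid user guest from 203.0.113.9 port 33001 ssh2
Nov 14 02:13:05 host sshd[4040]: Failed password for invalid user guest from 203.0.113.9 port 33001 ssh2
"""

# Matches both shapes sshd uses: "Failed password for USER" and
# "Failed password for invalid user USER".
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, user, source_ip) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("ip")


def failures_by_source(log_text):
    """{ip: sorted list of usernames tried}: the short list worth a human's eyes."""
    tried = defaultdict(set)
    for _, user, ip in parse_failures(log_text):
        tried[ip].add(user)
    return {ip: sorted(users) for ip, users in tried.items()}


def hosts_to_deny(log_text, threshold=5, allow_from=frozenset()):
    """Sources with at least `threshold` failures, minus any on the allow list.
    Returns {ip: failure_count}."""
    counts = Counter(ip for _, _, ip in parse_failures(log_text))
    return {ip: n for ip, n in counts.items()
            if n >= threshold and ip not in allow_from}


def render_hosts_deny(denied):
    """Render as hosts.deny lines (DenyHosts itself writes into /etc/hosts.deny;
    assumption for the example: sshd honours TCP wrappers)."""
    return "\n".join(f"sshd: {ip}" for ip in sorted(denied))


if __name__ == "__main__":
    print(failures_by_source(SAMPLE_AUTH_LOG))
    denied = hosts_to_deny(SAMPLE_AUTH_LOG, threshold=5,
                           allow_from={"198.51.100.20"})   # the admin's own address
    print(render_hosts_deny(denied))
```

A plain count over the whole file is the crude form; DenyHosts and fail2ban also age counts out so that one mistyped password a day never trips the threshold. The limitation darrenkw notes is visible here too: an attacker spreading guesses across many addresses, each staying under the threshold, is never listed, which is why a source allow list or key-only authentication on the port is the stronger control.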

    3. Re:Valid points from article by whitehatlurker · · Score: 1

      Yes, you're right. I sit corrected. Thank you.

      --
      .. paranoid crackpot leftover from the days of Amiga.
  18. he had me until by caserio · · Score: 1

    "Security teams need to rethink the way they spend their time, focusing on efforts that could potentially pay higher security dividends, Tippett suggested. "For example, only 8 percent of companies have enabled their routers to do 'default deny' on inbound traffic," he said. "Even fewer do it on outbound traffic. That's an example of a simple effort that could pay high dividends if more companies took the time to do it.""

    This is on every PIX ever made. What is the point of any firewall if it does not block all, then let some through?
    I agree that education is probably the best security practice! There does not exist a product that can secure stupid.
    However you MUST have AV/long passwords/IDS/IPS and a host of other things to create layers and let you know what is going on in your network. If you just throw your hands up you are not doing your job!

    1. Re:he had me until by CowTipperGore · · Score: 1

      This is on every Pix ever made. What is the point of any firewall if it does not block all then let some through.

      In the quote you included from TFA, Tippett is talking about routers. Also, a PIX does not deny outbound by default, only inbound.
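An added example, mine rather than anything from the article, Tippett, jcnnghm or CowTipperGore, that puts the two points above into runnable form: jcnnghm's edge/zone/host stack, where one misconfigured layer is caught by the next, and the inbound-versus-outbound default policy that the thread notes a PIX only sets for one direction. It is a toy stateless first-match packet filter; the addresses (RFC 5737 ranges), rule sets and the deliberate zone misconfiguration are constructed for the example, and real firewalls are stateful and track reply traffic, which this evaluator ignores.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    direction: str = "in"      # "in": toward the protected host, "out": leaving it


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    direction: str
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and ip_address(p.src) in ip_network(self.src, strict=False)
                and ip_address(p.dst) in ip_network(self.dst, strict=False)
                and (self.dport is None or self.dport == p.dport)
                and (self.proto is None or self.proto == p.proto))


@dataclass
class Firewall:
    name: str
    rules: List[Rule]
    default: dict              # policy when nothing matches, e.g. {"in": "deny", "out": "deny"}

    def decide(self, p: Packet) -> str:
        for r in self.rules:   # first match wins
            if r.matches(p):
                return r.action
        return self.default[p.direction]


def traverse(layers: List[Firewall], p: Packet):
    """A packet must be allowed by every layer on its path; report which layer blocked it."""
    for fw in layers:
        if fw.decide(p) == "deny":
            return "deny", fw.name
    return "allow", None


# Constructed addressing for one web server (documentation ranges, not real hosts).
WEB_NET, WEB_HOST, ADMIN_NET, RESOLVER = "192.0.2.0/24", "192.0.2.10", "198.51.100.0/24", "192.0.2.53"


def build_layers() -> List[Firewall]:
    """Edge, zone and host firewalls in front of WEB_HOST (all constructed)."""
    edge = Firewall("edge", [
        Rule("allow", "in", dst=WEB_NET, dport=443, proto="tcp"),
        Rule("allow", "in", dst=WEB_NET, dport=22, proto="tcp"),
    ], default={"in": "deny", "out": "allow"})   # PIX-like: inbound deny, outbound open
    zone = Firewall("zone", [
        Rule("allow", "in", dst=WEB_NET, dport=443, proto="tcp"),
        # Deliberate misconfiguration for the example: should have been src=ADMIN_NET.
        Rule("allow", "in", dst=WEB_NET, dport=22, proto="tcp"),
        Rule("allow", "out", src=WEB_NET, dport=443, proto="tcp"),
        Rule("allow", "out", src=WEB_NET, dst=RESOLVER, dport=53, proto="udp"),
    ], default={"in": "deny", "out": "deny"})
    host = Firewall("host", [
        Rule("allow", "in", dst=WEB_HOST, dport=443, proto="tcp"),
        Rule("allow", "in", src=ADMIN_NET, dst=WEB_HOST, dport=22, proto="tcp"),
        Rule("allow", "out", src=WEB_HOST, dport=443, proto="tcp"),
        Rule("allow", "out", src=WEB_HOST, dst=RESOLVER, dport=53, proto="udp"),
    ], default={"in": "deny", "out": "deny"})
    return [edge, zone, host]


def outbound_with_default_allow(layers: List[Firewall]) -> List[Firewall]:
    """Same stack, but every layer falls back to allowing outbound traffic."""
    return [Firewall(fw.name, fw.rules, {"in": fw.default["in"], "out": "allow"})
            for fw in layers]


if __name__ == "__main__":
    layers = build_layers()
    cases = {
        "https from internet": Packet("203.0.113.5", WEB_HOST, 443),
        "ssh from internet":   Packet("203.0.113.5", WEB_HOST, 22),
        "ssh from admin net":  Packet("198.51.100.8", WEB_HOST, 22),
        "outbound https":      Packet(WEB_HOST, "203.0.113.200", 443, direction="out"),
        "outbound tcp/6667":   Packet(WEB_HOST, "203.0.113.200", 6667, direction="out"),
    }
    for label, pkt in cases.items():
        print(f"{label:20s} -> {traverse(layers, pkt)}")
    print("tcp/6667 with default-allow out ->",
          traverse(outbound_with_default_allow(layers), cases["outbound tcp/6667"]))
```

The zone layer's over-broad SSH rule lets an internet source through, and only the host firewall's source restriction stops it, which is jcnnghm's case. The outbound side shows CowTipperGore's point: an edge device that denies inbound but allows outbound by default contributes nothing when a compromised server reaches out on an unexpected port, and the connection is only dropped because the zone layer sets default deny in both directions.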
  19. AV programs can even be counter-productive by pyrr · · Score: 1

    One of the silliest things I've seen in my IT career was an old memo regarding some employees' desire to upgrade their Macs to OS X 10.2 (from OS 9.x). One of the notable objections was along the lines that "OS X is very new and we don't have Symantec AV for it, so computers running OS X would be at-risk".

    Never mind how pointless an AV program is on a *nix platform to begin with, I'm a bit horrified at the false sense of security that having an AV program installed on a Macintosh provides as well. Sure, there have been some recent exploits found, but most of them still rely on the end user making exceptionally poor choices and being tricked into granting escalated privileges to malware. If anything, the fallacious impression of being somehow "protected" could encourage users to make even more risky choices.

    And yes, FWIW, the memo was produced by MCSEs...

  20. Wasting Time by Anonymous Coward · · Score: 0

    Seems I wasted my time reading this article. Lots of hyperbole and zero information.

  21. Analogies by Nikademus · · Score: 1

    It is funny how these analogies are totally flawed..

    "If I sat up in a window of a building, I might find that I could shoot an arrow through the sunroof of a Ford and kill the driver,"

    And if I put a bomb in the basement of your IT company, I could destroy all your data. This is critical.

    "But automobile seatbelts only prevent fatalities about 50 percent of the time. Are they worthless? Security products don't have to be perfect to be helpful in your defense."

    If automakers could build seatbelts with 100% efficiency, they would. And they improved seatbelts by putting airbags.

    "If we made seatbelts out of titanium instead of nylon, they'd be a lot stronger. But there's no evidence to suggest that they'd really help improve passenger safety."

    They would be stronger, and raise the fatalities number. Seatbelts are deliberately made to stretch so they can help dissipate kinetic energy.

    --
    I gave up with the idea of an useful sig...
    1. Re:Analogies by gnick · · Score: 1

      "If we made seatbelts out of titanium instead of nylon, they'd be a lot stronger. But there's no evidence to suggest that they'd really help improve passenger safety."
      They would be stronger, and raise the fatalities number. Seatbelts are voluntarily made distortable so they can help diffusing kinetic energy. Not to mention the fact that, in this case, the security measure is strong enough to successfully mitigate the threat. When is the last time that you remember hearing about a wreck when the occupant tore through the seatbelt and proceeded through the windshield?
      --
      He's getting rather old, but he's a good mouse.
    2. Re:Analogies by SCHecklerX · · Score: 1

      He used to do a better analogy with the car roof. That it wasn't as structurally strong as, say, the front, because the likelihood of a boulder falling on the car was pretty slim, so the engineering goes there, and not to the roof. Still somewhat flawed (cars roll over), but it was better than the arrow one.

  22. "Long" passwords??? by keysersoze_sec · · Score: 1

    "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000" What does "long" mean for that guy?!
  23. Dirty Little Secrets by dschuetz · · Score: 5, Interesting

    Sort of reminds me of Bruce Potter's "8 Dirty Little Secrets of Information Security." The premise of that talk was pretty much that anti-virus, firewalls, IDS, etc., were all just band-aids that masked the real problem: We write (and buy) crappy products. He even showed an extensive quote regarding current threats and the inadequacy of counter-measures, and after everyone in the audience had finished nodding their heads, revealed it was from 1972.

    We've been fighting the same problem, in the same way, for 35 years. It's time we regrouped and found a better way to attack it.

    Here is a copy of the DefCon version of the speech (I think he's given it a few different places, so there are subtly different versions out there). I'm sure the video is floating out there somewhere, too (though I couldn't find it on YouTube). He's fun to watch. :)

    1. Re:Dirty Little Secrets by Anonymous Coward · · Score: 0

      The same can be said of home security, and the timeframe on that is in the hundreds or thousands of years, yet no one seems to rail against homebuilders for still building homes out of wood with easily breakable windows.

      I am not saying we shouldn't be striving to build bank-vault secure type code, but I doubt anyone would really want to pay for the expense of their homes being built like a bank vault, and the same rings true for the software they buy, except financial/banking software.

      The real problem here is I feel that programmers are often the recipients of the finger of blame, yet somehow no one notices that this criminal behavior is really the root of the problem.

    2. Re:Dirty Little Secrets by Aladrin · · Score: 3, Interesting

      You say 'crappy product' and I say 'so complicated there's no chance of eliminating all bugs.' (A ton of people just decided that I'm a Microsoft fanboy, and they're all wrong.) It doesn't matter what operating system you use, by its very nature, it is too complicated to completely remove all bugs in any meaningful timeframe. Nobody tries to say Windows, OS X or Linux are bug-free. Instead they talk about how fast bugs are patched after they are found and reported.

      Of course they're bandaids on the real problem. So are cars, if you must have another car analogy:

      The problem with distance is that it takes so long to travel it. Cars are a bandaid on the distance problem. We've been fighting that problem for a lot longer than 35 years. It's time we regrouped and found a better way to attack it.

      The reason antivirus/etc exists is that we have never found a better solution. It's just that simple. I'm all for thinking and planning, but it's no magic. If we all put our heads together right now and work on -nothing- else, we might never find a solution. There's no guarantee that there -is- a better solution.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    3. Re:Dirty Little Secrets by dschuetz · · Score: 1

      It doesn't matter what operating system you use, by its very nature, it is too complicated to completely remove all bugs in any meaningful timeframe. Nobody tries to say Windows, OS X or Linux are bug-free

      But it's not just about bugs, it's also about design. At its core, it's about following good software programming practices, both to avoid bugs or unforeseen vulnerabilities and to ensure that systems are actually designed with security in mind in the first place.

      I can't think of a good example offhand, but imagine building a to-do application for yourself, then letting other people use it, then deciding to make it a true multi-user product and bolting on some kind of user authentication system. It's almost certainly not going to be as secure as it would have been if it were designed from the start as a secure, multi-user program. (does that make sense?)

      A lot of security problems seem to be the result of shortcuts -- "trusting" a particular piece of input data to be within reasonable bounds, or "assuming" that the session ID provided by the user is actually *their* session ID and not someone else's, etc. Not necessarily bugs, but laziness and bad design.

      You start attacking the problem at that level, and I contend that even very large systems of software (like an operating system -- which, despite its complexity is still just a collection of lots of smaller pieces of software) -- even very large systems will benefit from increased security.
    4. Re:Dirty Little Secrets by Aladrin · · Score: 1

      That's great when designing from the ground up, for the first version of a software. Any complex piece of software that is still as initially designed is not used very much.

      You're correct in everything you said except for thinking that you can design software with every possible use or change in mind. It's just not possible, and to suggest that that is the 'fix' for the problem is wrong at best.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    5. Re:Dirty Little Secrets by sammydee · · Score: 1

      You mean this one?

    6. Re:Dirty Little Secrets by Headw1nd · · Score: 1

      The problem with distance is that it takes so long to travel it. Cars are a bandaid on the distance problem. We've been fighting that problem for a lot longer than 35 years. It's time we regrouped and found a better way to attack it.

      The problem with your car analogy, if I'm correct in that you were trying to use it against what the previous poster said, is that it is actually true. We have used automobiles as a band-aid solution to our habit of putting things wherever is cheapest, without looking at the actual logistics that entails. For many locations, that method is reaching a breaking point, and planners are forced to look for a new solution, rather than add a few extra lanes to the interstate. So if your analogy is true for cars, it may be true for security as well.
    7. Re:Dirty Little Secrets by Aladrin · · Score: 1

      Yes, it's true that cars are a bandaid on the distance problem. 'Inventions' are mostly bandaids on problems. Very few inventions actually 'solve' the problem. (Solve meaning that the problem no longer exists.)

      But I used the car analogy because it is pretty clear that a bandaid is the best we'll ever have for the problem. We may think and think and think, but our next best solution will -still- be a bandaid. There is no way for us to be in 2 places at once or travel instantaneously. At best, we might create a device that lowers it to a few minutes instead of hours or days. (The distance problem involves the entire universe, not just this planet. Once we can travel anywhere on earth in seconds, we will reach for the stars if we haven't already.)

      So yes, the same is true for security. We can continue to create bandaids for security, but we will never 'solve' the problem.

      My point was that there is a proper amount of time and effort to spend on security, and we're probably pretty near that point. (I think we have a little ways to go yet... Many people still aren't security-minded.)

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  24. A whole talk, with snippets taken out of context. by Vellmont · · Score: 1

    There may be something of value here.. it's really hard to say as the article author chose to take a bunch of analogies out of context, and give few details. Essentially this article is useless. The only thing I got out of it is "we're focusing on the wrong things in security, for example passwords and viruses." That's probably true, but it sure doesn't tell me much.

    --
    AccountKiller
  25. Not only that. by khasim · · Score: 4, Insightful

    But he's confusing ATTACKING a specific company with INFECTING various machines.

    They are not the same. The defenses are not the same. There may be overlap (a workstation at a company gets infected and sends out spam vs a workstation at a company gets cracked and is used to crack other boxes at that company) but that is all.

    All in all, he's 100% backwards on his comments. Just what you'd expect from someone trying to push a specific product from a specific company.

    1. Re:Not only that. by Anonymous Coward · · Score: 0

      What company? What product? The guy may have founded a security company, but he doesn't work for one now. May be, you should read the actual article before turning on the outrage.

  26. Sounds like a Paid by Microsoft Commercial by Anonymous Coward · · Score: 0

    Okay, so long passwords don't work - why make a cracker have to work to get that one password out of 5000 that lets him in? Go ahead, use your last name and birthday for a password or your puppy's name.

    Open sunroofs on cars are not protected because there's not an archery community out there bent on slinging an arrow thru every sunroof they see. However, there are many very sophisticated organizations and individuals out there that take great glee at finding and exploiting software flaws. We lock our doors to keep intruders out because there are intruders that may want in. We leave our sunroofs open when we drive because, well, no one is firing arrows thru them. Just wait until this speech of his inspires and creates an anti-sunroof arrow-shooting community and suddenly sunroof-hair will cease to be in short order...

    His criticism of the tossing of buggy security software, comparing it to seatbelts that only save most lives but not all, illuminates his desire for us to all come back to Norton, even tho it is abysmally flawed and often is the root cause of many of the problems I've had to repair.

    He says "studies" have shown that giving time to keeping your system patched and updated doesn't correlate to higher security - however omits any references to those "studies".

    Ironically, his last paragraph illuminates EXACTLY why we SHOULD pay attention to fixing flaws and proper passwords and whatnot. It's not about 100% bulletproof security, which is impossible unless you leave your Microsoft servers turned off, but about not making it easy for intruders in the first place. He's acting like we need to toss bug-fixes and smart password policies altogether, and yet he recommends routers to deny inbound traffic. Er... what if those same routers have, say... an exploitable flaw???? Cough. His argument is scattered and poorly made and without any legitimate basis. Security covers a wide range of topics from ensuring your secretary doesn't brainlessly give out passwords to crackers-posing-as-techs to ensuring that your software is up to date, ensuring your firewalls are set correctly, routers are updated and secure, passwords are not easy-to-guess abominations, and your employees don't run every executable that comes thru their inbox.

    Oh - and it means that you most certainly run, not walk, but run screaming wildly away from anything Norton.

    After all, while there's only the most remote chance that we'll get in an accident, we still put on our seat-belts every time we drive.

  27. Lost all credibility at... by Vectronic · · Score: 2, Funny

    "Peter Tippett, chief scientist at the ICSA and the inventor of the progam that became Norton Antivirus"

    I'd be more prone to listen to security practices from the guy who...say...invented cheese string...

  28. The problem is management by SCHecklerX · · Score: 2, Informative

    What Tippett is saying is already well known by security professionals (at least the ones who know what they are doing...risk analysis is part of the CISSP exam, is it not?). The problem is that despite this, we are forced to do expensive and less useful (useful at all?) stuff by management because they are the "decider". Companies that actually have a CISO with competent staff have a decent chance at doing it right, but in my experience, many companies don't, so you end up deploying stuff just because management likes to deploy new 'security systems' rather than actually address the security posture of the company.

  29. "Attack trees" by Bruce Schneier by khasim · · Score: 5, Informative

    http://www.schneier.com/paper-attacktrees-ddj-ft.html

    Bruce also wrote about "attack trees". Having long passwords ONLY helps if the attacker has unlimited access to crack them. A simple WordNumberWord combination can give you enough security as long as each login attempt is noted and tracked.

    If there is a 15 minute delay between every 3 attempts to login, and a HUMAN reviews the logs every work day, your online security should be sufficient.

    You only need the 1024bit security when the attacker can download the file and crack it at his leisure. But then, the failure is that you did not prevent the attacker from downloading that file.

    There will ALWAYS be some risk. What's to stop the attacker from kidnapping your CEO's daughter and demanding that he let the attackers use his laptop to access your databases? The key is REDUCING the threat. If 99.99% of the attackers out there are not skilled enough or motivated enough to get through your security, are you "secure"?

    1. Re:"Attack trees" by Bruce Schneier by DMUTPeregrine · · Score: 1

      A 15 minute delay after 3 attempts is very annoying if you forget your password/break a finger and can't type/etc, etc. A 1 second delay between attempts will be just as effective at stopping brute force attacks without annoying the user.

      --
      Not a sentence!
    2. Re:"Attack trees" by Bruce Schneier by morgan_greywolf · · Score: 2, Interesting

      That depends on what you're protecting.

      For the U.S. military, protecting secrets of national security, only air gap security is considered secure. People who work on such systems are usually searched -- and, in many cases, strip-searched, as they enter the facility, not allowed to bring in so much as a notebook or pencil, let alone a cell phone. (If you need a notebook and pencil, you get one from the security guard. You get a new, blank notebook. When you leave, the notebook and pencil are confiscated.)

      If you're protecting some financial and personal data on your home PC, maybe you only need a good off-the-shelf firewall, some antivirus/antispyware/antimalware software and some good common sense.

    3. Re:"Attack trees" by Bruce Schneier by Rakishi · · Score: 1

      You only need the 1024bit security when the attacker can download the file and crack it at his leisure. But then, the failure is that you did not prevent the attacker from downloading that file.

      BS, that whole argument assumes no other vulnerabilities including relatively minor ones. I mean the whole bloody POINT of only storing encrypted password is so that a hacker doesn't gain everything from getting such a list. Want a perfect example? Disgruntled ex-IT employee with a copy of the encrypted password list.

      My high school had half its user passwords cracked (including the principal's) by someone because they got access to the passwd file. Thankfully the network admin was not stupid enough to have a short password. The file was shadowed after a previous incident; however, a number of new computers were installed where it was un-shadowed.
    4. Re:"Attack trees" by Bruce Schneier by blincoln · · Score: 1

      A simple WordNumberWord combination can give you enough security as long as each login attempt is noted and tracked.

      With a Windows-based network, the lack of salting of the domain password hashes means there is a much bigger vulnerability.

      I performed a simulated attack against a Windows domain a few months ago. I started out with nothing other than physical access to a domain controller, and ended up with the domain password hashes which I was able to feed into OphCrack which cracked them offline without ever showing up in an auditing log. As long as you can get physical access to a domain controller, it's easy:

      1 - Take the domain controller off of the network (not hard in environments with many distributed DCs, e.g. at remote locations with no on-site technical staff).
      2 - Boot off a floppy or CD using the Offline NT Password & Registry Editor.
      3 - Use the software to reset the "local" Administrator account's password (which is the Directory Services Restore Mode admin account on a DC).
      4 - Boot the server in Directory Services Restore Mode and log on using the account you just reset the password of.
      5 - Follow Sebastien Francois's instructions to create a Windows Service which will dump the domain account information at the next bootup.
      6 - Reboot the server, letting it start up normally. Wait a few minutes for the service you just set up to do its job.
      7 - Reboot the server back into Directory Services Restore Mode, and log on with the admin password from step 3.
      8 - Copy the account/hash information file to a USB key or other portable device.
      9 - Remove the service you added.
      10 - Reboot the server, reconnect it to the network and let it power back up normally.
      11 - Take your copy of the hashes home and run OphCrack against them. Depending on which set of rainbow tables you are using, you will get most or all passwords of less than 15 characters.

      The only traces this attack leaves are the offline state (which can be blamed on a power outage), the reset DSRM admin password (which most people will just assume had been set to a nonstandard value by someone else when the server was built), and potentially the Security event log entries (which will roll off within a few hours to a few days depending on how many logon requests that particular DC handles).

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    5. Re:"Attack trees" by Bruce Schneier by Anonymous Coward · · Score: 0

      Might I suggest a much simpler attack

      1 - Reboot the DC into Knoppix (or anything else with NTFS read ability)
      2 - Copy SYSTEM and SAM files onto a USB Key (somewhere in c:\windows usually (It's been a long time since I've done this))
      3 - throw these files into L0phtCrack

      The only traces this attack leaves are the offline state (which can be blamed on a power outage)

    6. Re:"Attack trees" by Bruce Schneier by xouumalperxe · · Score: 1

      A delay on login attempts is a very *very* tricky thing indeed. If you make the attempt counter (and delay) separate for each IP, you're still somewhat vulnerable to botnets. If you don't make it separate, congratulations. You just made yourself a denial-of-service attack vector that a 5-year-old could exploit.
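      An added example (written for this page, not code from khasim, xouumalperxe or anyone else in the thread) that implements the "15 minute delay after 3 attempts" plus an audit log for the daily human review from khasim's post above, together with a per-IP rate limit, and walks through the lockout denial-of-service this post warns about. The user table, passwords, IP addresses and clock are all constructed for the demo.

```python
import hmac
import time
from collections import defaultdict, deque

LOCKOUT_FAILURES = 3        # failed attempts before the account is delayed
LOCKOUT_SECONDS = 15 * 60   # the 15 minute delay proposed in the thread
PER_IP_WINDOW = 60          # seconds
PER_IP_MAX = 20             # attempts allowed per source IP per window

# Constructed sample credentials (plaintext only to keep the demo short;
# a real store holds salted hashes).
USERS = {"alice": "correct horse", "bob": "Blue7Fish"}


def password_ok(user, password):
    """Same answer for unknown user and wrong password: the reply must not
    say which half of the credential was right."""
    stored = USERS.get(user, "")
    return user in USERS and hmac.compare_digest(
        stored.encode(), password.encode())


class FakeClock:
    """Manual clock so the demo does not wait 15 real minutes."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class Throttle:
    """Per-account delay after repeated failures plus a per-IP rate limit.
    Every decision is written to self.audit for the daily human review."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.locked_until = {}             # account -> time the delay ends
        self.ip_hits = defaultdict(deque)  # ip -> attempt timestamps
        self.audit = []                    # log lines for the reviewer

    def _log(self, event, **fields):
        detail = " ".join(f"{k}={v}" for k, v in fields.items())
        self.audit.append(f"t={self.clock():.0f} {event} {detail}")

    def _ip_limited(self, ip):
        now, hits = self.clock(), self.ip_hits[ip]
        while hits and now - hits[0] > PER_IP_WINDOW:
            hits.popleft()               # forget attempts outside the window
        hits.append(now)
        return len(hits) > PER_IP_MAX

    def attempt(self, user, password, ip):
        """Returns one of: ok, fail, locked, rate_limited."""
        now = self.clock()
        if self._ip_limited(ip):
            # Stops one noisy source; does nothing against the same number
            # of attempts spread over a botnet, as the post above notes.
            self._log("RATE_LIMIT", ip=ip)
            return "rate_limited"
        if self.locked_until.get(user, 0) > now:
            # The lockout DoS: whoever sent three bad passwords for this
            # name keeps its real owner out, correct password or not.
            self._log("LOCKED", user=user, ip=ip)
            return "locked"
        if password_ok(user, password):
            self.failures[user] = 0
            self._log("OK", user=user, ip=ip)
            return "ok"
        self.failures[user] += 1
        self._log("FAIL", user=user, ip=ip, n=self.failures[user])
        if self.failures[user] >= LOCKOUT_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
            self._log("LOCKOUT", user=user, seconds=LOCKOUT_SECONDS)
        return "fail"


def demo():
    """Walks through the lockout DoS; returns (results, audit log)."""
    clock = FakeClock()
    th = Throttle(clock)
    results = []
    # Someone who is not alice sends three wrong passwords for her account.
    for _ in range(LOCKOUT_FAILURES):
        results.append(th.attempt("alice", "guess", "198.51.100.7"))
    # Alice, correct password, her own IP: still delayed.
    results.append(th.attempt("alice", "correct horse", "192.0.2.10"))
    clock.advance(LOCKOUT_SECONDS + 1)
    results.append(th.attempt("alice", "correct horse", "192.0.2.10"))
    return results, th.audit
```

      Running demo() returns ["fail", "fail", "fail", "locked", "ok"]: the third bad guess locks alice out, her own correct login is refused until the delay expires, and the audit log records every step for whoever reads it the next morning.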

    7. Re:"Attack trees" by Bruce Schneier by xouumalperxe · · Score: 1

      Isn't it common wisdom that physical access = game over?

    8. Re:"Attack trees" by Bruce Schneier by Anonymous Coward · · Score: 0

      What's to stop the attacker from kidnapping your CEO's daughter and demanding...

      She's spoilt and she's ugly and she thinks having sex with a kidnapper is romantic and sexy.

    9. Re:"Attack trees" by Bruce Schneier by blincoln · · Score: 1

      Isn't it common wisdom that physical access = game over?

      Yes, but not everyone realizes that with a Windows domain, the "game over" is for everyone who has a domain password of less than fifteen characters, and the "physical access" includes "to any domain controller on the domain".

      I did forget to mention that you can use an OphCrack boot CD in an attempt to crack the DSRM admin password (instead of resetting it) which is what I actually did in my simulated attack. However, it takes a lot longer and is not guaranteed to work, so someone in a hurry is better off resetting that one (very infrequently-used) password, then afterwards maybe damaging the drives to make the system unbootable so that it looks like it was caused by the power outage and no logs are ever read.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    10. Re:"Attack trees" by Bruce Schneier by imipak · · Score: 1

      (a) user credentials get exposed in the unlikeliest places. VPNs, outlook web access, web applications using the corp AD as auth database, ...

      (b) No-one but multinational banks and government agencies has the spare money floating around to pay someone to sit reading log files. "So buy a system to do it for you!" See previous answer. "Build one yourself!" See previous answer. "Demonstrate the need by showing management evidence of all the attacks!" See previous answer.

      Sorry, do I sound bitter? Well, can you guess what I do for a living? ;)

  30. Security by BigJClark · · Score: 1

    Hate to blow everybody's arse right off the map, but I don't use any anti-virus software at all.

    I find it to be resource-hoggish, slow-loading bloatware that is better off-loaded onto a separate processor. I say these things because I actually know a dev lead at Symantec, and I recommended this solution to him, and he said his company is already working on it.

    Anyways, you're probably asking yourself, what is my IP, and how do I protect myself. I hide behind a good router, have a bit of a honeypot setup, and am very careful what I download. So, no russian pron for me.

    Seriously people, viruses are for suckers.

    --
    Hi, I Boris. Hear fix bear, yes?
  31. It's the "war on viruses" (and spam) by recharged95 · · Score: 2, Insightful

    I think Tippett's right, most corporations are living in a house of cards--it's securing the net in some cases and in others it's the reverse--most firms are taking a shotgun approach with vulnerability research and patching.

    I see it being more related to the medical field, prevention is great idea (and has been a popular topic lately), but treatment is just as important and not to be forgotten.

    I think he's really suggesting that business practices slow down--for instance, sure it's painful to have a 15 letter password, but I'm pretty sure using one 15 letter password for all your 7 important accounts is more secure than seven 5 letter passwords...

  32. Norton? by Anonymous Coward · · Score: 0

    That is/was the most crappy "anti-virus" application I have ever used. It sucked up resources like a high-paid prostitute. It tried to take over my whole system like a wife takes over a man's life. I don't think anyone that created Norton Anti-Virus should be given a platform to stand on and talk about "security". I guess he got his payday from Norton and now can spew bunk?

    Last time I checked, I couldn't go out and buy a box of "security". It is a process. Implementing different safeguards and educating users. End of story.

  33. re: a sane voice? Depends.... by King_TJ · · Score: 1

    The problem I see with the entire "computer security" issue is that there are lucrative jobs and big money to be had, hawking it to people.

    The best examples I can think of of genuinely valid and useful security practices all involve things that don't cost much, if anything. (E.g. TrueCrypt 5.0 is free software, yet you can encrypt a whole notebook computer's drive with boot-time password protection with it. This adds an obvious and practical layer of security. Configuring a proxy server to disallow downloading of files with "high risk" extensions on them, such as .scr files, costs you nothing but a few minutes of your time, yet can prevent all sorts of potential issues for your Windows users in a corporate setting.)

    Yet, like you say, the people at the top of the corporate ladder, who have the most to risk from security breaches (but conversely, have the least "technical knowledge" about such situations) want to essentially "pay for scapegoats". Free, practical security solutions don't give you someone you can demote/fire, file a lawsuit against, or at least point a finger at as responsible if something does go wrong. A highly paid "security consultant" or "I.T. Security Specialist" in the firm, however, can be the "fall guy", and an expensive network appliance that's supported under a paid contract? Again, there's a place to direct blame.

  34. Routers, "default deny," and training by yuna49 · · Score: 1

    I found this figure rather implausible as well. I suppose it's possible that only 8% of routers connected to the Internet deny inbound traffic by default, but I thought that was a fundamental aspect of firewall design as well. Even consumer routers are designed this way.

    But if the base for the 8% figure is all routers in, say, the top 2000 companies, then I might believe it. It's not uncommon to trust all internal traffic, even though a stricter security model might be more appropriate there as well. Converting internal routers from accept to deny raises the possibility that applications will suddenly stop working. For overworked network administrators this alone probably provides a sufficient disincentive to implementing internal security. The miscreant Tippett describes in TFA who spreads out across a network after breaking a single password will have a harder time if the internal routers block his path.

    I'm also not surprised to hear that "techie" stuff like vulnerability testing gets a disproportionate share of security spending while employee training gets short shrift. Code vulnerabilities have an empirical reality about them that training doesn't offer. You can fix a hole in code or install anti-virus software on all your workstations. Your chances of "fixing" employees by making them adopt better security practices is a lot more hit or miss.

  35. Actually by DaedalusHKX · · Score: 5, Insightful

    Actually, he seems to be more clear thought than you.

    He's saying "aim for as much security as you can get" not "aim for 100% impregnable", there is no such thing. Even Open BSD isn't impregnable, despite their claims. Nothing is impregnable to a determined and resourceful attacker.

    He is correct in saying, "rather than bunkering up, strive to be indigestible to AS many potential predators and parasites as you can"... i.e. he is admitting the one fact of the universe... "there is an exception to every rule, just because you haven't found it, doesn't mean it doesn't exist somewhere else, in some form."

    The arrow through the roof, for those with the intellectual openness to understand the metaphor, is an unlikely incident, but if it does happen, what then? Peter is using that concept to teach those willing to learn/understand that for a car to be 100% impregnable, it would have to be arrow, bullet, cannon, nuclear weapon, weather and everything proof, including driver and other driver error proof, road proof, etc. However, the COSTS involved, and the final results are out of reach of even the rich, would make for a rather heavy, expensive and CLUMSY vehicle, and judging by risk, the benefits would far outweigh the costs. It's like flu shots. I travel, talk, do meetings, etc. I get sick very rarely, yet I see so many immediately taking "flu vaccines" out of fear that the flu will kill them. I've never had a relative who either died of the flu or had complications. Neither have I known anyone in my personal life who had these complications, and I have associates who have lived in first, second as well as third world scenarios.

    Thus, in similar vein, driver training gives better results than building the bullet proof car. Don't surf porn with internet explorer is FAR better advice than installing the latest antispyware, and "don't accept email except in plaintext format" is far better advice than trying to balance a proper load of antivirus (which the user might not allow to update, or might become broken, etc). There have been plenty of virus samples that hijacked the latest Symantec and McAfee antivirus, why? Because they tried to be everything to everyone, and when you over extend your coverage, you end up leaving holes in your defenses.

    Properly trained users are like having the original Citizen Militia, not truly powerful, but if properly trained in guerilla warfare and survival, and properly equipped, they can make ANY invading army's life VERY difficult, to the point where the invading country finds the "host" or "prey" country to be "indigestible."

    Nothing is unassailable, but plenty of plants are poisonous to their consumers, so as to make it a known thing that they are indigestible. The one size fits all solution, from antivirus, to security departments, to everything else, is STILL the same age old problem. No risk can be reduced to 0%. But it can be minimized and compensated for. This is what Peter talks about.

    It's disappointing, I expected that those frequenting this board would've had the ability to apply metaphors in design. Good book for all to read. The Art of War. Get it bundled with The Prince. Good way to learn how to think.

    --
    " What luck for rulers that men do not think" - Adolf Hitler
    1. Re:Actually by XanC · · Score: 5, Funny

      the one fact of the universe... "there is an exception to every rule"

      Except that one, of course. ...whoa

    2. Re:Actually by Anonymous Coward · · Score: 0

      My wife is 70 years old, YES she *IS* impregnable!

    3. Re:Actually by crywolf · · Score: 1

      To be more accurate, there are at least two exceptions to every rule. Except for this one.

      --
      CAUTION: Product may be hot after heating
    4. Re:Actually by hackerjoe · · Score: 0, Offtopic

      Its like flu shots. I travel, talk, do meetings, etc. I get sick very rarely, yet I see so many immediately taking "flu vaccines" out of fear that the flu will kill them. I've never had a relative who either died of the flu or had complications. Neither have I known anyone in my personal life who had these complications, and I have associates who have lived in first, second as well as third world scenarios.

      What a terrible argument! "I don't know anyone it happened to so it doesn't matter". I've never been in an air crash, and I don't know anyone who has, but I'm damned happy that aircraft design, certification and maintenance is done very carefully even if it is a little inconvenient, because I'd really rather keep it that way.

      Anyway, influenza probably won't kill you as long as you're young and healthy, but it's well-documented that it does kill people, especially older people and the immune-compromised. The flu shot isn't just to keep yourself from getting sick, it's a public health concern: you're preventing yourself from being a carrier and getting other people sick. The argument that you don't usually get sick is missing the point.

      This is all completely ignoring the facts that flu pandemics have happened in the past (3 in the last hundred years, according to Wikipedia), that the only thing different today is that we have vaccines (do I have to point out that they're useless if nobody uses them?), and that in these days of global travel, if a particularly nasty strain were to break out it could be immensely devastating internationally. It's not like flu shots are exactly onerous... I spent probably 20 minutes lining up and getting mine this past fall. If they hadn't done a free clinic at work it would've been maybe a couple hours out of my life, tops, and $15.

      I mean, don't live your life in fear... but don't use bad logic to justify skipping things that hardly cost you anything and provide a measurable benefit to yourself and to society.
    5. Re:Actually by pugugly · · Score: 1

      I can get design metaphors.

      I can't get how you got that design from those metaphors.

      Okay - I get it, it's actually April 1st and you used a virus that changed every date everywhere while dragging the planet out of orbit by two months. Hah Hah, very funny, now put the earth back where it's supposed to be before the orbital decay starts. It's all fun and games until the planetary crust melts.

      Pug

      --
      An Invisible Entity of Vast Power whose existence must be taken on faith alone: Liberal Media
    6. Re:Actually by debatem1 · · Score: 1

      Art of War sucked. If you want a book on how to think for security, get House of Leaves.

    7. Re:Actually by node+3 · · Score: 1

      Actually, wouldn't that be the exception?

      Oh wait...

    8. Re:Actually by DaedalusHKX · · Score: 1

      We can each argue what we wish. I will check out your recommendation. Thanks for the tip.

      --
      " What luck for rulers that men do not think" - Adolf Hitler
    9. Re:Actually by Ed+Avis · · Score: 1

      He's saying "aim for as much security as you can get" not "aim for 100% impregnable", there is no such thing. Even Open BSD isn't impregnable, despite their claims.

      I don't think the OpenBSD people have ever claimed that; only that they have a fairly good track record of not shipping exploitable code.

      But anyway, the fact that 100% security is not possible does not mean that it isn't a worthwhile target to aim for. Looking at the sorry state of most computer security, I don't think its problems are caused by aiming too high; quite the opposite.
      --
      -- Ed Avis ed@membled.com
  36. A better approach to security: by MMC+Monster · · Score: 1

    Instead of long passwords, how about random user names. Not usernames based on their real names or on a simple sequential number. If they cannot figure out a person's user name, password cracking is pretty hard.

    --
    Help! I'm a slashdot refugee.
    1. Re:A better approach to security: by ToasterMonkey · · Score: 1

      Yuck, at that point, why not just implement secure access cards?

  37. Antivirus 'Inventor'? by jrothwell97 · · Score: 2, Insightful

    As I understand it, the first antivirus program ever to have existed (although not marketed as such at the time) was the UNIX rm command. This was followed by clones in other UNIXes, and in the popular DOS operating system in which it was invoked with del.

    Used in conjunction with the killall command, it is a very powerful tool indeed. Beats Norton anyways.

    --
    Those using pirated Tinysoft signatures(TM) are a real threat to society and should all be thrown in jail.
  38. AntiVirus is outdated technology by 8400_RPM · · Score: 1

    This author is a moron. Antivirus is almost worthless at this point. In 5 years it will be of no use. Antivirus is good for catching old viruses that were made for the masses. Antivirus will NOT stop custom made viruses, targeted viruses, new viruses.

    And on top of that, it's very, very easy to bypass antivirus if you know what you're doing.
    I can make any virus pass through AV with about 15 minutes of work.

    In summary, the author is a moron.

  39. Dr. Seuss Anti-Virus by b0nafide · · Score: 1

    If a security researcher is bummed out about how they are wasting their time, perhaps it's just because he recalls allowing the FBI to record keystrokes using his product, i.e. Magic Lantern http://en.wikipedia.org/wiki/Magic_Lantern_(software)

    oh, is that a hacker recording our keystrokes? nah, it's just the FBI. they would never steal our passwords. they're so cuddly.

  40. Norton Antivirus is a waste of computer resources by MazzThePianoman · · Score: 1

    Does this guy know the program he made created one of the worst sappers of computer processor and hard drive performance seen in the anti-virus market? http://www.thepcspy.com/read/what_really_slows_windows_down/5

    --
    "They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety" Franklin
  41. Working the Analogy through... by thepustule · · Score: 2, Insightful

    The comparison of shooting an arrow into a Ford sunroof is interesting, but to take the thought process to conclusion, you have to think about script kiddies. In this analogy, someone has created a machine that you can mount in the window, which will keep firing arrows down into the street at random, 24 hours per day. Eventually, someone IS going to get killed. That's the problem with information security - it's so easy to keep trying to break in.

  42. Don't knock the pizza box appliance by Anonymous Coward · · Score: 0

    Our company ordered one, and we didn't receive it within thirty minutes. So we got it for free.

  43. I agree with the general tenor... by JerryLove · · Score: 2, Insightful

    Password rules have long been a specific complaint of mine. Multiple, changing, complex passwords mean that 2/3 of desks here have their PWs written down on their monitor, under their KB, etc., and service accounts, some of the most powerful, are immune to the resetting requirement and, often, fail the password strength rules.

    Even worse, some of the password rules are counter-productive. I know of a company that requires a specific special character be in their 8-character passwords. Know it (easy enough to find), and it's functionally a 7-letter password.

    There's a saying about exercise that I think applies to security: The best exercise is whichever one you will actually do. We are attempting ever more complex technical solutions to what is an increasingly human problem.

    Make sure that your passwords can sync across all of your systems. Make passwords complex but easy to remember. Let's be honest, if 5 failed logins locks you out, and I've assigned you a password like "bluefish", how likely is that password to be hacked by an automated system? About zero. But since it's short, simple, memorable, and universal: I can train you to not write it down. I'm convinced that's better security.

  44. The Perception of Security by Anonymous Coward · · Score: 0

    As Bruce Schneier recently commented, the unfortunate reality of this world is that we not only need real security, but also the perception of security. Some of the "best practices" that we often see only provide the perception half of security.

    Examples:
    Forcing users to change their password regularly. The new password is never any stronger than the previous one. Usually, it's the same as the previous one, but with one digit incremented.

    Fingerprint scanning. Current fingerprint technology simply doesn't provide anything more than the perception of security. Which is more difficult: brute forcing a strong password, or forming a gelatin mold from a lifted fingerprint?

  45. Cost benefit by Wheely · · Score: 1

    I am glad someone from the security industry is talking at least some sense.

    Security has become a mantra and almost a religion. I have been in the industry for many years and even worked on C1/B2 secure systems in the past.

    In industry people seem to forget the cost benefit. What is the cost of an intrusion set against the cost of bringing your systems down once a month to patch them?

    Obviously it depends. However, the risk of a seriously damaging intrusion is significantly less than just an inconvenient one and even that is low with basic security policies in place. This calculation is rarely made and consideration of the negative effect on users less so.

    Really tight security is extremely expensive to the business who are often shown dramatic examples of grabbing a user's web sessions to basically instill a largely unrealistic fear. For a few organizations extreme security measures may be profitable but for most, basic security and good firewalling is probably all that is required.

  46. that's why everyone should know obscure alphabets by ClioCJS · · Score: 1

    I write my passwords that I can't remember on my whiteboard - in runes.

    --
    -Clio
    Karma: Bad (mostly from not giving a fuck)
    Blog: http://clintjcl.wordpress.com
  47. Out of reality by ThePhilips · · Score: 1

    [...] security pros are wasting time.

    That's what I hate most in security guys - they are out of reality.

    Because any real guy from real world with functioning brains would have said:

    [...] security pros make everybody else waste their time.

    It's just a little hint that the guy - Peter Tippett - is not with us (mere mortal users) but with the "security pros."

    --
    All hope abandon ye who enter here.
  48. That's why you also have a USERNAME (!) by zukinux · · Score: 0

    So you wouldn't be able to guess one password, but you'll have to guess a specific password for a specific user. Since you cannot get indication if the password was okay but the username isn't (and also otherwise), it's either you have both, or have only the username (in case you have the username at all). I think this guy thinks it's 1993 or so.

  49. Any protection is NOT better than no protection by Gnavpot · · Score: 1

    Now, don't get me wrong, *any* protection is obviously better than none

    That is not obvious. It's even wrong.

    There are several examples of protection software which actually weakened the host PC because the software added new vulnerabilities which were open for remote exploits. A quick Google search revealed these examples:

    Norton Anti-virus: http://blogs.zdnet.com/threatchaos/?p=334

    Clam Anti-virus: http://www.zerodayinitiative.com/advisories/ZDI-05-002.html

    Kerio and Tiny Personal Firewall: http://www.derkeiler.com/pdf/Mailing-Lists/securityfocus/bugtraq/2003-05/0099.pdf

    NOD32 Anti-virus: http://www.frsirt.com/english/advisories/2007/1911

    Check Point Firewall-1: http://secunia.com/advisories/10794/

  50. Nice try by jon3k · · Score: 1

    "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000," he said. "But what did you really gain by implementing them? He only needed one."

    Strawman argument spotted!

    Long passwords are not designed to stop this attack. They are designed so that jsmith in accounting doesn't have the password "1234" or "password" so no one can guess a valid account (let's say, authenticating against some edge device like a vpn termination point) and waltz right into your network.

    Then he goes on to say:
    "But automobile seatbelts only prevent fatalities about 50 percent of the time. Are they worthless? Security products don't have to be perfect to be helpful in your defense."

    This guy is walking contradiction. Clearly flamebait. Nothing to see here, move along.

  51. The problem is education! by KleinKlone · · Score: 1

    Read Foiling the Cracker; A Survey of, and Improvements to Unix Password Security - I published it nearly 20 years ago, and people are still arguing over password security? My personal password is 15 characters long. My root password is 20 characters long. Both are trivial for me to remember, and effectively impossible to crack (they're passphrases containing upper and lower case, numbers, punctuation and obfuscation of multiple words not found in any permutation dictionary). Users on my system are REQUIRED to have strong passwords of their own devising (so that they can remember them). What's so hard for people to understand about that? You can't have good security and be lazy.

  52. Marcus Ranum's Six Dumbest Ideas by NoBozo99 · · Score: 1

    Software / Hardware security is not too difficult to achieve. If an admin is truly competent they will have no problem getting their lab workstations up and running cleanly and bug free with pretty solid security.

    The issue is usually the idiot that becomes the victim of a well done social hack.

    As usual, the company is only as strong as it's weakest link.

    ...in Computer Security.

    Dumb Idea #3

    #3) Penetrate and Patch

    There's an old saying, "You cannot make a silk purse out of a sow's ear." It's pretty much true, unless you wind up using so much silk to patch the sow's ear that eventually the sow's ear is completely replaced with silk. Unfortunately, when buggy software is fixed it is almost always fixed through the addition of new code, rather than the removal of old bits of sow's ear.

    "Penetrate and Patch" is a dumb idea best expressed in the BASIC programming language:

    10 GOSUB LOOK_FOR_HOLES
    20 IF HOLE_FOUND = FALSE THEN GOTO 50
    30 GOSUB FIX_HOLE
    40 GOTO 10
    50 GOSUB CONGRATULATE_SELF
    60 GOSUB GET_HACKED_EVENTUALLY_ANYWAY
    70 GOTO 10

    In other words, you attack your firewall/software/website/whatever from the outside, identify a flaw in it, fix the flaw, and then go back to looking. One of my programmer buddies refers to this process as "turd polishing" because, as he says, it doesn't make your code any less smelly in the long run but management might enjoy its improved, shiny, appearance in the short term. In other words, the problem with "Penetrate and Patch" is not that it makes your code/implementation/system better by design, rather it merely makes it toughened by trial and error. Richard Feynman's "Personal Observations on the Reliability of the Space Shuttle" used to be required reading for the software engineers that I hired. It contains some profound thoughts on expectation of reliability and how it is achieved in complex systems. In a nutshell its meaning to programmers is: "Unless your system was supposed to be hackable then it shouldn't be hackable."

    "Penetrate and Patch" crops up all over the place, and is the primary dumb idea behind the current fad (which has been going on for about 10 years) of vulnerability disclosure and patch updates. The premise of the "vulnerability researchers" is that they are helping the community by finding holes in software and getting them fixed before the hackers find them and exploit them. The premise of the vendors is that they are doing the right thing by pushing out patches to fix the bugs before the hackers and worm-writers can act upon them. Both parties, in this scenario, are being dumb because if the vendors were writing code that had been designed to be secure and reliable then vulnerability discovery would be a tedious and unrewarding game, indeed!

    Let me put it to you in different terms: if "Penetrate and Patch" was effective, we would have run out of security bugs in Internet Explorer by now. What has it been? 2 or 3 a month for 10 years? If you look at major internet applications you'll find that there are a number that consistently have problems with security vulnerabilities. There are also a handful, like PostFix, Qmail, etc, that were engineered to be compartmented against themselves, with modularized permissions and processing, and - not surprisingly - they have histories of amazingly few bugs. The same logic applies to "penetration testing." There are networks that I know of which have been "penetration tested" any number of times and are continually getting hacked to pieces. That's because their design (or their security practices) are so fundamentally flawed that no amount of turd polish is going to ke

    --
    I may not be a smart man, but I know what an inode is.
  53. Conclusions do not follow... by argent · · Score: 1

    "Only 3 percent of the vulnerabilities that are discovered are ever exploited," he said. "Yet there is huge amount of attention given to vulnerability disclosure, patch management, and so forth."

    And it does not occur to you that this may not be part of the reason that only 3% of vulnerabilities disclosed are exploited. In fact, I would say that three percent is a rather high number considering how many vulnerabilities are patched before being disclosed (at least in the open source world). Concluding that the success of vulnerability management is a sign that it's wasted effort does not seem to be entirely justified.

    These vulnerabilities are not at all similar to "firing an arrow through the sunroof of a Ford and kill the driver". An automobile body is not designed to stop arrows, in the first place, and there's little incentive for someone to make such an attack, and there are mechanisms to deter any such potential attacker in other ways. Computer vulnerabilities are similar to being able to push a button and have the car send the contents of its trunk or glove compartment to the attacker... untraceably. Should automobiles suffer such flaws, I am sure that people would be most interested in having them discovered and fixed!

  54. Since the operation by Anonymous Coward · · Score: 0

    My wife is impregnable!

  55. All my passwords since the new policy change: by blueZ3 · · Score: 1

    They're comments on the IT guys and the company's new password policy. I log on to my Windows box with WhatALoadofCrap! (apropos of both Windows and the policy), onto the intranet with IT-sucketh-mightily and into some of the restricted applications with PassThis,MF and IhatelamePWPolicies.

    Of course, I've carefully written each password on a PostIt affixed to the side of my monitor.

    --
    Interested in a Flash-based MAME front end? Visit mame.danzbb.com
    1. Re:All my passwords since the new policy change: by jawtheshark · · Score: 1

      Similar to my passwords.... However, I know my insults by heart and don't need post-its.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
  56. 30% wasted on useless practices ... by NotZed · · Score: 1

    ... and the other 70% wasted on useless software like crappy anti-virus programs.

    --
    _ // `Thinking is an exercise to which all too few brains
    \\/ are accustomed' - First Lensman
  57. 15 clubs by globaljustin · · Score: 1
    We're talking apples and oranges.

    You can still steal the car with the club on it almost as easily as any other, but it isn't really worth the extra effort if there is a car without the club sitting right next to it

    Your club analogy. Ok, you're talking about one club. What I (and TFA) are talking about is putting 1 Club on your car steering wheel vs. putting 15 Clubs on your steering wheel. There's a point of diminishing returns. Then there's a tipping point where security measures are so bloated they actually have *negative* effects. That's the topic under discussion.
    --
    Thank you Dave Raggett
  58. Re:that's why everyone should know obscure alphabe by Mr_eX9 · · Score: 1

    But if everybody knew runes they wouldn't be obscure, thus defeating the purpose....

  59. And if the sky fell, we'd all be dead. by ClioCJS · · Score: 1
    But it's not, so we're not. And, similarly, everyone doesn't know runes, so it works. I happen to believe putting your passwords in a text file on your computer is far worse than writing them down. Writing down is the lesser of two evils. And for true security, every password should be different. Could you really memorize 10 passwords like: IeOuu8p 0oP!84 ... Or worse, an assigned password that you didn't create? Probably not. We all have our limits. Writing down is necessary. The whole point of this article was that it's not worth worrying about 100% compliance, but rather attacking problems from different angles. Using an alternate alphabet is one of those angles. And when I left, I wrote "See ya, but I wouldn't want to be ya" on my whiteboard. It took them weeks to decipher it, haha. Though I used the variation with W and P reversed from what they looked up, so they thought it was "See ya, but I wouldn't pant to be ya", which delayed their translation :)

    Furthermore, people don't know it's a password. Do you go around translating every foreign character you see? Didn't think so.

    --
    -Clio
    Karma: Bad (mostly from not giving a fuck)
    Blog: http://clintjcl.wordpress.com
    1. Re:And if the sky fell, we'd all be dead. by Anonymous Coward · · Score: 0

      Preaching to the choir? GP was pointing out the flaw in your plan, farfetched as it is.

      Imperfect memories are for the weak. Get a better brain.

  60. His logic doesn't seem very clear here by pugugly · · Score: 1

    Seriously - it's more like the logic you see in global warming denial than anything else I've seen. To start with he compares something that I've never heard of (Knocking an arrow through the sunroof of a car) which could only be done deliberately by someone with consummate skill to something that happens on a regular basis (Exploiting a security hole in software) which can be done by any scriptkiddy.

    The password length thing is just silly too. If guessing passwords was an arithmetical progression (i.e, it was twice as hard to guess a 16 letter password as an 8 letter password) it would make sense, but it's not - a minor change in length makes a major change in password security. Even assuming that, of all the passwords used, the one the hacker cracks *has* network access - better security increases the chance that this isn't the case.

    This sounds like someone trying to sound like he's thinking ahead of the curve and brilliant, but the info presented here just doesn't follow. Or maybe I'm just not smart enough.

    Pug

    --
    An Invisible Entity of Vast Power whose existence must be taken on faith alone: Liberal Media
  61. Did you RTFA? by mattpalmer1086 · · Score: 1

    I can't see anything in the article that suggests he's saying that. And I don't see him pushing a product either.

  62. Computer != Ford Rover by nog_lorp · · Score: 1
    This seems like "collection of bad analogies between computer security and car safety."

    About passwords, if you've enforced strong passwords, and used a non-shitty hashing algorithm, it doesn't matter if someone gets your password file. With the best passwords, it doesn't mean a cracker will "only get 2000 of the 5000", it means he will be lucky to get ONE in his LIFETIME.
    As for the "arrow in the sunroof" analogy, I'm sure this possibility would get plenty of attention if, say, you had an average of thousands of arrow-assassination attempts per day.

    "If a product can be cracked, it's sometimes thrown out and considered useless," he observed. "But automobile seatbelts only prevent fatalities about 50 percent of the time." If a product can be cracked, it will result in "security fatalities" 100% of the time. Given those odds, we wouldn't be using seat-belts.
  63. I Call Chewbacca Defense! by oldbamboo · · Score: 0

    The article was dull, and mendacious (that car analogy is entertaining for a few seconds until you try and draw a parallel with anything other than whether Chewbacca lives on Endor or Kashyyk.) Sure, there is crap security out there, but anyone who calls out 'best practice' as flawed is being deliberately obtuse. Bodies of Knowledge like ISO17799 and COBIT aren't pills to be swallowed whole, they are frameworks, and picking out recommendations within them with the purpose of showing them as ineffective is not very challenging. Hey here's one; your wifi must have WPA enabled, but 'we haven't got wifi in our dept' ...How we all laughed.... crazy IT monkeys! Nothing to see here people.... oh, and don't bang on about the books you've read either mate, especially Sun Tzu and Machiavelli, if you're going to be a prick, be creative about it, don't rip it off from the business aisle!

    --
    You may not agree with what I say, but you should fight to the death to allow me to say it, by modding me up.