Slashdot Mirror


Antivirus Inventor Says Security Pros Are Wasting Time

talkinsecurity writes "Earlier this week Peter Tippett, chief scientist at the ICSA and the inventor of the progam that became Norton Antivirus, had some interesting things to say about the state of the security industry. In a nutshell, Tippett warned that about a third of the work that security departments do today is a waste of time. Tippett goes on to systematically blow holes in a lot of security's current best practices, including vulnerability research/patching, strong passwords, and the product evaluation process. 'If a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000," he said. "But what did you really gain by implementing them? He only needed one."' Some of his arguments are definitely debatable, but there is a lot of truth to what he's saying as well."

16 of 282 comments

  1. Double Entendres by CowTipperGore · · Score: 4, Funny

    Peter Tippett thinks it's time for security professionals to wake up and stop wasting their energy. In a presentation here yesterday, Tippett -- who is vice president of risk intelligence for Verizon Business, chief scientist at ICSA Labs, and the inventor of the program that became Norton Antivirus... Peter Tippett invented the computer condom? You just know that his resume also lists a job somewhere in penetration testing.
  2. my root password is by FudRucker · · Score: 2, Funny

    a small poem (haiku style); it is difficult to type correctly because of intentional typos and a few numbers substituting for letters. I even get it wrong myself about 1/3 of the time, even though I know it by heart...

    --
    Politics is Treachery, Religion is Brainwashing
  3. Re:What did I gain? by Seth Kriticos · · Score: 3, Funny

    ..security risks that are more likely to happen, like them getting an email with an attachment, or using a browser other than IE.
    Um, I must have misunderstood you... I just thought you wanted to say that IE is a secure browser...
  4. Re:PBKAC by Anonymous Coward · · Score: 2, Funny

    Who here hasn't had people tell them: "Can you help me with my computer? Here's my password..."
    [Posted anonymously for obvious reasons] Heck, I work for a (non-computer) Fortune 500 company, and when we did system-wide hardware upgrade swaps, they had everyone send their passwords in clear-text email to the support desk mailing list!
  5. Re:Car Analogies by Farmer Tim · · Score: 5, Funny

    That story has more car analogies than an average /. thread.

    Or to put it another way, if car analogies were like cars on a highway...

    --
    Blank until /. makes another boneheaded UI decision.
  6. Lost all credibility at... by Vectronic · · Score: 2, Funny

    "Peter Tippett, chief scientist at the ICSA and the inventor of the program that became Norton Antivirus"

    I'd be more prone to listen to security practices from the guy who...say...invented cheese string...

  7. Re:chicken egg? by swillden · · Score: 4, Funny

    From my password file:

    alex@ephesus ~ $ cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    [...]

    That "x" after the first colon indicates that the password is stored elsewhere --- in /etc/shadow, which is not world-readable:

    alex@ephesus ~ $ ll /etc/shadow
    -rw-r----- 1 root shadow 896 2008-02-03 21:18 /etc/shadow

    So what does the corresponding entry in the shadow file look like?

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
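The passwd/shadow split shown in the comment above is exactly what a password auditor (or a cracker) has to parse before any guessing starts. The following is an added example, not part of swillden's post or of the article it discusses: a small Python auditor run over constructed /etc/passwd and /etc/shadow lines (the hashes are placeholder strings in the right shape, not real hashes). It flags the storage mistakes that make Tippett's "he only needs one" scenario cheap for an attacker: a hash left in world-readable /etc/passwd, an empty password field, and legacy DES-crypt or MD5-crypt hashes. The hash-id prefixes ($1$, $5$, $6$, $y$, ...) follow the crypt(5) conventions; the sample usernames and file contents are invented for the example.

```python
"""Audit password storage in /etc/passwd and /etc/shadow (added example)."""
from dataclasses import dataclass

# Constructed sample files for the example; placeholder hashes, not real ones.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alex:x:1000:1000:Alex:/home/alex:/bin/bash
legacy:AbCdEfGhIjKlM:1001:1001:Old account:/home/legacy:/bin/sh
guest:x:1002:1002:Guest:/home/guest:/bin/bash
svc-backup:x:1003:1003:Backup service:/var/backups:/usr/sbin/nologin
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholderhashplaceholderhashplaceholderhash:17500:0:99999:7:::
daemon:*:17500:0:99999:7:::
alex:$1$saltsalt$placeholdermd5hash:17500:0:99999:7:::
guest::17500:0:99999:7:::
svc-backup:!$6$saltsalt$placeholderhash:17500:0:99999:7:::
"""

# crypt(3) hash ids (the text between the first two '$'). Traditional DES
# crypt has no id: it is a bare 13-character string over the crypt alphabet.
HASH_IDS = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
    "gy": "gost-yescrypt",
}
WEAK_ALGORITHMS = {"descrypt", "md5crypt"}
CRYPT_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "abcdefghijklmnopqrstuvwxyz")


@dataclass(frozen=True)
class Finding:
    user: str
    severity: str   # "critical", "high" or "medium"
    issue: str      # short tag, e.g. "empty-password"
    detail: str


def classify_password_field(field):
    """Return (state, algorithm) for a crypt-style password field.

    state is "empty", "locked", "hashed" or "unknown"; algorithm is the
    hash name when state == "hashed", otherwise None.
    """
    if field == "":
        return "empty", None
    if field[0] in "!*":
        # "!" prefix: locked (passwd -l); "*": password login disabled.
        return "locked", None
    if field.startswith("$"):
        parts = field.split("$")          # parts[0] == "", parts[1] == id
        if len(parts) >= 3 and parts[1] in HASH_IDS:
            return "hashed", HASH_IDS[parts[1]]
        return "unknown", None
    if len(field) == 13 and set(field) <= CRYPT_ALPHABET:
        return "hashed", "descrypt"
    return "unknown", None


def parse_colon_file(text, nfields):
    """Map username -> field list for a passwd- or shadow-style file."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < nfields:
            continue  # truncated line; a real tool would report it
        entries[parts[0]] = parts
    return entries


def _check_field(user, field, where, findings):
    state, algo = classify_password_field(field)
    if state == "empty":
        findings.append(Finding(user, "critical", "empty-password",
                                f"empty password field in {where}"))
    elif state == "hashed" and algo in WEAK_ALGORITHMS:
        findings.append(Finding(user, "high", "weak-algorithm",
                                f"{algo} hash in {where}"))
    elif state == "unknown":
        findings.append(Finding(user, "medium", "unrecognised-hash",
                                f"unrecognised password field in {where}"))


def audit(passwd_text, shadow_text):
    """Return a list of Findings for the given passwd/shadow contents."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 9)
    findings = []
    for user, fields in passwd.items():
        pw_field = fields[1]
        if pw_field not in ("x", "*"):
            # Anything but the shadow marker is readable by every local user.
            findings.append(Finding(user, "critical", "hash-in-passwd",
                                    "password field stored in world-readable /etc/passwd"))
            _check_field(user, pw_field, "/etc/passwd", findings)
        elif pw_field == "x":
            if user not in shadow:
                findings.append(Finding(user, "medium", "missing-shadow-entry",
                                        "passwd says 'x' but no /etc/shadow line"))
            else:
                _check_field(user, shadow[user][1], "/etc/shadow", findings)
    return findings


if __name__ == "__main__":
    for f in sorted(audit(SAMPLE_PASSWD, SAMPLE_SHADOW), key=lambda f: f.user):
        print(f"{f.severity:8} {f.user:12} {f.issue:22} {f.detail}")
```

On a real host, read the two files (the shadow file needs root or membership in the shadow group, as the `ll` output above shows) and pass their contents to `audit()`; the sample run reports alex (md5crypt), guest (empty field) and legacy (DES hash sitting in /etc/passwd), while root, daemon and the locked svc-backup account produce nothing.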
  8. Re:PBKAC by techpawn · · Score: 4, Funny

    100% security is never possible unless you don't want to give anyone access, ever.
    DBA: We got the server running the best it ever has
    Boss: Great! How'd you pull it off?
    DBA: Well, we replaced all queries with 'Select * from tblQuery', which only has 1 row and 1 column. Then we stopped letting people call the queries!
    Boss: You're fired...
    --
    Ask not what you can do for your country. Ask what your country did to you
  9. Re:What did I gain? by tenton · · Score: 4, Funny

    And also to recognize that no system is perfect--there will always be the cantankerous guy who is inexplicably "invaluable" to the company who thinks that "fereng1" is an uncrackable password, for instance--and to take steps more along the lines of risk mitigation than risk removal.

    Crap. I'd better go and change my password.

  10. Re:PBKAC by Anonymous Coward · · Score: 2, Funny

    God, you're a tard.

    Atheist, eh?

  11. Re:PBKAC by somersault · · Score: 4, Funny

    I think it would be better if nobody had the key, and the closet resided in the centre of a distant sun. Even then it's not 100% - that sun is gonna die in a few billion years..

    --
    which is totally what she said
  12. Re:Actually by XanC · · Score: 5, Funny

    the one fact of the universe... "there is an exception to every rule"

    Except that one, of course. ...whoa

  13. Re:PBKAC by Anonymous Coward · · Score: 3, Funny

    You sound real nice. Will you be my sysadmin?

  14. Re:PBKAC by The_Wilschon · · Score: 2, Funny

    So, what you're saying is that we should all just quit putting bugs in our software in the first place? That's brilliant! I wonder why nobody ever thought of it before . . .

    --
    SIGSEGV caught, terminating

    wait... not that kind of sig.
  15. Re:PBKAC by FailedTheTuringTest · · Score: 2, Funny

    Nope, can't remember that other stuff either.

  16. Re:PBKAC by cthulhu11 · · Score: 2, Funny

    Yeah, the only way to 100% secure a PC is to disconnect it from the network, take out the power supply and then lock it in a bank vault. You've never watched Alias, have you?