Slashdot Mirror

← Back to Stories (view on slashdot.org)

Antivirus Inventor Says Security Pros Are Wasting Time

Posted by Zonk on from the think-outside-the-para-digum dept.

talkinsecurity writes "Earlier this week Peter Tippett, chief scientist at the ICSA and the inventor of the progam that became Norton Antivirus, had some interesting things to say about the state of the security industry. In a nutshell, Tippett warned that about a third of the work that security departments do today is a waste of time. Tippett goes on to systematically blow holes in a lot of security's current best practices, including vulnerability research/patching, strong passwords, and the product evaluation process. 'If a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000," he said. "But what did you really gain by implementing them? He only needed one."' Some of his arguments are definitely debatable, but there is a lot of truth to what he's saying as well."

2 of 282 comments (clear)

  1. Valid points from article by whitehatlurker · · Score: 4, Informative
    1) Not all "vulnerabilities" are dangerous. Yes, there are a lot of junk security warnings out there. Part of the security officers' duty is to separate the chaff from the kernels.

    2) You're only as secure as your weakest password. We knew that.

    3) This guy shouldn't talk about seatbelts.

    --
    .. paranoid crackpot leftover from the days of Amiga.
  2. "Attack trees" by Bruce Schneier by khasim · · Score: 5, Informative

    http://www.schneier.com/paper-attacktrees-ddj-ft.html

    Bruce also wrote about "attack trees". Having long passwords ONLY helps if the attacker has unlimited access to crack them. A simple WordNumberWord combination can give you enough security as long as each login attempt is noted and tracked.

    If there is a 15 minute delay between every 3 attempts to login, and a HUMAN reviews the logs every work day, your online security should be sufficient.

    You only need the 1024bit security when the attacker can download the file and crack it at his leisure. But then, the failure is that you did not prevent the attacker from downloading that file.

    There will ALWAYS be some risk. What's to stop the attacker from kidnapping your CEO's daughter and demanding that he let the attackers use his laptop to access your databases? The key is REDUCING the threat. If 99.99% of the attackers out there are not skilled enough or motivated enough to get through your security, are you "secure"?