Antivirus Inventor Says Security Pros Are Wasting Time

talkinsecurity writes "Earlier this week Peter Tippett, chief scientist at the ICSA and the inventor of the progam that became Norton Antivirus, had some interesting things to say about the state of the security industry. In a nutshell, Tippett warned that about a third of the work that security departments do today is a waste of time. Tippett goes on to systematically blow holes in a lot of security's current best practices, including vulnerability research/patching, strong passwords, and the product evaluation process. 'If a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000," he said. "But what did you really gain by implementing them? He only needed one."' Some of his arguments are definitely debatable, but there is a lot of truth to what he's saying as well."

1/3 +

[globaljustin]

Tippett is right on with this, and I'd venture we could go further. Think of how much money is wasted on redundant security and the people to operate it, now add to that all the time and productivity wasted b/c rank and file employees have to navigate under such redundant incumberments.

I honestly feel like 9/11 and it's aftermath has *something* to do with how several sectors of our country are tripping over themselves to implement unnecessary, bloated, counterproductive measures in the name of 'security'.

Existence is insecurity. The only way for something to be 100% secure is for it not to exist.

having a lock on my door

[circletimessquare]

is stupid because somebody can just kick in a window

except it isn't stupid. if someone is determined enough, they will break into my house, no doubt. most of the security features on my house are meant to deter those with a casual interest

same with all of the efforts that tippett pokes holes in. well yeah, duh: every single security effort in the world is surmountable. what's the value in pointing that out? none

that someone can get over your security measures with effort is not an argument against the lowest level of security. the lowest level security practices always has value: against casual transgressions

Re:having a lock on my door

[phliar]

The biggest effect these lowest level ineffective gratuitous "security" measures have is to annoy everyone and make lots of money for the security companies. Good security is a matter of quality, not quantity.

Let me give you an example: I work downtown in a building of 10 floors, surrounded by buildings of around 50 floors. There are only offices in this building, all very boring and white collar. We already have card-readers on the doors on each floor. You also have to swipe your card in the elevator or it won't take you to your floor. And last month they added BART-style card-reading barricades downstairs. All this expensive security for what? So that you forget your card, you can wait downstairs while someone from your floor can come escort you up to your floor, where you get your temporary day badge.

Exactly what benefit does all that extra security have? If I wanted to steal corporate secrets I wouldn't be doing it by trying to sneak into the building.

But it's the war on terra! 9/11 changed everything!!!

Dirty Little Secrets

[dschuetz]

Sort of reminds me of Bruce Potter's "8 Dirty Little Secrets of Information Security." The premise of that talk was pretty much that anti-virus, firewalls, IDS, etc., were all just band-aids that masked the real problem: We write (and buy) crappy products. He even showed an extensive quote regarding current threats and the inadequacy of counter-measures, and after everyone in the audience had finished nodding their heads, revealed it was from 1972.

We've been fighting the same problem, in the same way, for 35 years. It's time we regrouped and found a better way to attack it.

Here is a copy of the DefCon version of the speech (I think he's given it a few different places, so there are subtly different versions out there). I'm sure the video is floating out there somewhere, too (though I couldn't find it on YouTube). He's fun to watch. :)

Re:Dirty Little Secrets

[Aladrin]

You say 'crappy product' and I say 'so complicated there's no chance of eliminating all bugs.' (A ton of people just decided that I'm a Microsoft fanboy, and they're all wrong.) It doesn't matter what operating system you use, by its very nature, it is too complicated to completely remove all bugs in any meaningful timeframe. Nobody tries to say Windows, OS X or Linux are bug-free. Instead they talk about how fast bugs are patched after they are found and reported.

Of course they're bandaids on the real problem. So are cars, if you must have another car analogy:

The problem with distance is that it takes so long to travel it. Cars are a bandaid on the distance problem. We've been fighting that problem for a lot longer than 35 years. It's time we regrouped and found a better way to attack it.

The reason antivirus/etc exists is that we have never found a better solution. It's just that simple. I'm all for thinking and planning, but it's no magic. If we all put our heads together right now and work on -nothing- else, we might never find a solution. There's no guarantee that there -is- a better solution.

Re:PBKAC

[eln]

I scrupulously avoid knowing anyone's password. If they try to give it to me, I attempt to stop them from doing so before they can. Basically, if someone gives you their password, and something later happens to their account, you automatically become a suspect. If someone does give me their password, I'll often have them change it right then, as in I'll bring up the change password dialog of whatever program it is, and then turn my back while they type in a new password. That way, not only do I not know their password, but they know that I don't know it, and hopefully they get a better sense that passwords shouldn't be shared.

Of course, then I see the same person with their password on a Post-It on their monitor, and all hope of them ever learning the lesson is dashed.

Re:What did I gain?

[profplump]

That depends on where you expect the attacker to be -- it's hard to read sticky notes on my monitor from across the Internet.

And it's hardly fair to assume that complex passwords are more likely to be shared than simple passwords. Sharing passwords is a separate behavior entirely. Not to mention the complex passwords are harder to share for the same reasons they are harder to remember.

How about a password generation algorithm that works like this: select two or more short dictionary words, append or prepend numbers to at least one of the words, and join them with punctuation/special characters. That produces passwords that are both complex to guess (even if you know the generation algorithm) and easy to remember.

The next step is to add a tool that generates good passwords and make it available from the password changing dialog box, so users don't have to come up with a good password on their own -- they can just copy one from the computer. OS X does exactly that, and it's a good time for everyone involved.

Re:PBKAC

[Speare]

I scrupulously avoid knowing anyone's password. If they try to give it to me, I attempt to stop them from doing so before they can. What's interesting is that very little kids are having to be trained in this philosophy as well. Kids and daycare staff sometimes use a password in case there's an unforeseen pickup snafu. Now toy codes and login information (like WebKinz) can have big consequences if they're leaked. I felt good when my daughter tried to explain your point to her friend-- she didn't want to know her friend's login.

Re:PBKAC

[rickb928]

"If an admin is truly competent they will have no problem getting their lab workstations up and running cleanly and bug free with pretty solid security"

That's not the goal. Security's goal is to get PRODUCTION workstations up and running cleanly and bug free with pretty solid security.

The lab is easy. Let a few users have those machines for a week, visiting the casino sites, clicking on the latest e-greeting, and bringing the USB drive from home with those oh-so-important documents they were working on last night, right after their kids updated all the myspace pages.

Security is, indeed, fairly easy save for two variables. Users and attackers. As an analogy, you can put any sort of locks, grates, fences, alarms, dogs, and flaming trenches around your house. If the kids let in the cable guy without seeing some ID, none of it matters. If all the crook wanted was to steal your mailbox, you'll have to weigh the advantages of fencing it in vs. having mail delivered, or hardening it into a 1/4" plate steel box on a 4x6 I-beam, mounted into a 500-pound footing. Or just replace the damned mailbox when the kiddies bash it with a baseball bat driving by.

Oh, and the plate-steel mailbox? In rural Maine, those are a laugh a minute. Sometimes you see splinters on it, shards of a Louisville Slugger in the ditch, and a brief note in the local fishwrap about some kid at the ER with a broken wrist. Priceless. If only we could do the same thing to the script kiddies...

Re:"Attack trees" by Bruce Schneier

[morgan_greywolf]

That depends on what you're protecting.

For the U.S. military, protecting secrets of national security, only air gap security is considered secure. People who work on such systems are usually searched -- and, in many cases, strip-searched, as they enter the facility, not allowed to bring in so much as a notebook or pencil, let alone a cell phone. (If you need a notebook and pencil, you get one from the security guard. You get a new, blank notebook. When you leave, the notebook and pencil are confiscated.)

If you're protecting some financial and personal data on your home PC, maybe you only need a good off-the-shelf firewall, some antivirus/antispyware/antimalware software and some good common sense.

Re:PBKAC

[greenbird]

And I doubt this guy will have a job much longer if he's going around claiming that 100% security isn't the goal and that he only tries to keep out the 11 year old script kiddies

You missed his whole point. He didn't say anything about 100% security. He said spending exorbitant amounts getting a single aspect of your security working perfectly is a bad idea. For example spending $1,000,000 getting a patch system set up that is 100% effective in keeping every one of your computers up to the minute on patches isn't cost effective. The expense curve goes up exponentially as any given process approaches 100% effectiveness. Think in terms of uptime. You could spend $100,000 on a patch system that is 90% effective and spend the other $900,000 on other aspects of security. This results in a much more effective overall security level for likely a much cheaper cost. Oh, and 100% security is impossible unless you lock your computers in an electromagnetically isolated vault in Ft. Knox with a random vault key that no one knows. Any security experts who doesn't know this should be out of a job. Hmmm... even then someone would probably talk there way past the security somehow.

Re:PBKAC

[Stray7Xi]

My passwords were much stronger before they implemented something like this.

I used to have computerized randomized alphanumeric 10 digit passwords.

Now since I have to learn the password quickly and it won't last long, I have to have some pattern. Sure I now have symbols (because I'm forced to) but it's now vulnerable to dictionary attack. 22!!SOmeword (followed by ##NEwword11) is much more vulnerable then 92cT6Ars1b