Slashdot Mirror

← Back to Stories (view on slashdot.org)

Antivirus Inventor Says Security Pros Are Wasting Time

Posted by Zonk on from the think-outside-the-para-digum dept.

talkinsecurity writes "Earlier this week Peter Tippett, chief scientist at the ICSA and the inventor of the progam that became Norton Antivirus, had some interesting things to say about the state of the security industry. In a nutshell, Tippett warned that about a third of the work that security departments do today is a waste of time. Tippett goes on to systematically blow holes in a lot of security's current best practices, including vulnerability research/patching, strong passwords, and the product evaluation process. 'If a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000," he said. "But what did you really gain by implementing them? He only needed one."' Some of his arguments are definitely debatable, but there is a lot of truth to what he's saying as well."

6 of 282 comments (clear)

  1. 1/3 + by globaljustin · · Score: 4, Interesting

    Tippett is right on with this, and I'd venture we could go further. Think of how much money is wasted on redundant security and the people to operate it, now add to that all the time and productivity wasted b/c rank and file employees have to navigate under such redundant incumberments.

    I honestly feel like 9/11 and it's aftermath has *something* to do with how several sectors of our country are tripping over themselves to implement unnecessary, bloated, counterproductive measures in the name of 'security'.

    Existence is insecurity. The only way for something to be 100% secure is for it not to exist.

    --
    Thank you Dave Raggett
  2. having a lock on my door by circletimessquare · · Score: 5, Interesting

    is stupid because somebody can just kick in a window

    except it isn't stupid. if someone is determined enough, they will break into my house, no doubt. most of the security features on my house are meant to deter those with a casual interest

    same with all of the efforts that tippett pokes holes in. well yeah, duh: every single security effort in the world is surmountable. what's the value in pointing that out? none

    that someone can get over your security measures with effort is not an argument against the lowest level of security. the lowest level security practices always has value: against casual transgressions

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  3. Dirty Little Secrets by dschuetz · · Score: 5, Interesting

    Sort of reminds me of Bruce Potter's "8 Dirty Little Secrets of Information Security." The premise of that talk was pretty much that anti-virus, firewalls, IDS, etc., were all just band-aids that masked the real problem: We write (and buy) crappy products. He even showed an extensive quote regarding current threats and the inadequacy of counter-measures, and after everyone in the audience had finished nodding their heads, revealed it was from 1972.

    We've been fighting the same problem, in the same way, for 35 years. It's time we regrouped and found a better way to attack it.

    Here is a copy of the DefCon version of the speech (I think he's given it a few different places, so there are subtly different versions out there). I'm sure the video is floating out there somewhere, too (though I couldn't find it on YouTube). He's fun to watch. :)

    1. Re:Dirty Little Secrets by Aladrin · · Score: 3, Interesting

      You say 'crappy product' and I say 'so complicated there's no chance of eliminating all bugs.' (A ton of people just decided that I'm a Microsoft fanboy, and they're all wrong.) It doesn't matter what operating system you use, by its very nature, it is too complicated to completely remove all bugs in any meaningful timeframe. Nobody tries to say Windows, OS X or Linux are bug-free. Instead they talk about how fast bugs are patched after they are found and reported.

      Of course they're bandaids on the real problem. So are cars, if you must have another car analogy:

      The problem with distance is that it takes so long to travel it. Cars are a bandaid on the distance problem. We've been fighting that problem for a lot longer than 35 years. It's time we regrouped and found a better way to attack it.

      The reason antivirus/etc exists is that we have never found a better solution. It's just that simple. I'm all for thinking and planning, but it's no magic. If we all put our heads together right now and work on -nothing- else, we might never find a solution. There's no guarantee that there -is- a better solution.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  4. Re:PBKAC by eln · · Score: 5, Interesting

    I scrupulously avoid knowing anyone's password. If they try to give it to me, I attempt to stop them from doing so before they can. Basically, if someone gives you their password, and something later happens to their account, you automatically become a suspect. If someone does give me their password, I'll often have them change it right then, as in I'll bring up the change password dialog of whatever program it is, and then turn my back while they type in a new password. That way, not only do I not know their password, but they know that I don't know it, and hopefully they get a better sense that passwords shouldn't be shared.

    Of course, then I see the same person with their password on a Post-It on their monitor, and all hope of them ever learning the lesson is dashed.

  5. Re:PBKAC by rickb928 · · Score: 3, Interesting

    "If an admin is truly competent they will have no problem getting their lab workstations up and running cleanly and bug free with pretty solid security"

    That's not the goal. Security's goal is to get PRODUCTION workstations up and running cleanly and bug free with pretty solid security.

    The lab is easy. Let a few users have those machines for a week, visiting the casino sites, clicking on the latest e-greeting, and bringing the USB drive from home with those oh-so-important documents they were working on last night, right after their kids updated all the myspace pages.

    Security is, indeed, fairly easy save for two variables. Users and attackers. As an analogy, you can put any sort of locks, grates, fences, alarms, dogs, and flaming trenches around your house. If the kids let in the cable guy without seeing some ID, none of it matters. If all the crook wanted was to steal your mailbox, you'll have to weigh the advantages of fencing it in vs. having mail delivered, or hardening it into a 1/4" plate steel box on a 4x6 I-beam, mounted into a 500-pound footing. Or just replace the damned mailbox when the kiddies bash it with a baseball bat driving by.

    Oh, and the plate-steel mailbox? In rural Maine, those are a laugh a minute. Sometimes you see splinters on it, shards of a Louisville Slugger in the ditch, and a brief note in the local fishwrap about some kid at the ER with a broken wrist. Priceless. If only we could do the same thing to the script kiddies...

    --
    deleting the extra space after periods so i can stay relevant, yeah.