Antivirus Inventor Says Security Pros Are Wasting Time

talkinsecurity writes "Earlier this week Peter Tippett, chief scientist at the ICSA and the inventor of the progam that became Norton Antivirus, had some interesting things to say about the state of the security industry. In a nutshell, Tippett warned that about a third of the work that security departments do today is a waste of time. Tippett goes on to systematically blow holes in a lot of security's current best practices, including vulnerability research/patching, strong passwords, and the product evaluation process. 'If a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000," he said. "But what did you really gain by implementing them? He only needed one."' Some of his arguments are definitely debatable, but there is a lot of truth to what he's saying as well."

1/3 +

[globaljustin]

Tippett is right on with this, and I'd venture we could go further. Think of how much money is wasted on redundant security and the people to operate it, now add to that all the time and productivity wasted b/c rank and file employees have to navigate under such redundant incumberments.

I honestly feel like 9/11 and it's aftermath has *something* to do with how several sectors of our country are tripping over themselves to implement unnecessary, bloated, counterproductive measures in the name of 'security'.

Existence is insecurity. The only way for something to be 100% secure is for it not to exist.

having a lock on my door

[circletimessquare]

is stupid because somebody can just kick in a window

except it isn't stupid. if someone is determined enough, they will break into my house, no doubt. most of the security features on my house are meant to deter those with a casual interest

same with all of the efforts that tippett pokes holes in. well yeah, duh: every single security effort in the world is surmountable. what's the value in pointing that out? none

that someone can get over your security measures with effort is not an argument against the lowest level of security. the lowest level security practices always has value: against casual transgressions

Dirty Little Secrets

[dschuetz]

Sort of reminds me of Bruce Potter's "8 Dirty Little Secrets of Information Security." The premise of that talk was pretty much that anti-virus, firewalls, IDS, etc., were all just band-aids that masked the real problem: We write (and buy) crappy products. He even showed an extensive quote regarding current threats and the inadequacy of counter-measures, and after everyone in the audience had finished nodding their heads, revealed it was from 1972.

We've been fighting the same problem, in the same way, for 35 years. It's time we regrouped and found a better way to attack it.

Here is a copy of the DefCon version of the speech (I think he's given it a few different places, so there are subtly different versions out there). I'm sure the video is floating out there somewhere, too (though I couldn't find it on YouTube). He's fun to watch. :)

Re:PBKAC

[eln]

I scrupulously avoid knowing anyone's password. If they try to give it to me, I attempt to stop them from doing so before they can. Basically, if someone gives you their password, and something later happens to their account, you automatically become a suspect. If someone does give me their password, I'll often have them change it right then, as in I'll bring up the change password dialog of whatever program it is, and then turn my back while they type in a new password. That way, not only do I not know their password, but they know that I don't know it, and hopefully they get a better sense that passwords shouldn't be shared.

Of course, then I see the same person with their password on a Post-It on their monitor, and all hope of them ever learning the lesson is dashed.