Slashdot Mirror

← Back to Stories (view on slashdot.org)

Antivirus Inventor Says Security Pros Are Wasting Time

Posted by Zonk on from the think-outside-the-para-digum dept.

talkinsecurity writes "Earlier this week Peter Tippett, chief scientist at the ICSA and the inventor of the progam that became Norton Antivirus, had some interesting things to say about the state of the security industry. In a nutshell, Tippett warned that about a third of the work that security departments do today is a waste of time. Tippett goes on to systematically blow holes in a lot of security's current best practices, including vulnerability research/patching, strong passwords, and the product evaluation process. 'If a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000," he said. "But what did you really gain by implementing them? He only needed one."' Some of his arguments are definitely debatable, but there is a lot of truth to what he's saying as well."

3 of 282 comments (clear)

  1. having a lock on my door by circletimessquare · · Score: 5, Interesting

    is stupid because somebody can just kick in a window

    except it isn't stupid. if someone is determined enough, they will break into my house, no doubt. most of the security features on my house are meant to deter those with a casual interest

    same with all of the efforts that tippett pokes holes in. well yeah, duh: every single security effort in the world is surmountable. what's the value in pointing that out? none

    that someone can get over your security measures with effort is not an argument against the lowest level of security. the lowest level security practices always has value: against casual transgressions

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  2. Dirty Little Secrets by dschuetz · · Score: 5, Interesting

    Sort of reminds me of Bruce Potter's "8 Dirty Little Secrets of Information Security." The premise of that talk was pretty much that anti-virus, firewalls, IDS, etc., were all just band-aids that masked the real problem: We write (and buy) crappy products. He even showed an extensive quote regarding current threats and the inadequacy of counter-measures, and after everyone in the audience had finished nodding their heads, revealed it was from 1972.

    We've been fighting the same problem, in the same way, for 35 years. It's time we regrouped and found a better way to attack it.

    Here is a copy of the DefCon version of the speech (I think he's given it a few different places, so there are subtly different versions out there). I'm sure the video is floating out there somewhere, too (though I couldn't find it on YouTube). He's fun to watch. :)

  3. Re:PBKAC by eln · · Score: 5, Interesting

    I scrupulously avoid knowing anyone's password. If they try to give it to me, I attempt to stop them from doing so before they can. Basically, if someone gives you their password, and something later happens to their account, you automatically become a suspect. If someone does give me their password, I'll often have them change it right then, as in I'll bring up the change password dialog of whatever program it is, and then turn my back while they type in a new password. That way, not only do I not know their password, but they know that I don't know it, and hopefully they get a better sense that passwords shouldn't be shared.

    Of course, then I see the same person with their password on a Post-It on their monitor, and all hope of them ever learning the lesson is dashed.