Slashdot Mirror


The Myths of Security

brothke writes "The Myths of Security: What the Computer Security Industry Doesn't Want You to Know is an interesting and thought-provoking book. Ultimately, the state of information security can be summed up in the book's final three sentences, in which John Viega writes that 'real, timely improvement is possible, but it requires people to care a lot more [about security] than they do. I'm not sure that's going to happen anytime soon. But I hope it does.'" Read on for the rest of Ben's review.

Title: The Myths of Security: What the Computer Security Industry Doesn't Want You to Know
Author: John Viega
Pages: 260
Publisher: O'Reilly Media
Rating: 8
Reviewer: Ben Rothke
ISBN: 978-0596523022
Summary: A contrarian provides an interesting look at the information security industry

The reality is that while security evangelists such as Viega write valuable books such as this one, they are for the most part falling on deaf ears. Most people don't understand computer security and its risks, and therefore place themselves and the systems they work on in danger. Malware finds computers to load onto, thanks in part to users who are oblivious to the many threats.

Much of the book is made up of Viega's often contrarian views of the security industry. With so much hype about, many of the skeptical views he sets out show that what many perceive as information security truths are in fact security myths.

From the title of the book, one might think that there is indeed a conspiracy in the computer security industry to keep users dumb and insecure. But as the author notes in chapter 45 — An Open Security Industry, the various players in the computer security industry all work in their own fiefdoms. This is especially true when it comes to anti-virus, with each vendor to a degree reinventing the anti-virus wheel. The chapter shows how badly sharing amongst these companies is needed. With that, the book's title of What the Computer Security Industry Doesn't Want You to Know is clearly meant to be provocative, not literally true.

The book is made up of 48 chapters, each on a so-called myth. Most of the chapters are 2-3 pages in length and tackle one of these myths. The range of topics covers the entire security industry, spanning various security technologies, issues, risks, and people.

While not every chapter is a myth per se, many are. Perhaps the most evocative of the security myths are chapter 10 — Four Minutes to Infection and chapter 22 — Do Antivirus Vendors Write their own Viruses?. But the bulk of the book is not about myths per se, but rather an overview of the state of information security, and why it is in such a state.

In chapter 16, The Cult of Schneier [full disclosure — Bruce Schneier and I work for the same company], Viega takes Schneier to task for the fact that many people are still using his book Applied Cryptography, even though it has not been updated in over a decade. It is not fair to blame him for that. While Viega admits that he holds Schneier in high esteem, the chapter reads like the author is somehow jealous of Schneier's security rock star status.

Chapter 18 is on the topic of security snake oil, ironically a topic Schneier has long been at the forefront of. The chapter gives readers the sage advice that it is important to do their homework on the security products they buy and to make sure they have at least a high-level understanding of the technical merits and drawbacks of the security product at hand. The problem, though, is that the vast majority of end-users clearly don't have the technical wherewithal to do that. It is precisely that scenario that gives rise to far too many security snake-oil vendors.

Perhaps the best chapter in the book, and the one to likely get the most comments, is chapter 24 — Open Source Security: A Red Herring. Viega takes on Eric Raymond's theory of open source security that "given enough eyeballs, all bugs are shallow." Viega notes that a large challenge with security and open source is that a lot of the things that make for secure systems are not well defined. Viega closes with the argument that one can argue open versus closed source forever, but there isn't strong evidence to suggest that it is the right question to be asking in the first place.

Overall, The Myths of Security: What the Computer Security Industry Doesn't Want You to Know is a good introduction to information security. While well-written and thought-provoking, the book may be too conceptual and unstructured for an average end-user, and too basic for many experienced information security professionals. But for those who are interested, the book covers the entire gamut of information security, and the reader, whether security pro or novice, comes out much better informed.

While the author makes it clear he works for McAfee, and at times takes the company to task, the book references McAfee far too many times. At times the book seems like an advertisement for the company.

Viega does give interesting and often entertaining overviews of what we often take for granted. Some of the book's arguments are debatable, but many more are a refreshing look at the dynamic information security industry. Viega has sat down and written his observations of what is going on. They are worth perusing, and the book is definitely worth reading.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.



  1. Myths of Security? by erbbysam · · Score: 2, Interesting

    There are no myth's of security, just the myth of security itself. Modern computer security is based on the fact that their are algorithms that no one knows how to reverse quickly. Doesn't mean that they can't be reversed however...

    1. Re:Myths of Security? by mcgrew · · Score: 5, Funny

      There are no myth's of security

      Sorry, but I'm going to have to send you to Bob's office.

    2. Re:Myths of Security? by Lord+Ender · · Score: 1

      Your comment isn't very intelligible. Are you confusing cryptography with computer security, perhaps?

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.

    3. Re:Myths of Security? by commodore64_love · · Score: 1

      What's with the Day of the Triffids escapee? That flower looks mean.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall

    4. Re:Myths of Security? by Chris+Mattern · · Score: 1

      Also, "there are algorithms"

    5. Re:Myths of Security? by smartr · · Score: 2, Insightful

      There's plenty of monetary incentive for math to come forth and reverse things. For all we know, P = NP and public key encryption is broken as a pure concept. But we don't, and no one is able to step up and take tons of money to prove one way or the other.

    6. Re:Myths of Security? by Forge · · Score: 3, Insightful

      There are no myth's of security, just the myth of security itself. Modern computer security is based on the fact that their are algorithms that no one knows how to reverse quickly. Doesn't mean that they can't be reversed however...

      I disagree.

      There are many security myths that have made it into company policy etc...

      For instance, the idea that forcing all staff in a mid-sized to large company to update their passwords every month or two is somehow more secure than allowing them to keep the same password indefinitely.

      In practice, this causes them to use simpler passwords that just barely make whatever limits are imposed (i.e. a single number and one capital letter) and to rotate through slight modifications of this weak password.
      Password#1
      Password#2
      Password#3

      Etc...

      Or worse yet. Some just write down the password in a place that's easy to find.

      As for those Algorithms. Sure they can be broken. As long as you update them faster than the old ones are broken you should be fine. What bugs me though is when a single bug in an OS is exploited by a thousand different bits of malware and instead of fixing the bug we have a dozen antivirus vendors producing a detector for each of the thousand bits of malware.

      --
      --= Isn't it surprising how badly I spell ?

    7. Re:Myths of Security? by DomNF15 · · Score: 1

      Anything that is done by man can be undone by man. Yes, the algorithms can be reversed, just not quickly. That may change, but security has almost always been about making the potential "win" too difficult to achieve. Think about it. In medieval times, castles and fortresses were built on top of hills/mountains so they would be more difficult to breach. Were they ultimately defeatable? Of course, but the cost in either human lives, money, or both, was often too great to warrant an attack.

    8. Re:Myths of Security? by Gverig · · Score: 2, Insightful

      Your statement, that's a myth, one of many. Sure, there is no ABSOLUTE security, but nobody claims that. There is no absolute physical security either: with enough resources anything can be stolen and anybody can be killed. It's the understanding of how secure you are in any given situation and how to improve your chances of staying safe (in virtual or real worlds) that defines security, and surely that exists.

    9. Re:Myths of Security? by ObsessiveMathsFreak · · Score: 1

      I feel both you, and Bob, could do with a little perspective.

      --
      May the Maths Be with you!

    10. Re:Myths of Security? by Lord+Ender · · Score: 1

      Buffer overflows aren't about whether an algorithm can be "reversed," and there is a hell of a lot more to infosec than crypto and buffer overflows.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.

    11. Re:Myths of Security? by ipb · · Score: 1

      Darn, now I need to change my password.

    12. Re:Myths of Security? by Thinboy00 · · Score: 1

      It is, at least in theory, possible to make a program with no buffer overruns at all. Now in practice, the probability of such a thing is too low to consider.

      Also, see Quantum cryptography.

      --
      $ make available

    13. Re:Myths of Security? by NeverVotedBush · · Score: 1

      Naaahhh, nobody would ever suspect "Passwd#3".

      What computer is this on? I'd like to pen test it... ;-)

    14. Re:Myths of Security? by binary+paladin · · Score: 2, Insightful

      "What bugs me though is when a single bug in an OS is exploited by a thousand different bits of malware and instead of fixing the bug we have a dozen antivirus vendors producing a detector for each of the thousand bits of malware."

      Which in turn makes my machine run like it's running malware and requires an additional core just to handle all the "security" software I have installed.

    15. Re:Myths of Security? by chris44larsen · · Score: 1

      You are absolutely correct.

    16. Re:Myths of Security? by firstnevyn · · Score: 1

      Or worse yet. Some just write down the password in a place that's easy to find.

      Is that so bad? A good password that's written down is far better against a network-based attack than a poor password that's remembered.

      I often tell users to write their password on a post-it and put it in their wallet; IMO that's safer than storing it badly encrypted (think password-protected Excel spreadsheets) on a system that's on and network connected.

    17. Re:Myths of Security? by dna_(c)(tm)(r) · · Score: 1

      But with physical attacks, the attacker must make the effort to get physically close to you. Even in large crowds this means only a few potential attackers.

      On the internet, by contrast, anybody can attack your system. That's several millions of potential attackers. The probability that you are under attack is close to 100%.

    18. Re:Myths of Security? by chris44larsen · · Score: 1

      Ok, true.

      but answer this.....

      In the 150+ comments on this book review...... how come almost none of them have anything to do with the book review?

    19. Re:Myths of Security? by jonaskoelker · · Score: 1

      I think the OP meant to say "There are no myth is of security" =)

    20. Re:Myths of Security? by KeithIrwin · · Score: 1

      First off, there are cryptographic protocols which don't involve one-way-functions. Consider one-time-pad, for example.

      Secondly, the bigger mistake you're making here is presuming that a lack of absolute security is a lack of security. Security isn't a binary predicate: something that you have or don't have. You could just as easily argue that you don't have any security because there are human beings who run the programs and control authorization and human beings are fallible. Really, the lack of cryptographic primitives which can be proven secure without any assumptions (other than the one-time pad) is one reason why there's no such thing as absolute security. Other reasons are human fallibility and the impossibility of tamper-proofing.

      These don't mean that there is no such thing as security, it just means that security isn't an absolute. Security is about risk mitigation. A proper security analysis looks at the likelihood of different things happening and the cost to the system if those things do happen and uses this to calculate an estimated risk (as best as we can). The goal of security is to minimize the risks. The goal is not to eliminate all risks because eliminating all risks is not possible.

    21. Re:Myths of Security? by KeithIrwin · · Score: 1

      Not all public key cryptography is built on the assumption that P != NP, just most of what's in popular use. There has to be some assumption about what's easy and what's hard, but there does exist cryptography where they assume that E is easy and NE is hard. You could also make assumptions like "O(n^2) is easy, O(n^100) is hard". If you could find a trapdoor function which is O(n^2) to compute and O(n^100) to reverse, even though they are both polynomial, you can choose a key length which makes things computationally infeasible or at least guarantees that something won't be cracked for some chosen number of years (using Moore's law to estimate future computing power available).

    22. Re:Myths of Security? by dfxm · · Score: 1

      I think you agree with parent. Their wallet is not an easy to find place for someone who has physical access to the computer. A Post-it note on the monitor, however, is.

    23. Re:Myths of Security? by dfxm · · Score: 1

      There are many security myths that have made it into company policy etc... For instance, the idea that forcing all staff in a mid-sized to large company to update their passwords every month or two is somehow more secure than allowing them to keep the same password indefinitely.

      This practice protects against a specific threat: i.e. when a password has been compromised, the attacker will only have access to the account for at most a month or two. After that, they will have to guess again. The attacker probably would have gotten the password in the first place whether or not the policy to rotate passwords existed.

      If the attacker got a password and the password never expires, then the attacker's access to the network will never expire either.

      Security is almost always a trade off. A policy like this trades the risk of having a user create passwords that follow a pattern for locking out attackers who have already guessed correctly once. It's up to the security professional to decide which risk is greater.
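A defender-side check for the trade-off dfxm weighs and the Password#1, Password#2, Password#3 rotation Forge describes: an added Python example, not code from the book or from any poster, that replays a user's password history and flags a new password that is only a counter bump or a couple of character edits away from an earlier one. The sample sequence and the two-edit threshold are constructed here to illustrate the policy, not taken from any real system.

```python
import re
from typing import Iterable, List

# Constructed sample: the rotation pattern described in the thread, followed by
# a genuinely new passphrase. Not real credentials.
SAMPLE_SEQUENCE = ["Password#1", "Password#2", "Password#3",
                   "correct horse battery staple"]

# A run of non-letters ending in digits at the end of the string, e.g. "#3" or "2010".
_TRAILING_COUNTER = re.compile(r"[^a-z]*\d+$")


def stem(password: str) -> str:
    """Lower-case the password and strip a trailing counter such as '#3' or '2010'."""
    return _TRAILING_COUNTER.sub("", password.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (or match)
        prev = cur
    return prev[-1]


def is_trivial_rotation(candidate: str, history: Iterable[str],
                        max_edits: int = 2) -> bool:
    """True when candidate is just a counter bump or at most max_edits
    character changes away from any earlier password (case-insensitive).
    max_edits=2 is an assumed policy value, not a recommendation from the page."""
    cand_stem = stem(candidate)
    for old in history:
        if cand_stem == stem(old):
            return True
        if edit_distance(candidate.lower(), old.lower()) <= max_edits:
            return True
    return False


def audit_sequence(sequence: List[str]) -> List[str]:
    """Replay a user's password changes in order and return those that a
    history-aware policy would have rejected as trivial rotations."""
    rejected = []
    for i, pw in enumerate(sequence):
        if is_trivial_rotation(pw, sequence[:i]):
            rejected.append(pw)
    return rejected


if __name__ == "__main__":
    print(audit_sequence(SAMPLE_SEQUENCE))  # prints ['Password#2', 'Password#3']
```

The check compares plaintext candidates against a plaintext history, so in a real deployment it belongs in the change-password flow, where both are in hand, rather than against stored hashes.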

    24. Re:Myths of Security? by Gverig · · Score: 1

      Mmmm... Your statement is in parts wrong, but more interestingly I don't get what you are trying to say. Could you clarify what part of my post you are refuting? I never said that physical and virtual security are the same thing (although some similar principles do apply). Are you saying that being under attack close to 100% translates into a guarantee of being compromised? If that's the case, you are wrong. 15 minutes of thinking about your security (whatever you are protecting) will alleviate 99.9% of those attacks. From that point on it gets to be a battle of how much time/$$ you are willing to spend to protect vs. how much time/$$ the attacker is willing to spend to breach. At some point one of you loses, and I'd argue that for the majority of services at that point the cost of defending is much lower than the cost of breaching. The sad part is, very few invest enough time/thought (it's almost never about money) into security.

    25. Re:Myths of Security? by dna_(c)(tm)(r) · · Score: 1

      I think that comparing physical security to (online) computer security is a bad analogy to base your security decisions on. Apples and oranges, you know.

      The probability that you are under attack is close to 100%.

      Just means that. It is being attacked, constantly. It doesn't mean it is a lost cause or that most attacks couldn't be thwarted by simple measures. But stupidity and ignorance gets punished...

    26. Re:Myths of Security? by b4dc0d3r · · Score: 1

      Most people here haven't read the book to be able to comment on the review? Just a guess.

      Of course, this is slashdot, so I'm surprised he hasn't been "corrected" a number of times already regardless.

    27. Re:Myths of Security? by Gverig · · Score: 1

      You'd actually be surprised how much they have in common, especially as far as common faults.
      * Assumption that an approach provides absolute security: common in both realms and as flawed in either.
      * Plugging 'obvious' holes without comprehensive analysis: if it's easier to break the wall than open the door, somebody will break the wall.
      * Assuming that expertise is over-hyped and that anybody can just (install super-duper IDS | buy a security system for 899.99 and install it) without understanding of attack vectors and stuff.
      etc. The two definitely have as many dissimilarities, but in the context of the original point ("security does not exist") IMO it was appropriate to illustrate that security is not about prevention but about delay and the resources an attacker would have to spend, and that's true for either realm.

  2. The greatest myth of security... by tacarat · · Score: 3, Interesting

    Security does not actually protect you, it delays others. If you don't implement enough delays to allow yourself to find out you're being attacked and to act accordingly, it's all useless.

    --
    "Common sense will be the death of us all"

    1. Re:The greatest myth of security... by NeverVotedBush · · Score: 1

      Oh damn, but that means I have to read logs...

  3. Most people simply don't think about security by oldspewey · · Score: 4, Insightful

    Lots of friends and family - people who are otherwise thoughtful, intelligent, and clueful - simply don't think about security. That will always be the weak link. You can't "design around" the casual negligence of hundreds of millions of users.

    --
    If libertarians are so opposed to effective government, why don't they all move to Somalia?

    1. Re:Most people simply don't think about security by Omnifarious · · Score: 2, Insightful

      I try to educate people carefully and non-confrontationally every chance I get. It's an uphill battle, but one I think is worth fighting.

    2. Re:Most people simply don't think about security by fuzzyfuzzyfungus · · Score: 4, Insightful

      You might well be able to, actually. You just can't preserve the user's freedom while doing so.

    3. Re:Most people simply don't think about security by mraudigy · · Score: 2, Insightful

      The biggest problem and risk with computer security is ultimately the users. And, unfortunately, you just can't fix stupid...

    4. Re:Most people simply don't think about security by arminw · · Score: 2, Interesting

      ...You just can't preserve the user's freedom while doing so....

      Apple has found out about this and has implemented their app store as the only legitimate place to download software for the iPhone, software that has been filtered and approved. This does limit the user's freedom, but it's about the best security that can be had in any computer system. I hope that they will extend the system to the Mac sometime soon.

      --
      All theory is gray

    5. Re:Most people simply don't think about security by cusco · · Score: 3, Insightful

      Wow, just imagine the uproar if M$ tried something like that. I can't think of a single Windows user who wishes that Microsoft controlled access to every piece of hardware or software that would ever plug into a Windows machine, or who would be happy to pay Microsoft for that right. All I can say is, "Wow".

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin

    6. Re:Most people simply don't think about security by jggimi · · Score: 2, Funny

      The thieves can just ignore the lock and come-in through Windows.

      Fixed that for you.

    7. Re:Most people simply don't think about security by lgw · · Score: 4, Interesting

      Yeah, I think it's pretty well established that you can have good security with software that no one would buy or use by choice. A security model that allows users to be their usual flaky selves and still work reasonably well is what's called for. Hopefully people will focus on that, instead of the myth of the "educatable user".

      Limiting what individual pieces of software can do, rather than what the user can do, is key. Admin/root account vs. normal account is a first step, but nowhere near a last one, as it still requires too much user smarts. SE Linux's per-process finely-detailed jails is a great further step, but fails because it depends on a known good source of software, and only installing from there. Taking a few more steps in this direction would be real research, and profoundly improve computer security.

      Thinking that the answer is to improve the user instead of the system only makes sense from a religious perspective (and even then, half the religions would disagree that this is possible).

      --
      Socialism: a lie told by totalitarians and believed by fools.

    8. Re:Most people simply don't think about security by fuzzyfuzzyfungus · · Score: 2, Insightful

      I'm sure MS would never do that (directly) to Windows; but that is basically the XBox360.

      Now, getting people to cheer them for it is something that only one of the Steves can manage.

    9. Re:Most people simply don't think about security by s.bots · · Score: 1

      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin

      I think your sig is a more valid contribution to the discussion than your comment... You can toss as many security obstacles on a computer as you can, but if your end user is a knuckle-dragger who loves his FREE PR0N! and VI@GR4, then your attempt at security is wasted.

    10. Re:Most people simply don't think about security by oldspewey · · Score: 1

      Another problem is that security often comes with a trade-off to accessibility.

      Another problem is that security comes at the expense of "free shit." People just love to load up their computers with screensavers, smilies, banzai buddies, cracked software ... doesn't matter that they'll never actually use 90% of it.

      "What do you mean I don't know where that software came from? It came from the website where I downloaded it ..."

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?

    11. Re:Most people simply don't think about security by snowraver1 · · Score: 1

      Ironically enough, my XBOX360 crashes more than my home computer, work computer and 5 lab computers all combined.

      --
      Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.

    12. Re:Most people simply don't think about security by oldspewey · · Score: 1

      SE Linux's per-process finely-detailed jails is a great further step, but fails because it depends on a known good source of software, and only installing from there.

      In the broader sense, SE Linux fails because it is a fucking bear to configure and use, even for a relatively adept technical user. I can't imagine unleashing that thing on an "average" person.

      --
      If libertarians are so opposed to effective government, why don't they all move to Somalia?

    13. Re:Most people simply don't think about security by Thinboy00 · · Score: 1

      You cannot make hundreds of millions of users care about computer security. Until there is a direct, provable correlation between their actions and a loss they feel, people won't care. Until there is an exploit where they click on WebObjectX and money disappears from their bank account, people will not care.

      But such exploits do exist! (Keyloggers)

      --
      $ make available

    14. Re:Most people simply don't think about security by lgw · · Score: 1

      It can't work if the user has to configure the per-process jails. The jail should come with the software, both from an authoritative source. Typical malware can only change the process, not the jail, so it can do only limited damage (i.e., you can prove the malware could not install a rootkit). However, this ultimately fails because the malware will social-engineer the user into jailbreaking the malware. Still, that approach is better than the "root or not" model, because the finer-grained process permissions really can help. If the only choices for what you allow a process to do are "everything" and "nothing", far too many processes need "everything" and users just get used to clicking "OK".

      Still, it's clearly step 2 of N, for some large N.

      --
      Socialism: a lie told by totalitarians and believed by fools.

    15. Re:Most people simply don't think about security by arminw · · Score: 1

      ....then your attempt at security is wasted....

      Well yeah, for those users who don't care about security. However, the majority of iPhone and iTouch users DON'T jailbreak their gadgets, because they do care about security or maybe they are just too lazy to care. The vast majority of users would be content to get guaranteed secure solutions on their Macs, just like they get on the iPhone. The small minority of the rest, especially /.ers, would of course figure out how to load lots of pron and other malware on their jailbroken Macs.

      --
      All theory is gray

    16. Re:Most people simply don't think about security by NeverVotedBush · · Score: 1

      You forgot management...

    17. Re:Most people simply don't think about security by coryking · · Score: 1

      knuckle-dragger who loves his FREE PR0N! and VI@GR4

      The idea that people buy stuff from spam is a myth rooted back when spammers were small time chumps. Modern spam operations are basically a component of organized crime funded by some mafia or big government. These people don't make money off Pr0n or V1@gr4, they make money off pump and dump schemes and fucking with government and private computer systems.

    18. Re:Most people simply don't think about security by epine · · Score: 1

      "Think about how careless the median person is. Now, realise that half of them are carelesser than that." - George Carlin amended

      Strangely I had just finished reading a PDF by Allison Randall about tagmemics when I stumbled across the line

      A security model that allows users to be their usual flaky selves and still work reasonably well is what's called for.

      Now, finally, I understand etic and emic.

    19. Re:Most people simply don't think about security by RobinEggs · · Score: 1

      Never, ever underestimate how stupid and petulant you look when you refer to Microsoft Corp. as "M$".

      Many, many people who already hate Microsoft think you look like a whining fool; those who don't mind the company or don't know about the skeletons in the closet think you look like an absolute prick.

      You will never help any anti-Microsoft cause one bit with the "M$" abbreviation.

    20. Re:Most people simply don't think about security by cusco · · Score: 1

      ??? I'm certainly not anti-Microsoft, I work there all the time. They pay a big part of my salary (I actually was on the Redmond campus when I wrote that, waiting for a process to finish). They're just the world's richest software company, the $ seems appropriate.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin

    21. Re:Most people simply don't think about security by lysergic.acid · · Score: 1

      You make some valid points, but I don't think the myth of the "educatable user" is a myth at all. There's a reason why most security experts, and AV-software vendors, emphasize the need for educating users. It's not to deflect responsibility from the software. It's not to undermine their own business model. It's because you need, both, reasonably secure software and reasonably educated users. Sure, you can't expect users to be perfect; even the security experts themselves are fallible. But without basic user precautions and some level of basic security sense, even the most security-hardened system will still be as vulnerable as if no software security had been implemented at all. Otherwise, you're basically only left with the option of making "idiot-proof" software that one would use by choice.

      Let's face it, perfect security is often impractical or just infeasible. Many people have to work with Windows and outdated versions of the IE browser in environments where the principle of least privilege just can't be practically implemented. In those cases it makes sense to minimize risk by educating users and setting the appropriate company policies. Heck, it makes sense to do so even outside of such extreme cases. It's about having a balanced security implementation (not putting all your eggs in one basket).

      Just recently there was a story on /. about how some penetration tests were conducted, demonstrating the vulnerability of financial institutions to (relatively unsophisticated) social engineering attacks. If you're in the financial/banking industry and you have "uneducatable users" in your company, then they need to be replaced immediately, as they're the biggest threat to your system. It's cheaper, easier, and more realistic to train (or replace) an employee than to try to design a security system that is idiot-proof or is immune to social-engineering attacks.

      So the problem isn't the myth of uneducatable users, but rather the complacency we've developed towards walking attack vectors on the company payroll. Perhaps if companies didn't resign themselves to the fact that users have to be stupid, this wouldn't be such a self-fulfilling prophecy. Spend a little more money to attract/hire higher quality job candidates if you have to. All the stories in the news of massive data leaks and other security breaches should be enough to convince most intelligent company execs that this is not something that an organization to whom security is crucial should skimp on.

      And who knows? If people start losing their jobs because they're downloading and running executables from unknown sources, or they're giving their password to anyone who bothers to ask, or are otherwise computer security illiterate, then perhaps they'll start making an effort to learn. This isn't the 1990's. Personal computers have become an everyday appliance like the TV or telephone. There's an entire generation of workers out there today who've been brought up on computers and the internet. It's not very hard to find an accountant, or secretary, or VP of sales, etc. who are tech-savvy enough to not open up your network to outside attackers every time they're at a computer.

    22. Re:Most people simply don't think about security by PainKilleR-CE · · Score: 1

      It's not quite the same as trying to educate a whole office full of users with different ideas and levels of knowledge about computer security, but my wife has taken quite well to basic home user computer security in a way I never really expected to see from someone that didn't grow up with it. She still needs a little work in regards to browser use (Firefox vs. IE) and the sites she visits (coupon sites are evil), but the basics of dealing with email and attachments, clicking on suspicious links, and keeping reasonable passwords on most of her accounts have set in pretty well.

      Of course, she also doesn't have to spend much time on a completely open internet connection, either.

      --
      -PainKilleR-[CE]
    23. Re:Most people simply don't think about security by Fred_A · · Score: 1

      I can't think of a single Windows user who wishes that Microsoft controlled access to every piece of hardware or software that would ever plug into a Windows machine, or who would be happy to pay Microsoft for that right. All I can say is, "Wow".

      I can't think of many that would care. Most of them would probably consider it convenient. After all a fair number of those very same people manage to hose their machines with worrying regularity. And that's among both home and corporate users.

      I know I'd love it if Microsoft set up a Linux distro style repository with some half-decent quality checking. I'd have much less work to do for people around me fixing their broken machines (even though I hardly know anything about Windows).

      --

      May contain traces of nut.
      Made from the freshest electrons.
    24. Re:Most people simply don't think about security by jonaskoelker · · Score: 1

      Yeah, I think it's pretty well established that you can have good security with software that no one would buy or use by choice.

      Somehow that makes me think of the name "Theo". I don't know why. Must be some coincidence. ;-)

    25. Re:Most people simply don't think about security by commodore64_love · · Score: 1

      >>>simply don't think about security.

      Perhaps because we know "locking" our computer is as pointless as locking the car or locking the house. The thieves can just ignore the lock and come in through the window. Most of our safety relies upon the fact that 99.9% of our neighbors are moral and don't want to break in.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    26. Re:Most people simply don't think about security by vertinox · · Score: 1

      I can't think of a single Windows user who wishes that Microsoft controlled access to every piece of hardware or software that would ever plug into a Windows machine, or who would be happy to pay Microsoft for that right. All I can say is, "Wow".

      I don't think any Windows user wishes actively to do so either, but do they really care enough to know any better?

      The majority of Windows users get a Windows computer simply because it's cheap. There is a subset that really needs Windows for compatibility issues, but the majority of Joe Sixpacks in the world go down to Best Buy and look at the laptops and think of the cost of purchasing (not the total cost afterwards), so if they take the laptop home and have to use an app store I'm sure some will take it back, but many just don't know any better.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    27. Re:Most people simply don't think about security by Phurd+Phlegm · · Score: 1

      Apple has found out about this and has implemented their app store as the only legitimate place to download software for the iPhone that has been filtered and approved. This does limit the user's freedom, but it's about the best security that can be had in any computer system. I hope that they will extend the system to the Mac sometime soon.

      That would be a shame, since it would be the last time I'd own a Mac--and we've been all-Mac for ten years. I have an iPhone and my biggest gripe is that there isn't a way for me to run whatever the hell I want without hacking it. It is a nicely-done piece of tech and I love it, but Steve can keep his filthy fascist mitts off my computers. (And I promise to buy another iPhone tomorrow if it has a preference I can set for "run unapproved software.")

    28. Re:Most people simply don't think about security by Omnifarious · · Score: 1

      But, since attacks on computers can be so easily automated, that fact is no longer any protection. Even if only 0.001% of the population wants to break into your computer and do something nefarious, that means your computer will likely be broken into.

    29. Re:Most people simply don't think about security by arminw · · Score: 1

      ....That would be a shame....

      If you wanted to install and run an unapproved program, you would of course still be able to do that, but you would get a warning that the software you all are about to install could make your computer sick or steal your personal information. As part of that warning you would get a dialog box that would say yes or no to install any software you wished. Then, for power users and /.ers you'd just go ahead and install whatever.

      --
      All theory is gray
    30. Re:Most people simply don't think about security by arminw · · Score: 1

      ...if Microsoft set up a Linux distro style repository...

      Except that they would also have to include some methods of payment and figure out a way, such as with commissions, to pay their expenses at least. Apple has had all that worked out for quite a long time already. To translate the Ubuntu system to the large scale that will be required for Windows is quite expensive.

      --
      All theory is gray
    31. Re:Most people simply don't think about security by Fred_A · · Score: 1

      ...if Microsoft set up a Linux distro style repository...

      Except that they would also have to include some methods of payment and figure out a way, such as with commissions, to pay their expenses at least. Apple has had all that worked out for quite a long time already. To translate the Ubuntu system to the large scale that will be required for Windows is quite expensive.

      On the "bright" side, Microsoft is anything but cash-starved. Not that I expect them to even consider to ever start this kind of thing. There would certainly be legal implications.

      --

      May contain traces of nut.
      Made from the freshest electrons.
    32. Re:Most people simply don't think about security by jonadab · · Score: 1

      I know replying to signatures is off-topic, but in this case I can't resist (and I can afford the karma hit).

      Your sig quote displays just about as much ignorance of statistics as it would be possible to pack into a single quote. The average (in technical terms, the arithmetic mean) is almost certainly NOT the same as the median value. Depending on your sample population, it is entirely possible that 90% of the individuals are smarter than the average, although I have to confess that in the population of the whole world I suspect it's more the reverse, and that the overwhelming majority are significantly dumber than average. In any event, the Carlin quote is ignorant nonsense.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    33. Re:Most people simply don't think about security by jonadab · · Score: 1

      > A security model that allows users to be their usual flaky selves

      Such a security model is ipso facto highly insecure, if the users have any useful capabilities at all. If, for instance, the user has the ability to send messages to other users, then malware will be able to exploit the user's account and send spam to everyone.

      --
      Cut that out, or I will ship you to Norilsk in a box.
  4. Common Problem by SilverHatHacker · · Score: 3, Insightful

    Security is only one of many issues that could be vastly improved if people cared more than they currently do.

    --
    Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
    1. Re:Common Problem by migla · · Score: 1

      Security is only one of many issues that could be vastly improved if people cared more than they currently do.

      Yes. And this raises the question of what issues can't. What are the issues we should postpone, because they only require some polish? I'd love to see a prioritized list of all the issues.

      --
      Some of my favourite people are from the US; Vonnegut, Chomsky, Bill Hicks.
    2. Re:Common Problem by Meshach · · Score: 1

      Security is only one of many issues that could be vastly improved if people cared more than they currently do.

      I think you have identified the major problem with security: people do not care. They do not want to spend time setting up a firewall, evaluating sites, or patching a system. They want a computer to be like a toaster: you take it out of the box and it works right away. And it keeps working with no intervention. Until computers get to that point it will be a continual problem.

      --
      "Maybe this world is another planet's hell"
      Aldous Huxley
    3. Re:Common Problem by Chris+Mattern · · Score: 2, Insightful

      The problem is that when computers get to that point, they won't do what you want, they'll do what *they* (and the people who made them) want.

    4. Re:Common Problem by bberens · · Score: 3, Insightful

      I'm sure I'll be modded down for this, but I don't see why a company or person SHOULD concern themselves more with security than they do currently. A simple cost/benefit analysis of what it actually entails to become "secure" shows that it's simply not worth it. It's the same math that goes into determining whether to do a vehicle recall and whether or not to install a home security system. If you look at it in those terms, you'll see we're dramatically over-spending on security.

      And yet... I'm often considered paranoid by my peers (IT and otherwise) with respect to my personal information.

      --
      Check out my lame java blog at www.javachopshop.com
    5. Re:Common Problem by Meshach · · Score: 2, Insightful

      The problem is that when computers get to that point, they won't do what you want, they'll do what *they* (and the people who made them) want.

      I think that is one of the big hurdles for Linux adoption in mainstream society. People don't want an O(1) scheduler. They don't want nifty commands. They don't want to fiddle with things. They just want it to work with the least effort on their part.

      --
      "Maybe this world is another planet's hell"
      Aldous Huxley
    6. Re:Common Problem by plopez · · Score: 2, Insightful

      Part of the problem is building it in from the beginning. There is much more fun and/or marketing appeal to build in eye candy, support the latest games, multi-media capabilities, mobile devices support etc. than to design in security.

      A vendor or kernel programmer group should design it in from the ground up. But there isn't really any money in it for vendors and few programmers think of it as fun. With the exception of these guys maybe http://www.openbsd.org/security.html

      So in other words, many people are dropping the ball for a variety of reasons, commercial interest, lack of skill or plain disinterest.

      Security should be "plug and play". The user shouldn't have to think about it at all, other than put in the correct key (physical or virtual). Which I think is also part of your point.

      --
      putting the 'B' in LGBTQ+
    7. Re:Common Problem by Thinboy00 · · Score: 1

      The problem is that when computers get to that point, they won't do what you want, they'll do what *they* (and the people who made them) want.

      I think that is one of the big hurdles for Linux adoption in mainstream society. People don't want an O(1) scheduler. They don't want nifty commands. They don't want to fiddle with things. They just want it to work with the least effort on their part.

      I know everyone here hates it, but that's what Ubuntu is for.

      --
      $ make available
    8. Re:Common Problem by TemporalBeing · · Score: 1

      The problem is that when computers get to that point, they won't do what you want, they'll do what *they* (and the people who made them) want.

      I think that is one of the big hurdles for Linux adoption in mainstream society. People don't want an O(1) scheduler. They don't want nifty commands. They don't want to fiddle with things. They just want it to work with the least effort on their part.

      Ironically, most major Linux distributions provide exactly that - the least effort in system maintenance, hiding the things users really don't care about and providing what they do. Ubuntu is very good about it; and I'd imagine RHEL and SLES are too.

      P.S. I always wondered why Novell chose to go with SLES - it's just so easy to say as "sleaze" and doesn't make a good mnemonic impression.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    9. Re:Common Problem by lennier · · Score: 1

      "They don't want nifty commands. They don't want to fiddle with things. They just want it to work with the least effort on their part."

      And that's not a bug in the user, it's a feature. If we're not using computers to *decrease* our cognitive load, but to increase it, then both we and the software designers are doing it wrong.

      A nifty command that doesn't do what you want is not actually as nifty as it thinks it is.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    10. Re:Common Problem by Maximum+Prophet · · Score: 1
      These people didn't spend too much on security. (At least the right type of security)
      http://en.wikipedia.org/wiki/Barings_Bank

      Barings Bank (1762 to 1995) was the oldest merchant bank in London until its collapse in 1995 after one of the bank's employees, Nick Leeson, lost £827 million ($1.3 billion) speculating, primarily on futures contracts.

      After that, many banks implemented rules to prevent that. Some were cheap: "Make sure every employee takes at least 2 weeks vacation at a time". Some were expensive, like making dozens of people sign off on every decision.

      There are cheap ways to achieve the most benefit from your security dollars. There's also a lot of expensive security theater.

      --
      All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
  5. My Cheap and foolproof method by Anonymous Coward · · Score: 5, Funny

    See, I have no security. Anyone can access my data. Folks come across the data and think, "There's no security. This can't be real!" I throw in some names like "Dick Hertz, Harry P. Ness, Mike Hunt, Haywood Jablowme, etc..." and the data thieves think it's bogus.

    I call it "Security through rudeness."

    1. Re:My Cheap and foolproof method by WindBourne · · Score: 1

      Odd; those were made-up names? 53 pages, including Harry V. Ness.
      Mike Hunt is all over Nebraska.
      And of course

      --
      I prefer the "u" in honour as it seems to be missing these days.
    2. Re:My Cheap and foolproof method by shirotakaaki · · Score: 1

      That just makes it more ingenious! The attacker is sitting there going "Either these are made up names or he is just trying to make me think they are made up names to confuse me or he thinks that I will think he made up the names even though they are real names but he altered them slightly so I would think they were real or perhaps that is what he wants me to think." Now my head hurts.

  6. Do we really need to read it..? by castironpigeon · · Score: 2, Insightful

    If the book can be summarized in those last three sentences is it really worth the read? I think /.ers will realize before turning the first page that even the most ridiculously complex security system can be thwarted by stickies posted to people's monitors.

    --
    mmmm...forbidden donut
    1. Re:Do we really need to read it..? by kalirion · · Score: 2, Funny

      I think the solution is clear - we need biometrically protected stickies!

    2. Re:Do we really need to read it..? by yali · · Score: 1

      I think /.ers will realize before turning the first page that even the most ridiculously complex security system can be thwarted by stickies posted to people's monitors.

      What I suspect many /.ers do not adequately consider is that the most ridiculously complex security systems are especially likely to be thwarted by user behavior.

      The folks who design security systems need to realize that human beings are part of the system (i.e., pay attention to usability and to the peculiarities of human cognition, motivation, and behavior). If they cannot get past blaming users, they will simply continue to design computationally elegant but functionally ineffective security systems.

    3. Re:Do we really need to read it..? by jaysonsings · · Score: 1

      He did a summary, he didn't say not to read it.

  7. Evolution will produce security by onionman · · Score: 2, Interesting

    While I'm a big fan of security research, I think that the reason we see security lacking in most products is because there just isn't a business case for it. Most of the time, the added hassle of security development or deployment seems larger than the cost of poor or no security. As the consequences of security failures escalate, I'm sure that the market will evolve to include better security focus.

    Hopefully, we'll get to that point without a widespread catastrophe... for example, the current "Smart Power Grid" ideas will have "Intelligent" power meters in most homes and businesses... imagine what a security failure in a widely deployed "Intelligent" power meter could do!

  8. Falling on deaf ears by lbalbalba · · Score: 1

    Most people prefer 'ease of use' over 'security' (of course, until something 'bad' happens). They would prefer an unlocked door over the trouble of having to find the keys and unlocking the door every time they want to enter their house, until they get robbed of course. Sad but true, but it appears to be human nature.

  9. Most SHOULD NOT think about security... by nweaver · · Score: 4, Interesting

    It is a great failing in our industry that its viewed as a problem that "most don't think about security".

    Rather, the problem is that we haven't constructed systems such that people don't have to think about security. The best security systems are so unobtrusive and unnoticable that people should not think about them.

    E.g., a good success story is the modern car key. 10-20 years ago, it was trivial to steal a car. You break the steering lock, put two wires together, and drive off. We had horrible kludges like "the Club", and people had to think all the time about it, in theory.

    Now our car keys have RFID transponders which are cryptographically keyed to the car's computer. It is vastly harder to steal a modern car (either bring a tow truck or swap the computer), but the actual cognitive load for most people is vastly less. You do the same thing you did before, but now your new car is far more secure.

    --
    Test your net with Netalyzr
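    The transponder handshake described in the comment above, as an added example that is not part of the original post or of any real vehicle protocol: the immobiliser issues a fresh random challenge and the fob answers with a MAC over it under a secret shared at enrolment, so a recorded answer is useless later. The class and function names, the HMAC-SHA256 construction and the 16-byte challenge are assumptions made for the illustration; the block also contrasts it with an old fixed-code fob, and shows that a fob whose secret has been copied is indistinguishable from the real one, which is exactly the limit of this kind of scheme.

```python
import hashlib
import hmac
import secrets

# Added example (assumed names, not a real immobiliser protocol): challenge-response
# between a car's immobiliser ECU and a key fob that share a per-fob secret.


class KeyFob:
    """Transponder that keeps its secret and only ever answers challenges."""

    def __init__(self, fob_id: str, secret: bytes):
        self.fob_id = fob_id
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # HMAC over the car's fresh nonce; the secret itself is never transmitted.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class StaticCodeFob:
    """Old-style fob: transmits the same fixed code every time (for contrast)."""

    def __init__(self, code: bytes):
        self.code = code

    def transmit(self) -> bytes:
        return self.code


class Immobiliser:
    """Car side: enrols fobs, issues one-shot challenges, checks answers."""

    def __init__(self):
        self._enrolled = {}  # fob_id -> shared secret (set at the dealer)
        self._pending = {}   # fob_id -> challenge still awaiting an answer

    def enrol(self, fob_id: str, secret: bytes) -> None:
        self._enrolled[fob_id] = secret

    def challenge(self, fob_id: str) -> bytes:
        nonce = secrets.token_bytes(16)   # fresh per attempt, so replays fail
        self._pending[fob_id] = nonce
        return nonce

    def verify(self, fob_id: str, response: bytes) -> bool:
        nonce = self._pending.pop(fob_id, None)  # each challenge is usable once
        if nonce is None or fob_id not in self._enrolled:
            return False
        expected = hmac.new(self._enrolled[fob_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def start_car(car: Immobiliser, fob: KeyFob) -> bool:
    """Normal start: car challenges, fob answers, car verifies."""
    return car.verify(fob.fob_id, fob.respond(car.challenge(fob.fob_id)))


def replay_attack(car: Immobiliser, fob: KeyFob) -> bool:
    """Attacker records one legitimate exchange and replays the answer later."""
    captured = fob.respond(car.challenge(fob.fob_id))
    car.verify(fob.fob_id, captured)          # the owner's genuine start
    car.challenge(fob.fob_id)                 # a new nonce is now outstanding
    return car.verify(fob.fob_id, captured)   # stale answer: rejected


def static_code_replay(fob: StaticCodeFob, recorded: bytes) -> bool:
    """Fixed-code fob: whatever was recorded once opens the car forever."""
    return recorded == fob.transmit()


def cloned_fob(fob: KeyFob) -> KeyFob:
    """An attacker who has extracted the secret from the chip builds a clone."""
    return KeyFob(fob.fob_id, fob._secret)


if __name__ == "__main__":
    car = Immobiliser()
    secret = secrets.token_bytes(32)
    fob = KeyFob("fob-1", secret)
    car.enrol("fob-1", secret)
    print("genuine fob starts car:", start_car(car, fob))
    print("replayed answer starts car:", replay_attack(car, fob))
    print("cloned secret starts car:", start_car(car, cloned_fob(fob)))
```

    The challenge is consumed on the first `verify` call, so the fob must prove possession of the secret afresh every time; the only attacks left are extracting the secret (cloning) or relaying the live exchange to a fob that is in range of the attacker's accomplice, neither of which this handshake can tell apart from a genuine start.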
    1. Re:Most SHOULD NOT think about security... by fuzzyfuzzyfungus · · Score: 3, Insightful

      On the minus side, while your car may be safe, having to get one of the keys replaced will make you feel like your wallet has been stolen. Obviously, that isn't intrinsic to the technology, a similar system could have been implemented as a cheap industry standard; but that moment of technological change(while it did increase security) also allowed the vendors to strengthen their positions.

    2. Re:Most SHOULD NOT think about security... by clang_jangle · · Score: 2, Interesting

      Modern cars are actually a pretty bad example. Your new car is "far more secure" against the average destitute crackhead non-pro thief, but cracking codes and cloning RFIDs is actually pretty trivial for a pro. So it appears reasonable to conclude that (to paraphrase an old saw), "even the best security only works against the honest and the incompetent".

      --
      Caveat Utilitor
    3. Re:Most SHOULD NOT think about security... by quickOnTheUptake · · Score: 2, Insightful

      Yes, but with the car you still have trust issues. As in, when I give my keys to the valet, I have to trust that he actually works for the hotel and isn't just going to go for a joyride when I step in the door. Or when I give my keys to a friend I have to trust that he has good judgment and at least basic driving skills.
      Many of the run-of-the-mill infections are based as much on misplaced trust ("I wanna see dancing bunnies") as they are on weaknesses in the system itself. And trust isn't something a computer can judge (although systems can reduce the number of times we need to trust, e.g., by using the principle of least privilege, centralized software distributions, etc). At the end of the day you will always have to choose between severely limiting what the user is able to do and opening the door to social engineering and user error.

      --
      Mod points: Guaranteed to remove your sense of humor.
      Side effects may include gullibility and temporary retardation
    4. Re:Most SHOULD NOT think about security... by quickOnTheUptake · · Score: 1

      BTW, this is to say nothing of the dumbasses who leave the keys in the car while they run into the store and the like. As they say, you can't cure stupid.

      --
      Mod points: Guaranteed to remove your sense of humor.
      Side effects may include gullibility and temporary retardation
    5. Re:Most SHOULD NOT think about security... by bbernard · · Score: 1

      "It is a great failing in our industry that its viewed as a problem that "most don't think about security".

      Rather, the problem is that we haven't constructed systems such that people don't have to think about security. The best security systems are so unobtrusive and unnoticable that people should not think about them."

      Strictly speaking about IT security systems, I agree, security systems should be much more "automagic" than they are today. But if you're relying on an IT system for security you're already halfway to screwed.

      People (not users, people) are the start and end for security. It wasn't that long ago that people advised you to engrave your SSN on your valuables, like your bicycle, so you could get them back if lost or stolen. If I want service from my electric company, they ask for my SSN. We think nothing of tossing credit card applications into the trash whole. Heck, we still allow our mail to sit in an unsecured box at the end of the driveway. We people have so many insecure habits to unlearn. (Don't forget to post those pics from the vacation you're currently on at your publicly accessible Facebook account.)

      We can't expect an IT solution to save us from ourselves.

      --
      ----- Connection reset by beer
    6. Re:Most SHOULD NOT think about security... by dkleinsc · · Score: 1

      If you are smart enough, organized enough and motivated enough to clone RFIDs, you probably won't steal cars though. Instead you might use your skill to, say, gain physical access to somebody's point-of-sale system and steal a few thousand credit card numbers.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    7. Re:Most SHOULD NOT think about security... by dkleinsc · · Score: 1

      As in, when I give my keys to the valet, I have to trust that he actually works for the hotel and isn't just going to go for a joyride when I step in the door.

      Or that he does work for the hotel but still won't just go for a joyride.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    8. Re:Most SHOULD NOT think about security... by PainKilleR-CE · · Score: 1

      Actually, one of the problems is that it's non-trivial for most users to even discover that the security of their system has been compromised, on any operating system, until it's far too late (or has been compromised in so many different ways that the system succumbs and fails to function in the expected manner).

      If someone comes along and steals your car, it's not there when you get back. If they steal the car stereo, there's probably glass all over the place and the stereo's gone. Even if they take it for a joy ride and return it there may be clues, like the position of the seat and mirrors, the odometer reading, the amount of gas in the car, or a change in the position in which it is parked.

      If your computer becomes part of a botnet, the best thing for the controlling interests to do is make sure that it's very hard to tell that your computer is infected. A virus or worm might sit on the machine for months infecting other systems before finally unleashing a destructive payload, for the simple reason that this makes it more effective. Tracking malware will hide itself in order to have more time on the system to gain more information for the advertisers that bought the information.

      So the most effective, and damaging for the overall security of the network, forms of malware are those that are hardest to find. If the system doesn't tell you that there's suspicious behavior going on, and most users don't know how to see what processes are running on their system (and don't know what processes should be running on their system), then all of the security looks like hand waving, because they don't see a difference between the compromised and secure systems.

      Half of the functionality in security products is alerting the user to potentially harmful activity taking place on their computer or network. Of course end users hate when these alerts get in their face and require action on their part, so if they're given a chance to disable them, they do so. The trick is alerting the user without annoying the user, and making it easier to disable a security warning when it's being overly paranoid than it is to disable the entire security system.

      My simple analogy is not for a car, but rather my house: if I had to use the older style of home alarm system where I keyed in a security code and then attempted to exit the house while it armed itself, or come into the house and key in the code before the alarm went off, I would never use it. I'd rather depend on the keys that are only effective against those that would probably be stopped just as easily by the fact the door is closed. However, since my house's alarm has a keychain remote like most cars do, it's a simple matter of locking up the house and arming or disarming from outside. Additionally, the alarm is obnoxiously obvious when someone opens/breaks a window, trips a motion sensor, or opens a door. There's simply no chance of someone getting into the house without me knowing it unless they find a way to bypass the system.

      Bypassing the system may turn out to be fairly easy for someone that knows how to do so, I really don't know. However, the system is there to handle a higher percentage of possible intruders than the simple lock that my wife can bypass in 30 seconds or less.

      Make it easier for the user to understand what is really going on behind the scenes on their machines. Let them see the network traffic, where it's going, and what processes are using it. Make it easy for them to figure out what is supposed to be running on their system and what is not.

      --
      -PainKilleR-[CE]
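      The visibility the comment above asks for, as an added example that is not part of the original post: take the connection table a Linux host prints with `ss -tnp`, work out which process owns each socket, and report every established connection to a non-local peer from a program that is not on a baseline of programs expected to use the network. The `ss` lines, the baseline set, the process name `helper` and the peer addresses (drawn from the TEST-NET documentation ranges) are all constructed for the illustration; the local-network list and the helper function names are assumptions too.

```python
import ipaddress
import re

# Added example with constructed data: review `ss -tnp` output for outbound
# connections owned by processes that are not expected to talk to the network.

# Constructed sample in the layout `ss -tnp` prints; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
ESTAB  0      0      192.168.1.20:49812   192.0.2.10:443      users:(("firefox",pid=2211,fd=88))
ESTAB  0      0      192.168.1.20:49900   203.0.113.7:6667    users:(("helper",pid=4410,fd=5))
ESTAB  0      0      192.168.1.20:22      192.168.1.5:51000   users:(("sshd",pid=812,fd=4))
ESTAB  0      0      [::1]:40120          [::1]:631           users:(("cupsd",pid=700,fd=9))
ESTAB  0      0      192.168.1.20:50002   198.51.100.9:443    users:(("helper",pid=4410,fd=6))
"""

# Assumed baseline: programs that are supposed to be running and using the network.
EXPECTED_NETWORK_PROCESSES = {"firefox", "sshd", "cupsd", "apt-get"}

# Address ranges treated as "inside": RFC 1918, loopback, link-local, ULA.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

ADDR_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^\s:]+)):(?P<port>\d+|\*)$")
PROC_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')


def parse_endpoint(token: str):
    """Split 'host:port' or '[v6]:port' into (host, port); port None for '*'."""
    m = ADDR_RE.match(token)
    if not m:
        raise ValueError(f"unparseable endpoint: {token!r}")
    host = m.group("v6") or m.group("v4")
    port = m.group("port")
    return host, (None if port == "*" else int(port))


def parse_ss(text: str):
    """One row per (socket, owning process) from `ss -tnp` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":   # header or blank line
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        owners = PROC_RE.findall(parts[5]) if len(parts) > 5 else []
        lhost, lport = parse_endpoint(local)
        phost, pport = parse_endpoint(peer)
        for name, pid in owners:   # a socket may be shared by several processes
            rows.append({"state": state, "proc": name, "pid": int(pid),
                         "local": (lhost, lport), "peer": (phost, pport)})
    return rows


def is_external(host: str) -> bool:
    """True if the address is outside every local range (wildcards count as local)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not any(ip in net for net in LOCAL_NETS)


def suspicious_connections(text: str, expected=EXPECTED_NETWORK_PROCESSES):
    """Established connections to external peers from processes not in the baseline."""
    findings = []
    for row in parse_ss(text):
        if row["state"] != "ESTAB" or not is_external(row["peer"][0]):
            continue
        if row["proc"] in expected:
            continue
        findings.append((row["proc"], row["pid"],
                         f"{row['peer'][0]}:{row['peer'][1]}"))
    return findings


if __name__ == "__main__":
    for proc, pid, peer in suspicious_connections(SAMPLE_SS_OUTPUT):
        print(f"unexpected: {proc} (pid {pid}) -> {peer}")
```

      On a real host you would feed it the live output (`ss -tnp` needs root to attribute sockets owned by other users) and keep the baseline per machine role; the point the comment makes is that the user can only notice the `helper` process talking to an outside address on port 6667 if something on the box makes that relationship visible.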
    9. Re:Most SHOULD NOT think about security... by netbarber · · Score: 1

      Right on Nick! Here's how I look at it http://kirkendale.com/securitytales/impervious.html

  10. Thanks! by viega · · Score: 5, Interesting

    Ben, Thanks for the positive review. I know the book has pissed some people off, especially when I take on their particular sacred cows (e.g., intrusion detection). But, the Schneier chapter isn't meant to piss him off, I have no beef with him whatsoever. I just think the fanboys do the world a disservice by not thinking for themselves, especially when they draw from material that's a decade old. John

    1. Re:Thanks! by ivanmarsh · · Score: 1

      So this book was written to educate fanboys about their bad habits? I don't need another book on security that assumes I'm an irresponsible, apathetic, zealot. Your apparent attitude has just unsold this book for me.

    2. Re:Thanks! by kevjava · · Score: 4, Insightful

      But, the Schneier chapter isn't meant to piss him off, I have no beef with him whatsoever. I just think the fanboys do the world a disservice by not thinking for themselves, especially when they draw from material that's a decade old.

      The thing is, you're not convincing me that the book is out of date. There is plenty of material in the Internet that is over a decade old and is still relatively current. I read the Cathedral and the Bazaar for the first time last month, and drew a good amount of benefit from its words, even if I'm not ready to swallow it whole. The Mythical Man Month shed quite a bit of perspective on project management in a field that our industry has fifty or so years of experience in, and yet we still do terribly at.

      The principles of cryptography are still the same today as they were in the days of the Roman Empire and the Caesar Cipher, with all the bits about Alice and Bob with Mallory in the middle. Our toys are much more advanced today, and their rate of advance continues to increase, but just what is it that makes our pulling of information from a 10+-year-old book harmful?

      I'm no Schneier "fanboy", and haven't actually read the book; I just genuinely want to know.

    3. Re:Thanks! by blueskies · · Score: 1

      Our toys are much more advanced today, and their rate of advance continues to increase, but just what is it that makes our pulling of information from a 10+-year-old book harmful?

      The field moves very fast because it is an "arms race." On that alone, i think it warrants having someone go back and re-evaluate the underlying assumptions that were in play during the last edition.

    4. Re:Thanks! by DamnStupidElf · · Score: 1

      Anyone who draws security inferences from a book without taking into account the papers due to be published next week is hopelessly out of touch.

    5. Re:Thanks! by Anonymous Coward · · Score: 2, Interesting

      I met John Viega at DEF CON and he seemed put off that people didn't know him. He's got a chip on his shoulder - especially about Schneier - Viega doesn't have anything but derivative works to his name and knows it.

      This book is basically a manifestation of his personal self-esteem issues; he's making up a windmill to tilt at. If there's any myth about security - it's him. He's a hack repeating other people's ideas to create a place for himself.

    6. Re:Thanks! by lennier · · Score: 1

      "On that alone, i think it warrants having someone go back and re-evaluate the underlying assumptions that were in play during the last edition."

      I'm not convinced either. If the fundamental underlying assumptions of a field change completely in ten years, then surely they weren't fully understood to begin with and we shouldn't listen to what the new trendy ideas are either. Come back when you've got something to say which won't be invalidated in the next patch release.

      Trends and fashions and demographics change. Mathematical principles don't.

      My impression of modern computer security, having watched the Internet develop over the last fifteen years or so, is that it's an insanely fashion-conscious, short-term, trend-driven thing - and that's not a compliment. Patches are not a solution, and neither is 'keeping up with the arms race'. If you even have to think like it's an arms race, you're doing it wrong to begin with.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    7. Re:Thanks! by Anonymous Coward · · Score: 2, Insightful

      This book would have been better off as a series of blog posts. At least then people wouldn't expect things like internal consistency.

      Seriously, was publicly disclosing what you consider to be a harmful vulnerability two chapters after your rant about how bad full disclosure is intentional irony? Or did you just not proofread your own book?

    8. Re:Thanks! by blueskies · · Score: 1

      If you even have to think like it's an arms race, you're doing it wrong to begin with.

      Tell that to antibiotics, MRSA, and such... The "wrong" way is sometimes better than no way.

      Trends and fashions and demographics change. Mathematical principles don't.

      But that is the problem. Mathematics won't solve the security problem. Security is a people problem.

      The math might not have changed. But the engineering principles are based on what is feasible on today's (+10 years) hardware. So the math behind public-key encryption won't change, but suppose someone discovers a way to easily factor large prime numbers?

    9. Re:Thanks! by Helevius · · Score: 1

      "I know the book has pissed some people off, especially when I take on their particular sacred cows (e.g., intrusion detection)."

      "Sacred cows" have nothing to do with it. The book just isn't that interesting.

    10. Re:Thanks! by mattr · · Score: 1

      At the risk of sounding fanboyish here is a real-world question. Recently here there was an interview with an impressive female security researcher, sorry I forget the name but talking about VMM security. She said she has a Mac and uses no antivirus software, instead she uses IIRC three vmware style windows instances called red, green and yellow. The innermost one is for Internet banking, the outermost one is used for ordinary websurfing and is zeroed each time it is launched. What do you think about this kind of approach?

  11. Don't care or plain lazy? by burnin1965 · · Score: 1

    I would argue that in many cases it's simply laziness on the part of developers rather than not caring. Obviously people care whether their credit card number and personal information are acquired by someone with devious intentions, but when it's not your data in the system and going the extra mile to implement what are sometimes even the most basic security measures in an application requires a few more hours or days of coding, many developers will just dismiss the extra work.

    Case in point, SQL injection attacks on web applications. A very common attack vector and one that has seen extensive work in methods and code to make applications more robust, and yet most applications avoid the most basic security feature provided by a database engine backing an application, database user permissions.

    Analysis of many web applications will reveal that they implement a single database user for all queries and this database user is oftentimes the owner of the database with full privileges. A mistake in the application code that allows an SQL injection attack provides the attacker with the power to access or change any information in the database that pleases them.

    Implementing multiple users with varying levels of access to the tables in a database does require some additional work but is very feasible and yet the response I have received from some developers when presenting such an idea as a way to protect a web site's database is often "it would be easier to just do database backups and restore a trashed database". Simply lazy.
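    The permission layout this post argues for, as an added example in PostgreSQL syntax (it is not code from the post, the book, or any real application; role, table and password values are constructed placeholders). The weak single-owner setting is shown beside the corrected per-function roles, and it goes a little beyond the post by adding a column-level grant.

```sql
-- Constructed example: a small shop schema owned by one privileged role.
-- WEAK SETTING (the pattern the post describes): the web application is
-- configured to connect as shop_owner, so any SQL injection inherits every
-- privilege the owner has, including DROP TABLE and reading every column.
CREATE ROLE shop_owner LOGIN PASSWORD 'placeholder-owner-secret';
CREATE DATABASE shop OWNER shop_owner;

\connect shop shop_owner
CREATE TABLE products  (id serial PRIMARY KEY, name text, price numeric);
CREATE TABLE customers (id serial PRIMARY KEY, email text, card_token text);
CREATE TABLE orders    (id serial PRIMARY KEY,
                        customer_id int REFERENCES customers,
                        total numeric);

-- CORRECTED SETTING: one least-privilege login per application function.
-- None of these roles owns the tables, so none can ALTER or DROP them.
CREATE ROLE web_catalog  LOGIN PASSWORD 'placeholder-catalog-secret';
CREATE ROLE web_checkout LOGIN PASSWORD 'placeholder-checkout-secret';
CREATE ROLE web_reports  LOGIN PASSWORD 'placeholder-reports-secret';

-- Older PostgreSQL releases grant CREATE on schema public to everyone;
-- take that away and hand back only USAGE (the right to see objects).
REVOKE ALL ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO web_catalog, web_checkout, web_reports;

-- Public catalog pages only ever read product rows.
GRANT SELECT ON products TO web_catalog;

-- Checkout looks customers up by e-mail and inserts orders. The column-level
-- grant means card_token is never readable from the web tier at all.
GRANT SELECT (id, email) ON customers TO web_checkout;
GRANT INSERT ON orders TO web_checkout;
-- INSERT into a serial column also needs the sequence, which is easy to forget.
GRANT USAGE ON SEQUENCE orders_id_seq TO web_checkout;

-- Reporting reads orders and nothing else.
GRANT SELECT ON orders TO web_reports;

-- Review what each web role can do (table-level grants; the column-level
-- grant on customers shows up in information_schema.column_privileges).
SELECT grantee, table_name, privilege_type
  FROM information_schema.role_table_grants
 WHERE grantee LIKE 'web_%'
 ORDER BY grantee, table_name, privilege_type;

-- With this layout an injection through a catalog page can at most read
-- products; statements such as DROP TABLE customers or
-- SELECT card_token FROM customers fail with "permission denied".
```

    Run once as a superuser with psql; the application then gets only the web_* credentials, never shop_owner's.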

    1. Re:Don't care or plain lazy? by sydb · · Score: 1

      I would argue that in many cases it's simply laziness on the part of developers rather than not caring. Obviously people care whether their credit card number and personal information are acquired by someone with devious intentions, but when it's not your data in the system and going the extra mile to implement what are sometimes even the most basic security measures in an application requires a few more hours or days of coding, many developers will just dismiss the extra work.

      Don't blame the developers, at least not the ones that are told what to do by a boss. If security is specified in the NFRs, the implementation is tested against the NFRs and consequent defects are placed before the developer for resolution before the product is released then the developer will code for security.

      If any of this is left to chance then blame lies with management.

      --
      Yours Sincerely, Michael.
    2. Re:Don't care or plain lazy? by turbidostato · · Score: 1

      "many developers will just dismiss the extra work."

      Or will it be their managers?

  12. What about physical security? by jeffasselin · · Score: 1

    The problem is not computer security but security, period. Most physical security (locks, alarm systems) is based on obscurity, barriers to entry that are easy to leap, and overall bad design. Why would it be different for computer security?

    --
    If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
    1. Re:What about physical security? by PeterM+from+Berkeley · · Score: 1

      Physical security and securing your Internetworked computer are actually qualitatively different issues.

      Sure, your network security can be circumvented if physical access is easy.

      However, ANY criminal ANYWHERE in the world can get at your insecure Internetworked computer. Furthermore, they can often do it in automated fashion with minimal risk!

      Physical access, on the other hand, requires that the criminal show up in person. That vastly limits his scope for criminal behavior and vastly increases his risk. Given that, I'm not sure it really makes sense to compare the adequacy of physical security measures to network security measures.

      --PeterM

    2. Re:What about physical security? by chris44larsen · · Score: 1

      Also, most physical security people are 101% clueless when it comes to computer security. If you go to an ASIS, THE physical security powwow of the year, most of the vendors still don't integrate their physical security solutions with an IP solution.

  13. It can protect you by davidwr · · Score: 5, Insightful

    If it raises the cost of hurting you to higher than the adversary is willing to spend, it protects you.

    The trick is knowing how much security is worth paying for.

    If the adversary is willing to spend $1000 to attack you, and you have to spend $100 a month to raise the cost of an attack to $1001, and if a successful attack will cost you $1 and the number of successful attacks will be 1 per decade because face it, you don't have much to offer, then it's not cost-effective. On the other hand, if an adversary is willing to spend the same $1000 and it will cost you the same $100 a month to make yourself too expensive to attack, but each breach will cost you $500 and there will be about 1 breach per month if you don't invest, then suddenly things look different.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:It can protect you by tacarat · · Score: 1

      It is a form of protection, but it's more like comparing camouflage to bullet proof armor with camouflaged bullet proof armor being the ideal. Too many folks think that better armor is the only solution.

      --
      "Common sense will be the death of us all"
    2. Re:It can protect you by gd2shoe · · Score: 1

      In contrast, far too many people feel that better camouflage is the only solution.

      (And far too many people think that reincarnation is the only solution... Have I taken this analogy a bit too far?)

      --
      I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
    3. Re:It can protect you by tacarat · · Score: 1

      That'd equate reincarnation to fixing a hacked box with a full system rebuild, so no. That's actually spot on in many cases. Hopefully they get it right the next go around.

      --
      "Common sense will be the death of us all"
    4. Re:It can protect you by ogma · · Score: 1

      Robert Strange McNamara is that you? Aren't you supposed to be dead?

    5. Re:It can protect you by gd2shoe · · Score: 1

      Within the analogy, getting it right on the next go around would be a hybrid of armor, camo, and reincarnation. Too many people believe that the system rebuild process is sufficient all on its own. It doesn't protect against data loss, data theft, or future attack. It's vital, yes, but it's not the panacea that many people see it as. (That was my point.)

      --
      I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
    6. Re:It can protect you by tacarat · · Score: 1

      Panacea. It's better at breakfast ;)

      --
      "Common sense will be the death of us all"
  14. Re:I have a full-proof security code by cheros · · Score: 3, Interesting

    Actually, during the last Access-all-areas held in London I brought along a Samsonite briefcase with a digital lock.

    Someone spent the ENTIRE weekend trying to open the lock and didn't manage, which was due to a bit of evil from my side. The lock has 4 digits, so I entered a code and opened/closed it - he tried everything from 0000 to 9999 and didn't manage.

    The reason was me pretending to press keys. That case had a cute feature: you didn't have to use all 4 digits, so the actual combination was just "9" with me pretending to hit other buttons :-)

    Ah, those were the days..

    PS: that lock had a major weakness anyway so I didn't use it long - it was just amusing..

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  15. Just stole the book by Runaway1956 · · Score: 1

    From the book: "Even though I recently retired from McAfee, I still believe it is doing far better than the rest of the security industry for a few core reasons."

    Googling "Who is John Viega", I get this: John Viega is CTO of the SaaS Business Unit at McAfee and the author of many security books, including Building Secure Software

    Sorry folks, but I don't believe that McAfee is the end-all and be-all authority on security. I'll read the book, and see what I can learn, but McAfee and I go back a long way. It's been one crummy relationship.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    1. Re:Just stole the book by multipartmixed · · Score: 1

      > McAfee and I go back a long way. It's been one crummy relationship.

      I dunno, man. Back in the early 90s, their e-mail tech support was top-notch.

      --
      Do daemons dream of electric sleep()?
    2. Re:Just stole the book by jaysonsings · · Score: 1

      Who said he is the end-all? Not even he. He is 1 voice, of many. Do you hear the voices :)

    3. Re:Just stole the book by Runaway1956 · · Score: 1

      You should see your therapist. I'm reading a PDF. If you are hearing voices from a PDF, you MAY just have a problem. Or not, as the case may be. Jeanne d'Arc did well with hearing voices, until the very end.....

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    4. Re:Just stole the book by jaysonsings · · Score: 1

      ahah!!!

  16. These are not the tech specs you're looking for... by AutumnLeaf · · Score: 1

    Chapter 18 is on the topic of security snake oil, ironically a topic Schneier has long been at the forefront of. The chapter gives the reader sage advice that it is important to do their homework on security products you buy and to make sure you have at least a high-level understanding of the technical merits and drawbacks of the security product at hand. The problem though is that the vast majority of end-users clearly don't have the technical wherewithal to do that. It is precisely that scenario that gives rise to far too many security snake-oil vendors.

    Sometimes I think my technical ability is an obstacle to choosing products. A lot of security products are wrapped in marketing cheese-whiz that makes them sound better than they are. From my point of view, I just want to know how security product Y is doing what it's doing, but to tell me that is to reveal details about the implementation, so they re-cast using something like a firewall as "anti-packet technology". WTF is anti-packet technology?

    I'm curious to know if Viega touches on the fact that most modern anti-virus products in essence do to your OS what the bad guys are trying to do (mini root-kits with haxored network drivers). I think the proposition of modern anti-virus tools these days is "let us own your box before a bad guy does."

  17. It's the soft stuff on the inside. by chazd1 · · Score: 1

    It is a common understanding that the weakest link in information security is people. Until we are able to tell what people are thinking and protect ourselves from either their malice or ignorance it will be a problem.

    Education of users is clearly a fundamental pillar in information security. I am sure social engineering schemes will continue to improve in their effectiveness in exploiting vulnerabilities.

    Working against this cause is that no one will be able to concretely say that an information security program created revenue (except for security product suppliers). The only real hook that keeps executives funding security is the criminal and civil exposure they deal with. Keeping the execs out of jail is worth funding.

  18. Re:The only way to truly achieve security by Abstrackt · · Score: 1

    The only way to truly achieve security is to remove the power cord of the systems involved. That will prevent anyone from breaking into them, or anything else...

    Reminds me of the story about the consultant that was hired to audit a company's security. He walked out of the building with their server not five minutes later.

    --
    They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
  19. Re:I have a full-proof security code by sydb · · Score: 2, Funny

    Someone spent the ENTIRE weekend trying to open the lock and didn't manage

    I knew security geeks were people with high boredom thresholds but this takes the biscuit.

    --
    Yours Sincerely, Michael.
  20. Re:I have a full-proof security code by xrayspx · · Score: 1

    And it's 1, 2, 3, 4, 5.

    ... senses working overtime ...

  21. Re:Joke by blueskies · · Score: 1

    Chapter 31: People like to believe in absolutes. Some people will believe their computers are completely safe and others think security is a complete joke. In between those two sets of people are a large number of reasonable people.

  22. What *they* don't want you to know! by luddite47 · · Score: 3, Interesting

    How many books have this stupid subtitle?
    It must work...

    1. Re:What *they* don't want you to know! by chris44larsen · · Score: 1

      67

    2. Re:What *they* don't want you to know! by cybernanga · · Score: 1

      How many books have this stupid subtitle? It must work...

      They don't want you to know ;)

      --
      www.Buy-Proxy.com - A "buyer-driven" global marketplace.
  23. Re:These are not the tech specs you're looking for by Locklin · · Score: 1

    From my point of view, I just want to know how security product Y is doing what it's doing, but to tell me that is to reveal details about the implementation, so they re-cast using something like a firewall as "anti-packet technology"

    If the vendor can't explain how their security works without compromising it, then it's not security, it's obscurity and it's also probably snake-oil.

    --
    "Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
  24. The irony of IT security is practically axiomatic by Anonymous Coward · · Score: 1, Interesting

    Your job is to make access impossible for a motivated, resourceful and knowledgeable attacker, yet dead simple for an unmotivated, uninformed and careless user.

    Corollary:

    If you fail, you get blamed / fired / sued, not the user, not the attacker.

    This is why IT people are so "paranoid" - they are usually entrusted with this impossible responsibility (impossible because it's not theirs alone but shared by the users), yet their ass is on the line (perhaps others as well, but definitely theirs) if something gets compromised.

  25. Re:Joke by dandart · · Score: 1

    Hey hey, only some of it is a joke. SMTP is, hardware encryption isn't. WEP and WPA are, private-public key pairs aren't. See? I'm reasonable.

  26. WTF? by AmigaMMC · · Score: 1

    > the state of information security can be summed up in the book's final three sentences

    What the F***?! It totally spoiled the end for me, without even a "SPOILER" warning. I don't wanna read the book anymore.

  27. No Need by omb · · Score: 2, Interesting

    Well I have read the book and the much funnier "Secrets and Lies" AC about 3 times and Secrets and Lies more. First AC is in the nature of a scholarly review book and introduction to mathematical and procedural cryptography. It says nothing DEFINITIVE about particular ciphers but DOES make the point that all cryptography depends on mathematically difficult problems that Mathematicians have an annoying habit of simplifying, and this is the nature of the MD5 and SHA1 attacks, and the advice to "walk not run to the exits". Rijndael aka AES is much better than 3 x DES and the new hash will be better than the SHA family.

    This stuff is not snake oil, but you need to understand it at a mathematical and process level to get good results and you need to test, see the Debian SSL fiasco.

    So, for example SHA1 is more than fine for all practical purposes in the version control system 'git' where only accidental collisions are concerning. For all the security brouhaha about SHA1 no one can tell you how to forge the message that you would like to send with a given known SHA1. Most people will notice if they see a message "send a cammel ein milliarde swietzerish franken to the First Crooked Bank of Nigeria" (deliberate errors). So unless you can fix the SHA1 with spaces and <CR> <LF>, in small numbers, and you can not, you are SOL.

    And any valid process encrypts both the message plain-text AND the hash, and to be useful the HASH better depend on the sender's private key and be de-cryptable by their published keys (fingerprint freely available) eg

    sig. omb GPG Key ID: 0xy0481D676FBC700y, old PGP Key Id: 0xy97186Ay

    Finally, the idiot pols in the USA and UK could do just one thing useful, issue everyone a high grade X509 cert for free and sign the Social Security or NHS number using the private key.

    This looks, at first case badly flawed, since all private keys are known and held by government whereby they can be mis-used or lost.

    I leave it as a simple exercise to the reader to turn this into a very cheap, foolproof security system which absolutely stops identity theft.

  28. Re:Joke by jaysonsings · · Score: 1

    >>>Security is a complete joke

    That is absurd. Prove it!

  29. And yet, most linux distros are an app-store by coryking · · Score: 1

    You think the mythical "normal joe" is ever going to go "outside the box" and install stuff that isn't in the Ubuntu repository? I doubt it. If Ubuntu suddenly had 50% market share, 49.5% of that market would be installing applications only from the repository.

  30. How about this model? by Ungrounded+Lightning · · Score: 1

    A security model that allows users to be their usual flaky selves and still work reasonably well is what's called for.

    How about this security model:

    Hunt down the people who deploy malware and take them out of circulation.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  31. Or they care, but the policy sucks by coryking · · Score: 1

    Perhaps the policy sucks and the people implementing the policy don't understand "security". Places that like to have you change your password once a month. Worse, websites that have you create a password with punctuation and a huge length. These things aren't secure. All they do is force people into writing the password down or saving it as a text file.

    "Blame it on the user" is always a cop out. Blame it on the idiot paranoid sysadmin. Blame it on the idiot programmer who can't be assed to design a useful security system. Blame it on anybody, but don't blame it on the user.

  32. Re:The only way to truly achieve security by chris44larsen · · Score: 1

    Is that true or an urban myth?

  33. Self-perpetuating BS by NateTech · · Score: 1

    Now reviewers of books on Slashdot shill their own books as proof of their own credibility as a reviewer? Awesome.

    --
    +++OK ATH
    1. Re:Self-perpetuating BS by chris44larsen · · Score: 1

      Not sure what you are basing that on? What do you mean?

    2. Re:Self-perpetuating BS by chris44larsen · · Score: 1

      And what is the BS?

    3. Re:Self-perpetuating BS by NateTech · · Score: 1

      Down near the bottom of the review, there's a link to the review author's own book. As if it had anything to do with the book being reviewed?

      --
      +++OK ATH
    4. Re:Self-perpetuating BS by NateTech · · Score: 1

      That computer security (in the current environment) isn't just a never-ending revenue stream for book-writers who tell us what we already knew: People don't care enough to do it properly because it's too inconvenient and expensive.

      --
      +++OK ATH
    5. Re:Self-perpetuating BS by chris44larsen · · Score: 1

      Who makes money off these books? What I mean is that most of these don't sell enough for people to quit their day jobs.

    6. Re:Self-perpetuating BS by chris44larsen · · Score: 1

      What's the big deal? It is part of the guy's bio. Nearly every writer does that as part of their byline.

    7. Re:Self-perpetuating BS by NateTech · · Score: 1

      Hmm, good point.

      --
      +++OK ATH
    8. Re:Self-perpetuating BS by NateTech · · Score: 1

      It's just shameless self-promotion of his book in a review of someone else's book. As someone else pointed out, neither guy is probably making any real money off of either book, since they're both telling us all the obvious.

      --
      +++OK ATH
    9. Re:Self-perpetuating BS by chris44larsen · · Score: 1

      Only a few books, like Bruce Schneier's and the Hacking Exposed series, have sold in the mega amounts. Most of the other books sell a few thousand copies. I know since a buddy of mine wrote a book. He made $$ off it, but he said that if he took the hours he worked, based on the royalties, he would be making like $7 an hour.

    10. Re:Self-perpetuating BS by chris44larsen · · Score: 1

      'Shameless self-promotion' - that is a little over the top. He mentions it at the end of the review. OK, if he mentioned it a few times, and to buy his book. But to call it shameless, that ain't true.

    11. Re:Self-perpetuating BS by NateTech · · Score: 1

      Labor of love, for sure. The guy that started SANS has a house on a Hawaiian island now, or so I've heard...

      Books go out of date too fast, but starting up a "school" where the students write all the curriculum while you speak on how "great" your training organization is... was brilliant!

      --
      +++OK ATH
    12. Re:Self-perpetuating BS by NateTech · · Score: 1

      He has no shame about it, and it's self-promotion. What's the problem with calling a spade a spade?

      I didn't say he OVER promoted himself.

      Just said it has nothing to do with the review...

      --
      +++OK ATH
    13. Re:Self-perpetuating BS by chris44larsen · · Score: 1

      Yes, but the Hacking Exposed books have nothing to do w/ SANS.

    14. Re:Self-perpetuating BS by chris44larsen · · Score: 1

      Dude, get a grip. Using a term like 'shameless self-promotion' is a bit over the top.

      >>>He has no shame about it

      Shame? He wrote a book, and he said he did. What's the big deal? Ever hear of an author's byline? Well, that was it.

      >>and it's self-promotion.

      And what's wrong with that? As long as it's not over the top. Get a cold one, man.

    15. Re:Self-perpetuating BS by NateTech · · Score: 1

      Nah, I was just talking about the "security industry" in general. Good coding practices could put the entire "security industry" out of business overnight... but we all see how well that's working.

      --
      +++OK ATH
    16. Re:Self-perpetuating BS by NateTech · · Score: 1

      Only the misuse of the term "shameless self-promotion" makes it seem "over the top". People use that phrase too much when they mean, "He's an ass and over-promotes himself." I don't.

      --
      +++OK ATH
    17. Re:Self-perpetuating BS by chris44larsen · · Score: 1

      >>Good coding practices could put the entire "security industry" out of business overnight

      Sorry, that is a myth. Ever hear of clueless end-users?

    18. Re:Self-perpetuating BS by NateTech · · Score: 1

      Ahhh, crap. Good point. :-) So as long as computers are run by humans... hahaha... oh well. Been fun chatting about it anyway. I'd settle for having a few "network administrators" who call our support line actually having a working knowledge of TCP/IP! ("What's a port? You're talking over my head!"... from someone with the title, Network Administrator. And no, not from a small company either...)

      --
      +++OK ATH
    19. Re:Self-perpetuating BS by chris44larsen · · Score: 1

      Where is the over-promotion? Or are you over-jealous of other people's accomplishments?

    20. Re:Self-perpetuating BS by chris44larsen · · Score: 1

      What world do you live in? What you say just ain't like what reality is.

    21. Re:Self-perpetuating BS by NateTech · · Score: 1

      Never said "OVER" promotion. Said "self-promotion". I don't think the reviewer needed to mention that he had his own security book at all. Wasn't relevant to the review in the slightest.

      Sorry I guess I just remember when places like Slashdot weren't just here for the money, and when reviewers did it to help others out, not to put a link in the review to where someone could buy their book.

      If I wanted to see the guy's reviewer credentials, I could Google his name.

      Even cooler, was when commenters would take care of it for the guy... "Hey, pay attention - this reviewer also wrote a book [here] and he knows what he's talking about."

      The guy didn't have to link in his review of someone else's book to his own book at all. He chose to self-promote by doing a review. Lame.

      --
      +++OK ATH
    22. Re:Self-perpetuating BS by NateTech · · Score: 1

      LOL. It was once. Only those with the ability to work on the technology had that kind of title. I know, it died over a decade ago. Call me old-fashioned, but I miss it.

      --
      +++OK ATH
    23. Re:Self-perpetuating BS by NateTech · · Score: 1

      Note the Slashdot ID number on my username. Yeah, I've been doing this a long time.

      --
      +++OK ATH
    24. Re:Self-perpetuating BS by chris44larsen · · Score: 1

      Sorry, did not know I was in the presence of a /. elder.

    25. Re:Self-perpetuating BS by chris44larsen · · Score: 1

      OK, I guess we have to agree to disagree. One can look at it two ways - self promotion, or validating that the person is qualified to review a book, since he was the author of another book. I looked at other bylines of book reviews in other magazines/web sites. 95% of them were like the one here. OMG!!!! They self-promote!!!!!

    26. Re:Self-perpetuating BS by NateTech · · Score: 1

      LOL... yeah, as if being a /. elder matters or counts for anything. That and $3 will maybe get me a cup of coffee at *$. Hah.

      --
      +++OK ATH
    27. Re:Self-perpetuating BS by NateTech · · Score: 1

      Yeah, I hear ya. I just think it's tacky. If the guy REALLY is that good, we'd all know who he was. Like Schneier, say? I get it that he's gotta make a living somehow, though.

      I think the best security folks are probably slogging it out somewhere out there in the trenches (I know a few) and because their lawyers say so, they can't talk about what they're working on anyway... what they're doing isn't in books.

      --
      +++OK ATH
  34. You can't handle the TRUTH! by Chelloveck · · Score: 1

    Regardless of the quality of the book, I can't bring myself to read anything with such a trashy subtitle. Anything claiming that it's "What ${SOMEONE} Doesn't Want You To Know" comes off as paranoid conspiracy-theory crap. ${THEY} don't want you to know about homeopathic remedies or engines that run on water; it's not surprising that ${THEY} don't want you to know the TRUTH about COMPUTER SECURITY either!

    I'm ashamed of you, O'Reilly. You used to be good. I do notice that the subtitle in the image of the book's cover (here, on Amazon, and on the O'Reilly site) reads "The Ultimate Insider's Guide to Network Security", which, aside from the hyperbolic "Ultimate", is much better. I hope the paranoid version was a working title, and got changed to the sane one before publication.

    --
    Chelloveck
    I give up on debugging. From now on, SIGSEGV is a feature.
    1. Re:You can't handle the TRUTH! by chris44larsen · · Score: 1

      Yes, that is an over the top title. But hey, everyone makes mistakes, even the good folks at O'Reilly.

  35. Re:I have a full-proof security code by cheros · · Score: 1

    I must admit I actually admired his tenacity, grin. I myself have occasionally the attention span of a hamster on speed :-).

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.