The Effect of Snake Oil Security

← Back to Stories (view on slashdot.org)

The Effect of Snake Oil Security

Posted by timothy on Wednesday September 8, 2010 @12:12AM from the homeopathic-snake-oil-is-better dept.

Trailrunner7 writes "Threatpost has a guest column by Robert Hansen (aka Rsnake) about the long-term effects of snake-oil security products. 'I've talked about this a few times over the years during various presentations but I wanted to document it here as well. It's a concept that I've been wrestling with for 7+ years and I don't think I've made any headway in convincing anyone, beyond a few head nods. Bad security isn't just bad because it allows you to be exploited. It's also a long term cost center. But more interestingly, even the most worthless security tools can be proven to "work" if you look at the numbers.'"

110 comments

Min score:

Reason:

Sort:

Good, Bad and Ugly by hhawk · 2010-09-08 00:19 · Score: 4, Interesting

I think it's also a very hard concept that Good security can fail some times as well, so it's hard for some managers and others to understand the difference between good security failing and bad security having really never worked at all...
Good security can fail when new venerabilities are found, when risk assessments are not up dated in a timely manner, to do human / operator errors, etc.

--
http://www.hawknest.com/
1. Re:Good, Bad and Ugly by JeffSpudrinski · 2010-09-08 00:32 · Score: 5, Insightful
  
  It can also be hard for folks to understand that you need layered security and that sometimes what worked at one time should be replaced.
  We recently migrated from one solution (McAfee) to another (Sophos). Company management eventually bought in, but the question has been asked "Why were we running inferior stuff to begin with?" McAfee wasn't inferior when we went to it (eight years ago)...they just simply didn't keep up with the times.
  Threat vectors change over time and it is necessary to make yourself essentially a "moving target" by not relying on a single (or even the same) solution over time. If you do an audit and find something lacking...replace it.
  Just my $0.02
  -JJS
2. Re:Good, Bad and Ugly by ArsenneLupin · 2010-09-08 01:47 · Score: 3, Informative
  
  It's not vector as in math, but rather vector as in biology. Think fleas carrying diseases.
3. Re:Good, Bad and Ugly by CarpetShark · 2010-09-08 02:02 · Score: 2, Funny
  
  Think fleas carrying diseases.
  We're thinking, we're thinking! FFS give us a break, we're only little.
4. Re:Good, Bad and Ugly by AlecC · 2010-09-08 02:12 · Score: 2, Informative
  
  The term vector has been reused in other branches of science, with different meanings relevant to this subject. In epidemiology, which has a close analogic relationship to computer security, an infection vector is the means (parasite, contaminated water, sneezing) by which a disease spreads. This is actually a more exact derivation from the Latin original, which meant "one who carries". A threat vector is not the same as a threat, just as a bullet is not the same as a gun. The threat is malaria, the vector is the mosquito.
  
  --
  Consciousness is an illusion caused by an excess of self consciousness.
5. Re:Good, Bad and Ugly by Notquitecajun · 2010-09-08 03:14 · Score: 0
  
  IOW, Check your vector, Victor.
6. Re:Good, Bad and Ugly by Anonymous Coward · 2010-09-08 03:25 · Score: 1
  
  McAfee wasn't inferior when we went to it (eight years ago)
  McAfee has been inferior pretty much since they moved the product from DOS to Windows.
7. Re:Good, Bad and Ugly by Bigjeff5 · 2010-09-08 04:14 · Score: 2
  
  You should look up the word "vector". Maybe read up on a little biology. Pay particular attention to "viruses".
  Usually when you argue a point you are obviously ignorant about, you look stupid.
  Your post is no exception.
  
  --
  Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
Nice article, nice story by suso · 2010-09-08 00:19 · Score: 2, Interesting

Insightful article. It was worth it just to read the bear in the woods analogy, which will give you a good laugh.
1. Re:Nice article, nice story by tverbeek · 2010-09-08 00:48 · Score: 4, Funny
  
  I was disappointed that the bear-in-the-woods analogy involved neither shit nor the Pope, but it was insightful nonetheless.
  
  --
  http://alternatives.rzero.com/
2. Re:Nice article, nice story by Larryish · 2010-09-08 01:07 · Score: 0
  
  What does drinking beer in the woods have to do with security?
3. Re:Nice article, nice story by (Score.5,+Interestin · 2010-09-08 01:18 · Score: 3, Funny
  
  Insightful article. It was worth it just to read the bear in the woods analogy, which will give you a good laugh.
  
  Preved?
4. Re:Nice article, nice story by Joebert · 2010-09-08 02:11 · Score: 2
  
  Think about the bear analogy again. If you feed the guy next to you to the bear, now the bear is satiated. That's great for a while, and you're safe. But when the bear is hungry again, guess who he's going after? You're much better off working together to kill or scare off the bear in that analogy.
  
  Unless you're smart, like Betty White in Lake Placid.
  
  --
  Wanna fight ? Bend over, stick your head up your ass, and fight for air.
5. Re:Nice article, nice story by Anonymous Coward · 2010-09-08 02:35 · Score: 1
  
  If you're not secure enough while you're drinking in the woods, you'll get turned into bear shit.
6. Re:Nice article, nice story by Anonymous Coward · 2010-09-08 02:53 · Score: 2, Interesting
  
  Rudyard Kipling said it better...
  IT IS always a temptation to an armed and agile nation,
  To call upon a neighbour and to say:
  "We invaded you last night - we are quite prepared to fight,
  Unless you pay us cash to go away."
  And that is called asking for Dane-geld,
  And the people who ask it explain
  That you’ve only to pay ’em the Dane-geld
  And then you’ll get rid of the Dane!
  It is always a temptation to a rich and lazy nation,
  To puff and look important and to say:
  "Though we know we should defeat you, we have not the time to meet you.
  We will therefore pay you cash to go away."
  And that is called paying the Dane-geld;
  But we’ve proved it again and again,
  That if once you have paid him the Dane-geld
  You never get rid of the Dane.
  It is wrong to put temptation in the path of any nation,
  For fear they should succumb and go astray,
  So when you are requested to pay up or be molested,
  You will find it better policy to say:
  "We never pay any one Dane-geld,
  No matter how trifling the cost,
  For the end of that game is oppression and shame,
  And the nation that plays it is lost!"
7. Re:Nice article, nice story by tsalmark · 2010-09-08 03:08 · Score: 2
  
  With out WiFi you can not be hacked in the woods while drinking beer. How ever Rain, children with half melted marshmallows and chipmunks can all necessitate a trip to your local computer store.
8. Re:Nice article, nice story by Joebert · 2010-09-08 03:36 · Score: 1
  
  Bett White said it in less words. "Sick 'em crocko !"
  
  --
  Wanna fight ? Bend over, stick your head up your ass, and fight for air.
Of course by Anonymous Coward · 2010-09-08 00:19 · Score: 1

But more interestingly, even the most worthless security tools can be proven to "work" if you look at the numbers.'"
Of course.. look at Mcafee
In short by guruevi · 2010-09-08 00:24 · Score: 5, Insightful

Statistics can be made to show anything, managerial and C-level executives have to be more responsible and in the end it's cheaper to just let the customers eat the costs of bad security rather than fail trying to do something about it.
The main problem imho is that there are no real punishments when something goes bad. If somebody gets hacked the old adage of "it's happening more often throughout the industry" is used to redirect the blame from the gatekeepers to the attackers. If somebody doesn't get hacked while the competition is, the executives get praised even though they might not have done anything meaningful. Back in the day when castles (security products) were used to protect a lord (the data or the company) and the gatekeeper (managers and sysadmins) didn't do their job, the gatekeeper would get flogged, stripped naked and/or executed. The soldiers didn't blame someone else when somebody invaded their castle and they didn't pat themselves on the back as 'doing a good job' when the neighboring castles were ransacked.
Security procedures have nothing to do with the rest of the industry. Most likely they're unique to your company and structure, and one time, you're going to be up for a targeted attack and you should be ready at all times.

--
Custom electronics and digital signage for your business: www.evcircuits.com
1. Re:In short by John+Hasler · 2010-09-08 00:44 · Score: 2, Insightful
  
  ...in the end it's cheaper to just let the customers eat the costs of bad security rather than fail trying to do something about it.
  Not if the customers react by taking their business elsewhere.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
2. Re:In short by jimicus · 2010-09-08 02:26 · Score: 2, Insightful
  
  Not if the customers react by taking their business elsewhere.
  They haven't yet.
3. Re:In short by Bert64 · 2010-09-08 02:32 · Score: 2, Insightful
  
  Which in many cases they can't do, since they're locked in.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
4. Re:In short by BobMcD · 2010-09-08 02:40 · Score: 3, Insightful
  
  The main problem imho is that there are no real punishments when something goes bad.
  This is quite true, but there's simply no viable alternative. Who would wield the power of 'real punishment' in the hypothetical 'fix' scenario? The government?
5. Re:In short by Anonymous Coward · 2010-09-08 03:04 · Score: 0
  
  That must be why the Windows OS market share has been steadily declining since the mid 90's. Oh, wait...
6. Re:In short by Anonymous Coward · 2010-09-08 03:05 · Score: 0
  
  Statistics can be made to show anything
  Statistics cannot be made to show anything. That's like saying calculus can be made to show anything. What I think you mean is that people frequently lie by omission and sometimes they present statistical figures while doing so.
7. Re:In short by Anonymous Coward · 2010-09-08 04:25 · Score: 0
  
  Oh, that would be me. Let me know who needs to be punished and I'll take care of it. No, no, don't thank me -- just trying to do my part.
8. Re:In short by DarwinSurvivor · 2010-09-08 19:02 · Score: 1
  
  I'm having trouble deciding whether you are simply vengeful or looking for a proven easy target...
9. Re:In short by DarwinSurvivor · 2010-09-08 19:03 · Score: 1
  
  Yes, and that's how they do it.
Password Post-It on the screen by Anonymous Coward · 2010-09-08 00:24 · Score: 1

Meh, everybody knows that a big fence grabs the attention, because you "must" have something to hide.
Anybody can kinda protect a Windows machine by just having spybot, a password and a firewall on his modem/router, for free.
But any big (I mean non free) antivirus will be useless against the stupidity of the end user.
- Do you really want to open pornIMG.exe ?
- YA RLY!
1. Re:Password Post-It on the screen by Dr_Barnowl · 2010-09-08 01:02 · Score: 4, Insightful
  
  Well, no. Most of them are configured to remove the possibility of that choice from the user - if they detect a virus, they quarantine the file and don't give you a choice. It's more that they can't detect everything. After that, it's not the virus scanners fault if users have poor digital hygiene.
  For what it's worth, I run my personal Windows boxes without anti-malware and anti-virus, respect a few general principles, and don't have problems. But explaining this to common users seems to be impossible. They seem to be unable to apply general principles, instead needing specific directions for every little circumstance.
  People will scoff at the idea that Unix has a more secure model, but really little things - like the executable bit, like not running as admin - raise the barrier for malware. .NET tried to implement a third way - by sandboxing applications - but it was realistically too much of a faff to configure, and not much good if you could still write all your malware in plain C.
2. Re:Password Post-It on the screen by hedwards · 2010-09-08 01:17 · Score: 2, Insightful
  
  That works well, until some jerk finds an exploit in Windows' TCP/IP stack and you get infected by a worm. Or a new attack vector comes out such as the ones that relatively recently allowed for images and PDFs to be infected. Running windows without antivirus and antimalware is irresponsible no matter how careful you are, it's not meant to preclude or replace and individuals responsibility, but it works well as a back up.
3. Re:Password Post-It on the screen by Bert64 · 2010-09-08 02:35 · Score: 1
  
  Antivirus is just a filter that will detect and stop the lowest hanging fruit...
  I have done incident response jobs for many many different clients, and without exception every single compromised machine i've ever looked at had some kind of av product installed at the very least. Aside from detecting the most trivial of attacks, it provides a false sense of security and encourages users to be less careful.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
4. Re:Password Post-It on the screen by Astatine · 2010-09-08 02:39 · Score: 1
  
  Running windows without antivirus and antimalware is irresponsible no matter how careful you are, it's not meant to preclude or replace and individuals responsibility, but it works well as a back up.
  No, it does not.
  The first thing that the cleverer worms and other malware do after getting a foothold on your machine is disable the AV. You might get a bunch of warnings out of it if you're lucky, but its cleanup routines won't work any more, and it won't warn you about any further infections. You still need that backup, because the only way to be sure you've got the malware off is to wipe and reinstall.
  That's not even considering malware the AV hasn't heard of yet.
5. Re:Password Post-It on the screen by tibit · 2010-09-08 02:49 · Score: 1
  
  I agree. I have no AV in my VMware image, and I have had no problems. I run an offline scan of the image's contents using clamav every once in a while, and there was never a problem. But I'd have a very hard time teaching anyone to follow safe browsing rules. People are very reactionary, and as soon as they see an antivirus warning, they go crazy, even if it's just a website warning. They believe, by default, that throwing money on the problem will fix it.
  
  --
  A successful API design takes a mixture of software design and pedagogy.
6. Re:Password Post-It on the screen by mlts · 2010-09-08 03:09 · Score: 1
  
  I'd say that isn't the case. Exploits with browsers or add-ons can easily compromise a machine just as badly as an open port. Browser and add-on security is still in its infancy while network security has matured over a number of years. So even with the Maginot line of network stuff, all it takes is one add-on programmed by the lowest bidder to open internal systems wide open.
  The only real fix I know of? AdBlock is your first line of defense. If you want to be sure, run your Web browsing in a VM whose changes get dumped when you finish a browsing session.
7. Re:Password Post-It on the screen by pnutjam · 2010-09-08 03:21 · Score: 1
  
  No problems that you see...
  
  How do you know there is not a trojan or a virus lurking on your machine? Do you perform occasional scans?
  
  --
  Cheap storage VM.
8. Re:Password Post-It on the screen by HungryHobo · 2010-09-08 03:43 · Score: 2, Insightful
  
  antivirus software is useless for actual security, in general by the time the AV detects it you've already been infected and the virus has done it's dirty work.(unless you're lucky and it catches it as it tries to infect you)
  if it's a true worm chances are high you'll be infected before the AV company adds it to their database or before the update is downloaded.
  Antivirus software is an example of enumerating badness.
  You pay a company a few dollars a month to try to keep track of everything bad in the world.
  which is a terrible way to do security.
  even the best AV software has fairly crappy hit rates and will do nothing against a customized/targeted attack.
  it's only true value is as a performance metric.(which is a has value in itself)
  if the antivirus ever detects anything then it means all your real security has failed miserably.
  putting antivirus on a computer eliminates the need for real security in the same way that counting the money in the bank once a week eliminates the need for vault walls.
  it's a good thing to do but it's no substitute for real security.
9. Re:Password Post-It on the screen by sexconker · 2010-09-08 03:55 · Score: 1
  
  People will scoff at the idea that Unix has a more secure model, but really little things - like the executable bit, like not running as admin - raise the barrier for malware. .NET tried to implement a third way - by sandboxing applications - but it was realistically too much of a faff to configure, and not much good if you could still write all your malware in plain C.
  Data Execution Prevention was enabled in Windows XP SP2. (Shortly after CPUs with the ability popped up.)
  You haven't had to run as administrator since Windows 2000. You haven't had to run as administrator to have all your shitty programs work since Windows XP. You haven't run as administrator by default since Vista.
10. Re:Password Post-It on the screen by mlts · 2010-09-08 04:15 · Score: 2, Insightful
  
  TBH, the only thing that really helps with malware infections is having good backups, and a well practiced method of restoring data, either just grabbing a couple files, or a complete bare metal restore from boot media or a PXE server. The ideal media for backups is something that can be set to read-only like tapes or WORM media like optical. This way, malware can't alter the contents once written.
  AV programs are nice, and sometimes they do catch a Trojan or two, but I've cleaned a lot of systems where the AV service was happily running side by side with the botnet client. Since a lot of new Windows malware encrypts sectors and parts of the OS to screw up safe mode booting, the only real way to get rid of a lot of infections is to save as much data off to an external drive, dd if=/dev/zero of=/dev/sda to completely zero out the drive (or even better HDDErase), repartition, and reinstall the OS and applications.
  This is why I urge people to get a backup utility that is able to do backups daily automatically, preferably from a backup server.
11. Re:Password Post-It on the screen by Dr_Barnowl · 2010-09-08 07:15 · Score: 1
  
  Yes, you haven't HAD to run as admin. (since NT, which I remember). But the default config that Windows does for it's home editions is to configure the first user created as a member of the Administrators group. The pathetic lame-ass situation you describe with applications that require admin privs to even run has been fostered because Windows made it a pain in the ass to elevate privileges, so most software developers wrote all their code with a user in the Administrators group, because being a software developer on Windows without admin access is a chore, and many of them never tested their software on a limited user account. Unix makes it a pain in the ass to use root, and a chore to put files in system locations by default, and allows you to develop software without privileged access to the almighty central database of components available to the system (the COM section of the registry).
  UAC in Vista is an improvement. But there needs to be a tutorial on what it is you are actually doing when you click on a UAC confirm dialog. And it should show up every time you log in until you answer a quiz to turn it off. "Do you want to allow this program to make changes to this computer?" isn't strident enough. It should say "Do you trust this program?".
The nature of humanity? by lightspeedius · 2010-09-08 00:29 · Score: 3, Insightful

I think we will solve the issues of computer security about the same time we figure out how to deal with conflicts within ourselves and humanity.
1. Re:The nature of humanity? by mrclisdue · 2010-09-08 02:22 · Score: 1
  
  The '60s called: they want their LSD-25 back, man.
  peace,
2. Re:The nature of humanity? by Bert64 · 2010-09-08 02:37 · Score: 1
  
  The solution is for non technical users to have simpler devices that only serve their needs and don't provide anything else.... When was the last time you heard of a games console, printer, typewriter or microwave being exploited remotely, or being used to download malware?
  Having a general purpose computer with an excessively complicated OS is just asking for trouble. Such things are simply not appropriate for the general public.
  
  --
  http://spamdecoy.net - free throwaway anonymous email - avoid spam!
3. Re:The nature of humanity? by Anonymous Coward · 2010-09-08 03:25 · Score: 0
  
  Games Console, not per se, but iPhone, yes, they ahve been hacked.
  Microwave... Not sure too many microwaves have much in them besides a microprocessor.
  Printer? All the friggin' time. (e.g. printer spam)
I can guarantee nearly 100% security. by Anonymous Coward · 2010-09-08 00:38 · Score: 0

Encase your systems in concrete. On the moon. This security will mean you won't have any serious worries about being hacked. Anybody with the spare billions to spend getting access surely has better things to do with their time. It's practically foolproof when you think about it.
Actually using your system? Sorry, that's somebody else, I'm only offering security.
other side effects by tverbeek · 2010-09-08 00:41 · Score: 0

It can also act as a laxative, leading to anal leakage.

--
http://alternatives.rzero.com/
It's the OS, stupid by AHuxley · 2010-09-08 00:44 · Score: 1

Stop using MS. The "security" side is like asking if you like your snake-oil with extra cocaine, sugar or alcohol.
Get over the lecture, assistants in the crowd and find a tonic that works. Something based on folk remedies, homespun remedies which-by trial and error have proven to work.

--
Domestic spying is now "Benign Information Gathering"
1. Re:It's the OS, stupid by jimicus · 2010-09-08 01:00 · Score: 5, Insightful
  
  I'm afraid it isn't, and a bit of reading between the lines in the article would allow you to figure this out.
  The types of attack which Windows is most infamous for - true self-replicating viruses and trojans that require you to be running as a local admin for them to work - are an endangered species. Newer attacks don't self-replicate like viruses and don't necessarily require you to be running as a local admin. Indeed, you can do quite a lot on any modern OS, be it Linux, some other Unix or Windows without being admin/root. You can certainly do enough to gain access to all sorts of juicy information and then pass it on through the Internet.
  The main reason Windows is targeted by the malware authors - particularly on the desktop - is that a lot of the malware authors aren't doing it for interest, they're doing it for cash. What's the point in writing an exploit that will give access to a Linux desktop when you could write the exploit for Windows and target about fifteen times the number of potential victims?
  Let's assume a drastic drop in Windows usage. Are the world's malware authors going to shrug their collective shoulders and say "Ah well, it was nice while it lasted"? Or are they going to say "Well, there's still lots of computers out there with lots of ill-informed people using them for things like banking, even if they're not running Windows. Wonder if there's any way to exploit them?"
2. Re:It's the OS, stupid by Anonymous Coward · 2010-09-08 01:24 · Score: 0
  
  True, but I do think, with the linux model it will still be easier to defend against the threats. Users will need antiviruses for linux in the event it's popularity goes up. However, odds are the antiviruses will have more potential to be effective. In general most of the time I see malware on a windows system, even if it hasn't been given actual root privilages, it still very commonly manages to incapacitate the current AV that or just plain hide from it/dance in front of it, not sure what hole they commonly use for this, but I would imagine a hole of this style would likely be patched quicker in the open source world as soon as, or even before it is being exploited.
  Linux's security model is not flawless, and yes AV's will be needed for users who aren't smart enough to follow basic procedures, there is no magic box that will prevent users from mindlessly running user level code. However, anti-evil code actually staying higher level then the bad code, can at least make removing/detecting easier.
3. Re:It's the OS, stupid by kilfarsnar · 2010-09-08 01:29 · Score: 1
  
  As a frequent Windows user I'll go with the extra cocaine, thanks.
  
  --
  "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
4. Re:It's the OS, stupid by Stumbles · 2010-09-08 01:37 · Score: 3, Interesting
  
  What's the point in writing an exploit that will give access to a Linux desktop when you could write the exploit for Windows and target about fifteen times the number of potential victims?
  That's just the same old numbers argument... when really it is way easier to compromise a Windows box than just about any other OS around. If the situation were reversed and the alternative OSes still retained their level of security I do not think you would see the same level of threats as you do with Windows. That is of course assuming the increased number of users using alternative OSes do not do stupid shit like run as root or change login users to have root level access.
  
  --
  My karma is not a Chameleon.
5. Re:It's the OS, stupid by slyguy135 · 2010-09-08 01:40 · Score: 1
  
  > That is of course assuming the increased number of users using alternative OSes do not do stupid shit like run as root or change login users to have root level access.
  Which was grandfather's point. [My ol' gramps always was a smart one].
6. Re:It's the OS, stupid by Stumbles · 2010-09-08 01:41 · Score: 1
  
  I would have to disagree with that for the most part. The significant difference between Linux and Windows when it comes to dealing with viruses is that the Linux world will not hesitate to really fix the underlying cause; where as with Windows, they just put a bandage over it and hope for the best. AFAIK there is really only one "real AV" for Linux, and that is Clamav and the only reason it exists is to filter out the nastiness found in the Windows world.
  
  --
  My karma is not a Chameleon.
7. Re:It's the OS, stupid by Alex+Belits · 2010-09-08 02:15 · Score: 3, Insightful
  
  Users will need antiviruses for linux in the event it's popularity goes up.
  Because Linux software automatically runs executables downloaded from the Internet, right?
  The idea of "antivirus" is idiotic to begin with -- analyze something you already have on your computer in hope to recognize something that already infected millions of computers before you (or otherwise how McAfee would know it?). Security comes from lack of vulnerabilities in your permissions/access model -- something that is pretty easy to accomplish as long as you develop such a policy in the first place. For example, modern Linux desktop environments handle .desktop files in an insecure manner, and this can be easily fixed by treating them as executable script files (no execute bit means you can't execute it) even though they are not scripts from kernel point of view. The fact that web browser always runs under a user ID of a user who started it is another thing that should be fixed, as it's too large to be a trusted program. However those things can and will be fixed without introducing "let's loof for 'sudo rm -rf /' everywhere" approach that only exists because Windows security model is broken and unfixable.
  
  --
  Contrary to the popular belief, there indeed is no God.
8. Re:It's the OS, stupid by jimicus · 2010-09-08 02:25 · Score: 1
  
  Erm.... actually it wasn't. In fact, I was so concerned my point would be missed I spelled it out explicitly. Maybe putting it in bold will help.
  Newer attacks don't self-replicate like viruses and don't necessarily require you to be running as a local admin. Indeed, you can do quite a lot on any modern OS, be it Linux, some other Unix or Windows without being admin/root.
  All an attacker has to do is persuade something to run arbitrary code. The obvious way that we all know and hate is to trick the user into double-clicking an email attachment - which in Linux doesn't work very well, particularly if the user's on a desktop with every partition they can write to mounted with noexec. But there are other ways to run arbitrary code, and they're ways we see on /. pretty regularly. Some other application (eg. web browser, PDF reader, random library that is linked into lots of applications) is exploited to run it.
9. Re:It's the OS, stupid by jimicus · 2010-09-08 02:33 · Score: 2, Informative
  
  However those things can and will be fixed without introducing "let's loof for 'sudo rm -rf /' everywhere" approach that only exists because Windows security model is broken and unfixable.
  No it's not. In fact, it's arguably better than Unix, insofar as you have much finer granularity in terms of what you can allow or disallow and who you can allow it to.
  What is broken is that most applications utterly fail to respect it, hence the implementation in many organisations winds up screwed. You could argue this is because of history (Applications that were written in the days of '9x and have never been updated to account for a security model), because of laziness (too many software houses giving their devs admin rights) or because it's simply too complicated for its own good, but there's only one of those arguments which might reasonably be translated as meaning that the model is broken and unfixable.
10. Re:It's the OS, stupid by VGPowerlord · 2010-09-08 02:41 · Score: 1
  However those things can and will be fixed without introducing "let's loof for 'sudo rm -rf /' everywhere" approach that only exists because Windows security model is broken and unfixable.
  The Windows security model would be fine, except for two things:
  Many, many Windows apps were not written with it in mind, and demand to be run with higher privileges than they actually need. Games in particular are bad about this, and they go to lengths to require said permissions even if you've adjusted the file permissions for the directories they need.
  
  UAC was introduced to make this as annoying as possible to get developers to stop doing this. Surprise, it didn't work!
  All files are given the Execute permission by default.
  --
  GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
11. Re:It's the OS, stupid by turbidostato · 2010-09-08 03:06 · Score: 1
  
  "Because Linux software automatically runs executables downloaded from the Internet, right?"
  Interesting question. Is there anything really impending Linux to automatically run executables downloaded from the Internet? I bet not.
  So, on one hand we have that "the year of Linux on desktops" haven't reached yet because "cumbersome" limitations that make it "dificult for average joe" to use it, so "Linux isn't attacked by so many threats because it's more profitable to attack the wider Windows base"; in the other hand, as per current "analysis" from "experts" in order for Linux to take the desktop it should implement the same Windows easiness that allows for both "average joe" and the worms to take advantage of the platform.
  Of course, the idea that successfully operating a (basically) complete turing machine requires some kind of training is out of question.
12. Re:It's the OS, stupid by HungryHobo · 2010-09-08 03:25 · Score: 2, Insightful
  
  linux has had a hell of a lot of security problems over the years.
  I like linux, I like open source but it isn't magic.
  pick an unpatched reasonably out of date linux system and you can find security holes in it.
  linux seems to get patched slightly faster but that's about it.
  it also seems to attract some of the more anal security nuts as devs for some crypto focused applications who err on the side of security vs usability since they can do it how they want rather than how some marketing manager wants.
  it's biggest advantage is that linux tends to attract the kinds of users who keep their patches up to date and know to avoid some of the more foolish things you can do.
  it's next biggest advantage securitywise is that attackers who are in it for the money are going to go after the largest pool of targets and simply put linux is still on the margins.
  but linux is not a magic bullet.
  if you replaced all windows machines in the world overnight with linux machines and put the same people in charge of them linux would fare little better vs the malware authors.
13. Re:It's the OS, stupid by wshs · 2010-09-08 03:54 · Score: 3, Insightful
  
  Most recent attacks have been via stupid users, not buggy OS. The reason Linux hasn't been targeted is threefold: 1) next to nobody uses it, thus a waste of effort to write malware for it; 2) its users aren't retarded; 3) each distro is completely different, unlike different Windows versions.
14. Re:It's the OS, stupid by Anonymous Coward · 2010-09-08 03:55 · Score: 0
  
  Until you arrive at the desk where the user sits.. because those same windows users that install limewire, and download 232kb executable files claiming to be "the latest music/movie/dvd/game" will willingly not only click on it, but do it repeatedly and when it doesnt work they will download another and another and another...
  This cannot be "fixed" by running an alternate OS, because its user behavior that is the problem.. not anything right or wrong with the security model of the OS, or any particular vulnerability.. It is *just* as easy to get an idiot sitting at a Linux/OSX/BSD/etc desktop to install a package that gives me full control of their machine remotely to do with as I please, as it is to get a windows user to do it.. But why bother targeting linux/osx when the windows world is so much more convenient (phenomenon called Low Hanging Fruit.. look it up)
  The concept of Anti-Virus is to scan what you download to be sure it is what it says it is.. You are aware that "virus" does not mean an "attack" right? you are aware that these are simply programs that the user chose to execute because they where socially engineered into doing so ? You really do not believe that Linux is immune to "bad packages" right? The idea that "autorun" is bad and that by just throwing a program that does "bad things" silently on a usb drive/cd/floppy/etc and getting computer to execute it.. is a bad design in general, but its still not a "vulnerability" in the sense that it needs to be hacked to be abused.. its simply a design thats easily useful for those wishing to do bad things..
  When you learn the difference between a vulnerability and a virus and a poor design.. come back and chat, until then go do some reading and lose the fanboy anti microsoft frenzied posting.. its attitudes like yours that created the windows zombies of the world (I have norton i am safe and can do whatever i want omg omg omg.. which is just as bad as "there are no virus in the wild for linux or mac i dont have to worry where i browse or what i do I am safe SUCKAS")
  Meh
15. Re:It's the OS, stupid by Bigjeff5 · 2010-09-08 04:27 · Score: 1
  
  What's the point in writing an exploit that will give access to a Linux desktop when you could write the exploit for Windows and target about fifteen times the number of potential victims?
  Hold on, since when does Linux have 6% market share? Try 30-60 times the number of potential victims if you go after Windows.
  Frankly, unless you have a grudge against Linux, you'd have to be an idiot to attack anything other than Windows. Macs are an ok second choice, but even if 80% of Windows users were well informed in computer security, there would still be more ignorant Windows users than there are total Mac users, so even that is a stupid choice. And you can be sure that 80% of users are not well informed about computer security.
  Based on numbers alone, Windows is the only OS worth attacking, whether you're in it for money, fame, or just to hurt as many people as possible. For every class of malware, Windows is the only OS worth breaking, regardless of how secure it is or isn't.
  
  --
  Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
16. Re:It's the OS, stupid by Anonymous Coward · 2010-09-08 04:34 · Score: 0
  
  Maybe it's the same old numbers arguement because it's true? Or do you blame someone else who can't flap their arms and fly away of making "the same old gravity arguement"?
17. Re:It's the OS, stupid by Bigjeff5 · 2010-09-08 05:25 · Score: 1
  
  You're just ignorant about Linux and security - that's the only way you can seriously make that statement.
  Yes, Linux has always defaulted to slightly better security policies than Windows, but to think that somehow means it cannot be compromised is idiotic.
  
  --
  Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
18. Re:It's the OS, stupid by Blakey+Rat · 2010-09-08 05:29 · Score: 1
  
  That's just the same old numbers argument... when really it is way easier to compromise a Windows box than just about any other OS around.
  Can you prove that? OS X seems to be the first to fall, any time there's a OS compromising competition...
  If the situation were reversed and the alternative OSes still retained their level of security I do not think you would see the same level of threats as you do with Windows.
  We'll never know, until the situation reverses itself. Until then, it's pretty damned hypothetical.
  But, remember, you don't just get the computer savvy Windows users, you get the naive ones as well. Are the other OSes nearly as good at handling naive users? I doubt it-- they haven't *had* to be. (Except OS X.)
  That is of course assuming the increased number of users using alternative OSes do not do stupid shit like run as root or change login users to have root level access.
  Haha! If you assume that, then Windows would be just as secure as everything else!
  
  --
  Comment of the year
19. Re:It's the OS, stupid by Blakey+Rat · 2010-09-08 05:35 · Score: 1
  
  UAC was introduced to make this as annoying as possible to get developers to stop doing this. Surprise, it didn't work!
  Sure it has. I only know of a single program that hasn't yet fixed it's "pointless UAC" errors. Every other program I use that had UAC errors when Vista came out is patched now.
  Maybe my experience isn't typical, but I think at the bare minimum you have to admit it's helping.
  
  --
  Comment of the year
20. Re:It's the OS, stupid by Alex+Belits · 2010-09-08 05:49 · Score: 2
  
  No it's not. In fact, it's arguably better than Unix, insofar as you have much finer granularity in terms of what you can allow or disallow and who you can allow it to.
  1. No, it's not. ACLs are available on Linux, however no one uses them because they are a stupid idea.
  2. More complex system of permissions and restrictions is not what makes a system secure. To make system secure you have to have consistent policy and consistent implementation -- fine-grained control merely creates more possible ways to bypass things.
  
  What is broken is that most applications utterly fail to respect it, hence the implementation in many organisations winds up screwed.
  Applications are not supposed to respect it -- system has to force it upon applications. The fact that plenty of Windows applications still can't be brought to a condition when they don't break horribly under any sane security model, is another problem, and that problem that is specific to Windows.
  
  --
  Contrary to the popular belief, there indeed is no God.
21. Re:It's the OS, stupid by Alex+Belits · 2010-09-08 05:56 · Score: 2, Informative
  
  Interesting question. Is there anything really impending Linux to automatically run executables downloaded from the Internet? I bet not.
  It's executable permission bit. If a file is downloaded by anything other than package manager, it remains non-executable until the user explicitly sets it on the command line or in a scary-looking permission setting screen. Since all applications are installed in a package manager, the only time when user will want to touch executable bit by himself is when he is really sure he has to run a file.
  
  So, on one hand we have that "the year of Linux on desktops" haven't reached yet because "cumbersome" limitations that make it "dificult for average joe" to use it, so "Linux isn't attacked by so many threats because it's more profitable to attack the wider Windows base"; in the other hand, as per current "analysis" from "experts" in order for Linux to take the desktop it should implement the same Windows easiness that allows for both "average joe" and the worms to take advantage of the platform.
  Oh, I see. You are either a Microsoft astroturfer or an idiot, so you just copy-paste some of your "discussion examples" to make it look like you have something relevant to say.
  
  --
  Contrary to the popular belief, there indeed is no God.
22. Re:It's the OS, stupid by Alex+Belits · 2010-09-08 05:57 · Score: 1
  
  He can click on the executable until he is blue in his face -- it won't run because executable bit is not set.
  
  --
  Contrary to the popular belief, there indeed is no God.
23. Re:It's the OS, stupid by cbhacking · 2010-09-08 12:12 · Score: 1
  
  Actually, it often does (for the same approximate value of "automatically" that you're applying to Windows). If I download a .sh file, I'm offered the option of running it in bash - even if it isn't marked executable, that just means it means it needs to be passed as a parameter to a shell. If I download a .rpm or .deb, I'm asked if I want to open it with my package manager, which will happily open the file, copy its contents onto my filesystem, execute its scripts, etc. Sure, the installation will probably require root privileges, but that's true on Windows as well; it's not my (or Microsoft's) fault if you're running with those privileges already.
  Technically executable binaries won't execute until you mark them executable, but that means absolutely nothing; nobody distributes raw binaries for Linux. Instead, they distribute .sh files that dd a bunch of binary from within themselves into a separate file, chmod that file, and execute it.
  Trojans, which constitute the vast majority of Windows malware and have for years, will work just fine against Linux (or OS X) users too. Indeed, the very assumption that "Macs don't get viruses" has led to cases of users installing bootleg software from shady sources, and getting their Macs taken over. It hasn't happened often, but that's certainly not because it's difficult to do - it's just much more lucrative to do the same thing for Windows.
  
  --
  There's no place I could be, since I've found Serenity...
24. Re:It's the OS, stupid by turbidostato · 2010-09-08 13:10 · Score: 1
  
  "It's executable permission bit. If a file is downloaded by anything other than package manager, it remains non-executable until the user explicitly sets it on the command line or in a scary-looking permission setting screen."
  And that happens exactly why? Because there's an almighty law impeding any program but `chmod` to set the exec bit? Or is it that there is exactly *nothing* impeding Linux to automatically run executables downloaded from the Internet, except the good sense of developers... to date?
  "Since all applications are installed in a package manager [...] Oh, I see. You are either a Microsoft astroturfer or an idiot"
  I think you'd better reassess the limits of your own knowledge prior to call names to unkown people that might be a bit more knowledgeable than you think.
  Look: even on Microsoft environments, by the days of Windows 3.1 plus trumpet winsock plus Eudora (you know, that's about twenty years ago -yes, I was already wandering the intertubes by then, and operating unix too) you needed to go through a lot of steps in order to load an attachment as an executable. But, hey, you don't need to do it anymore. You know why? because there wasn't any law forbidding it and the marketing guys at Microsoft thought it would be a great idea.
  Now, there is exactly the same limitation on Linux that there were on Windows: exactly zero. There's nothing intrinsically avoiding a, say, Thunderbird extension for looking at the mime-type of an e-mail attachment and call an external program to execute it on behalf of the user. And that's exactly the kind of things that the "linux is difficult" advocates expect to see.
  Now try that from your beloved linux command line:
  echo "echo hello, world" > test.txt
  ls -l test.txt (see? no execution bit -I assume your umask is set to a sane value) /bin/sh test.txt
  OH, WONDERFUL THING, LOOK AT THE OUTPUT!!!
  hello, world
  On one hand you see how a file without the execution bit can be "executed"
  On another hand you see how a file not coming from a package can be both installed and executed
  On the third hand (yes, third hand, so what?) given that my "helping program", the shell, is running on behalf of my UID it can access (and modify, and delete) ALL my data from ALL my hard disk. That would also be the case for ANY other program (firefox, thunderbird... you name it) that would happen to run under my UID.
  The ONLY thing avoiding that to happen is not the almighty god from the unix of older days but the common sense from developers. The very day those developers (maybe pushed by some company's greed and money) forget about that common sense you can bet you'll see exactly the same kind of worms and virus attacking linux as there are in windows-world. And, so it seems if your hear the "experts", for linux really having "a year for the desktop" that's exactly what should happen.
25. Re:It's the OS, stupid by mjwx · 2010-09-08 14:39 · Score: 1
  
  The types of attack which Windows is most infamous for - true self-replicating viruses and trojans that require you to be running as a local admin for them to work - are an endangered species. Newer attacks don't self-replicate like viruses and don't necessarily require you to be running as a local admin. Indeed, you can do quite a lot on any modern OS, be it Linux, some other Unix or Windows without being admin/root. You can certainly do enough to gain access to all sorts of juicy information and then pass it on through the Internet.
  
  The main reason Windows is targeted by the malware authors - particularly on the desktop - is that a lot of the malware authors aren't doing it for interest, they're doing it for cash. What's the point in writing an exploit that will give access to a Linux desktop when you could write the exploit for Windows and target about fifteen times the number of potential victims?
  To extend on this, the most common attack vector these days is social engineering. You literally convince people to install your virus and send it to others. This means no OS is effectively immune to viruses. But virus makers know that their hit ratio is going to be low (as smart people can detect BS) to they target 1, the most popular platform and 2 the dumbest users. So viruses come hidden in $Celebrity_Sex_Tape_OMG!!!.exe or pirated programs because people often dont check these things.
  
  So if all the dumb people switch to Mac, all the virus writers will target Mac because that has the highest rate of success. What is needed to secure modern OS's is not SUDO but SUDO combined with checks on what API's the program accesses and or what functions it's performing (such as sending out hundreds of emails or starting a DDOS) and stop it or ask me if I want to let it continue. Of course this kind of detection needs to be a hell of a lot smarter then current AV.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
26. Re:It's the OS, stupid by DarwinSurvivor · 2010-09-08 20:51 · Score: 1
  
  Your post seems to imply that writing security and crytography software according to the whims of a marketing manager is a "good" thing...
27. Re:It's the OS, stupid by DarwinSurvivor · 2010-09-08 21:05 · Score: 1
  
  The execution bit was not designed to prevent applications from being "able" to execute them, they were to prevent users from accidentally executing something that they did not expect to be an executable (naked_girls.jpg.exe). When a user downloads something they expect to be opened by an application (image viewer, adobe acrobat, etc) without realising they have been duped into downloading an executable, unix will either open it in a text editor (scripts) or present an error (binary executable). Windows on the other hand will simply present a password prompt (OK button in vista) and the "click it till it goes away" crowd will happily type in their password without so much as a pause. THAT is why executable bits should never to applied to downloaded files.
28. Re:It's the OS, stupid by HungryHobo · 2010-09-08 21:19 · Score: 1
  
  Listening to someone who says "our customers aren't going to understand how to do that or why you would do that or what config files are or what the command line is, they just want it to work" can sometimes be a good thing.
  Which of course has little to do with security except where security gets degraded slightly because people who don't understand what they're doing end up being able to make their system insecure without understanding what they're doing.
  It can however allow a larger portion of the human race to use the product.
29. Re:It's the OS, stupid by DarwinSurvivor · 2010-09-08 21:20 · Score: 1
  
  As someone who has written linux applications from python scripts to QT applications to low-level socket programmer, no, there is very LITTLE difference between linux distros unless you want to use their package manager. How many windows viruses do you find listed in "Add/Remove Applications"? In fact, the networking (most complex part of any virus/trjan) is so standard accross distros, an application written for ubuntu will easily run on FreeBSD and the only part that needs to be customized is the final package layout (installer).
30. Re:It's the OS, stupid by Anonymous Coward · 2010-09-09 01:17 · Score: 0
  
  Stop using MS. The "security" side is like asking if you like your snake-oil with extra cocaine, sugar or alcohol.
  Get over the lecture, assistants in the crowd and find a tonic that works.
  
  Last time I checked, Cocaine worked pretty Goddamn well.
31. Re:It's the OS, stupid by wshs · 2010-09-12 05:29 · Score: 1
  
  How do you get something to run at boot on Gentoo? On Redhat? On Ubuntu? Hint: it varies widely with distro. The combination of startup scripts, configuration files, home directories, and even binaries leaves your trojan hunting for all these things. Combined with the fact different distros have different libs, means if the distro doesn't have the exact libs needed, the trojan won't run in the first place. As someone who has written primarily C for the last 12 years, I find networking to be the easiest part of a program. Dealing with the unknowns (rc.d? init.d? rc.local? /home? /usr/home? /etc? /usr/local/etc? /etc/conf.d? /opt/bin? /usr/local/bin? kde 3? kde 4? xfce? fluxbox? etc) is infinitely more difficult.
32. Re:It's the OS, stupid by Alex+Belits · 2010-09-13 02:13 · Score: 1
  
  If I download a .sh file, I'm offered the option of running it in bash - even if it isn't marked executable
  In what environment? I have never seen this except on the systems where it was set manually by the user as one of the handlers.
  
  --
  Contrary to the popular belief, there indeed is no God.
My nuts are secure! by Narcocide · 2010-09-08 00:44 · Score: 1

Suck it, squirrels! You can not have them!
1. Re:My nuts are secure! by Joebert · 2010-09-08 02:24 · Score: 1
  
  Never taunt a squirrel with bear nuts.
  
  --
  Wanna fight ? Bend over, stick your head up your ass, and fight for air.
2. Re:My nuts are secure! by Anonymous Coward · 2010-09-08 05:40 · Score: 0
  
  Never taunt a squirrel with bear nuts.
  Especially when they're still attached to the bear.
I Use Their SSL Certificate by Anonymous Coward · 2010-09-08 00:52 · Score: 0

Snake Oil Security? I use their SSL certificate to lock down all my Apache boxes.
http://httpd.apache.org/docs/2.1/ssl/ssl_howto.html#certauthenticate/
Who needs security ... by tgd · 2010-09-08 00:57 · Score: 3, Insightful

When your webserver dumps its cargo at the first sign of an Imperial Cruiser ...
not just security by Tom · 2010-09-08 01:09 · Score: 4, Interesting

It isn't just security. I supervise the IT audits in our company, and I can't list anymore how often fake procedures have been tried to pass of as actual processes. Right now, our software development managers try to tell everyone how "agile" they are - but the real work their people do has nothing to do with agile development whatsoever. I've seen so-called "change management" that wasn't worthy of even being in the same room with actual change management, and "access controls" that were essentially bullshit in paper form.
There are usually two causes for this: Malicious people who are greedy for either power and/or money, or incompetent people who don't understand what they're doing (or managing) but are too afraid to ask for help and too stupid to find it on their own. Both kinds of people try to pass off what they're doing as the real thing and will respond to any attempts at questioning or changing it with hostility. In fact, that hostility is a pretty good indicator of both snake oil and incompetence.

--
Assorted stuff I do sometimes: Lemuria.org
1. Re:not just security by Anonymous Coward · 2010-09-08 01:23 · Score: 0
  
  ... will respond to any attempts at questioning or changing it with hostility...
  That is handled by change management. Remember, CM also involves changing the attitudes. You need to guide them to this, not just walk in saying "You're doing this all wrong!" Educate them gently.
2. Re:not just security by Tom · 2010-09-08 01:46 · Score: 1
  
  I know, I'm being too impatient. Half a decade is not long enough, I shouldn't be so hasty...
  
  --
  Assorted stuff I do sometimes: Lemuria.org
3. Re:not just security by Runaway1956 · 2010-09-08 01:59 · Score: 2
  
  "Educate them gently." That's why I carry a billy club. A Colt .45 is just to much for some people.
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
4. Re:not just security by pinkushun · 2010-09-08 02:08 · Score: 1
  
  Yup, its amazing how 'buzz words' for all the important business processes, work flows and logic layers are meaningless, when they're not taken seriously.
5. Re:not just security by Garwulf · 2010-09-08 02:37 · Score: 4, Interesting
  
  I can vouch for that...
  I used to work in the public sector. A few months before I left to return to school, we changed computer consultants to a new guy, and to this day I swear he was deliberately creating problems so he could bill us for solving them.
  It started off with a computer audit. Now, I'm not a professional computer consultant, but I've been around computers pretty much my entire life, and my father used to be a consultant. My idea of an audit is to generate a list of what programs are running, what anti-virus programs are in place, what firewall is in place, what processes are running, etc. So, when I found out that my computer was about to be audited, I was prepared to be away from it for half an hour to an hour.
  Instead, he checked the Windows version, and moved on.
  Now, to understand this story, one of the things you have to understand is that I was an unofficial IT guy in the office. And, I had taken a couple of steps for basic security (this was back around 2003), such as moving everybody away from Outlook Express and onto Netscape mail. It was a small Windows 2000 network in a small office, and so long as it was kept behind a hardware firewall and nobody did anything terribly stupid, it was fine aside from the occasional software glitch.
  The first recommendation that he put in, and management enforced, was to take everybody off Netscape and put them back onto Outlook Express. Massive infection of the entire network followed. Then, as I was the guy who started complaining that something was wrong here, he tried to blame me for hacking the system.
  Now, this wasn't the main reason I left to go back to school (one of the problems with working in social services is that it can be very soul destroying work, and I had reached the point where I just couldn't continue any further), but it definitely gave me a good dose of snake oil before I left...
  
  --
  Robert B. Marks
  Author, Demonsbane in Diablo Archive
Homeland Security's Moto Is Now Public Knowledge by GooberToo · 2010-09-08 01:30 · Score: 1

It's also a long term cost center. But more interestingly, even the most worthless security tools can be proven to "work" if you look at the numbers.'"
What if.... by Anonymous Coward · 2010-09-08 01:37 · Score: 0

What would happen if Microsoft did what Apple did in bringing out OS X. What if they put out a new Windows OS built from scratch based on UNIX? What if security is their first focus and everything else branches from that, rather than security being patched in a non-secure environment? Also, what if they made their OS open source and allowed any IT expert to review and make suggestions to their source code? I live in a fantasy world though, none of the above would ever happen :/
1. Re:What if.... by Anonymous Coward · 2010-09-08 02:04 · Score: 0
  
  Perhaps in an alternate universe, where Gates is a real philanthropist, and not a self-proclaimed fake steered by his wive.
  Wait... I get this feeling that our universe, is the only one with MS Windows. Damn!
2. Re:What if.... by Alex+Belits · 2010-09-08 02:21 · Score: 1
  
  Microsoft core strategy is to develop a system that software can not be ported away from. If they will fix it, they will have to reuse other systems' interfaces, so they will lose the only advantage they have -- that once something is made for Windows it's a massive pain in the ass to port it anywhere else.
  Also Windows software developers would no longer be fucked in the head from internalizing insane Windows design, so they will be capable of developing software for other systems whenever they want. Microsoft can't allow this to happen.
  
  --
  Contrary to the popular belief, there indeed is no God.
3. Re:What if.... by jimicus · 2010-09-08 02:36 · Score: 1
  
  Well, the first thing that would happen is that virtually all Windows applications would have to be rewritten because a compatibility layer (like Apple did with Classic) would break most of what they'd be trying to achieve.
  The second thing that would happen is that Microsoft would be competing on a much more level playing field - the only thing keeping Windows in lots of small businesses is the applications running on Windows, if they go away then suddenly Apple and most Linux distributors would find it much easier to get taken seriously.
4. Re:What if.... by AHuxley · 2010-09-08 11:44 · Score: 1
  
  What would happen if Microsoft did what Apple did in bringing out OS X.
  A lot of nice people in tech support would be out of work?
  The NSA and GCHQ would have to do real work again :)
  
  --
  Domestic spying is now "Benign Information Gathering"
Security by obscurity is security by any other nam by Anonymous Coward · 2010-09-08 01:38 · Score: 0

The question here is really to coin the phrase "If you always did what you always did, you always get what you always got" So the major problem I see in my consultancy and security engineering is that middle and upper managers do not fully grasp security as a whole. They keep their eyes on a very smaller prize (CYA). If it is PCI, HIPAA or State Legislation the consensus I get is that "WE MUST BE COMPLIANT" the whole time not seeing the actual goal at hand "Protect and secure the data and network!"
What is more funny is the mindset that if the item is out of side it is out of mind because folks cannot grasp the concept of an outsider becoming an insider. "It wont happen to me, or Not on my watch" the whole time not realizing they are actually practicing the whole Security by Obscurity which they profess is the devil.
Next, they often ask in meetings why are we not going to be compliant? Well in short you knew that using application X was a problem 5 years ago, have there been any tests or efforts to either correct the application or migrate to a new platform ?? NO well if you always do what you always did how can you expect any other outcome then what you always get? It is like dropping a cat they always land on their feet if you do not change something in the way you drop the cat it will always land on its feet....Security is the cat!!!!
Slashdotted by Anonymous Coward · 2010-09-08 01:40 · Score: 1

See: the original blog entry
This one liner you learn must, Luke. by Anonymous Coward · 2010-09-08 01:56 · Score: 2, Insightful

Security is a process, not a product.
Every time, I mean *every damn time*, someone tells you only to buy this or that product to get more security, he/she is fooling you. Security is a process that needs knowledgeable people with the right tools and the right amount of time available, not just colorful boxes sold by well dressed salesmen. Unfortunately most execs still can't grasp that simple concept.
1. Re:This one liner you learn must, Luke. by funwithBSD · 2010-09-08 02:17 · Score: 1
  
  The only truly effective security product is a pair of wire clippers, applied generously.
  
  --
  Never answer an anonymous letter. - Yogi Berra
2. Re:This one liner you learn must, Luke. by nospam007 · 2010-09-08 03:28 · Score: 1
  
  I had a client who bought a sticker with an angel on it, which had to be placed on the computer to protect it from all viruses, ever!
  And it did cost only a couple of hundred bucks.
3. Re:This one liner you learn must, Luke. by Anne+Thwacks · 2010-09-08 06:07 · Score: 1
  
  Better value than Make-A-Fee then!
  
  --
  Sent from my ASR33 using ASCII
Springfield Bear Protection System by quetwo · 2010-09-08 02:06 · Score: 2, Insightful

Ever since we installed the Springfield Bear Protection System, there haven't been any bears in our neighborhood! It works great!
1. Re:Springfield Bear Protection System by PitaBred · 2010-09-08 03:49 · Score: 1
  
  Yeah? That's great. I've got some rocks that repel tigers if you're interested. Letting them go for well below cost.
  
  --
  My blog. Good stuff (when I remember to update it). Read it.
Software by Joebert · 2010-09-08 02:27 · Score: 1

I was just thinking the other day about how antivirus software has been the number one download at Download.com for years. I would think that if the woftware works, the download counts would go down.

--
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
extracting oil from snakes is difficult by Anonymous Coward · 2010-09-08 04:57 · Score: 0

not like it used to be, which was extremely difficult. which may be why providing 'security' for snake oil may have been challenging back then? people wanted it?
all the snake oil one might be able to consume would not serve as well as a glass of home made Kombucha, a strange brew that really IS good for you. wards off zombies etc....
Iraq comes to mind by Anonymous Coward · 2010-09-08 05:29 · Score: 0

The Republicans were quite successful with security theatre in 2002 and 2004. It has cost this nation over $1 trillion so far.
Or How I Learned To Stop Worrying And Love by Anonymous Coward · 2010-09-08 05:29 · Score: 0

The Evil One.
Yours In Moscow,
K. Trout
which evil do you turn to? by Mr.Fork · 2010-09-08 06:00 · Score: 1

I whole agree with the article in it's entirety. As a former CSO and retired military, most organizations don't take us seriously until you point out a few social engineering hack attempts. How I implemented security wasn't snake oil, as it was the design of the entire team IT. Our honey-pots were a great tool for finding out what hackers are after, but the 'paid' crackers are we were most scared of - not companies selling us fake products. It's up to IT staff to effectively evaluate any product or service to our organization, not some sleazy sales moron who's selling us fake stuff.

Lets face it - most companies can become complacent quite easily unless something happens to change their perception of IT security. For me, it was a simple and cheap $5000 test and the data I came up with scared the CEO and VP's out of pants. The article author also didn't mention that IT security is something ALL us IT geeks are continually thinking about... Just a thought.

--
Management is doing things right; leadership is doing the right things. - Peter F. Drucker