Why "Designed For Security" Is a Dubious Designation
itwbennett writes The list of products designed to be security enhanced that turned out to be anything but seems to get longer by the day. In just the latest instance, reported by Wired last week, the crowd-funded privacy-enhancing home router Anonabox had to be recalled after an independent researcher discovered serious security flaws in the product. But security experts caution that the real problem may be bigger than vulnerabilities hidden in application code: "Designed for security products don't just have to be good. They have to be beyond reproach," explains John Dickson, a Principal at the Denim Group. "All it takes is one guy with a grudge to undo you."
OpenBSD proves the claim to be wrong.
Just Do It
Despite a few discovered problems over the years, for the most part, OpenBSD's security reputation holds up quite well, especially in comparison with other projects and products, open and proprietary.
You promise something, you don't deliver, what do you expect to happen?
At least Linus says he's not going to warranty his shit fit for anything.
Security is the possibility to not do something.
The phrase "designed for" is irrelevant. It does not matter what something is "designed for". The important part is the implementation. "Designed for security" is not the same as "secure".
So, you are the Republicans hate us troll. Thank you for outing yourself, now you can receive justified scorn.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Did I argue anything? I am confused.
No I don't believe anyone hates "us", but projecting hatred specifically on Republicans when the Democrats are just as guilty is very naive. It just shows your partisan blindness on the issue.
http://en.wikipedia.org/wiki/P...
Take a look at everyone who voted for it in 2001 and renewed it in 2011. Are they all Republicans? Then it isn't just Republicans that are against privacy.
Greenwow posts as themself fairly regularly.
Systems submitted for evaluation under TCSEC B2 and better had to be designed for security - layering, TCB minimization, ... were all mandated in addition to support for trusted MAC functionality. When I am designing for "SECURITY" I want to simplify the critical protocols so that they can be described by a state machine and then implement them in silicon.
I've found that the more you tout that you have good security, the more recreational hackers come out of the woodwork who would otherwise have no interest in your product other than you make it sound like a challenge. If you want good security, do your encryption, do your trip wires, keep important stuff server side, etc etc, but don't brag about it. Bragging about security on the Internet is like putting on a white karate outfit with a black belt and strutting all around the low income parts of town. Maybe you are secure in your components or you're not, but don't go looking for people to try and break you.
God spoke to me
SRW Iron https://www.srware.net/en/soft... is touted to be a secure browser [Warning: Demands Java after install]. I don't think it is.
In fact, playing around with FF shows that the problem isn't the browser, but the reliance on 3rd party cookies as 1 example of the way websites are constructed.
If you load FF's Lightbeam and check all the 3rd party sites, block access to them, they often stop the parent website from operating properly or at all. Typically, Google and most banking sites won't work without 3rd party links or cookies.
Then there are routers that claim security but are still running buggy old firmware. AV software like Bitdefender also has issues. AV software still refuses to scan for PUPs, browser addons and other malware that the UAC allows! I mean if you download an app, UAC asks for permission which you give for that instance, but it automatically gives permissions for all the other installs that come with the package. Why?
I reckon half of the security issues can be fixed if some clever plug-ins, better AV database and a trusted installer with UAC can be done. E.g. spoofing 3rd party links and cookies within the browser.
I went here http://alcpu.com/CoreTemp/ and downloaded the app a few days ago. It installed on Vista and a Win 7 machine (with MS Defender) I was building. The payload installed as well (Trovi) - I wasn't paying attention btw but the 2nd time I installed it on a Vista machine I had an option of opting out. As a test, I installed it on another Win 7 box with an updated Kaspersky. It installed (without the payload or opt out!) and when I checked the reports, there was no log or trace that there was any payload at all. Weird, but my respect for Kaspersky has increased and/or the UAC was working properly.
We all talk about security but there are fundamental, easily fixable things we can do right now. I don't think that this has to do with the OS as most of these issues are external.
Don't be apathetic. Procrastinate!
The biggest security hole lies between chair and the keyboard.
It's not that it was based on a pre-existing product that was the problem - even though that was one of the major things pointed out and they were implying they designed the device itself (for no apparent reason; i.e. they weren't claiming that they were giving it a new name because of some ethical reasons, like promoting another company, which was otherwise producing poorly designed products, or unethical products).
The product was never going to be secure because the device's code was not available. It could never be totally free software friendly as the hardware (the chips it used) was dependent on non-free software. Without those pieces the device doesn't work.
Before you even begin talking about security you need the ability to be able to fix the security-related bugs. That's not happening when you're not even in control of it. It's the same reason anti-virus software is fraudulent. Anti-virus companies can't fix the bugs because they don't have the code to fix it. All anti-virus does is camouflage the fact you can't do anything about the poor security of the software you use.
is how I assume all hackers (regardless of hat color) would read "Designed for Security."
Here's what works in most practical systems with a little effort:
- Threat model. Sequence diagram of all external communication between all servers and clients. Apply STRIDE analysis. Maybe take a step back to see if you can simplify the workflow.
- Assurance model. State diagram of system. Capture success and error states. Unit tests for each case.
Add to that third party oversight:
- Static analysis tools.
- Third party verification.
I assume you're not developing mission critical systems that control functions in a nuclear power station, or even a car breaking system. Rather you're looking at consumer or enterprise level systems that involve some confidential, and possibly credit card information. Short deadlines and budget constraints mean you can't spend forever coming up with a solid specification or even do extensive analysis.
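As an added example (not code from any commenter in this thread), here is what the "assurance model" step above looks like in practice: a two-step username/password login written as an explicit state machine, where every success and error state from the diagram is a named value, an event that has no transition in the current state fails closed, and a `run` helper replays an event sequence so each transition can be unit-tested. The credentials, the three-attempt lockout policy and the state names are constructed for illustration; the unknown-username handling and constant-time comparison are the kind of decisions the threat-model step (STRIDE: information disclosure) would feed into the design.

```python
"""Login workflow as an explicit state machine with named error states.

Added illustration; the protocol, policy and sample data are constructed,
not taken from any real product.
"""
import hmac
from enum import Enum, auto

MAX_FAILED_ATTEMPTS = 3  # assumed lockout policy for the illustration

# Constructed sample data: username -> password bytes.
SAMPLE_CREDENTIALS = {"alice": b"correct horse battery staple"}


class State(Enum):
    IDLE = auto()               # no login in progress
    AWAITING_PASSWORD = auto()  # username received, password not yet checked
    AUTHENTICATED = auto()      # success state
    REJECTED = auto()           # error state: wrong password, retry allowed
    LOCKED = auto()             # error state: too many failures for this user


class ProtocolError(Exception):
    """An event arrived in a state that has no transition for it."""


class LoginMachine:
    def __init__(self, credentials):
        self._credentials = credentials
        self._failures = {}        # username -> consecutive failed attempts
        self._pending_user = None
        self.state = State.IDLE

    def _require(self, expected):
        # Fail closed: no state change on an out-of-order event.
        if self.state is not expected:
            raise ProtocolError(f"event not allowed in {self.state.name}")

    def submit_username(self, username):
        self._require(State.IDLE)
        if self._failures.get(username, 0) >= MAX_FAILED_ATTEMPTS:
            self.state = State.LOCKED
        else:
            # Unknown usernames are accepted here and only fail at the
            # password step, so the response does not reveal which
            # accounts exist (STRIDE: information disclosure).
            self._pending_user = username
            self.state = State.AWAITING_PASSWORD
        return self.state

    def submit_password(self, password):
        self._require(State.AWAITING_PASSWORD)
        user = self._pending_user
        # Always run the comparison, against a dummy secret for unknown
        # users, so the code path and its timing do not depend on whether
        # the account exists.
        stored = self._credentials.get(user, b"\x00" * 32)
        matched = hmac.compare_digest(stored, password)
        if matched and user in self._credentials:
            self._failures.pop(user, None)
            self.state = State.AUTHENTICATED
        else:
            self._failures[user] = self._failures.get(user, 0) + 1
            self.state = (State.LOCKED
                          if self._failures[user] >= MAX_FAILED_ATTEMPTS
                          else State.REJECTED)
        self._pending_user = None
        return self.state

    def reset(self):
        """REJECTED or LOCKED -> IDLE: the only way out of an error state."""
        if self.state not in (State.REJECTED, State.LOCKED):
            raise ProtocolError(f"reset not allowed in {self.state.name}")
        self.state = State.IDLE
        return self.state


def run(events, credentials=None):
    """Drive a fresh machine through (event, argument) pairs and return the
    state reached after each one; a refused event is recorded as 'ERROR'."""
    machine = LoginMachine(credentials or SAMPLE_CREDENTIALS)
    handlers = {
        "username": machine.submit_username,
        "password": machine.submit_password,
        "reset": lambda _arg: machine.reset(),
    }
    trace = []
    for event, arg in events:
        try:
            handlers[event](arg)
            trace.append(machine.state.name)
        except ProtocolError:
            trace.append("ERROR")
    return trace


if __name__ == "__main__":
    print(run([("username", "alice"), ("password", b"wrong")] * 1))
    print(run([("password", b"wrong")]))  # password before username
```

Each transition in the diagram maps to one `run` call in a unit test: the happy path, the wrong-password retry, the third failure landing in LOCKED, the locked user being refused at the username step, and out-of-order events being rejected without changing state.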
All it takes is one guy with a grudge to undo you.
Exactly. Just like when Larry Ellison said that there weren't any holes in Oracle....
All the buzzwords in the world won't help you if the code sucks.
Time and time again experience has proven that security starts with correctly implemented, well-written, reusable software. Excessive focus on modeling the overall architecture, or even the components, is part of the _cause_ of insecure software.
We need to learn to get our priorities straight.
Your examples of nuclear control systems and car breaking systems only show how horrible the system is. Toyota's breaking system suffered from a stack overflow. And industrial control software is hardly the epitome of secure. Showing reliability and consistency in a controlled environment gives absolutely no assurances whatsoever when hackers are able to tickle bugs.
STRIDE and similar systems are merely work products for project managers. And just because you have unit tests doesn't mean the software works. Well written software will be easy to unit test, but poorly written software can also be unit tested--it's just that poorly written software is better at hiding bugs from the tests.
To the best of my knowledge, there is one single "software" developed to be secure today, and that is OpenBSD.
Everything else, and I do mean everything literally, has gotten "security" tacked on later in the process (yes, obviously Windows is there too).
"Designed for security products don't just have to be good. They have to be beyond reproach" Bullshit. The term is used to designate that at least some minimal amount of effort was used to make the program secure, but not only is a perfect unhackable program impossible but you also get what you pay for. No one expects the $29.99 piece of software with that label to magically have better security than the DoD.
Troll is not a replacement for I disagree.
Hey I've got some "organic", "natural flavoring", ... oh, and don't forget your "diet" soda with aspartame to keep you an addicted junkie...
OH, and for bonus I bet you'll love some "internet freedom" laws... don't forget the "right to work"!
Security product (firewall, anti-malware software, anonymizing router) != secure product
it all depends on the quality of the implementation: code and configuration
I was just embroiled in a dispute with someone who is selling security related software that refuses to address key issues with their security model. I think the situation is probably similar here, software engineers that have the best of intentions but simply lack the expertise to properly execute. Most programmers are engineers who are perfectly capable of building out a working system. However, when it comes to security related software, it's not good enough for something to just work, you have to be able to have a deep understanding of how every component interacts with the larger system.
Is there anything better than clicking through Microsoft ads on Slashdot?
The list of products designed to be security enhanced that turned out to be anything but seems to get longer by the day.
It took me about four tries to parse that one properly.
Designed for security products don't just have to be good
That one could've used some quote marks too.
Captain Pedantic, away!
That is to say: I am Captain Pedantic (metaphorically speaking) and I will now go away.
systemd is Roko's Basilisk.
As an engineer doing security related products, it is never about our ability. It is unrealistic timelines and priorities.
I have true stories. It is all about fooling the customer (imagine them as a white fat middle aged PHB). They never have the time to do true evaluation. If there is some encryption somewhere somewhat relevant, they are ok with that. And their engineers usually don't care either. I can hack into our devices without problem (and as an example, pull out a whole nation's biometric database of its citizens).
Well our boss got a Lamborghini (really!) for that project, we engineers got a month's salary as bonus. Life goes on. Next project. Next PHB.
or even a car breaking system.
Can we now also blame car burglaries on security experts? Awesome.
None of this means anything if you don't know what you are doing though.
I have worked 10 years developing secure software that actually is secure and I have also worked as a security auditor. Most people just know shit about writing secure code, creating a threat model and so on. Most companies that do security audits are horrible as well, they more or less grep through your code for strcpy and such and that's it. Or they just note what libraries you use and google for vulnerabilities for those and say that you are vulnerable.
Doing an audit is more than looking at the source, about 50 % of the security problems lie in the design rather than errors in the code. Those are really hard to find, because you really do have to understand the design and why it was designed as it was in the first place.
The security industry is full of people trying to make a quick buck due to the NSA scare.
Also, designed to be secure is such a broad statement. An application can be designed to solve one security problem, but it becomes useless because it ignored several other aspects of security because the creator didn't understand the scope of the problem, the attack surface or even what problem s/he was actually trying to solve.
I have yet to audit the software where no security problems exist.
The default login for Windows 8.1 is your Microsoft email / cloud account and password. So anyone watching you type in your password has access to your cloud account.
I don't understand why Microsoft is not given more flack for this decision.
Your alternatives are to not use their cloud, or use a 4 digit PIN or a series of screen swipes, but they don't support a local password. If you understand how to set it up, you can supplement the PIN/swipe with a USB key, but it is not a visible user option and you have to understand what you're doing.
Expecting any software to be "beyond reproach" is completely unrealistic. All software has bugs; some of them will be exploitable.
I do not fail; I succeed at finding out what does not work.
You need both.
About 50 % of security issues stem from bugs in the code and the other 50 % are design flaws. The issues from bugs might be found during a code review, but most reviews do not review the design of the software.
And you don't have unit tests to prove that the code is correct, for all you know the tests might actually be buggy, tests are software as well. You have the tests to prove that changes don't change anything that worked before.