Slashdot Mirror


We Live In The Dark Ages of Internet Security, Says Kaspersky Labs CEO

An anonymous reader cites a report on TheMerkle: It is never a positive sign when one of the world's leading security firms mentions how the world is currently in the "Dark Ages" of computer security. That particular statement was made by Kaspersky Labs CEO Eugene Kaspersky during the NCSC One conference in The Hague. Enterprises and consumers need to step up their protection sooner rather than later, as the number of security threats keeps increasing. Update: 04/05 18:41 GMT by M: Reader Rob MacDonald has posted the following insightful comment (slightly edited for clarity and length): We're in the dark ages by design. We've allowed the alphabet agencies to compromise our security, at every level, including hardware. The one that doesn't have an exploit at shipping, gets intercepted and modified in transit. The encryption algorithms we've been using were compromised at such a level it took this long to see it.

14 of 83 comments

  1. Only if you force yourself to live in the dark. by Anonymous Coward · · Score: 4, Informative

    That's only true if you force yourself to live in the dark.

    If you don't want to, you can always use OpenBSD. If security is what you care about, then OpenBSD is your best choice. Its developers have proven time and time again that they put security first and foremost, and this has resulted in one of the most trustworthy operating systems to have ever have existed. Best of all, it's free and open source! There's really no reason not to use it, especially if you want and need security.

    The one thing that I think really sets OpenBSD apart from its peers is that the OpenBSD team will go out of their way to secure software they didn't even write. They'll fork, fix, maintain and improve third-party software that doesn't meet their standards. LibreSSL is a superb example of this, but they've done it with other software in the past, too.

    Nobody claims that OpenBSD is perfect, but it's as close as anyone is going to get today. As we become more and more aware of the risks that we face, it becomes clearer that OpenBSD is the operating system that's best poised to stand strong against these threats.

    OpenBSD is where it's at. If you want to live in the dark, then by all means ignore OpenBSD. But if security is what matters to you, then OpenBSD is the light.

    1. Re:Only if you force yourself to live in the dark. by Anonymous Coward · · Score: 2, Insightful

      BULLSHIT

      An operating system is as secure as its administrator makes it. OpenBSD with its inferior performance due to lack of tuning (stop blaming it on "being more secure" because that's a straight up lie,) lack of a reliable modern filesystem (good grief, port ZFS already...oh wait, you can't because it's almost literally impossible...THANKS THEO,) and a project "leader" who is actually an impossible to work with asshole who thinks he knows everything and knows better than everybody else what his little operating system needs.

      And don't even get me started on how fucking hard it is to install and run even the most common software in that bastardized environment, which was made that way by a bunch of change "for the sake of security" that was in reality change for the sake of change. If you don't know what I'm on about then you've never gone through the experience of trying to set up apache, pgsql, and a CMS of any complexity. The fight to compile is only the first of many battles that don't need to be fought on any other OS.

      So, I repeat. An operating system is as secure as its admins make it, and a competent admin can mitigate the security risks of any OS, even Windows.

  2. Before anyone says it.... by phishybongwaters · · Score: 5, Insightful

    Yes, they are Russian. Yes, it's a fucking solid, quality, AV solution for enterprise. In fact, there's a shit load of functionality there that most people wouldn't expect from an AV solution. So yeah, when one of the world leaders in the industry says that, he's not talking out of his ass. The point not stated, at least in the summary, is the fact that we're in the dark ages BY DESIGN. We've allowed the alphabet agencies (not google you dolt) to compromise our security, at every level, including hardware. That which doesn't have an exploit at shipping, gets intercepted and modified in transit. The encryption algorithms we've been using were compromised at such a level it took this long to see it. TLS, SSL, SHA. All compromised at the core. Jesus we can't even trust random number generators. We can't trust encryption based on primes as it's proven these can be broken if you have the hardware (they do) and the time (they do). Nothing short of a do over can fix this. The infrastructure is compromised, the undersea trunks are tapped, they can even decipher passwords and information from an AIR GAPPED COMPUTER. Seriously. I can't see a way out of this. Encryption for all!!!!! FBI much? Encryption is a joke when they've helped build the encryption system. We have been pwnd from day 1.

    1. Re:Before anyone says it.... by mlts · · Score: 5, Insightful

      I wouldn't say it was alphabet agencies.

      The real culprit, in my experience, is the "security has no ROI" philosophy which has been part of many companies since 2000. I was once told by a previous manager that "a lock brings no money except to the lock maker", with the implications that security is, at best, an afterthought in product design.

      Now combine that with the fact that so far, there have been no real consequences for security breaches. All a company has to do is tell the Windows admin to do a "dsquery user | dsmod user -mustchpwd yes", pay for the victims to have a year of LifeLock, toss some PR ads, and stock prices will be back to normal in 90 days or less, even for the most egregious breaches. Even regulations have no teeth. HIPAA is rarely used. The only person who went to jail by Sarbanes-Oxley law was someone fishing who went over their bag limit with grouper, and that use of the law got tossed overboard by SCOTUS. The only "regulation" that has any respect whatsoever is PCI-DSS 3.x, and that is because Visa will pull merchant status.

      It is common to criticize blaming the victim... but with security being an afterthought at best in many places, it is actually astounding that far more attacks have not happened.

      How can this be fixed? Well, right now, there still isn't any interest or caring for the most part in general. It is going to take an event like GM's OnStar being compromised and disabling all vehicles during a hurricane evacuation, causing astounding casualties, before something actually will get done.

      The ironic thing is that, of all places, security is where the TLAs are actually on the ball. NIST has a lot of security guidelines on their website, from basic stuff like killing the guest user, but there are a lot more useful and esoteric things as well (for example, using trustchk on AIX to keep unauthorized libraries from being loaded.)

    2. Re:Before anyone says it.... by Tom · · Score: 2

      > with the implications that security is, at best, an afterthought in product design.

      And that, exactly, is the reason everything is going to shit (and has been doing so for 30+ years).

      If you would design security into your product, not afterwards as a fix, but from the very beginning, from the first stroke on the drawing board, the whole thing would be twice as good and five times less expensive and you could integrate it into your normal design and implementation workflows.

      As it is, you pay a shitload of money to people like me so we tell you afterwards where and how much you've fucked up and then you pay a shitload more to your developers to patch it. And usually you do it after some bad press has already hit you in the face.

      on the other side:

      > The only person who went to jail by Sarbanes-Oxley law

      yes, but SOX had big corporations scared shitless and if the big consulting companies wouldn't have seen $$$ and turned a simple thing into this monster that brings them a neverending supply of income because you need to hire one of them to implement this impossibly convoluted "standard" to be compliant (where the standard is written by those same guys, and the actual law is so much more easy to comply with - been there, done that) - well, if that consulting money-grab hadn't happened, SOX could have brought so much security into corporations, because for the first time upper management actually was accountable, and if they don't understand security, they do understand accountability.

      --
      Assorted stuff I do sometimes: Lemuria.org
  3. From three directions ... by gstoddart · · Score: 4, Interesting

    We're getting this stuff from three directions:

    1) The manufacturers of products are lazy and incompetent, and carry no liability for that;
    2) Organizations take short cuts from within, and don't realize just how vital security is;
    3) Entities like the FBI want to undermine our security so they can be assured access to our stuff, while stupidly refusing to accept they're causing security to suck even more;

    As long as these things keep happening, we basically live in a world where security is an afterthought, or too complicated, or something to be actively undermined to allow idiots to bypass it.

    And all three of those combine to more or less ensure that having real security is almost impossible. Because no matter what the assholes who want to spy on us say, leaving it open for them also leaves it open for everyone else.

    The people who claim to be protecting us are as much at fault for this as anybody else. Only they're too stupid to accept that the world doesn't recognize that only the good guys will bypass security when it's been built to have holes in it.

    This is why we can't have nice things.

    --
    Lost at C:>. Found at C.
  4. Yeah, do they remember the past? by JMZero · · Score: 5, Informative

    Does he remember the dance you had to do to install Windows 2000 on an unfiltered connection (if you didn't want it to be instantly owned)? You had to install completely disconnected, disable a bunch of services, and then try to connect and download patches as quickly as you could in order to get to a viable state. And everyone else's Windows computer you used had 9 layers of browser toolbars and adware and anti-anti-anti-adware that made their system effectively unusable?

    I'm sure there's lots of security battles to come - maybe even a World War or two - but the real dark ages of security are in the past.

    --
    Let's not stir that bag of worms...
    1. Re:Yeah, do they remember the past? by Tom · · Score: 2

      > Well, that's the point - there's bigger stakes now, and the actors are more significant using more sophisticated tools.

      No, you missed the entire point.

      When we were up against script kiddies, we would start with a system in a secured and defined state. Our task as security people was to keep it in that state.

      Now that we're up against our own governments fucking us over, the system you freshly unpacked from its box is already compromised. You don't know how and by whom (plural, you also don't know how many), and you need to bring it into a secured and defined state that you do not know how to verify because you don't have a defined clear baseline.

      That's a different game.

      --
      Assorted stuff I do sometimes: Lemuria.org
  5. more like the dark ages of refusal to learn. by Anonymous Coward · · Score: 2, Interesting

    I've had a PC on the internet since the early-mid 1990's, and so far have had precisely zero security problems with this.

    But then, I don't do a bunch of stupid shit, either. I don't let random web sites run javascript. I don't run "HotBabe.jpg.exe". In fact, I've never even run Windows on an internet connected computer, due to the security clusterfuck of that ecosystem. If I ever want to do something that could potentially be risky, I'll use a VM jail. And to more modern issues, I won't let IoT devices have the run of my internal network.

    Net result? Zero security issues, zero loss of data, zero malware, zero ransomware. The people I see with weekly or monthly malware infestations are the ones absolutely refusing to learn. Even after the 20th time they do Stupid Thing X and get infected yet again, that doesn't seem to stop them from doing the very same thing again next week. Yet they act bewildered about what could have happened.

    I'm not the only person I know who has had zero problems with internet security. Far from it. If you have one population that has constant problems, and another that has none, maybe just maybe the population having all the problems should ask themselves, "What are we doing wrong, that those other guys are not? Why are we having so many problems, and those guys are not having any problems at all? What should we be learning?"

    Have there been real security flaws? Sure... but that's like 0.001% of the problem. The vast majority of the problem is people's own behavior.

    1. Re:more like the dark ages of refusal to learn. by jenningsthecat · · Score: 2

      > I've had a PC on the internet since the early-mid 1990's, and so far have had precisely zero security problems with this... But then, I don't do a bunch of stupid shit, either.

      Sure. But do you have credit cards and/or bank accounts? Medical records? Employment records? A social security number? It's great that your own personal hardware and software are housed in a citadel of common sense and best practices bolstered by specialized knowledge probably not attainable by Joe and Jane Average; but what about your personal data, out there in the hands of people who don't know and/or don't care about security?

      > The people I see with weekly or monthly malware infestations are the ones absolutely refusing to learn. Even after the 20th time they do Stupid Thing X and get infected yet again, that doesn't seem to stop them from doing the very same thing again next week. Yet they act bewildered about what could have happened.

      Too true. And in the physical world we have pressure, and sometimes laws, to get vaccinated against communicable diseases. We also enforce driver education and licensing. So as distasteful and problematic as I find the concept, maybe we need to seriously look at the suggestion made by some pariahs that we require testing and licensure before using the web. Then again, how can we effectively police it? 'Cause at that point we're back to square one, security-wise.

      > If you have one population that has constant problems, and another that has none, maybe just maybe the population having all the problems should ask themselves, "What are we doing wrong, that those other guys are not? Why are we having so many problems, and those guys are not having any problems at all? What should we be learning?"

      The 'population with problems' should wise up, but most of them probably won't, ever. In the absence of their enlightened and disciplined involvement, how do you suggest we proceed?

      --
      'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  6. Living in the dark by fustakrakich · · Score: 2

    And Kaspersky's use of an adware site (softonic.com) to download their software is not helping any.

    --
    “He’s not deformed, he’s just drunk!”
  7. Re: Only if you force yourself to live in the dark by cfalcon · · Score: 3, Funny

    > OpenBSD cost me everything with its lackluster security.

    Even your slashdot login! The humanity!

  8. Also the invisible hand... by Ungrounded+Lightning · · Score: 2

    > The manufacturers of products are lazy and incompetent, and carry no liability for that;

    It's worse than that.

    The manufacturers are in a race to get new products and features to market. First through the window collects the customer base and market share. First three or so through the window slam it and everyone behind them crashes and burns. (For a startup that's IT. Go find more money and do another one - and have the same pathology.)

    So doing things securely (which is hard and time consuming) means you miss the window. Thus only insecure stuff makes it to market. Maybe they fix it later, once they're established. Usually not, though. That's when you get the big breaches when somebody finds the holes.

    The invisible hand has slapped down the players who tried to do it "right" - and thus did it too late.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  9. Re:not surprising by Tom · · Score: 2

    I expected about that, but it turns out the guy said something smarter than I had thought.

    Yes, the problem very much is that when you buy a device today, you don't know anymore who has backdoors to it already, before it's even in your hands.

    That is a very real and very serious problem, and it makes pretty much everything you do afterwards, including buying his products, completely pointless.

    --
    Assorted stuff I do sometimes: Lemuria.org