We Live In The Dark Ages of Internet Security, Says Kaspersky Labs CEO

An anonymous reader cites a report on TheMerkle: It is never a positive sign when one of the world's leading security firms mentions how the world is currently in the "Dark Ages" of computer security. That particular statement was made by Kaspersky Labs CEO Eugene Kaspersky during the NCSC One conference in The Hague. Enterprises and consumers need to step up their protection sooner rather than later, as the number of security threats keeps increasing. Update: 04/05 18:41 GMT by M :Reader Rob MacDonald has posted the following insightful comment (slightly edited for clarity and length): We're in the dark ages by design. We've allowed the alphabet agencies to compromise our security, at every level, including hardware. The one that doesn't have an exploit at shipping, gets intercepted and modified in transit. The encryption algorithms we've been using were compromised at such a level it took this long to see it.

Only if you force yourself to live in the dark.

That's only true if you force yourself to live in the dark.

If you don't want to, you can always use OpenBSD. If security is what you care about, then OpenBSD is your best choice. Its developers have proven time and time again that they put security first and foremost, and this has resulted in one of the most trustworthy operating systems to have ever have existed. Best of all, it's free and open source! There's really no reason not to use it, especially if you want and need security.

The one thing that I think really sets OpenBSD apart from its peers is that the OpenBSD team will go out of their way to secure software they didn't even write. They'll fork, fix, maintain and improve third-party software that doesn't meet their standards. LibreSSL is a superb example of this, but they've done it with other software in the past, too.

Nobody claims that OpenBSD is perfect, but it's as close as anyone is going to get today. As we become more and more aware of the risks that we face, it becomes clearer that OpenBSD is the operating system that's best poised to stand strong against these threats.

OpenBSD is where it's at. If you want to live in the dark, then by all means ignore OpenBSD. But if security is what matters to you, then OpenBSD is the light.

Before anyone says it....

[phishybongwaters]

Yes, they are Russian. Yes it's a fucking solid, quality, AV solution for enterprise. In fact, there's a shit load of functionality there that most people wouldn't expect from an AV solution. So yeah, when one of the world leaders in the industry says that, he's not talking out of his ass. The point not stated, at least in the summary, is the fact that we're in the dark ages BY DESIGN. We've allowed the alphabet agencies (not google you dolt) to compromise our security, at every level, including hardware. That which doesn't have an exploit at shipping, gets intercepted and modified in transit. The encryption algorithms we've been using were compromised at such a level it took this long to see it. TLS, SSL, sha. all compromised at the core. Jesus we can't even trust random number generators. We can't trust encryption based on primes as it's proven these can be broken if you have the hardware (they do) and the time (they do). Nothing short of a do over can fix this. The infrastructure is compromised, the undersea trunks are tapped, they can even decipher passwords and information from an AIR GAPPED COMPUTER. Seriously. I can't see a way out of this. Encryption for all!!!!! FBI much? Encryption is a joke when they've helped build the encryption system. We hae been pwnd from day 1.

Re:Before anyone says it....

[mlts]

I wouldn't say it was alphabet agencies.

The real culprit, in my experience, is the "security has no ROI" philosophy which has been part of many companies since 2000. When told by a previous manager that "a lock brings no money except to the lock maker", with the implications that security is, at best, an afterthought in product design.

Now combine that with the fact that so far, there have been no real consequences for security breaches. All a company has to do is tell the Windows admin to do a "dsquery user | dsmod user -mustchpwd yes", pay for the victims to have a year of LifeLock, toss some PR ads, and stock prices will be back to normal in 90 days or less, even for the most egregious breaches. Even regulations have no teeth. HIPAA is rarely used. The only person who went to jail by Sarbanes-Oxley law was someone fishing who went over their bag limit with grouper, and that use of the law got tossed overboard by SCOTUS. The only "regulation" that has any respect whatsoever is PCI-DSS3.x, and that is because Visa will pull merchant status.

It is common to criticize blaming the victim... but with security being an afterthought at best in many places, it is actually astounding that far more attacks have not happened.

How can this be fixed? Well, right now, there still isn't any interest or caring for the most part in general. It is going to take an event like GM's OnStar being compromised and disabling all vehicles during a hurricane evacuation, causing astounding casualties, before something actually will get done.

The ironic thing is that, of all places, security is where the TLAs are actually on the ball. NIST has a lot of security guidelines on their website, from basic stuff like killing the guest user, but there are a lot more useful and esoteric things as well (for example, using trustchk on AIX to keep unauthorized libraries from being loaded.)

From three directions ...

[gstoddart]

We're getting this stuff from three directions:

1) The manufacturers of products are lazy and incompetent, and carry no liability for that;
2) Organizations take short cuts from within, and don't realize just how vital security is;
3) Entities like the FBI want to undermine our security so they can be assured access to our stuff, while stupidly refusing to accept they're causing security to suck even more;

As long as these things keep happening, we basically live in a world where security is an afterthought, or too complicated, or something to be actively undermined to allow idiots to bypass it.

And all three of those combine to more or less ensure that having real security is almost impossible. Because no matter what the assholes who want to spy on us say, leaving it open for them also leaves it open for everyone else.

The people who claim to be protecting are as much fault for this as anybody else. Only they're too stupid to accept that the world doesn't recognize that only the good guys will bypass security when it's been built to have holes in it.

This is why we can't have nice things.

Yeah, do they remember the past?

[JMZero]

Does he remember the dance you had to do to install Windows 2000 on an unfiltered connection (if you didn't want it to be instantly owned)? You had to install completely disconnected, disable a bunch of services, and then try to connect and download patches as quickly as you could in order to get to a viable state. And everyone else's Windows computer you used had 9 layers of browser toolbars and adware and anti-anti-anti-adware that made their system effectively unusable?

I'm sure there's lots of security battles to come - maybe even a World War or two - but the real dark ages of security are in the past.

Re: Only if you force yourself to live in the dark

[cfalcon]

> OpenBSD cost me everything with its lackluster security.

Even your slashdot login! The humanity!