Slashdot Mirror


How Security Experts Are Protecting Their Own Data (siliconvalley.com)

Today the San Jose Mercury News asked several prominent security experts which security products they were actually using for their own data. An anonymous Slashdot reader writes: The EFF's chief technologist revealed that he doesn't run an anti-virus program, partly because he's using Linux, and partly because he feels anti-virus software creates a false sense of security. ("I don't like to get complacent and rely on it in any way...") He does regularly encrypt his e-mail, "but he doesn't recommend that average users scramble their email, because he thinks the encryption software is just too difficult to use."

The newspaper also interviewed security expert Eugene Spafford, who rarely updates the operating system on one of his computers -- because it's not connected to the internet -- and sometimes even accesses his files with a virtual machine, which he then deletes when he's done. His home router is equipped with a firewall device, and "he's developed some tools in his research center that he uses to try to detect security problems," according to the article. "There are some additional things I do," Spafford added, telling the reporter that "I'm not going to give details of all of them, because that doesn't help me."

Bruce Schneier had a similar answer. When the reporter asked how he protected his data, Schneier wouldn't tell them, adding "I'm kind of a target..."

8 of 217 comments

  1. AV only helps if you are bad by AK+Marc · Score: 5, Interesting

    The only times I've ever gotten a virus were when I had AV running. Without AV, I don't run anything that's untrusted. Worked out well so far.

    1. Re:AV only helps if you are bad by Anonymous Coward · Score: 2, Interesting

      You don't run AV therefore you've never had a virus? The force is strong with this one.

    2. Re:AV only helps if you are bad by TheRaven64 · Score: 5, Interesting

      You got lucky. There are two problems with most antivirus software:

      Most of them still use system call interposition. They're vulnerable to a whole raft of time-of-check to time-of-use errors, so the only part that actually catches things is the binary signature checking, and that requires you to install updates more frequently than malware authors release new versions - it's a losing battle.

      They run some quite buggy code in high privilege. In the last year, all of the major AV vendors have had security vulnerabilities. My favourite one was Norton, which had a buffer overflow in their kernel-mode scanner. Providing crafted data to it allowed an attacker to get kernel privilege (higher than administrator privilege on Windows). You could send someone an email containing an image attachment and compromise their system as long as their mail client downloaded the image, even if they didn't open it. It's hard to argue that software that allows that makes your computer more secure.

      --
      I am TheRaven on Soylent News

    3. Re:AV only helps if you are bad by mwvdlee · Score: 4, Interesting

      Profit in a visible virus: very little.
      Profit in a virus that acts as a slave in a botnet and monitors your computer usage: a lot more.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?

  2. I don't run AV and I tell people I don't run AV by Anonymous Coward · Score: 3, Interesting

    ...but I still install AV on every single system which I set up for other people, and I recommend that they keep using AV. Why? Because it would be considered negligent to omit it. If they get infected, which they inevitably do, then not installing AV would put me in an indefensible position. Asking a professional how they protect their data is a useless endeavor. It doesn't teach you how to keep your data secure, because you don't know all the other things they know which stop them from doing stupid things.

  3. Re:Is he going for irony, here? by tburkhol · Score: 3, Interesting

    These security experts wouldn't recommend it, but they're relying on security through obscurity.

    They wouldn't recommend that obscurity be your only security, but I think they would all agree that obscurity can be a useful component of a comprehensive security plan.

    For example, if you run a web server, everyone knows it. Controlling the server signature to not obscure the specific version or modules that server runs means an attacker can not target known version-specific vulnerabilities, but has to try a bunch of them. This gives the server the opportunity to detect multiple exploit attempts and ban the source (or whatever). Using unpopular/obscure software, like nginx or lighttpd instead of Apache/IIS, may also reduce the attack profile (i.e., worms or script kiddies), while being less intrinsically secure.

  4. Security isn't hard by LichtSpektren · Score: 3, Interesting

    For your average workstation, the easy way to lock it down is by examining all of the vectors that malware can take. From there it's usually simple.

    Probably about 95% of malware comes through malicious websites. Solution: use tools like NoScript and an adblocker. Also use SELinux/AppArmor/grsecurity etc. to make sure that whatever slips by cannot do anything that your browser doesn't have permission to do. If you want to be really safe, only run your browser in a virtual machine (this is the premise of Qubes OS, by the way).

    Also apply SELinux (or whatever you're using) to any programs that have listening Internet ports, like SSH and CUPS.

    If you use a local email client instead of webmail, don't be dumb and allow your client to auto-execute JavaScript or attachments in emails. Also, don't be dumb and mount random people's portable drives without some precautions.
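
As an added example that is not from the thread or the article: a small shell check for the "apply SELinux/AppArmor to any program with a listening port" step above. It walks `ss -tlnp`, reads each listener's `/proc/<pid>/attr/current` label and reports whether the process is confined; it assumes a Linux host with iproute2 and procfs, and the embedded `ss` line is constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Reports, per TCP listener, whether the
# owning process runs under an AppArmor or SELinux confinement.

# Constructed sample of one `ss -tlnp` output line (not captured from a real host).
SAMPLE_SSHD_LINE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=913,fd=3))'

# Classify a /proc/<pid>/attr/current label.
#   AppArmor: "unconfined", "/usr/sbin/cupsd (enforce)", "/usr/sbin/cupsd (complain)"
#   SELinux:  "system_u:system_r:sshd_t:s0"; a *_unconfined_t domain is not real confinement
classify_label() {
    case "$1" in
        "" )               echo unknown ;;     # label unreadable or no LSM loaded
        unconfined* )      echo unconfined ;;  # AppArmor unconfined / SELinux unconfined_u
        *unconfined_t* )   echo unconfined ;;  # SELinux unconfined domain
        *"(complain)"* )   echo complain ;;    # AppArmor profile present but only logging
        *"(enforce)"* )    echo confined ;;    # AppArmor enforcing profile
        *:*:*:* )          echo confined ;;    # SELinux user:role:type:level context
        * )                echo unknown ;;
    esac
}

# Extract the owning PID from one `ss -tlnp` line; prints nothing for the header.
pid_from_ss_line() {
    printf '%s\n' "$1" | sed -n 's/.*pid=\([0-9][0-9]*\).*/\1/p'
}

# Local address:port is the 4th column of `ss -tlnp` output.
addr_from_ss_line() {
    printf '%s\n' "$1" | awk '{print $4}'
}

# Walk the live listener list and print "address pid classification" per socket.
report_listeners() {
    ss -tlnp 2>/dev/null | tail -n +2 | while IFS= read -r line; do
        addr=$(addr_from_ss_line "$line")
        pid=$(pid_from_ss_line "$line")
        if [ -z "$pid" ]; then
            printf '%-24s pid=?      unknown\n' "$addr"
            continue
        fi
        label=$(cat "/proc/$pid/attr/current" 2>/dev/null | tr -d '\0')
        printf '%-24s pid=%-6s %s\n' "$addr" "$pid" "$(classify_label "$label")"
    done
}

if [ "${1:-}" = "--report" ]; then
    report_listeners
fi
```

Run it as `sh check_listeners.sh --report` (assumed file name) as root so every `/proc/<pid>/attr/current` is readable; any line marked `unconfined` or `complain` is a service the post's advice says still needs a profile.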

  5. Re:Is he going for irony, here? by Gr8Apes · Score: 5, Interesting

    Then you're making an ignorant assumption.

    Yes, you are.

    Every other OS out there for server and end user use is more secure than Windows. Windows is flawed by design. Here's why: Windows is built on top of an inverted security model that requires the process token to have all permissions required for every aspect of the program running, and then masks that token for child threads and processes. That means that any thread or child process that has an exploit can automatically run at the highest security level of the process. Add to that the ability of almost any process to inject code into DLLs, and you see why pwning Windows is almost trivial. I submit that Windows will never be secure until they fix these 2 fundamental architectural mistakes.

    Meanwhile, Linux, BSD, and other *nix OSes have a sane least-permissions security where a token can be elevated upon authentication/authorization as needed. If a process manages to escape its code path via a buffer overflow, damage is limited to whatever permissions that thread has at that time. In *nix systems, that's usually very little. If you're still not convinced, try to modify a system library in *nix from your own program or some JavaScript in your browser via a drive-by scenario. No fair using the Java plugin, as that shouldn't be installed on any browser.

    --
    The cesspool just got a check and balance.