How Security Experts Are Protecting Their Own Data

Today the San Jose Mercury News asked several prominent security experts which security products they were actually using for their own data. An anonymous Slashdot reader writes: The EFF's chief technologist revealed that he doesn't run an anti-virus program, partly because he's using Linux, and partly because he feels anti-virus software creates a false sense of security. ("I don't like to get complacent and rely on it in any way...") He does regularly encrypt his e-mail, "but he doesn't recommend that average users scramble their email, because he thinks the encryption software is just too difficult to use."

The newspaper also interviewed security expert Eugene Spafford, who rarely updates the operating system on one of his computers -- because it's not connected to the internet -- and sometimes even accesses his files with a virtual machine, which he then deletes when he's done. His home router is equipped with a firewall device, and "he's developed some tools in his research center that he uses to try to detect security problems," according to the article. "There are some additional things I do," Spafford added, telling the reporter that "I'm not going to give details of all of them, because that doesn't help me."
Bruce Schneier had a similar answer. When the reporter asked how he protected his data, Schneier wouldn't tell them, adding "I'm kind of a target..."

AV only helps if you are bad

[AK+Marc]

The only times I've ever gotten a virus were when I had AV running. Without AV, I don't run anything that's untrusted. Worked out well so far.

Re:AV only helps if you are bad

[TheRaven64]

You got lucky. There are two problems with most Antivirus software:

Most of them still use system call interposition. They're vulnerable to a whole raft of time-of-check to time-of-use errors, so the only part that actually catches things is the binary signature checking, and that requires you to install updates more frequently than malware authors release new versions - it's a losing battle.

They run some quite buggy code in high privilege. In the last year, all of the major AV vendors have had security vulnerabilities. My favourite one was Norton, which had a buffer overflow in their kernel-mode scanner. Providing crafted data to it allowed an attacker to get kernel privilege (higher than administrator privilege on Windows). You could send someone an email containing an image attachment and compromise their system as long as their mail client downloaded the image, even if they didn't open it. It's hard to argue that software that allows that makes your computer more secure.

Re:AV only helps if you are bad

[mwvdlee]

Profit in a visible virus; very little.
Profit in a virus that acts as a slave in a botnet and monitors your computer usage; a lot more.

Re:Is he going for irony, here?

[Gr8Apes]

Then you're making an ignorant assumption.

Yes, you are.

Every other OS out there for server and end user use is more secure than Windows. Windows is flawed by design. Here's why: windows is built on top of an inverted security model that requires the process token to have all permissions required for every aspect of the program running, and then masks that token for child threads and processes. That means that any thread or child-process that has an exploit can automatically run at the highest security level of the process. Add to that the ability of almost any process to inject code into DLLs, and you see why pwning windows is almost trivial. I submit that windows will never be secure until they fix these 2 fundamental architectural mistakes.

Meanwhile, Linux, BSD, and other *nix OSes have a sane least permissions security where a token can be elevated upon authentication/authorization as needed. If a process manages to escape its code path via a buffer overflow, damage is limited to whatever permissions that thread has at that time. In *nix systems, that's usually very little. If you're still not convinced, try to modify a system library in *nix from your own program or some javascript in your browser via a drive by scenario. No fair using the Java plugin, as that shouldn't be installed on any browser.