How Security Experts Are Protecting Their Own Data (siliconvalley.com)
Today the San Jose Mercury News asked several prominent security experts which security products they were actually using for their own data. An anonymous Slashdot reader writes:
The EFF's chief technologist revealed that he doesn't run an anti-virus program, partly because he's using Linux, and partly because he feels anti-virus software creates a false sense of security. ("I don't like to get complacent and rely on it in any way...") He does regularly encrypt his e-mail, "but he doesn't recommend that average users scramble their email, because he thinks the encryption software is just too difficult to use."
The newspaper also interviewed security expert Eugene Spafford, who rarely updates the operating system on one of his computers -- because it's not connected to the internet -- and sometimes even accesses his files with a virtual machine, which he then deletes when he's done. His home router is equipped with a firewall device, and "he's developed some tools in his research center that he uses to try to detect security problems," according to the article. "There are some additional things I do," Spafford added, telling the reporter that "I'm not going to give details of all of them, because that doesn't help me."
Bruce Schneier had a similar answer. When the reporter asked how he protected his data, Schneier wouldn't tell them, adding "I'm kind of a target..."
Hey, we were just wondering how you secure your data?
I don't have any data.... What is this "data"
The only times I've ever gotten a virus were when I had AV running. Without AV, I don't run anything that's untrusted. Worked out well so far.
Learn to love Alaska
By virtue of the fact that he has even mentioned that using Linux is part of his reason to not run antivirus software, wouldn't the fact that he is using Linux be considered to be lulling him into exactly the same sort of false sense of security that he is accusing antivirus software of creating?
File under 'M' for 'Manic ranting'
They're only doing their job if you have a reason to use them. If you spend your time avoiding visiting unsavoury websites and have the knowledge not to download/open questionable files, then they're just costing you space on your PC (or in your wallet).
Also, sometimes they break.
This completely ignores the fact that sometimes (often?) advertising networks are used to spread viruses on completely legit sites. Or those sites could be exploited themselves and start spreading malware.
Just because you only check your email and read the news doesn't make you completely safe. Safer, sure. But not completely safe.
I have a BIOS lock to annoy thieves if my laptop is stolen. I have clamav but I barely ever run it. I run noscript and ghostery on a Linux Mint LTS and I run the Firewall GUFW in its default config. I have firefox set not to accept 3rd party cookies and to clear cookies at the end of a session. I lock my documents up with truecrypt, it's an older version but I am just trying to stop criminals if my laptop is stolen and it's the version that was reviewed for security, so I guess that's okay. I am thinking of setting up firejail on my next install and if things get much worse on the internet I might start using more VMs to do most of my work.
All operating systems and system software have bugs that, when exploited, can allow the system to be compromised. If you're a user, you're probably running software like Firefox, which certainly can be exploited. While servers generally don't have instances of Firefox running, they do get compromised, and you hear about it in data breaches. While some of these data breaches certainly occur because of incompetent administrators, there are still plenty of Linux systems being compromised because of the software running on them. Linux provides a false sense of security because the software running on it does get compromised somewhat frequently.
As for antivirus, software on Linux is vulnerable to attack. MS Office has had plenty of vulnerabilities that were exploited. It would be foolish to assume that LibreOffice can't be exploited, too. There's no harm in running clamav to scan files that you download to a Linux system before you open them in software like LibreOffice. I use antivirus software on Linux for precisely that purpose. It's one line of defense, one of many, but why would you remove a legitimate line of defense?
Basically, there should be many lines of defense that include:
1) Firewalls that monitor incoming and outgoing traffic, blocking undesired and potentially harmful traffic
2) Turning off unnecessary services and restricting the privileges given to essential services
3) Using strong passwords that are hard to guess
4) Encrypting and backing up data
5) Running antivirus software to monitor likely threat vectors, especially files from outside sources
6) Monitoring the system for unusual activity that might indicate a breach
The real problem with many antivirus systems is that they run with too many privileges, are too vulnerable and miss too many threats, such that they actually become a liability for the user. That doesn't mean you should avoid using antivirus software, but that you should be smarter about the antivirus software you do run.
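The post above recommends scanning files you download before opening them in something like LibreOffice. Here is that step as a small wrapper, added here as an example and not code from the post or from ClamAV. It assumes clamscan is installed with current signatures (freshclam), that xdg-open is the desktop's opener, and that a file which fails the scan is moved aside into a quarantine directory (the path is an assumption) rather than deleted, so it can be looked at later. The wrapper fails closed: if the scanner itself errors or is missing, the file is not opened.

```shell
#!/bin/sh
# safe-open: scan a downloaded file with ClamAV before handing it to the desktop.
# Added example, not from the thread. Assumptions: clamscan is installed with current
# signatures (run freshclam), xdg-open is the desktop opener, and a file that fails
# the scan is moved into $QUARANTINE (assumed location) rather than deleted.

QUARANTINE="${QUARANTINE:-$HOME/.quarantine}"

# scan_file FILE -> 0 clean, 1 infected, 2 scanner error (clamscan's documented exit codes)
scan_file() {
    if clamscan --no-summary "$1" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0|1|2) return "$rc" ;;
        *)     return 2 ;;      # e.g. 127 when clamscan is missing: "could not scan"
    esac
}

# quarantine_file FILE -> move it out of reach with no permissions, timestamped to avoid clobbering
quarantine_file() {
    mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE" || return 1
    dest="$QUARANTINE/$(basename "$1").$(date +%s)"
    mv "$1" "$dest" && chmod 000 "$dest"
}

# safe_open FILE -> 0 opened, 1 refused and quarantined (infected), 2 refused (scan failed)
safe_open() {
    f=$1
    case $f in -*) f=./$f ;; esac          # never let a file name be taken for an option
    [ -f "$f" ] || { echo "safe-open: not a regular file: $f" >&2; return 2; }
    rc=0
    scan_file "$f" || rc=$?
    case $rc in
        0) xdg-open "$f" ;;
        1) echo "safe-open: $f is infected; moving it to $QUARANTINE" >&2
           quarantine_file "$f"
           return 1 ;;
        *) echo "safe-open: could not scan $f; refusing to open it" >&2
           return 2 ;;
    esac
}

# Command-line use: safe-open ~/Downloads/invoice.pdf
if [ $# -gt 0 ]; then
    safe_open "$1"
fi
```

Exit code 1 from clamscan means a signature matched, 2 means the scanner could not complete; both are treated as "do not open". Signature scanning only catches what the signatures know about, which is the "one line of defense, one of many" point of the post.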
If he did -nothing- about security, that would be true. That's not likely the case. More likely, he's using protective strategies that are appropriate for his environment and the threats most prevalent in that environment. The most common threats for Linux machines aren't viruses. Viruses specifically are more of a Windows thing. Not that there are no threats that affect Linux, they are -different- threats.
On Linux, he may use the firewall, Tripwire or another IDS, some form of IPS if only fail2ban, SELinux, etc. Also of course browser-specific things like an adblocker and NoScript. Linux has long had good support for good partition and file encryption, so he might use that, and scheduled offsite pull backups protect against ransomware.
ClamAV runs -on- Linux, but normally -for- Windows - you install on on your Linux mail server to remove viruses before your Windows clients download their mail, etc.
> If you spend your time avoiding visiting unsavoury websites and have the knowledge not to downloading/open questionable files
The number 1 source of infections is compromised ads on mainstream sites like Slashdot. Avoiding "unsavoury websites" isn't protecting you. Noscript and an ad blocker would provide much more protection, along with automated offsite backups in a pull configuration (your computer must not be able to delete/overwrite the backups, for ransomware protection).
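The pull configuration described above (the backup host connects to the workstation and reads; the workstation holds no credential for the backup host) can be tightened further so that the key the backup host uses cannot write to the workstation either. Below is an added example, not from the post, of an SSH forced command that accepts only an rsync "sender" invocation confined to one directory. Assumed details: the user is alice, the script lives at /usr/local/sbin/pull-only, the key material in the authorized_keys line is a placeholder, and the backup host keeps dated hard-linked snapshots so an earlier copy survives a run that copies encrypted files.

```shell
#!/bin/sh
# pull-only: forced command for the SSH key the backup host uses to pull from this workstation.
# Added example, not from the thread. Assumptions: the workstation user is "alice", this file
# is installed as /usr/local/sbin/pull-only, and the backup host is the only holder of the key.
#
# Workstation side, ~alice/.ssh/authorized_keys (one line; key material is a placeholder):
#   command="/usr/local/sbin/pull-only",restrict ssh-ed25519 AAAAC3...placeholder backup-host
# Backup host side (cron): a dated snapshot that hard-links files unchanged since the last
# one, so a run that copies ransomware-encrypted files cannot destroy earlier snapshots:
#   day=$(date +%F)
#   rsync -a --delete --link-dest=/backups/alice/latest alice@workstation:/home/alice/ "/backups/alice/$day/"
#   ln -sfn "/backups/alice/$day" /backups/alice/latest
# The workstation holds no credential for the backup host, so malware on it cannot reach the copies.

ALLOWED_ROOT="${ALLOWED_ROOT:-/home/alice}"   # only tree the backup host may read (assumed)

# validate_pull_command CMD -> 0 if CMD is an rsync *sender* invocation confined to ALLOWED_ROOT
validate_pull_command() {
    cmd=$1
    # Anything that could reach the shell or glob is refused outright.
    clean=$(printf '%s' "$cmd" | tr -d '];|&$`<>(){}\\*?"['"'"'\n\t')
    [ "$clean" = "$cmd" ] || return 1
    set -f                      # no globbing while splitting into words
    set -- $cmd
    set +f
    # rsync --server --sender: the workstation only ever sends; without --sender it would receive.
    [ $# -ge 5 ] && [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    seen_dot=0
    npaths=0
    for w in "$@"; do
        if [ "$seen_dot" -eq 0 ]; then
            case $w in
                .) seen_dot=1 ;;                              # "." separates options from paths
                -e|--rsh*|--rsync-path*|--files-from*|--log-file*|--remove-source-files) return 1 ;;
                -*) ;;                                        # ordinary rsync option
                *) return 1 ;;
            esac
        else
            case $w in
                *..*) return 1 ;;
                "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) npaths=$((npaths + 1)) ;;
                *) return 1 ;;
            esac
        fi
    done
    [ "$seen_dot" -eq 1 ] && [ "$npaths" -gt 0 ]
}

# Entry point when sshd runs this as the forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if validate_pull_command "$SSH_ORIGINAL_COMMAND"; then
        set -f; set -- $SSH_ORIGINAL_COMMAND; set +f   # safe: validated to be plain words only
        exec "$@"
    fi
    echo "pull-only: refused: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

When the backup host runs `rsync -a alice@workstation:/home/alice/ ...`, sshd on the workstation executes the forced command with SSH_ORIGINAL_COMMAND set to something like `rsync --server --sender -logDtpre.iLsfxC . /home/alice/`; the `--sender` flag is what makes the workstation the read-only side. The `restrict` keyword (OpenSSH 7.2 and later) additionally turns off port forwarding, agent forwarding and PTY allocation for that key.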
I don't understand why people consider some sites more unsavory than others. And yes, some sites are more dangerous to visit than others, but people do an awful job of assessing the danger. Even nerds do a poor job of this, otherwise we wouldn't be on Slashdot.
Consider this: Slashdot loves to post stories that criticize other sites for abusive practices involving ads and tracking. You'd think that such a site wouldn't be engaging in the same types of behavior. However, if you look, Slashdot loads numerous advertising and tracking scripts. Trackers monitor your browsing activity across multiple sites, making a record that can be used to profile you. Ads are an extremely common vector for distributing malware. If that's not unsavory behavior, I don't know what is. We love to criticize other companies like Facebook and Microsoft for deceptive and dangerous behavior. Why should Slashdot get a free pass? This isn't the news for nerds, stuff that matters, geek site that Rob Malda, Jeff Bates, and Jonathan Pater started in the late '90s. It's changed tremendously and engages in many of the same harmful behaviors that other news sites do. And while we're at it, there's nothing anonymous about Anonymous Coward posts, either. Slashdot, its advertisers, and its trackers are all monitoring you.
So why do we consider Slashdot to be less unsavory than most other sites? It doesn't make any sense to me. Any site that engages in behaviors like that can't be trusted and puts its users at risk. We can reduce that risk by blocking scripts and ads, but even that doesn't guarantee safety. I just think even nerds, who are quite educated about the security and privacy issues, do a terrible job of deciding what's safe and what isn't. The fact that we're here posting on this site is proof enough.
Just because Linux doesn't have as many viruses for it, doesn't mean it's immune to viruses. In fact, Linux is probably a very popular carrier for viruses - Linux host gets broken in (usually via a PHP exploit) and some files are dropped onto it and files modified so whenever a Windows host accesses it, it obtains the payload and gets infected.
Linux may not be harmed by it, but it certainly is an active participant in the propagation of viruses. Mostly because the malware authors want to target users, and 90% of them run Windows. But they can't target Windows servers, because 75% of the servers out there run Linux. So they will exploit those Linux-running servers to plant some Windows malware on there so the Linux host distributes the Windows malware to everyone.
Linux is a carrier, and perhaps having an anti-virus may be handy if nothing more than to ensure that you're not being part of the problem and serving up stuff that infects other users. The best part is, these scanners need not be intrusive since the host can be assumed to be free of malware, so you're really just looking for bad files.
Same thing on MacOS - there's no reason to have an antivirus scanner other than to make sure you're not serving up infected files, or to alert you in case you get an email that won't infect you, but may infect someone else if you forward it on or something.
Google, for example, scans emails and documents for viruses and other malware, not because they can infect Google, but to prevent spread.
That's not my point.... the simple fact that he would even mention it as a contributing factor to not bother with AV software *IS* evidence that it is lulling him into the exact same sense of security that might happen with AV software.
I run Linux, and I don't bother with AV software either, but it's not because I run Linux, it's because AV software is shit.
It's common knowledge that if you knock out Chuck Norris with a roundhouse kick you become the new Chuck Norris.
Similarly, if you manage to steal Bruce Schneier's identity, you become the new Bruce Schneier.
No wonder he's a target. Everybody wants to be him.
My personal favorite Bruce Schneier Fact: "Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes."
You're assuming that Linux and OS/X systems can only be public servers. But you shouldn't run things like a public PHP based website on the computer you use for highly confidential stuff, and if you don't it's unlikely to become a carrier for Windows viruses. Not running such services in the first place is one of the most appropriate security measures you would take on such a system. More public functions you can implement on separate machines that you protect in ways appropriate for their purposes.
Someone once made it to the lock-box, but... I just didn't have to feed the sharks that day.
I even have a sign posted: Do not look at sharks with remaining good eye.
It must have been something you assimilated. . . .
...but I still install AV on every single system which I set up for other people, and I recommend that they keep using AV. Why? Because it would be considered negligent to omit it. If they get infected, which they inevitably do, then not installing AV would put me in an indefensible position. Asking a professional how they protect their data is a useless endeavor. It doesn't teach you how to keep your data secure, because you don't know all the other things they know which stop them from doing stupid things.
"I don't take precautions because they make me complacent." I'm glad that the idiots in that article aren't the ones making any decisions in the computer security industry. Note how the CEO of MalwareBytes is the exception in that article - that's the person who's worked with exploits and viruses. Kudos for not having your head in the sand.
And if so, do you drive more recklessly now that you know that you're more likely to survive a crash because of seatbelt and airbag? Most likely not. Your car is still a wreck if you crash.
The same applies to malware. I do have an AV kit running. But I also know that it ain't no silver bullet. It's not my first but my last line of defense, another layer of security that is there in case everything else failed. Treating it any different is dumb (and yes, I know, there are people out there who go by the logic that they can turn their brains off now that they turned their AV kit on), but simply saying that you don't need it because it gives you a false sense of security isn't too smart either.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Which means that for a normal user of Linux, running anti-virus is useless.
You only run anti-virus on Linux mail servers.
Just saying it like it are.
That's not my point.... the simple fact that he would even mention it as a contributing factor to not bother with AV software *IS* evidence that it is lulling him into the exact same sense of security that might happen with AV software
I interpreted it more along the lines of "AV software targets vectors that are generally not relevant or redundant on linux, so I don't bother with it." Kind of like how you might choose not to run OpenGL or a multitasking scheduler on a DOS box - you can think of some edge cases where it might be helpful, but it's not generally going to do anything. You would definitely be justified in saying, "I don't run openGL because I'm on DOS," but it wouldn't be that you think DOS has great graphics.
And replicating what they do like monkey-see-monkey-do is not an advised way to protect yourself, even if you learned what they aren't telling you.
You can do things differently and recognize/avoid risks other people would not be able to avoid, when you're the security guy.
Protecting an organization's endpoints and servers, OR someone else's computers against themselves... is very different than protecting your own computer that nobody else is allowed to touch (although you might put it on a hostile network).
The EFF's chief technologist revealed that he doesn't run an anti-virus program, partly because he's using Linux, and partly because he feels anti-virus software creates a false sense of security. ("I don't like to get complacent and rely on it in any way...")
He's quite right. We lull ourselves into a false sense of security all the time. I try to avoid it, complacency is a killer.
I drive at night without any lights on, because then if I'm in an accident it will probably be my fault. This keeps me wide awake and aware of all possible hazards.
During the day this doesn't work of course. Hence I have to drive in bare feet, so if there is an accident I'm not going to get very far trying to run away.
Or establish a sacrificial computer that you use just for getting your strange on.
For your average workstation, the easy way to lock it down is by examining all of the vectors that malware can take. From there it's usually simple.
Probably about 95% of malware comes through malicious websites. Solution: use tools like NoScript and an adblocker. Also use SELinux/AppArmor/grsecurity etc. to make sure that whatever slips by cannot do anything that your browser doesn't have permission to do. If you want to be really safe, only run your browser in a virtual machine (this is the premise of Qubes OS, by the way).
Also apply SELinux (or whatever you're using) to any programs that have listening Internet ports, like SSH and CUPS.
If you use a local email client instead of webmail, don't be dumb and allow your client to auto-execute JavaScript or attachments in emails. Also, don't be dumb and mount random peoples' portable drives without some precautions.
Was going to ask...how do you make use of it, but then I figured out it was connected to your open wireless router.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
Obscurity can be an effective additional layer of defense. On its own it's insufficient.
"the San Jose Mercury News asked several prominent security experts which security products they were actually using for their own data."
And while you're at it, tell us where you hide your cash and other valuables...
Just cruising through this digital world at 33 1/3 rpm...
Do everything Internet-related in a guest VM.
I learned this from Joanna Rutkowska; you have at least 3 virtual machines.
One is 'green' and you only ever use it for very sensitive things like online banking.
One is 'yellow' and you only ever use it for semi-sensitive things like social media.
One is 'red' and you do this for random web browsing, searching etc. This one gets re-imaged or reverted to snapshot regularly.
If you like (and have the system resources for it) you can have multiple 'yellow' VMs for multiple social network sites or email accounts.
You can set these VMs up on separate networks with routers/firewalls between them. You can use egress filtering on the green VM so that literally the only sites it can possibly reach are your online banking sites.
You NEVER EVER read email in your green VM or on your host. You NEVER use a web browser in your host.
The basic red,yellow,green VM setup is very very easy to build, doesn't take a lot of skills. Modern PC's and laptops are quite capable of running these 3 VMs.
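The egress filtering mentioned for the green VM ("literally the only sites it can possibly reach are your online banking sites") is easy to get subtly wrong if the rules are hand-edited, so here is an added example, not from the post, of a generator for an nftables ruleset that drops everything the VM originates except DNS to one resolver and HTTPS to an explicit address list. Assumptions: the green VM runs nftables, the resolver address is a placeholder from the documentation range, and the operator supplies the banks' IPv4 addresses (resolve the hostnames and refresh the set when they change; banks behind CDNs move).

```shell
#!/bin/sh
# green-egress: build an nftables ruleset for the "green" VM so that the only outbound
# traffic it can start is HTTPS to an explicit list of addresses plus DNS to one resolver.
# Added example, not from the thread. Assumptions: the VM runs nftables; RESOLVER is the
# address of the DNS server the VM may ask (placeholder below); the allowed addresses are
# supplied by the operator, who resolves the banks' hostnames and refreshes the set.

RESOLVER="${RESOLVER:-192.0.2.53}"   # assumed resolver address (documentation range)

# is_ipv4 ADDR -> 0 if ADDR is a dotted quad with each octet 0-255, else 1
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -f; set -- $1; set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# green_egress_ruleset ADDR... -> prints the ruleset on stdout; fails on any malformed address
green_egress_ruleset() {
    [ $# -gt 0 ] || { echo "green-egress: need at least one allowed address" >&2; return 1; }
    elements=
    for a in "$@"; do
        # Validate before interpolating: the list goes straight into nft's input.
        is_ipv4 "$a" || { echo "green-egress: bad address: $a" >&2; return 1; }
        elements="${elements:+$elements, }$a"
    done
    is_ipv4 "$RESOLVER" || { echo "green-egress: bad resolver: $RESOLVER" >&2; return 1; }
    cat <<EOF
flush ruleset
table inet green_egress {
    set banks {
        type ipv4_addr
        elements = { $elements }
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        ct state invalid drop
        ip daddr $RESOLVER udp dport 53 ct state new accept
        ip daddr $RESOLVER tcp dport 53 ct state new accept
        ip daddr @banks tcp dport 443 ct state new accept
        counter log prefix "green-egress drop: " drop
    }
}
EOF
}

# Apply it (root, replaces the live ruleset): green-egress --apply 203.0.113.10 203.0.113.11
if [ "${1:-}" = "--apply" ]; then
    shift
    green_egress_ruleset "$@" | nft -f -
fi
```

Because the table is `inet` with `policy drop` and only `ip daddr` rules accept new flows, IPv6 is dropped entirely; add matching `ip6 daddr` rules if the bank is reachable over IPv6. The trailing `counter log` line is what tells you when the bank's addresses have changed.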
In the free world the media isn't government run; the government is media run.
Exactly this. You can tell how little someone knows about actual security by how they trot out the old 'security by obscurity' meme.
"There are some additional things I do," Spafford added, telling the reporter that "I'm not going to give details of all of them, because that doesn't help me." Bruce Schneier had a similar answer. When the reporter asked how he protected his data, Schneier wouldn't tell them, adding "I'm kind of a target..."
So... security by obscurity is apparently highly regarded by the pros. Good to know.
That's not so-called "security through obscurity." Typically, that term refers to taking the same (ineffective) measures as everyone else so that you don't stick out. On the contrary, he's saying that he does take special measures but chooses not to disclose them.
The Daddy casts sleep on the Baby. The Baby resists!
And since I'm not a target for the Russian government that means I'm as safe as its possible to be. I don't trust American AV apps because of the NSA and because in my experience the people who write them are not the best in our field whereas security and breaching security is all the Russians do. Simplistic -- maybe, but whatever.
I only surf fully sandboxed. Twice in the past four years zero-days told me I was infected. A reboot said otherwise as the sandbox was deleted. There is no reason to surf the web other than virtualized.
That's not my point.... the simple fact that he would even mention it as a contributing factor to not bother with AV software *IS* evidence that it is lulling him into the exact same sense of security that might happen with AV software.
I run Linux, and I don't bother with AV software either, but it's not because I run Linux, it's because AV software is shit.
No I think he mentions it because there IS no anti-virus software FOR Linux; there is AV software running on Linux, but it is all against viruses targeting other platforms, primarily because, while Linux gets targeted by many different types of exploits, so far there haven't been any traditional viruses.
There is exactly one reason to run Anti Virus software: To be able to say you did, if something bad happens. E.g. your bank account gets hacked. Your bank will ask whether you were running AV software. Even if the software is crap, you have to run it otherwise they will try to put the blame on you. Same with your work computer: Somebody in the intranet (not necessarily you) catches a virus. The admin will check whether everybody runs AV. If you don't, you will be blamed. Even if the admin knows that AV is mostly snake oil, he will still try to put the blame on you so it isn't on him. Or if you are the admin yourself, you also probably want everybody to run AV because otherwise the PHB will blame you.
Yes, there is... the place where I used to work had a Linux antivirus program on their email server that would check any attachments for Windows viruses (most of the computers on the network ran windows).
so far there haven't been any traditional viruses
What are these?
It won't stop malware from being installed but it will sure show you where it's at (root-kits iffy).
https://technet.microsoft.com/...
If you use a Mail reader like Forte Agent: Options unhide Microsoft entries, and save resources by disabling all of MS's email sub systems (and there are many).
It will also show any files missing (mostly codecs),
But well worth running (as admin) often.
I haven't run an AV in ages, I put a lot of trust in my HOSTS file, and autoruns just to keep check.
> So... security by obscurity is apparently highly regarded by the pros. Good to know.
Security by obscurity is fine. The problem is relying on it primarily or exclusively, or executing it in a way that diminishes or eliminates standard security, which are all common issues.
> It means you use secret crypto algorithms, instead of openly-tested ones with a secret key.
Right, but even then you can make a case for it. What would be more secure:
> Your encrypted drive exists as encrypted.hc. You load encrypted.hc with Veracrypt, and it uses AES, Twofish, and Serpent.
> Your encrypted drive exists as encrypted2.hc. You load encrypted2.hc with Veracrypt, and it uses AES, Twofish, and Serpent. Inside the mounted encrypted2.hc is encrypted.hc. You load the encrypted.hc with Veracrypt, and it uses AES, Twofish, and Serpent.
> Your encrypted drive exists as yolo.proprietary. You mount this with a loopback, using a special cipher you have devised and no one has looked at. Inside the mounted yolo.proprietary, is encrypted.hc. You load the encrypted.hc with Veracrypt, and it uses AES, Twofish, and Serpent.
As long as your proprietary junk is implemented in a way that it layers on top of the standard stuff without interfering or replacing, you have added security. And whether the second or third case is more secure is interesting: you can assume that the proprietary cipher is trash compared to the three that Veracrypt implements, but a theoretical attack that is able to get through the first Veracrypted drive has good odds of getting through the second.
So there can be a use for it even in crypto, arguably- as long as that crap is somewhere else, and YOU are the one making it happen.
What we see instead is stuff like "well, we based our algo on AES and..." or otherwise borking it in some fashion such that it can't actually be verified as applying the community-trusted ciphers in a useful fashion- that's the common problem we have seen a lot of, and all of those "solutions" are just more problems.
> What are these?
The first one is an Intel processor instruction. Nothing really to do with either Linux or viruses.
The second points out that executables contain unused bytes. In theory,there is space for someone to add code without making the file bigger.
The third never existed in the wild, as far as I can tell.
The fourth is a legit virus.
The fifth is another research curiosity - it allows root to break files. It's supposed to demonstrate a concept for a trojan, but instead it makes them not run at all.
The sixth is somebody's homework, which they titled "a good natured virus". Again, not a virus ever seen in the wild.
The seventh is in a language I can't read.
The eighth is the same site as the second - again talking generally about how someone could go about adding a trojan to an executable. Not a virus.
So one actual virus, in the first eight. I got bored after that. On the other hand, there are over 100,000 known Windows viruses.
How on earth do you use encrypted mail unless all your recipients also do the same, i.e. have public/private keys of their own that are configured in their email clients? He probably does communicate with other security minded folk who also use encryption, but the vast majority of ordinary people neither know nor care about these things.
The biggest drawback to encrypted anything is that it requires everybody to use it. There's plenty of open source and secure alternatives to popular apps but there's no point in recommending say, Signal or Tox when all the people you know couldn't be bothered to get off Whatsapp.
"..One hosts to look them up, one DNS to find them, and in the darkness BIND them."
One of many guides for it that I've read using a second video card and monitor hookup with the card itself assigned to a VM using IOMMU with something like 97% benchmark performance of bare metal, but I don't have a second video card to try it with, so I'm stuck with playing 2D games in a window.
If I have been able to see further than others, it is because I bought a pair of binoculars.
I must have been thinking of anonymity? Then does a honeypot rely on security through obscurity because it is less effective if attackers are aware of it?
You do realize that spamming the same message won't get you noticed more don't you?
Also, since I have technically disproved numerous parts of your spam, does that mean you have to change your spam?
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Um, it is spam, you posted it 3 times because you were down modded. That is spamming, and it is spam also because you are advertising a commercial product when people are not requesting your advertisement. Spam is defined as "Unsolicited commercial advertisement", so can you show how your posts are not spam? Spam can also be the process of sending numerous duplicate messages, which is also what you are doing here, how is this series of posts not spam?
Have you figured out an addon for Chrome we can run to filter out your garbage yet?
No, that post specifically proves that I don't. If I was the one down modding you, as soon as I posted as me, the mods would disappear. Your ignorance does not imply me cheating anything.
I don't need to down mod you, plenty of others down mod your offtopic trolling shit on their own.