Slashdot Mirror


How Security Experts Are Protecting Their Own Data (siliconvalley.com)

Today the San Jose Mercury News asked several prominent security experts which security products they were actually using for their own data. An anonymous Slashdot reader writes: The EFF's chief technologist revealed that he doesn't run an anti-virus program, partly because he's using Linux, and partly because he feels anti-virus software creates a false sense of security. ("I don't like to get complacent and rely on it in any way...") He does regularly encrypt his e-mail, "but he doesn't recommend that average users scramble their email, because he thinks the encryption software is just too difficult to use."

The newspaper also interviewed security expert Eugene Spafford, who rarely updates the operating system on one of his computers -- because it's not connected to the internet -- and sometimes even accesses his files with a virtual machine, which he then deletes when he's done. His home router is equipped with a firewall device, and "he's developed some tools in his research center that he uses to try to detect security problems," according to the article. "There are some additional things I do," Spafford added, telling the reporter that "I'm not going to give details of all of them, because that doesn't help me."

Bruce Schneier had a similar answer. When the reporter asked how he protected his data, Schneier wouldn't tell them, adding "I'm kind of a target..."

37 of 217 comments

  1. AV only helps if you are bad by AK Marc · · Score: 5, Interesting

    The only times I've ever gotten a virus were when I had AV running. Without AV, I don't run anything that's untrusted. Worked out well so far.

    1. Re:AV only helps if you are bad by Anonymous Coward · · Score: 2, Interesting

      You don't run AV therefore you've never had a virus? The force is strong with this one.

    2. Re:AV only helps if you are bad by tsa · · Score: 5, Insightful

      Same here. I hate AV software with a passion because it slows your computer to a crawl, gives a false sense of security and once it's on your computer it takes a complete reinstall of the OS to get it off again. The best AV practices are:
      Never use MS software to browse the internet and read email
      Use an ad blocker
      Never even read email from unknown sources, let alone open attachments from there.
      MAKE BACKUPS of your files.

      --

      -- Cheers!

    3. Re:AV only helps if you are bad by AK Marc · · Score: 2

      If you can't tell whether you have a virus without an AV, then you are dumber than you look. I've cleaned many friend and family computers where they got a virus without an AV, then asked for help. Turns out it's quite easy to get a virus without an AV, and from my experience, not too hard to get one with.

    4. Re:AV only helps if you are bad by HBI · · Score: 2

      Precisely. It's like the idiot light on your car for gas/overheating/whatever. If you failed to note the problem, it might warn you. Find a lightweight program and suck it up. I ran without AV from the late 80s to about 2011, and then I gave in based on the more subtle threats that were becoming common. Just not running scripts and untrusted attachments wasn't feeling entirely safe in an age of hidden filesystems that could get past air gaps.

      For the record, I'd never gotten anything I knew about and no AV was ever able to find malware on my personal systems. No guarantees, but it was a pretty good record.

      --
      HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
    5. Re: AV only helps if you are bad by Anonymous Coward · · Score: 3, Funny

      I don't know. I think AV is a great deterrent against skiddies. I would much rather get owned by new undetected malware than a decade old one.

    6. Re: AV only helps if you are bad by blavallee · · Score: 5, Funny

      I get virus warnings WITHOUT running AV. Should I download and install their advertised AV software?

    7. Re:AV only helps if you are bad by TheRaven64 · · Score: 5, Interesting
      You got lucky. There are two problems with most Antivirus software:

      Most of them still use system call interposition. They're vulnerable to a whole raft of time-of-check to time-of-use errors, so the only part that actually catches things is the binary signature checking, and that requires you to install updates more frequently than malware authors release new versions - it's a losing battle.

      They run some quite buggy code in high privilege. In the last year, all of the major AV vendors have had security vulnerabilities. My favourite one was Norton, which had a buffer overflow in their kernel-mode scanner. Providing crafted data to it allowed an attacker to get kernel privilege (higher than administrator privilege on Windows). You could send someone an email containing an image attachment and compromise their system as long as their mail client downloaded the image, even if they didn't open it. It's hard to argue that software that allows that makes your computer more secure.

      --
      I am TheRaven on Soylent News
    8. Re:AV only helps if you are bad by mwvdlee · · Score: 4, Interesting

      Profit in a visible virus; very little.
      Profit in a virus that acts as a slave in a botnet and monitors your computer usage; a lot more.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    9. Re:AV only helps if you are bad by mwvdlee · · Score: 2

      Same here. I hate AV software with a passion because it slows your computer to a crawl, gives a false sense of security and once it's on your computer it takes a complete reinstall of the OS to get it off again.

      Good AV software would have prevented you installing Symantec.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    10. Re: AV only helps if you are bad by Anonymous Brave Guy · · Score: 2

      The trouble is, all of that remains true if you have anti-virus software installed. Your odds might be slightly better overall, but AV software doesn't catch everything. In a few cases, AV software has even opened additional vulnerabilities itself.

      It's surprisingly difficult to be sure that you're only running what you think you're running in 2016 and that your data is safe and private. That's a real and serious problem regardless of which if any AV tools you run.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    11. Re:AV only helps if you are bad by geekmux · · Score: 2

      ...The best AV practices are...Never use MS software to browse the internet and read email...

      ...which of course is great technical advice to act upon right away, and so easily accomplished for the average US corporation addicted to Microsoft products...

    12. Re: AV only helps if you are bad by tsa · · Score: 2

      I've been reading Slashdot and the like for more than twenty years now and the relative amount of vulnerabilities reported for MS products, especially IE and Outlook, is so significantly higher that not using those already makes a huge difference. Of course other software is also not without its faults, but I could say that your approach of treating all software as equally bad is paranoia.
      Now that we've both insulted each other I think I can safely say that we agree that you have to find software that gives the best balance between risk and usability for the situation you use it in.

      --

      -- Cheers!

    13. Re: AV only helps if you are bad by Anonymous Brave Guy · · Score: 4, Insightful

      Sometimes, but there are no guarantees these days. Once a system has been compromised, it is now almost impossible to make sure it's clean again no matter what you do to recover. In a world with the likes of UEFI and "hidden" secondary processors within CPUs, even wiping the hard drive and reinstalling from known good media isn't a reliable fix. It's all rather depressing, this so-called progress.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    14. Re: AV only helps if you are bad by Type44Q · · Score: 2

      Your arrogance in the belief that Microsoft products are more risky than others would be laughable if it wasn't so dangerous.

      Actually, you have a point: it would be terrible - possibly even dangerous, I suppose - for Microsoft, black hats and gov'ts everywhere if people were to truly grasp the risk of using Microsoft products, as they'd quickly switch to something else and all that insidiousness would have been for nothing...

      Signed,

      A Microsoft-Certified Systems Engineer with a far better grasp of reality than yourself... and/or simply not on the take, unlike yourself.

  2. Is he going for irony, here? by mark-t · · Score: 5, Insightful

    The EFF's chief technologist revealed that he doesn't run an anti-virus program, partly because he's using Linux, and partly because he feels anti-virus software creates a false sense of security.

    By virtue of the fact that he has even mentioned that using Linux is part of his reason to not run antivirus software, wouldn't the fact that he is using Linux be considered to be lulling him into exactly the same sort of false sense of security that he is accusing antivirus software of creating?

    1. Re:Is he going for irony, here? by Black Parrot · · Score: 3, Insightful

      Yes.

      I think my Linux is more secure than my Windows, but honestly it only takes one exploit.

      If the spooks or large organized crime want in, they're in. Small fry *may* be kept out by best practices, but I wouldn't bet on it.

      Anything secret shouldn't be on a computer, let alone a computer on the internet. But then there's the eternal trade-off between security and convenience.

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:Is he going for irony, here? by tchdab1 · · Score: 3, Insightful

      These security experts wouldn't recommend it, but they're relying on security through obscurity.
      Think about it, but don't actually think about *it* because that might endanger the security experts.

    3. Re:Is he going for irony, here? by TheRaven64 · · Score: 4, Informative

      In terms of Linux, it's not classical security through obscurity, it's security through diversity. One of the reasons Slammer was so painful a decade ago was that most institutions had a Windows monoculture. The time between one machine being infected on your network and every machine on your network being infected was about 10 minutes (a fresh Windows install on the network was compromised before it finished running Windows Update for the first time). If you'd had a network that was 50% Windows and 50% something else, then it would only have infected half of your infrastructure and you'd have been able to pull the plug on the Windows machines and start recovery. It's possible to write cross-platform malware, but it's a lot harder (though there's some fun stuff out of one of the recent DARPA programs writing exploit code that is valid x86 and ARM code, relying on encodings that are nops in one and valid in the other, interspersed with the converse). Writing malware that can attack half a dozen combinations of OS and application software is difficult.

      This is why Verisign's root DNS runs 50% Linux, 50% FreeBSD and of those they run two or three userland DNS servers, so an attack on a particular OS or particular DNS server will only take out (at most) half of the machines. Even an attack on an OS combined with an independent attack on the DNS server will still leave them with about a quarter functional, which will result in a bit more latency for Internet users, but leave them functioning.

      --
      I am TheRaven on Soylent News
    4. Re:Is he going for irony, here? by tburkhol · · Score: 3, Interesting

      These security experts wouldn't recommend it, but they're relying on security through obscurity.

      They wouldn't recommend that obscurity be your only security, but I think they would all agree that obscurity can be a useful component of a comprehensive security plan.

      For example, if you run a web server, everyone knows it. Controlling the server signature to not obscure the specific version or modules that server runs means an attacker cannot target known version-specific vulnerabilities, but has to try a bunch of them. This gives the server the opportunity to detect multiple exploit attempts and ban the source (or whatever). Using unpopular/obscure software, like nginx or lighttpd instead of Apache/IIS, may also reduce the attack profile (i.e., worms or script kiddies), while being less intrinsically secure.

    5. Re:Is he going for irony, here? by naughtynaughty · · Score: 2

      They aren't relying on the secrecy of their implementations as their main method of providing security, therefore they are not using security through obscurity.

      I'd recommend you read up on what security through obscurity really is.

    6. Re:Is he going for irony, here? by jeffmeden · · Score: 3, Insightful

      The icing on the cake is that several of them (notably Bruce) are basically saying security by obscurity really is a thing (well, at least if you're famous).

    7. Re:Is he going for irony, here? by Gr8Apes · · Score: 5, Interesting

      Then you're making an ignorant assumption.

      Yes, you are.

      Every other OS out there for server and end user use is more secure than Windows. Windows is flawed by design. Here's why: Windows is built on top of an inverted security model that requires the process token to have all permissions required for every aspect of the program running, and then masks that token for child threads and processes. That means that any thread or child-process that has an exploit can automatically run at the highest security level of the process. Add to that the ability of almost any process to inject code into DLLs, and you see why pwning Windows is almost trivial. I submit that Windows will never be secure until they fix these 2 fundamental architectural mistakes.

      Meanwhile, Linux, BSD, and other *nix OSes have a sane least permissions security where a token can be elevated upon authentication/authorization as needed. If a process manages to escape its code path via a buffer overflow, damage is limited to whatever permissions that thread has at that time. In *nix systems, that's usually very little. If you're still not convinced, try to modify a system library in *nix from your own program or some javascript in your browser via a drive by scenario. No fair using the Java plugin, as that shouldn't be installed on any browser.

      --
      The cesspool just got a check and balance.
  3. Different protections for different threats, envir by raymorris · · Score: 4, Informative

    If he did -nothing- about security, that would be true. That's not likely the case. More likely, he's using protective strategies that are appropriate for his environment and the threats most prevalent in that environment. The most common threats for Linux machines aren't viruses. Viruses specifically are more of a Windows thing. Not that there are no threats that affect Linux, they are -different- threats.

    On Linux, he may use the firewall, Tripwire or another IDS, some form of IPS if only fail2ban, SELinux, etc. Also of course browser-specific things like an adblocker and NoScript. Linux has long had good support for good partition and file encryption, so he might use that, and scheduled offsite pull backups protect against ransomware.

    ClamAV runs -on- Linux, but normally -for- Windows - you install it on your Linux mail server to remove viruses before your Windows clients download their mail, etc.

  4. #1 source of malware is ads on mainstream sites by raymorris · · Score: 5, Insightful

    > If you spend your time avoiding visiting unsavoury websites and have the knowledge not to downloading/open questionable files

    The number 1 source of infections is compromised ads on mainstream sites like Slashdot. Avoiding "unsavoury websites" isn't protecting you. Noscript and an ad blocker would provide much more protection, along with automated offsite backups in a pull configuration (your computer must not be able to delete/overwrite the backups, for ransomware protection).
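The pull-configuration backup raymorris describes in both posts above (the workstation cannot delete or overwrite its own backups) is easier to reason about with a concrete snapshot engine. The following is an added example, not code from the thread: it assumes the backup host has already pulled a copy of the workstation's files into `source` (e.g. rsync over SSH, initiated from the backup host) and that the workstation holds no credentials for the backup host, so the snapshot history stays out of reach of anything running on the workstation.

```python
"""Pull-style snapshot backups with hard-linked history (added example).

Assumed layout (not from the thread): the backup host owns `snapshot_root`
and has just pulled the workstation's files into `source`. Each run creates
a new dated snapshot; older snapshots are never modified, so a ransomware
process on the workstation can only damage what the next pull brings over.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def latest_snapshot(snapshot_root: Path):
    """Most recent snapshot directory, relying on sortable (date) names."""
    snaps = sorted(p for p in snapshot_root.iterdir() if p.is_dir())
    return snaps[-1] if snaps else None


def take_snapshot(source: Path, snapshot_root: Path, name: str) -> Path:
    """Create snapshot_root/name from source.

    Files identical (size and digest) to the previous snapshot are hard-linked
    to that copy, as rsync --link-dest does, so unchanged data costs no extra
    space; changed or new files are copied. Previous snapshots are not touched.
    """
    snapshot_root.mkdir(parents=True, exist_ok=True)
    previous = latest_snapshot(snapshot_root)
    dest = snapshot_root / name
    if dest.exists():
        raise FileExistsError(f"snapshot {name} already exists")
    dest.mkdir()
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source)
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        old = previous / rel if previous is not None else None
        if (old is not None and old.is_file()
                and old.stat().st_size == src_file.stat().st_size
                and file_digest(old) == file_digest(src_file)):
            os.link(old, target)  # shares the inode with the earlier snapshot
        else:
            shutil.copy2(src_file, target)
    return dest


def demo(tmp=None) -> dict:
    """Day-1 backup, a constructed 'encrypting' overwrite on the pulled copy,
    then a day-2 backup. Returns what each snapshot holds for inspection."""
    tmp = Path(tempfile.mkdtemp()) if tmp is None else Path(tmp)
    source = tmp / "pulled-copy"  # what the backup host fetched this run
    snaps = tmp / "snapshots"
    source.mkdir(parents=True, exist_ok=True)
    (source / "thesis.txt").write_bytes(b"draft chapter 1")
    (source / "notes.txt").write_bytes(b"todo list")
    take_snapshot(source, snaps, "2016-01-01")
    # Constructed stand-in for a file the workstation encrypted: the next
    # pull brings the damaged content over, but only into a new snapshot.
    (source / "thesis.txt").write_bytes(b"<encrypted garbage>")
    take_snapshot(source, snaps, "2016-01-02")
    day1, day2 = snaps / "2016-01-01", snaps / "2016-01-02"
    return {
        "day1_thesis": (day1 / "thesis.txt").read_bytes(),
        "day2_thesis": (day2 / "thesis.txt").read_bytes(),
        "notes_shared_inode": (day1 / "notes.txt").stat().st_ino
        == (day2 / "notes.txt").stat().st_ino,
    }


if __name__ == "__main__":
    print(demo())
```

The unchanged file is shared between the two snapshots by hard link, while the day-1 copy of the damaged file survives untouched; retention (how many dated snapshots to keep) is left to the backup host's own policy.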

    1. Re:#1 source of malware is ads on mainstream sites by jbmartin6 · · Score: 2

      It's not idiots. It is just regular people. I've seen people who forward scam emails to the security team religiously fall for a fake email once in a while. On a bad day, just back from vacation with thousands of emails piled up, and they just happen to be expecting a package. The typical tale I hear is something like 'I knew right away I should not have opened it. But...' I've even come close a couple time and I protect against this sort of thing for a living.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  5. Re:Different protections for different threats, en by tlhIngan · · Score: 5, Informative

    If he did -nothing- about security, that would be true. That's not likely the case. More likely, he's using protective strategies that are appropriate for his environment and the threats most prevalent in that environment. The most common threats for Linux machines aren't viruses. Viruses specifically are more of a Windows thing. Not that there are no threats that affect Linux, they are -different- threats.

    Just because Linux doesn't have as many viruses for it, doesn't mean it's immune to viruses. In fact, Linux is probably a very popular carrier for viruses - Linux host gets broken in (usually via a PHP exploit) and some files are dropped onto it and files modified so whenever a Windows host accesses it, it obtains the payload and gets infected.

    Linux may not be harmed by it, but it certainly is an active participant in the propagation of viruses. Mostly because the malware authors want to target users, and 90% of them run Windows. But they can't target Windows servers, because 75% of the servers out there run Linux. So they will exploit those Linux-running servers to plant some Windows malware on there so the Linux host distributes the Windows malware to everyone.

    Linux is a carrier, and perhaps having an anti-virus may be handy if nothing more than to ensure that you're not being part of the problem and serving up stuff that infects other users. The best part is, these scanners need not be intrusive since the host can be assumed to be free of malware, so you're really just looking for bad files.

    Same thing on MacOS - there's no reason to have an antivirus scanner other than to make sure you're not serving up infected files, or to alert you in case you get an email that won't infect you, but may infect someone else if you forward it on or something.

    Google, for example, scans emails and documents for viruses and other malware, not because they can infect Google, but to prevent spread.
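raymorris's mention of Tripwire and tlhIngan's "carrier" scenario (a Linux web host whose own files are fine, but where dropped or edited files get served to Windows clients) point at the same control: a file-integrity baseline that is verified on a schedule. Here is an added example of that check, not code from the thread or from Tripwire; it assumes the baseline is stored where the web server process cannot write to it (or is signed), since an intruder who can regenerate the baseline defeats the check.

```python
"""Baseline-and-verify file integrity check for a web root (added example).

Not Tripwire's code or format. Assumed: the baseline JSON is kept off-host or
in a location the web server's account cannot write, and verification is run
by cron or a similar scheduler; findings are what an operator reviews.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file (path relative to root) to attributes expected to stay fixed."""
    baseline = {}
    for p in sorted(x for x in root.rglob("*") if x.is_file()):
        st = p.stat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": file_digest(p),
            "size": st.st_size,
            "mode": st.st_mode & 0o777,
        }
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline; every difference is a finding."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in current.keys() & baseline.keys()
                           if current[k] != baseline[k]),
    }


def demo(tmp=None) -> dict:
    """Baseline a constructed web root, tamper with it, verify before and after."""
    tmp = Path(tempfile.mkdtemp()) if tmp is None else Path(tmp)
    webroot = tmp / "var" / "www" / "html"
    (webroot / "dl").mkdir(parents=True)
    (webroot / "index.html").write_text("<h1>Welcome</h1>\n")
    (webroot / "dl" / "readme.txt").write_text("downloads\n")
    baseline = build_baseline(webroot)
    # In practice the baseline is written off-host; the JSON round-trip here
    # shows the stored form compares equal to a freshly built one.
    baseline = json.loads(json.dumps(baseline))
    clean = verify(webroot, baseline)
    # Constructed tampering in the carrier pattern: a dropped binary and an
    # edited page. Contents are placeholders, not real malware.
    (webroot / "dl" / "setup.exe").write_bytes(b"MZ<constructed placeholder>")
    (webroot / "index.html").write_text("<h1>Welcome</h1><!-- altered -->\n")
    after = verify(webroot, baseline)
    return {"clean": clean, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A clean run reports nothing; after the constructed tampering, the dropped `dl/setup.exe` appears under "added" and the edited `index.html` under "modified", which is exactly the signal a carrier host needs even though it was never harmed itself.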

  6. Re:Different protections for different threats, en by mark-t · · Score: 2

    That's not my point.... the simple fact that he would even mention it as a contributing factor to not bother with AV software *IS* evidence that it is lulling him into the exact same sense of security that might happen with AV software.

    I run Linux, and I don't bother with AV software either, but it's not because I run Linux, it's because AV software is shit.

  7. I keep my data... by fahrbot-bot · · Score: 3, Funny

    ... inside a locked box that requires a 10-digit code + retinal scan + penis imprint, stored at the bottom of a lake, filled with sharks, wearing lasers.

    Someone once made it to the lock-box, but... I just didn't have to feed the sharks that day.

    I even have a sign posted: Do not look at sharks with remaining good eye.

    --
    It must have been something you assimilated. . . .
  8. I don't run AV and I tell people I don't run AV by Anonymous Coward · · Score: 3, Interesting

    ...but I still install AV on every single system which I set up for other people, and I recommend that they keep using AV. Why? Because it would be considered negligent to omit it. If they get infected, which they inevitably do, then not installing AV would put me in an indefensible position. Asking a professional how they protect their data is a useless endeavor. It doesn't teach you how to keep your data secure, because you don't know all the other things they know which stop them from doing stupid things.

  9. Do you buckle up? by Opportunist · · Score: 2

    And if so, do you drive more recklessly now that you know that you're more likely to survive a crash because of seatbelt and airbag? Most likely not. Your car is still a wreck if you crash.

    The same applies to malware. I do have an AV kit running. But I also know that it ain't no silver bullet. It's not my first but my last line of defense, another layer of security that is there in case everything else failed. Treating it any different is dumb (and yes, I know, there are people out there who go by the logic that they can turn their brains off now that they turned their AV kit on), but simply saying that you don't need it because it gives you a false sense of security isn't too smart either.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Do you buckle up? by KozmoStevnNaut · · Score: 2

      And if so, do you drive more recklessly now that you know that you're more likely to survive a crash because of seatbelt and airbag? Most likely not. Your car is still a wreck if you crash.

      Actually, several studies have shown that the number of accidents and fatalities tend to drop when new safety equipment is made mandatory, but starts to rise again a while later, when people get complacent.

      For instance, when ABS brakes were introduced on a significant number of new cars sold, the accident rate dropped because people were still driving as if they didn't have ABS. Some years later, everyone had gotten used to the shorter stopping distances and started driving much closer to the cars in front, so the accident rate went up again.

      --
      Eat the rich.
    2. Re:Do you buckle up? by Opportunist · · Score: 2

      ABS brakes are a different kind of beast because they do make drivers actually get more reckless due to them noticing they can get away with it. It's different with equipment that only engages once you already wrecked your car.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. Re:The reason why Schneier is a target by Opportunist · · Score: 3, Funny

    "Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes."

    That's amazing. I've got the same security for my luggage.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Security isn't hard by LichtSpektren · · Score: 3, Interesting

    For your average workstation, the easy way to lock it down is by examining all of the vectors that malware can take. From there it's usually simple.

    Probably about 95% of malware comes through malicious websites. Solution: use tools like NoScript and an adblocker. Also use SELinux/AppArmor/grsecurity etc. to make sure that whatever slips by cannot do anything that your browser doesn't have permission to do. If you want to be really safe, only run your browser in a virtual machine (this is the premise of Qubes OS, by the way).

    Also apply SELinux (or whatever you're using) to any programs that have listening Internet ports, like SSH and CUPS.

    If you use a local email client instead of webmail, don't be dumb and allow your client to auto-execute JavaScript or attachments in emails. Also, don't be dumb and mount random peoples' portable drives without some precautions.

  12. Never do anything on the actual computer by myowntrueself · · Score: 2

    Do everything Internet-related in a guest VM.

    I learned this from Joanna Rutkowska; you have at least 3 virtual machines.

    One is 'green' and you only ever use it for very sensitive things like online banking.
    One is 'yellow' and you only ever use it for semi-sensitive things like social media.
    One is 'red' and you do this for random web browsing, searching etc. This one gets re-imaged or reverted to snapshot regularly.

    If you like (and have the system resources for it) you can have multiple 'yellow' VMs for multiple social network sites or email accounts.

    You can set these VMs up on separate networks with routers/firewalls between them. You can use egress filtering on the green VM so that literally the only sites it can possibly reach are your online banking sites.

    You NEVER EVER read email in your green VM or on your host. You NEVER use a web browser in your host.

    The basic red, yellow, green VM setup is very very easy to build, doesn't take a lot of skills. Modern PCs and laptops are quite capable of running these 3 VMs.

    --
    In the free world the media isn't government run; the government is media run.
    1. Re:Never do anything on the actual computer by Qzukk · · Score: 2

      I did exactly this, using Qubes at home. It took a little getting used to, but once you get the hang of it, it makes sense. It greatly reduces the risk of things like XSS and browser exploits leaking banking or other important information. I don't particularly consider myself the enemy of any state, but the increasing number of drive-by exploits targeting Joe Nobody for the purpose of extracting money (whether ransomware, stealing card numbers, whatever) makes this a reasonable course of action even for people not participating in espionage or whatever.

      Shame that trying to game in a VM sucks hard, but that's the tradeoff.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.