IIRC, the original promise of cable TV was that, since I was paying a subscription fee, there would be no advertising. That obviously isn't the case any more. Now, if I choose to pay for cable (I don't watch any TV any more, let alone pay for it, BTW), I am paying for the opportunity to watch commercials.
Given that highly-successful precedent, I can easily foresee your proposed packaging being bastardized in a similar fashion.
Of course, you're still working on the premise that there's stuff on teh Intarweb out there that I'd be willing to pay for, even for a couple bucks a month. Thus far, I've yet to find anything.
Meh! This guy's a lightweight. He believes that those crumpled pieces of paper are actually worth something. Do you think that the gubment'll do anything for them if the banks all go belly up? I don't think so!
/me checks shoulder and runs into closet to caress pile of shiny stones
Agreed, people are idiots, and will likely write their pin on their token using a permanent marker. Still, when their token is gone, they KNOW it is gone. They know that they no longer have the token itself and they know that someone else likely has their pin. The token can then be revoked and the pin changed.
With single-factor auth, the authenticator (a.k.a. the pin) can be "stolen" without the user's knowledge. Their pin still works, they still know it. This gives the bad guy time to do bad stuff. When something goes missing (probably car keys, since tokens are often built to be used as a keychain fob), the user will quickly become aware of this, thus reducing the window of opportunity.
Ah-ha! The problem isn't protecting the highly-intelligent readers of /. from a MiTM attack, it is protecting people like my father from one. Even though the error message would be big, loud, visible, and wouldn't let him move forward without some acknowledgement, more likely than not, he'd simply click "Yes I trust this new key" and move on.
People are stupid. Joe Schmoe was never trained in PKCS#11, the importance of the chain of trust in PKI, or even in proper handling of invalid certificate errors. All Joe wants to do is pay his bills, or buy some porn, or any of a hundred different simple things.
Oh, and J. Random Hax0r doesn't have to compromise a major network provider to get access to banking information. All he has to do is take his laptop and wireless card to the neighborhood Starbucks and MiTM on their wireless. Wireless helps everyone do their jobs easier, even the bad guys.
At the risk of being pedantic, an x.x.x.255 address CAN BE a valid IP address in certain masks. Under the old Class C model (i.e. /24 bit netmask, network is defined by the first 3 bytes, host by the last one), you are correct, 255 is probably broadcast. However, if you switch to a /23 bit netmask, say 10.1.0.0/23, you'd find that 10.1.0.255 is a valid host address, and 10.1.1.255 would probably be the broadcast. Check out Daryl's TCP/IP Primer (http://www.ipprimer.com/bitbybit.cfm for the CIDR information, http://www.ipprimer.com/subnet.cfm for his subnet calculator).
I've long wondered this. What is it about a CEO's job that makes them worth 400 times what I make? No one yet has been able to even explain to me what a CEO does, let alone be able to justify the grandiose pay scale beyond the banal company-prestige argument (you're not a Fortune 500 company unless your CEO makes X million dollars).
OK, really paranoid, conspiracy-theory thought here... Yesterday, Symantec, a vendor with an AV product, releases a report claiming that Mozilla is not as secure as IE. Today, a news story comes out that a download of Mozilla from some website in Korea has been trojaned. Anyone else wondering if Symantec placed the infected files in Korea to boost sales of either their Linux AV product (haven't checked to see if there is one yet) or their security consulting services?
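As an added illustration of the /23 case in the comment above (this is example code, not part of the original post or of the primer it links to), the following Go program applies the netmask bit by bit to decide whether an address is the network address, the broadcast address, or an ordinary host, and it also covers the /31 and /32 edge cases that the comment does not mention. The sample addresses are the ones from the comment.

```go
package main

import (
	"fmt"
	"net"
)

// Role is what an IPv4 address is within a given prefix.
type Role string

const (
	RoleNetwork   Role = "network"
	RoleBroadcast Role = "broadcast"
	RoleHost      Role = "host"
	RoleOutside   Role = "outside" // not inside the prefix at all
)

// ipv4ToUint packs a dotted quad into a 32-bit integer so the netmask
// can be applied with plain bitwise operators.
func ipv4ToUint(ip net.IP) uint32 {
	v4 := ip.To4()
	return uint32(v4[0])<<24 | uint32(v4[1])<<16 | uint32(v4[2])<<8 | uint32(v4[3])
}

// Classify reports whether addr is the network address, the directed
// broadcast address, or an ordinary host address of the IPv4 prefix cidr
// (e.g. "10.1.0.0/23"), or lies outside the prefix entirely.
func Classify(addr, cidr string) (Role, error) {
	ip := net.ParseIP(addr)
	if ip == nil || ip.To4() == nil {
		return "", fmt.Errorf("not an IPv4 address: %q", addr)
	}
	_, network, err := net.ParseCIDR(cidr)
	if err != nil {
		return "", err
	}
	ones, bits := network.Mask.Size()
	if bits != 32 {
		return "", fmt.Errorf("not an IPv4 prefix: %q", cidr)
	}
	// A /n mask is n one-bits followed by (32-n) zero-bits. Shifting a
	// 32-bit word by 32 yields 0 in Go, so /0 needs no special case.
	mask := ^uint32(0) << uint(32-ones)
	a := ipv4ToUint(ip)
	n := ipv4ToUint(network.IP)
	if a&mask != n {
		return RoleOutside, nil
	}
	// RFC 3021 point-to-point /31s and single-host /32s reserve nothing:
	// every address in them is usable by a host.
	if ones >= 31 {
		return RoleHost, nil
	}
	switch a {
	case n: // host bits all zero
		return RoleNetwork, nil
	case n | ^mask: // host bits all one
		return RoleBroadcast, nil
	}
	return RoleHost, nil
}

func main() {
	// Constructed sample inputs taken from the comment's own numbers.
	for _, c := range [][2]string{
		{"10.1.0.255", "10.1.0.0/24"}, // classic /24: broadcast
		{"10.1.0.255", "10.1.0.0/23"}, // same address under a /23: plain host
		{"10.1.1.255", "10.1.0.0/23"}, // the /23's real broadcast
		{"10.1.2.1", "10.1.0.0/23"},   // outside the prefix
	} {
		role, err := Classify(c[0], c[1])
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-12s in %-14s -> %s\n", c[0], c[1], role)
	}
}
```

The practical consequence for anyone writing firewall rules or log filters is that "ends in .255" is not a reliable test for a broadcast address; only the prefix length tells you where the host bits end.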
My late-night googling skills are failing to find a reference, but I remember some stories from a couple years back about AV companies writing and releasing new viruses to pad their list of known viruses. If that was true, then I wouldn't put a stunt like this past them.
What a steaming pile of bullcrap! If the story had been that Yahoo! had complied with an investigation into a child molester in the US, then there would have been no story. Yahoo! was simply complying with the laws of a country that Yahoo! has operations in. Big deal.
Yahoo! is a publicly-traded company. Its shareholders want one thing: more money. For Yahoo! to pull out of the biggest growing economy in the world would be suicide. If they want to operate in China, guess what? They have to abide by Chinese laws. Their only options if they don't are to follow the political process in China to change the laws or to pull out of China entirely. There is no special Most Favored Corporation status that magically protects Yahoo! and makes it so they don't have to follow the laws just because they're popular with a bunch of pimple-faced, 40 year old virgins.
You think China's bad, then DO SOMETHING ABOUT IT! Don't just sit here bitching about how someone else didn't.
Ahh, but the LEOs have a point. In my job, finding suitable evidence to convince HR is a far cry from finding suitable evidence that'd convince a jury of people who aren't smart enough to talk themselves out of jury duty that the cookie file, combined with this bunch of bits that were supposedly deleted and the mumbo-jumbo from the proxy logs means this particular person actively downloaded the picture of the squirrel-porker.
And that's completely ignoring the whole law thing. I mean, maintaining chain of custody and making sure that only things that are looked at were supposed to be according to the wording of the subpoena are positively trivial. Especially when dealing with crimes that cross jurisdictions and/or state lines. Given the tendency of most geeks to try to get around this little problem (DMCA anyone?), it is probably much more likely that you can teach an existing LEO computers than you can find a true geek and make him not only understand, but also ABIDE BY the law :-)
Granted, a supposed expert who can't figure out proxy logs and cookies isn't very much of an expert, but he does have a point. I do computer forensics for one of my clients, and not only have I never run into a single case where the suspect deliberately hid their activity in the 7 years I've been doing this, but most of them are so unbelievably stupid that they:
surf porn at work
during business hours
in open cubicles
with the monitor facing the hallway
when tour groups are going through the building
and when tech support is at the next desk
For the vast majority of cases I've seen, finding evidence isn't really the problem. Explaining what the evidence means to HR/Legal is MUCH more difficult.
Re:"Always trust code from Microsoft" on Do You Code Sign? · Score: 1
You're correct. The popup, if it occurs, is asking if you trust that particular certificate. The problem with chain-of-trust occurs when your system is configured to trust any certs signed by a trusted cert (i.e. your browser). In those cases, if the chain is broken, as it was with the Verisign/Microsoft event, the end user will NOT get prompted at all for the malicious traffic, just as they will not be prompted for going to an official Microsoft SSL site.
The CA certs are preloaded in browsers because a) end users are not capable of making valid decisions in this space, and b) Microsoft/Netscape/Mozilla/whomever decided that those certificate providers were fairly commonly used. Even though the certificate purpose is that of establishing trust, browsers set up certificate acceptance based on end-user convenience.
Agreed! I'm quite certain that, given enough time and effort, I could probably get it working. I put a couple days work into it and decided that the path-of-least-resistance would be to use it as a file share and syslog server and save the more complicated tasks for more complicated hardware.
I've been reading Bruce's writings for several years now. I've even met the man and had dinner with him. To be honest, I'm not entirely sure what keeps him going.
One common comment at his blog is that most of his writings point out the flaws, but few point out solutions. A perfectly valid criticism, and quite accurate. Having worked in the computer security industry for nearly ten years now, I am coming to the conclusion that there may be no solution. We've all heard the joke about the only secure computer (no power, locked in a safe, encased in concrete, and at the bottom of the ocean), and laughingly made comments about how security would be easier if it weren't for the users, but have we really thought about that?
I've written several comments on /. regarding security, and I'm starting to come up with a trend: it isn't possible to really secure the computer if the end-user doesn't understand and/or care about security. Here on /. there are many, many people who care and understand. I run multiple firewalls on my systems AT HOME, plus antivirus and antispyware programs. I actually review my logs. I don't run any program that was written more recently than my AV updates. I'm what most "normal" people would consider paranoid. And I still run into issues.
Since I work in the industry, I am really struggling with this. I believe in security, I desire security, I really, really WANT security. I also see that none of my efforts will bring it as long as people are involved. People make coding mistakes. People are greedy. People are petty. People are malicious. The same instincts at work looting in New Orleans tonite lead some people to do anything in their power to hack other people's systems. The rest of the people, the so-called good people, sit at home and want their computers to be as simple as their toasters. They don't want to have to know about viruses, spyware, phishing, and Nigerian 419 scams. They want email, smilies, and porn.
Regardless of how despondent I feel about security in general, security theater really pisses me off. When I see a product or a process being sold as perfect security or as any kind of silver bullet, I just have to yell. People believing that one relatively good tool will fix everything is bad enough, but when they're told that a worthless tool will fix all their problems...
In theory, code signing has the potential in some environments to limit the risks from certain vulnerabilities. In practice, code signing for the masses is worse than worthless, because Joe User sees "Do you trust Microsoft?" and honestly believes that the code will do him no harm. He will then download and run any program, regardless of where it actually came from, as long as he gets presented with another "Do you trust Microsoft?" button, because he's been conditioned to say "Yes" by Windows Update. In this case (i.e. for general use on the Internet), the "all or nothing" concept is appropriate. Joe User would be far better off treating every application with suspicion than learning that the Code Signing Fairy will bless certain bits and everything else will be covered in foul-smelling, rotten tomatoes. There is no way that the code signing theory is applicable in general use, so using it is a bad idea.
Now that I'm sufficiently depressed, I think I hear a bottle of Jack Daniels calling me
Code signing for trust on Do You Code Sign? · Score: 4, Insightful
You state that several of Bruce's arguments do not apply, since code signing wasn't designed to solve problem A or problem B. Unfortunately, this isn't an issue of what signing was designed to solve, it is a question of what the end user thinks code signing is for.
If the end user is presented with pop-ups asking "Do you want to trust code from Company X?", the user will be making a decision about that trust. They may (or may not) be concerned with questions such as "Will this code crash my computer?" or "Is this a Trojan horse?". They couldn't care less if the code was really authored by Simon P. Coder while under the employ of Company X. When they click "Always Trust", if they're thinking at all (not guaranteed), they will think that the code is safe, won't crash, and won't have extra "features" that steal their private information.
This is Bruce's point. Because of the presentation and implementation issues, most end users are left with the impression that signed code==good code, an impression that is not always accurate. If the technology is leading the end users to believe things that simply aren't true, there is a problem. In certain, limited, tightly-controlled environments, code signing can work as intended. In general, it is at best an annoyance to the end users and at worst a complete fraud.
Re:"Always trust code from Microsoft" on Do You Code Sign? · Score: 5, Informative
In addition to the two points on what you are trusting Microsoft to do, there is a third, even more important, thing that you are trusting. By "trusting" the signed code, you are also trusting the chain of certificates involved.
"Huh?" you say? "WTF does that mean?" Most of the time, the certificate that was used to sign the code was also signed by another certificate. This is supposed to establish a chain of trust. In Microsoft's example, their root certificate may be signed by Verisign. The theory is that Verisign is trusted by everybody, and therefore if Verisign signs someone's key, the signed key can also be trusted.
Unfortunately, the theory breaks down. There was a well-publicized instance where Verisign issued a code-signing certificate to someone claiming to be from Microsoft who actually wasn't. When Verisign screws up, or otherwise proves themselves to be not trustworthy, then the end user is left with trying to figure out which "Microsoft" keys are good and which ones aren't. Above and beyond the fact that many users aren't equipped to make those decisions, the vast majority simply don't care.
In a closed-form environment (i.e. inside a company with a PKI in place, physical security on the PKI servers and root key, documented procedures for establishing the identities of the cert requestors, where the apps being signed are for internal use only), code signing, and even chain of trust, mostly works. Once you get out of that tight model, the signature on the code only says "This code was signed by someone claiming to be Microsoft".
I have an NSLU2 (affectionately called the slug), and have successfully performed the upgrade to Unslung. Let me tell you, this is not a good platform for someone looking to learn on.
Beyond the memory constraints (only 32mb of RAM), it isn't x86-based, so you'll have to take what someone else thought was a good configuration for pre-compiled binaries, cross-compile on another linux box, or endure the hideously slow compile process on the slug as it enters paging hell due to the low RAM. Even once I got everything I thought I wanted on it (Apache, MySQL, and PHP), I found that not everything worked, so I couldn't run my desired app (Gallery).
As it stands, I only use the box for tcpdump and as a syslog server. Works OK for that, but given the $100+ I spent on the slug and the external drive, I'd say it's far overpriced for what I got.
Why be concerned? My understanding (limited at best, I admit) of Darwinism says that occasionally, a random mutation turns out to be beneficial and the offspring of said mutation are better able to survive than "normals". Maybe, instead of being the bane of humanity, this $12,000 wienie roaster will enable us to evolve into something much better!
Let me be the first to welcome our new three-armed overlords!
Software firewalls can work. A company I work with has over 10k laptops in use, and nearly all of them run a standard firewall package. It has centralized logging, so we can tell when someone disables it and/or uninstalls it. Those users are warned once and then walked out the door if it happens again, even managers. Patch management is handled automatically, so when a user logs on, the patch is pushed to them. If the firewalls are configured intelligently (i.e. absolutely NO MS networking allowed when in an untrusted network), patches are maintained, and antivirus software is in place, the virus problem gets much more manageable.
Add to that an IDS that has provisions to automatically identify propagating worms inside the company, interfaces with the trouble-ticketing system, and a process through which access control lists are applied to the appropriate routers within 15 minutes, and you have a method for dealing with viruses quickly and without a bunch of manpower. These days, a bad virus outbreak for me is 2-3 computers, and we've got well over 40k end users.
First, how is not being able to get anything accomplished any different from when their computers are working? [rimshot]
But seriously, you couldn't pay me enough to take that job. Why? Because I know that there are 12,000 computers out there that need patching, lack firewalls, lack antivirus protection, and probably lack spyware protection. It is likely that there are 12,000 users who need education regarding the changes in how their computers will work, and 0 users who will appreciate being told that they can't use Bonzi Buddy any more. It is obvious that there is no patch management infrastructure in place, so the first round of updates will be largely manual and performed simultaneously with architecture revisions that will lead to patch management in the future. We can also tell that there are potentially systemic roadblocks to good computer security within the management structure and that anyone who comes in to "fix the problem" will be given the axe if the next virus hits before all the necessary changes can be completed.
Nope, I'm much happier staying away from sinking ships, even if I am a rat :-)
And if you truly are a fortune 500 company, you should be leaning on any software vendor heavily to make them work to keep their software working.
Ahh, I've heard that one before, but unfortunately, just because I'm at a Fortune 500, or even Fortune 100, company doesn't mean my company has much leverage with Microsoft.
I mean, think about it. My guess is that companies from 100-500 in the Fortune list have fewer than 50,000 MS systems per company (numbers grabbed from a company I work with and rough guessing based on SEC filings for number of employees). So, all together, those 400 companies have maybe 20,000,000 systems. Big number, sure, but compare that to the total number of (legal) MS licenses in the wild. If just 60% of people in the US have a computer, that's still 144 million computers. There's millions more home computers in the rest of the world, not to mention all the computers in the companies that are too small to be in the Fortune list. Furthermore, it isn't likely that big corporations would band together to form a purchasing lobby, so Ford's buying power is theirs alone, and not combined with GM and Daimler.
Simple fact is that, to Microsoft, 50k licenses is not a lot of revenue compared to the rest of their customers. Also, given that there are no alternatives that are regarded as viable by managers by which a valid threat of "Fix this or we leave" can be made. Even if there was an alternative, the costs of switching 50,000 computers to different OS, office suite, etc. and retraining every single user FAR outweigh the incremental costs of patching Windows every month and even of having entire locations down for a day (check out Caterpillar's stock price history this week... not much change, eh?). Microsoft would know that GM has no real option to move all their users to platform X, so the threat is an empty one.
Of course, if there was a viable alternative (Mac?) and GM, Ford, Daimler, IBM, Oracle, Sun, Walmart, and Chase all banded together into a single purchasing block to negotiate with Microsoft, it is possible that MS would pay attention. Until then, it simply isn't profitable to really shift their whole development efforts to a complete bottoms-up redesign of every single one of their products making security a priority.
Is anyone but me getting sick of these companies releasing "free" tools that require you to register for their incessant spam, phone calls, and other marketing harassment in order to download? Yes, I understand that they spent money to develop the tool, but what if I want to scan my home network? MySQL isn't too bad, at least. They have the marketing signup, should you be interested, but provide a link to download without all the crap.
[Wanders off muttering about the good old days of gopher and archie]
I bought a NSLU-2 after the /. story on running Debian on it. Let me tell you, it isn't quite ready for prime-time.
The basic out-of-the-box functionality is OK (i.e. Samba server with web config), but since I got it to run as a server, I looked into reflashing it. The Debian stuff that was listed in the /. story (sorry for no link, but it was in the past 2-3 weeks) doesn't include net drivers that work, so that was out. I went with Unslung, and that went fine, but then reality set in.
I wanted to run a web server using Gallery, but the thttpd server that's compiled for it doesn't do PHP or CGI very well, so that was out. Every other thing I tried, especially Apache, sent the poor thing into swap hell due to the intersection of huge code (apache) and 32 Meg of RAM.
In the end, I gave up, installed Apache on my desktop and configured it to auto-standby every 15 minutes with Wake On Lan enabled. Gets me closer to an always-on webserver that doesn't eat electricity for breakfast.
Still have the Slug, but it's just hiding in a corner now, waiting for a purpose.
While I nodded my head in agreement to your post, I figure that you forgot to add some key bits:
Writing policies that are rejected, making integration recommendations that are rejected, attending spec meetings and having your suggestions ignored, reviewing logs that no one else cares about, etc...
Not only are most InfoSec careers unglamorous, they can also have the tendency to grind your pride, passion, determination, and enthusiasm for life in general into dust.
Bitter? Definitely. On the other hand, there are days where you get the opportunity to do a forensic analysis of some stupid schmuck's computer to find the porn collection that he's been amassing 8 hours a day for 20 years, so there are perks!
Kings Cross and Charing Cross stations? You know, this might not be normal terrorists after all. Harry Potter book 6 comes out in a week or two, this could be a publicity stunt by Rowling's publicity engine. Wonder if Voldemort's going to claim responsibility.
Sniff, sniff. What's that smell? My karma, up in flames :-)
human history is chock full of headless Good Samaritans.
Thank you! I now have a new signature on my email at work! :-)
Agreed, people are idiots, and will likely write their pin on their token using a permanent marker. Still, when their token is gone, they KNOW it is gone. They know that they no longer have the token itself and they know that someone else likely has their pin. The token can then be revoked and the pin changed.
With single-factor auth, the authenticator (a.k.a. the pin) can be "stolen" without the user's knowledge. Their pin still works, they still know it. This give the bad guy time to do bad stuff. When something goes missing (probably car keys, since tokens are often built to be used as a keychain fob), the user will quickly become aware of this, thus reducing the window of oppertunity.
Ah-ha! The problem isn't protecting the highly-intelligent readers of /. from a MiTM attack, it is protecting people like my father from one. Even though the error message would be big, loud, visible, and wouldn't let him move forward without some acknowledgement, more likely than not, he'd simply click "Yes I trust this new key" and move on.
People are stupid. Joe Schmoe was never trained in PKCS#11, the importance of the chain of trust in PKI, or even in proper handling of invalid certificate errors. All Joe wants to do is pay his bills, or buy some porn, or any of a hundred different simple things.
Oh, and J. Random Hax0r doesn't have to compromize a major network provider to get access to banking information. All he has to do is take his laptop and wireless card to the neighborhood Starbucks and to MiTM on their wireless. Wireless helps everyone do their jobs easier, even the bad guys.
At the risk of being pedantic, a x.x.x.255 address CAN BE a valid IP address in certain masks. Under the old Class C model (i.e. /24 bit netmask, network is defined by the first 3 bytes, host by the last one), you are correct, 255 is probably broadcast. However, if you switch to a /23 bit netmask, say 10.1.0.0/23, you'd find that 10.1.0.255 is a valid host address, and 10.1.1.255 would probably be the broadcast. Check out Daryl's TCP/IP Primer (http://www.ipprimer.com/bitbybit.cfm for the CIDR information, http://www.ipprimer.com/subnet.cfm for his subnet calculator).
I've long wondered this. What is it about a CEO's job that makes them worth 400 times what I make? No one yet has been able to even explain to me what a CEO does, yet alone be able to justify the grandiose pay scale beyond the banal company-prestige argument (you're not a Fortune 500 company unless your CEO makes X million dollars).
OK, really paranoid, conspiracy-theory thought here... Yesterday, Symantec, a vendor with an AV product, releases a report claiming that Mozilla is not as secure as IE. Today, a news story comes out that a download of Mozilla from some website in Korea has been trojaned. Anyone else wondering if Symantec placed the infected files in Korea to boost sales of either their Linux AV product (haven't checked to see if there is one yet) or their security consluting services?
My late-night googling skills are failing to find a reference, but I remember some stories from a couple years back about AV companies writing and releasing new viruses to pad their list of known viruses. If that was true, then I wouldn't put a stunt like this past them.
What a steaming pile of bullcrap! If the story had been that Yahoo! had complied with an investigation into a child molester in the US, then there would have been no story. Yahoo! was simply complying with the laws of a country that Yahoo! has operations in. Big deal.
Yahoo! is a publicly-traded company. Its shareholders want one thing: more money. For Yahoo! to pull out of the biggest growing economy in the world wold be suicide. If they want to operate in China, guess what? They have to abide by Chinese laws. Their only options if they don't are to follow the political process in China to change the laws or to pull out of China entirely. There is no special Most Favored Corporation status that magically protects Yahoo! and makes it so they don't have to follow the laws just because they're popular with a bunch of pimple-faced, 40 year old virgins.
You think China's bad, then DO SOMETHING ABOUT IT! Don't just sit here bitching about how someone else didn't.
Ahh, but the LEOs have a point. In my job, finding suitable evidence to convince HR is a far cry from finding suitable evidence that'd convince a jury of people who aren't smart enough to talk themselves out of jury duty that the cookie file, combined with this bunch of bits that were supposedly deleted and the mumbo-jumbo from the proxy logs means this particular person actively downloaded the picture of the squirrel-porker.
And that's completely ignoring the whole law thing. I mean, maintaining chain of custody and making sure that only things that are looked at were supposed to be according to the wording of the subpoena are positively trivial. Especially when dealing with crimes that cross jurisdictions and/or state lines. Given the tendency of most geeks to try to get around this little problem (DMCA anyone?), it is probably much more likely that you can teach an existing LEO computers than you can find a true geek and make him not only understand, but also ABIDE BY the law :-)
Granted, a supposed expert who can't figure out proxy logs and cookies isn't very much of an expert, but he does have a point. I do computer forensics for one of my clients, and not only have I never run into a single case where the suspect deliberately hid their activity in the 7 years I've been doing this, but most of them are so unbelieveably stupid that they:
For the vast majority of cases I've seen, finding evidence isn't really the problem. Explaining what the evidence means to HR/Legal is MUCH more difficult.
You're correct. The popup, if it occurs, is asking if you trust that particular certificate. The problem with chain-of-trust occurs when your system is configured to trust any certs signed by a trusted cert (i.e. your browser). In those cases, if the chain is broken, as it was with the Verisign/Microsoft event, the end user will NOT get prompted at all for the malicious traffic, just as they will not be prompted for going to an official Microsoft SSL site.
The CA certs are preloaded in browsers because a) end users are not capable of making valid decisions in this space, and b) Microsoft/Netscape/Mozilla/whomever decided that those certificate providers were fairly commonly used. Even though the certificate purpose is that of establishing trust, browsers set up certificate acceptance based on end-user convenience.
Agreed! I'm quite certain that, given enough time and effort, I could probably get it working. I put a couple days work into it and decided that the path-of-least-resistance would be to use it as a file share and syslog server and save the more complicated tasks for more complicated hardware.
I've been reading Bruce's writings for several years now. I've even met the man and had dinner with him. To be honest, I'm not entirely sure what keeps him going.
One common comment at his blog is that most of his writings point out the flaws, but few point out solutions. A perfectly valid criticism, and quite accurate. Having worked in the computer security industry for nearly ten years now, I am coming to the conclusion that there may be no solution. We've all heard the joke about the only secure computer (no power, locked in a safe, encased in concrete, and at the bottom of the ocean), and laughingly made comments about how security would be easier if it weren't for the users, but have we really thought about that?
I've written several comments on /. regarding security, and I'm starting to come up with a trend: it isn't possible to really secure the computer if the end-user doesn't understand and/or care about security. Here on /. there are many, many people who care and understand. I run multiple firewalls on my systems AT HOME, plus antivirus and antispyware programs. I actually review my logs. I don't run any program that was written more recently than my AV updates. I'm what most "normal" people would consider paranoid. And I still run into issues.
Since I work in the industry, I am really struggling with this. I believe in security, I desire security, I really, really WANT security. I also see that none of my efforts will bring it as long as people are involved. People make coding mistakes. People are greedy. People are petty. People are malicious. The same instincts at work looting in New Orleans tonite lead some people to do anything in their power to hack other people's systems. The rest of the people, the so-called good people, sit at home and want their computers to be as simple as their toasters. They don't want to have to know about viruses, spyware, phishing, and Nigerian 419 scams. They want email, smilies, and porn.
Regardless of how despondent I feel about security in general, security theater really pisses me off. When I see a product or a process being sold as perfect security or as any kind of silver bullet, I just have to yell. People believing that one relatively good tool will fix everything is bad enough, but when they're told that a worthless tool will fix all their problems...
In theory, code signing has the potential in some environments to limit the risks from certain vulnerabilities. In practice, code signing for the masses is worse than worthless, because Joe User sees "Do you trust Microsoft?" and honestly believes that the code will do him no harm. He will then download and run any program, regardless of where it actually came from, as long as he gets presented with another "Do you trust Microsoft?" button, because he's been conditioned to say "Yes" by Windows Update. In this case (i.e. for general use on the Internet), the "all or nothing" concept is appropriate. Joe User would be far better off treating every application with suspicion than learning that the Code Signing Fairy will bless certain bits and everything else will be covered in foul-smelling, rotten tomatoes. There is no way that the code signing theory is applicable in general use, so using it is a bad idea.
Now that I'm sufficiently depressed, I think I hear a bottle of Jack Daniels calling me
You state that several of Bruce's arguments do not apply, since code signing wasn't designed to solve problem A or problem B. Unfortunately, this isn't an issue of what signing was designed to solve, it is a question of what the end user thinks code signing is for.
If the end user is presented with pop-ups asking "Do you want to trust code from Company X?", the user will be making a decision about that trust. They may (or may not) be concerned with questions such as "Will this code crash my computer?" or "Is this a Trojan horse?". They couldn't care less if the code was really authored by Simon P. Coder while under the employ of Company X. When they click "Always Trust", if they're thinking at all (not guaranteed), they will think that the code is safe, won't crash, and won't have extra "features" that steal their private information.
This is Bruce's point. Because of the presentation and implementation issues, most end users are left with the impression that signed code==good code, an impression that is not always accurate. If the technology is leading the end users to believe things that simply aren't true, there is a problem. In certain, limited, tightly-controlled environments, code signing can work as intended. In general, it is at best an annoyance to the end users and at worst a complete fraud.
In addition to the two points on what you are trusting Microsoft to do, there is a third, even more important, thing that you are trusting. By "trusting" the signed code, you are also trusting the chain of certificates involved.
"Huh?" you say? "WTF does that mean?" Most of the time, the certificate that was used to sign the code was also signed by another certificate. This is supposed to establish a chain of trust. In Microsoft's example, their root certificate may be signed by Verisign. The theory is that Verisign is trusted by everybody, and therefore if Verisign signs someone's key, the signed key can also be trusted.
Unfortunately, the theory breaks down. There was a well-publicized instance where Verisign issued a code-signing certificate to someone who claimed to be from Microsoft but actually wasn't. When Verisign screws up, or otherwise proves themselves to be not trustworthy, then the end user is left with trying to figure out which "Microsoft" keys are good and which ones aren't. Above and beyond the fact that many users aren't equipped to make those decisions, the vast majority simply don't care.
In a closed-form environment (i.e. inside a company with a PKI in place, physical security on the PKI servers and root key, documented procedures for establishing the identities of the cert requestors, where the apps being signed are for internal use only), code signing, and even chain of trust, mostly works. Once you get out of that tight model, the signature on the code only says "This code was signed by someone claiming to be Microsoft".
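As an added illustration of the chain-of-trust point in this post and of the "Do you trust Microsoft?" prompt discussed earlier (example code written for this page, not from any poster), here is a toy model in which a CA signs certificates and certificates sign code. The RSA keys, the CA, the vendor and the imposter are all constructed; a check keyed on the subject name accepts the mis-issued certificate, while pinning the vendor's already-known key rejects it.

```python
import hashlib

# Textbook RSA with tiny hand-picked primes: a toy signature scheme for illustration
# only (constructed for this example; real code signing uses X.509 and standard schemes).
def make_key(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, pow(e, -1, phi)  # (public key, private exponent)
def digest(data, n):  # hash reduced into the toy modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(pub, priv, data):
    return pow(digest(data, pub["n"]), priv, pub["n"])
def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])

def cert_bytes(subject, pub):  # what the CA vouches for: a name bound to a key
    return f"{subject}|{pub['n']}|{pub['e']}".encode()

def issue_cert(ca_pub, ca_priv, subject, pub):
    sig = sign(ca_pub, ca_priv, cert_bytes(subject, pub))
    return {"subject": subject, "pub": pub, "ca_sig": sig}

def chain_valid(ca_pub, cert, code, code_sig):
    # Step 1: CA signature over the certificate; step 2: certificate key over the code.
    return (verify(ca_pub, cert_bytes(cert["subject"], cert["pub"]), cert["ca_sig"])
            and verify(cert["pub"], code, code_sig))

def trusted_by_name(ca_pub, cert, code, code_sig, expected="Microsoft"):
    # What a "Do you trust Microsoft?" prompt effectively checks: valid chain plus the name.
    return chain_valid(ca_pub, cert, code, code_sig) and cert["subject"] == expected

def trusted_by_pinned_key(ca_pub, cert, code, code_sig, pinned_pub):
    # Mitigation: also require the exact key already known to belong to the vendor.
    return chain_valid(ca_pub, cert, code, code_sig) and cert["pub"] == pinned_pub

# Constructed scenario: one CA, the real vendor, and an imposter to whom the CA
# wrongly issued a certificate carrying the vendor's name.
CA_PUB, CA_PRIV = make_key(257, 263)
REAL_PUB, REAL_PRIV = make_key(269, 271)
FAKE_PUB, FAKE_PRIV = make_key(277, 281)
REAL_CERT = issue_cert(CA_PUB, CA_PRIV, "Microsoft", REAL_PUB)
FAKE_CERT = issue_cert(CA_PUB, CA_PRIV, "Microsoft", FAKE_PUB)  # the mis-issuance

def scenario(code=b"installer bytes (constructed)"):
    real_sig, fake_sig = sign(REAL_PUB, REAL_PRIV, code), sign(FAKE_PUB, FAKE_PRIV, code)
    return {
        "real_by_name": trusted_by_name(CA_PUB, REAL_CERT, code, real_sig),
        "fake_by_name": trusted_by_name(CA_PUB, FAKE_CERT, code, fake_sig),  # True: same name
        "real_pinned": trusted_by_pinned_key(CA_PUB, REAL_CERT, code, real_sig, REAL_PUB),
        "fake_pinned": trusted_by_pinned_key(CA_PUB, FAKE_CERT, code, fake_sig, REAL_PUB),
        "tampered": chain_valid(CA_PUB, REAL_CERT, code + b"!", real_sig),
    }
```

The chain itself checks out for both certificates; only the subject name or a pinned key distinguishes them, which is exactly why the signature alone says no more than "signed by someone the CA called Microsoft".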
I have an NSLU2 (affectionately called the slug), and have successfully performed the upgrade to Unslung. Let me tell you, this is not a good platform for someone looking to learn on.
Beyond the memory constraints (only 32 MB of RAM), it isn't x86-based, so you'll have to take what someone else thought was a good configuration for pre-compiled binaries, cross-compile on another Linux box, or endure the hideously slow compile process on the slug as it enters paging hell due to the low RAM. Even once I got everything I thought I wanted on it (Apache, MySQL, and PHP), I found that not everything worked, so I couldn't run my desired app (Gallery).
As it stands, I only use the box for tcpdump and as a syslog server. Works OK for that, but given the $100+ I spent on the slug and the external drive, I'd say it's far overpriced for what I got.
Why be concerned? My understanding (limited at best, I admit) of Darwinism says that occasionally, a random mutation turns out to be beneficial and the offspring of said mutation are better able to survive than "normals". Maybe, instead of being the bane of humanity, this $12,000 wienie roaster will enable us to evolve into something much better!
Let me be the first to welcome our new three-armed overlords!
Software firewalls can work. A company I work with has over 10k laptops in use, and nearly all of them run a standard firewall package. It has centralized logging, so we can tell when someone disables it and/or uninstalls it. Those users are warned once and then walked out the door if it happens again, even managers. Patch management is handled automatically, so when a user logs on, the patch is pushed to them. If the firewalls are configured intelligently (i.e. absolutely NO MS networking allowed when in an untrusted network), patches are maintained, and antivirus software is in place, the virus problem gets much more manageable. Add to that an IDS that has provisions to automatically identify propagating worms inside the company, interfaces with the trouble-ticketing system, and a process through which access control lists are applied to the appropriate routers within 15 minutes, and you have a method for dealing with viruses quickly and without a bunch of manpower. These days, a bad virus outbreak for me is 2-3 computers, and we've got well over 40k end users.
First, how is not being able to get anything accomplished any different from when their computers are working? [rimshot]
But seriously, you couldn't pay me enough to take that job. Why? Because I know that there are 12,000 computers out there that need patching, lack firewalls, lack antivirus protection, and probably lack spyware protection. It is likely that there are 12,000 users who need education regarding the changes in how their computers will work, and 0 users who will appreciate being told that they can't use Bonzi Buddy any more. It is obvious that there is no patch management infrastructure in place, so the first round of updates will be largely manual and performed simultaneously with architecture revisions that will lead to patch management in the future. We can also tell that there are potentially systemic roadblocks to good computer security within the management structure and that anyone who comes in to "fix the problem" will be given the axe if the next virus hits before all the necessary changes can be completed.
Nope, I'm much happier staying away from sinking ships, even if I am a rat :-)
And if you truly are a fortune 500 company, you should be leaning on any software vendor heavily to make them work to keep their software working.
Ahh, I've heard that one before, but unfortunately, just because I'm at a Fortune 500, or even Fortune 100, company doesn't mean my company has much leverage with Microsoft.
I mean, think about it. My guess is that companies from 100-500 in the Fortune list have fewer than 50,000 MS systems per company (numbers grabbed from a company I work with and rough guessing based on SEC filings for number of employees). So, all together, those 400 companies have maybe 20,000,000 systems. Big number, sure, but compare that to the total number of (legal) MS licenses in the wild. If just 60% of people in the US have a computer, that's still 144 million computers. There are millions more home computers in the rest of the world, not to mention all the computers in the companies that are too small to be in the Fortune list. Furthermore, it isn't likely that big corporations would band together to form a purchasing lobby, so Ford's buying power is theirs alone, and not combined with GM and Daimler.
Simple fact is that, to Microsoft, 50k licenses is not a lot of revenue compared to the rest of their customers. Also, there are no alternatives that are regarded as viable by managers, so no valid threat of "Fix this or we leave" can be made. Even if there was an alternative, the costs of switching 50,000 computers to a different OS, office suite, etc. and retraining every single user FAR outweigh the incremental costs of patching Windows every month and even of having entire locations down for a day (check out Caterpillar's stock price history this week... not much change, eh?). Microsoft would know that GM has no real option to move all their users to platform X, so the threat is an empty one.
Of course, if there was a viable alternative (Mac?) and GM, Ford, Daimler, IBM, Oracle, Sun, Walmart, and Chase all banded together into a single purchasing bloc to negotiate with Microsoft, it is possible that MS would pay attention. Until then, it simply isn't profitable to really shift their whole development effort to a complete bottom-up redesign of every single one of their products making security a priority.
Is anyone but me getting sick of these companies releasing "free" tools that require you to register for their incessant spam, phone calls, and other marketing harassment in order to download? Yes, I understand that they spent money to develop the tool, but what if I want to scan my home network? MySQL isn't too bad, at least. They have the marketing signup, should you be interested, but provide a link to download without all the crap.
[Wanders off muttering about the good old days of gopher and archie]
I bought an NSLU-2 after the /. story on running Debian on it. Let me tell you, it isn't quite ready for prime-time.
The basic out-of-the-box functionality is OK (i.e. Samba server with web config), but since I got it to run as a server, I looked into reflashing it. The Debian stuff that was listed in the /. story (sorry for no link, but it was in the past 2-3 weeks) doesn't include net drivers that work, so that was out. I went with Unslung, and that went fine, but then reality set in.
I wanted to run a web server using Gallery, but the thttpd server that's compiled for it doesn't do PHP or CGI very well, so that was out. Every other thing I tried, especially Apache, sent the poor thing into swap hell due to the intersection of huge code (apache) and 32 Meg of RAM.
In the end, I gave up, installed Apache on my desktop and configured it to auto-standby every 15 minutes with Wake On Lan enabled. Gets me closer to an always-on webserver that doesn't eat electricity for breakfast.
Still have the Slug, but it's just hiding in a corner now, waiting for a purpose.
While I nodded my head in agreement to your post, I figure that you forgot to add some key bits:
Writing policies that are rejected, making integration recommendations that are rejected, attending spec meetings and having your suggestions ignored, reviewing logs that no one else cares about, etc...
Not only are most InfoSec careers unglamorous, they can also have the tendency to grind your pride, passion, determination, and enthusiasm for life in general into dust.
Bitter? Definitely. On the other hand, there are days when you get the opportunity to do a forensic analysis of some stupid schmuck's computer to find the porn collection that he's been amassing 8 hours a day for 20 years, so there are perks!
Kings Cross and Charing Cross stations? You know, this might not be normal terrorists after all. Harry Potter book 6 comes out in a week or two, this could be a publicity stunt by Rowling's publicity engine. Wonder if Voldemort's going to claim responsibility.
Sniff, sniff. What's that smell? My karma, up in flames :-)