Slashdot Mirror


User: Tom

Tom's activity in the archive.


Comments · 10,601

  1. Re:How to make any antivirus software safer? on Dodging Russian Spies, Customers Are Ripping Out Kaspersky (thedailybeast.com) · · Score: 1

    I expect an idiot to do that over and over again.

    You need to go back to university and take a couple lessons in design. Not UI-design, ordinary design.

    If the door doesn't visually indicate if you need to push or pull, people will mix it, even if there are signs that say "push" or "pull". In fact, every time you see one of those labels, a door designer fucked it up. The same way that every time you see an IT "expert" blaming stupid idiot losers, a UI designer fucked it up.

    Computers have literally been re-designed For Dummies now

    The elitism strong with this one is.

    Guess what, if you build something useful, people want to use it. If that's a surprise, university might be too advanced.

    no matter how many times I've done my job to try and teach them.

    If you teach something and people don't learn it - maybe you're not teaching it right?

    We continue to deal with idiots because we're paid well.

    I don't deal with idiots.

    I deal with humans. Humans whose job is not to nurse my IT system, but to manage the production line, or run the legal department, or properly calculate the company tax statement. I'm paid not for making their life more difficult or claiming they are idiots. I'm paid for making the company secure with as little productivity impact as possible.

    Human beings make mistakes. Some of them repeatedly. A good fraction of us wouldn't be here if our parents hadn't made a few mistakes. Designing secure systems around fallible components is half the challenge.

  2. Re:How to make any antivirus software safer? on Dodging Russian Spies, Customers Are Ripping Out Kaspersky (thedailybeast.com) · · Score: 1

    So what?

    As I said, I use the same two passwords for all the sites that mean little to me. Sure, if you get hold of it, you can post in my name not to one, but to 20 forums. The sky is falling. Seriously, it would cost me more headache to change all those passwords than it would to lose access to all of those sites.

    Risk analysis is not only for companies. Before implementing some security method, always ask yourself what the actual threat is. My bank account, of course, has two-factor authentication and an SMS-TAN system.

  3. Re:How to make any antivirus software safer? on Dodging Russian Spies, Customers Are Ripping Out Kaspersky (thedailybeast.com) · · Score: 1

    I'm not so sure about that. I have a fear that Bell was right in his 2005 paper, that security is diminishing rather than growing.

    The security industry is growing, don't get me wrong. We have a million security products and maybe ten million security consultants today. But the security that everyone does is on a band-aid level. As far as I'm aware, there has been zero fundamental research into information security since the 70s.

  4. Re:How to make any antivirus software safer:SELinu on Dodging Russian Spies, Customers Are Ripping Out Kaspersky (thedailybeast.com) · · Score: 1

    SELinux suffers from a complexity flaw. Setting up a tight policy for a production system is not an easy task. I was evangelizing SELinux for many years (my name is in their contributors list). The complexity issue was clear from the start, I was always hoping it would be solved one day, but it still isn't.

    So today you have SELinux in all the major distributions, but it's not really much used. Even if it is run in enforcing mode, the policy is very generous. That puts it on the level of a firewall - another layer of security, but it still lets a lot of stuff through.

    A tightly configured SELinux is a very hard target. I went to hacker conferences a few times, put up my SELinux notebook and wrote IP address and root password on a piece of paper posted right above it. The real root password, with SSH root login enabled. One time a guy managed to put a file into the root home directory, because I had forgotten one policy rule. That's it. SELinux can be configured very tightly, but at that time, there were maybe two dozen people in the world who could do it. That's not acceptable for commercial purposes. Who wants a system where if you lose your one guy who can handle it, it might be impossible to find a replacement?

  5. Re:How to make any antivirus software safer? on Dodging Russian Spies, Customers Are Ripping Out Kaspersky (thedailybeast.com) · · Score: 1

    So I used the same password for all of them (A big no-no)

    Says who? The same guys who tell you that a password needs to have special characters and numbers. Oh look, this year the guy who wrote that rule originally apologized and admitted that he basically pulled it out of his ass at that time and thinking about it again, it's complete nonsense.

    For all the sites that are not important to my life, which is about 95% of my accounts, I use only two passwords. One for forums and games and such where I really don't care at all and one for places that matter to me. If anyone gets one of these from a breach at any of these sites, omg he can post in my name to some forum...

    but more interested in covering their asses and be able to blame somebody when things go wrong.

    It's more of a "nobody ever got fired for buying IBM" problem. When you set up your security system, one issue is liability. By following "best practice", you can get out of liability. That is what top management cares about the most.

  6. Re:How to make any antivirus software safer? on Dodging Russian Spies, Customers Are Ripping Out Kaspersky (thedailybeast.com) · · Score: 1

    Yes but that doesn't change the fact that gravity is fundamentally your biggest problem.

    Correct. I didn't say it's an easy problem. :-)

    But it is our problem to solve. There are actually many solutions that already exist, but for stupid reasons we don't use many of them.

  7. Re:How to make any antivirus software safer? on Dodging Russian Spies, Customers Are Ripping Out Kaspersky (thedailybeast.com) · · Score: 1

    I couldn't care less about trends on /. -- I have been giving conference speeches about this for half a decade now, pointing out what exactly we can do better when it comes to integrating users into infosec instead of considering them the enemy.

    Slowly, personal security is becoming important. I'm not talking awareness campaigns, I think that's a snake-oil business. I'm talking screening, training, proper procedures and also not treating your employees like shit. In my father's time, you didn't need rallies - people were actively interested in what is good for the company, because the company was actively interested in what is good for the employees. Bring back that give-and-take relationship and you have done wonders for infosec.

    You completely misread my post. Nowhere did I put all the responsibilities on IT and nowhere did I claim that users and their capabilities and intentions could be ignored. You need to figure these things into your security. That's the point. You can't just take the cheap way out, say "ah, users are idiots" and put all the blame on them. If users are idiots, it is your job to make the system idiot-safe. That's why airplane doors don't open in-flight, because a drunk passenger might mistake it for the toilet. Right now, too many computer systems will happily open that door and then we go around shouting that users are idiots.

  8. Re:look at Europe on Ask Slashdot: What Are Ways To Get Companies To Actually Focus On Security? · · Score: 1

    Yeah you can bet it won't be the upper reaches of any company.

    According to the law, it will be. Liability lies with top management, not with any IT guy. The company boss can shout at the IT guy, but the judge will shit on the CEO.

    Also, where does this fine go? Who gets it? I get the punishment aspect, but if you force a company who already isn't spending enough on Cyber to push that same money into a fine, where will they get the money to put in better security?

    They will find it somewhere, or they will be fined again.

    This is a strawman argument. "Sorry officer for robbing the old lady. I was hungry. Don't fine me, because if you take away my little money, I will be hungry again and rob another old lady." - seriously? You think that argument will fly?

  9. Re: or maybe... on Dodging Russian Spies, Customers Are Ripping Out Kaspersky (thedailybeast.com) · · Score: 1

    Depends on the secret. Where you buried the body? Definitely not something you want in a searchable medium.

    But it can actually be as simple as having properly defined boundaries. If I convert all e-mails that my top-secret people need to read into plain ASCII text before sending them on, and remove any base64 encoded parts, the chance of getting a malware infection is reasonably low. Of course the convenience factor is low as well, but that's the trade-off. You want to work in a nuclear reactor? Here's your safety gear.

    Why is it that we understand this in physical security, but in IT security we think cleaning the reactor core in jeans and T-shirts should be possible?
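    The mail-flattening boundary described in this comment, as an added illustration that is not code from the original post: every non-text/plain part (HTML alternatives and any base64-carried attachment) is dropped, what survives is forced to 7-bit ASCII, and the removed parts are listed so the reader knows something was stripped. The sample message is constructed inline; the address names and the policy of keeping only text/plain are assumptions of this example.

```python
"""Flatten a MIME mail to a plain-ASCII text body, dropping every part that
is not text/plain (which removes every base64-encoded attachment as well).
Hypothetical example code, not from the original post."""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Tuple


def build_sample_mail() -> bytes:
    """Constructed sample input: text body, HTML alternative, base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "Q3 figures \u2013 please review"  # non-ASCII dash on purpose
    msg.set_content("Hi Bob,\n\nthe figures are attached.\n\nAlice\n")
    # Adding an alternative wraps the text body in multipart/alternative ...
    msg.add_alternative("<p>Hi Bob,</p><p>the figures are attached.</p>",
                        subtype="html")
    # ... and adding an attachment wraps that in multipart/mixed; bytes content
    # is base64-encoded by default, which is exactly what we want to strip.
    msg.add_attachment(b"%PDF-1.4 fake attachment bytes (constructed)",
                       maintype="application", subtype="pdf",
                       filename="figures.pdf")
    return msg.as_bytes()


def to_plain_ascii(raw: bytes) -> Tuple[str, List[str]]:
    """Return (ascii_text, dropped_parts).

    Keeps only text/plain leaf parts; every other leaf (HTML, images, PDFs,
    anything base64-carried) is dropped and recorded in dropped_parts so the
    recipient can see that something was removed at the boundary.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    kept: List[str] = []
    dropped: List[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).lower()
        if ctype == "text/plain":
            kept.append(part.get_content())  # decodes CTE and charset for us
        else:
            name = part.get_filename() or "inline"
            dropped.append(f"{ctype} ({cte}; {name})")

    header = [f"From: {msg['From']}", f"Subject: {msg['Subject']}"]
    body = "\n".join(header) + "\n\n" + "\n".join(kept)
    if dropped:
        body += "\n[sanitizer removed: " + ", ".join(dropped) + "]\n"
    # Force 7-bit ASCII; anything outside it becomes '?', never raw bytes.
    return body.encode("ascii", "replace").decode("ascii"), dropped


if __name__ == "__main__":
    text, removed = to_plain_ascii(build_sample_mail())
    print(text)
    print("removed parts:", removed)
```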

  10. Re:How to make any antivirus software safer? on Dodging Russian Spies, Customers Are Ripping Out Kaspersky (thedailybeast.com) · · Score: 2

    2017, and the masses still haven't learned. I swear they'll click on anything. Yes, of course that Windows pop-up for a Kardashian baby-watch app was totally legit. I mean, why wouldn't Microsoft want you to know...

    Yes, why wouldn't Microsoft? It preloaded their home computer with a dozen applications it deemed useful (ok, was paid for including, but users don't know that) and it serves them personally relevant information (sorry, paid-for ads, but that's not marked anywhere) wherever it can, say on Bing or whatever their current attempt at social networking is. It also made several attempts to put important announcements (advertisement) directly on the desktop of their computers.

    From a non-IT user, the scenario does not look all that unbelievable. Maybe a bit unusual, but your facepalm is coming from a certain arrogance and insider frame. Some of those dumb users will laugh at you for putting that silly oil into your car, everyone knows it's synthetic shit and you should really use that bottle over there which isn't so heavily advertised. Or what you eat or how you do sports or whatever. You know more about IT than they do, which makes some things seem obvious to you. But you are just as oblivious about "basic facts that everyone knows" in many other areas of life.

  11. Re:How to make any antivirus software safer? on Dodging Russian Spies, Customers Are Ripping Out Kaspersky (thedailybeast.com) · · Score: 1

    Because laws mean so much in this day and age where "too big to fail" lets you break regulations and laws with impunity, and secure yourself a bailout and a golden parachute.

    The utter contempt with which almost all corporations look at tax laws gives you a good indication for their respect for the rule of law.

    Reputation loss and thus loss of future business - now that is something they might care about. But laws? Please.

  12. Re:How to make any antivirus software safer? on Dodging Russian Spies, Customers Are Ripping Out Kaspersky (thedailybeast.com) · · Score: 5, Insightful

    AV software is a fundamentally flawed product

    Actually, it's our OS fundamentals that are flawed. In a properly designed system, the AV would not need full access to everything. Of course I'm talking 1970s "properly designed" here, not 2000s "ship half-ready to customer, then patch" philosophy. Sorry, I think they re-branded it "Agile Development".

    AV is a workaround, a hack, for serious weaknesses in our fundamental systems design. That your e-mail system can access business secret documents when you open the wrong mail - that is the actual problem that needs solving. We have AV for the same reason we have condoms - there's a lot of STDs and for most of them we don't have good vaccinations.

    In that sense, AV is not fundamentally flawed, because in a fundamentally non-flawed world, we wouldn't even have it. It's an at-least-this-works-most-of-the-time solution because we can't be arsed to tackle the real issues.

  13. Re:How to make any antivirus software safer? on Dodging Russian Spies, Customers Are Ripping Out Kaspersky (thedailybeast.com) · · Score: 5, Insightful

    Perhaps anti-virus wouldn't be even necessary if there were less users infected with anti-intelligence.

    So tired of this bullshit argument.

    I've been working in infosec for 20 years.

    For about half of that time, I also said that "lusers" are the main problem.

    Then one day I grew up and realized that they are just being humans and that's a bullshit excuse for not doing my job properly by complaining that water is wet and gravity sucks.
    Guess what? We're paid good money for solving exactly these problems. If you can't bring a rocket to the moon because of gravity, you don't belong in rocket science. If you can't build a ship that floats because water is so difficult to work with, you don't belong in shipbuilding. And if you can't deal with people being people, you don't fucking belong in information security.

  14. Re:Third red scare on Dodging Russian Spies, Customers Are Ripping Out Kaspersky (thedailybeast.com) · · Score: 1

    this whole Kaspersky stuff is probably driven by Symantec.

    Or just some state official who follows Trump's advice to put American companies first...

    "Follow the money" is always a good idea.

  15. The problem isn't so much in the horse and pony show, but in the fact that you install software on your devices which you bought from an external party and allow it to read all your data. I mean, if that is not a leap of faith, I don't know what qualifies as one.

    Proper compartmentalisation would solve this issue. Let the virus scanner manage only incoming data, have defined communication channels for pattern updates, don't let it phone home. Keep your data in trusted DMS. Use non-rich data formats (why people use MS Word to write a letter is beyond me). Stop putting convenience above security.

    And think three steps. "Only US companies" - seriously? Because it would be so incredibly difficult for some Russians to start a US company, right? Because your US company doesn't get half its hardware from China, right? And because it absolutely didn't outsource its software development to India.

  16. look at Europe on Ask Slashdot: What Are Ways To Get Companies To Actually Focus On Security? · · Score: 2

    You can see right now in Europe how to do it. We've tried it the hard way for 30 years, and that didn't work so well. For about the same time we tried to convince politics that this is a danger, not much happened. Oh yeah, one day SOX happened and that brought a tiny benefit, but mostly on the paperwork and consulting-hours side.

    In Europe, right now massive investments into information security are being made, because of two laws that politicians have finally passed, both at the EU level. One is the General Data Protection Regulation and the other is the Council Directive "on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection". You have an equivalent (referenced in the EU) from the NIST.

    The fundamental change, and that answers your question, is that violations of these laws, and especially data breaches or other infosec events that could have been prevented with proper security, now carry massive fines. Let me quantify "massive":

    €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater

    The magic bullet is the 4% rule. It refers to global revenue, and it refers to corporate revenue - no more reducing risk by separating your corporation into tiny "independent" companies. If a five-person subsidiary of Facebook suffers a severe data breach, the fine can be $ 345 million.

    Also, the law puts the legal liability on top-level management. That is the second magic bullet. Put CEOs and directors on the front line. Unless they can demonstrate that they took steps to comply with the technical and organisational requirements, they could go to jail. Now that gets top-level management moving.

    So the simple answer is: Hit them where it hurts. Money and personal liability. Take away the corporate shield and diffusion.

    Disclaimer: I do this stuff for a living. We are currently being drowned in projects to implement ISMSs and the GDPR is a main driver behind that.

    ---

    Addendum: This gets you basic security levels. As soon as the risk management labels the residual risk as acceptable, that's it. My personal opinion is that our security is still shoddy at those levels, and the main reason we're not all dead is that most hackers are imbeciles and the only reason they can make a living with their laughable hacking skills is that security is such a joke. For illustration, look at the typical spam / phishing mails you get. Who would fall for that shit full of spelling errors, grammar mistakes and my-blind-grandma-could-spot-this forgery? The answer is: If you send it to enough people, you will find enough idiots who do.

    Once we have a basic security level across the board, the game will change. Lots of "hackers" will have to go back serving burgers and fries, but those with any actual skills will step up their game. And then we'll be in a world of hurt. There'll be an Equifax every month. My daily rate will probably skyrocket because supply and demand, but I'm still not looking forward to that.

    If you are serious about security, as the saying goes you don't have to run faster than the bear, only faster than your friends. But don't walk just because they do. Start running now, because once they are eaten, you have to run faster than the bear.

  17. Re:Reviewed by an attacker? on HP Enterprise Let Russia Scrutinize The Pentagon's Cyberdefense Software (reuters.com) · · Score: 1

    But we should be cognizant of who our enemies are

    That we should be.

    So what, exactly, has Russia as a country, or the Russian government, done to make your life worse?

    Compared to, say, the corporations that poison our water and air, the politicians who demolish our social security systems, the banks who stole unbelievable amounts of tax payer money to cover up their gambling that led to the financial crisis?

    And he's been invading neighboring countries like Georgia and Ukraine. He's not our friend and he's not someone we should be helping.

    The correct method for this is a trade embargo, i.e. don't sell them security software at all. But our leaders don't want that, because they are not interested in values or good. They are interested in geopolitical power games and their own personal profits and influence. All the fear-mongering is just a means to an end. Today it's Russia, last year it was Muslim terrorists, before that it was this or that. What a load of bullshit.

    Oh yeah, on invasions: If you are from the US, shut your stupid mouth and look up the list of countries that the USA has invaded in the past 50 years. Yes, always under the pretense of democracy and liberation and peace and bla bla bla. Now look at the effect that the invasion had on those countries, then name three where the invasion actually did have the effect that was claimed on TV.

    Your own leaders sent more young Americans to their deaths in the past decade than Russia has killed in a century. What is the actual threat?

  18. Funny how you know which videos I watch. ;-)

    I said "basic facts". In this case that is stuff like that there was a shooting, lots of people are dead and wounded, it happened in Las Vegas, at a country festival - that kind of basic.

  19. Re:So you're in favor of "security through obscuri on HP Enterprise Let Russia Scrutinize The Pentagon's Cyberdefense Software (reuters.com) · · Score: 1

    I'm saying the US government shouldn't be using code that's neither open source nor fully closed source.

    While there are theoretical advantages to Free Software in this context, they do not manifest to the degree that many Free Software advocates think. And I say that as a stern believer in Free Software (to the degree that I refuse to call it "Open Source").

    OpenBSD is about the only project that actually does this right - by not relying on the assumption that Free Software actually gets read, but making sure it happens and running regular code reviews.

    From a security perspective, I'd rather take a piece of closed source software that I know has been through code reviews, than a piece of Free Software that may or may not have been looked at by anyone else besides the creator.

  20. 20 years ago, that might have been a good choice. These days, not so much.

    Yes, the conspiracy theories around that shooting are probably out of control. I checked about five videos of it, 2 handy videos from the grounds, 1 short news blurb and 2 conspiracy videos and boy do these guys need to take less of whatever drugs they are taking.

    But (and that's a big butt, in the words of Ben Goldacre) the mainstream media is not exactly an impartial, reliable and thorough reporter of news anymore. Too many real journalists have been cut in the name of profits, too much funding diverted from investigation and background checking, too much power given to click counts and advertiser demands.

    I won't trust the mainstream media on anything deeper than the basic facts. Too many stories where I know the backgrounds have been reported incorrectly, or shortened and simplified so much that they are barely recognizable. Too much clear bias has been uncovered by media studies. Too many press releases and press conference statements are repeated parrot-like instead of properly checked before reporting.

    Putting less weight on conspiracy theories - good. But it's a step too little. The balance should be tilted against all sensationalist and click-bait reporting, including that of mainstream media. Balance should be up on reporting that includes background information, fact-checking and independent investigations. But hey, that would require some actual human judgement and is hard to put into a couple lines of code.

  21. Re:what is wrong with you? on HP Enterprise Let Russia Scrutinize The Pentagon's Cyberdefense Software (reuters.com) · · Score: 1

    Russians examining the rifle that US army uses is very unlikely to lead to them discovering a way to disable it remotely. Not so with security software.

    The NSA is tasked with the security of the US government and military infrastructure. I'm quite sure that they've done a code review of this same software a long time ago. You'd think they would have spotted such a way, don't you?

    In summary: nice Russian troll. How's the weather in St. Petersburg, Ivan?

    According to the Internet, about 10 degrees, cloudy with a good chance of rain in the evening. Your mommy doesn't let you visit weather webpages?

  22. Re:So you're in favor of "security through obscuri on HP Enterprise Let Russia Scrutinize The Pentagon's Cyberdefense Software (reuters.com) · · Score: 1

    It is possible to remove comments from source code before handing it in to code review.
    It is also possible to establish sane comment guidelines, especially when you are a security company.
    And it is quite trivial to figure out who actually writes the software for a software company, without comments in source code.

    Sure you get additional information from code, especially if good documentation explains the thinking behind algorithms. However, to go into a panic because another country made a source code review is the most insane thing I've seen in a very long time.

    These things are standard. Every large important piece of software has been through source code review many, many times. You think that the MS Windows source code is very much secret?

  23. Re:Reviewed by an attacker? on HP Enterprise Let Russia Scrutinize The Pentagon's Cyberdefense Software (reuters.com) · · Score: 1

    It's not standard operational procedure to hand your code over to an attacking foreign power.

    Are you especially dense or paid?

    Ok, let's turn this around: A Russian company wants to sell a security product to the US government.

    Would you or would you not expect the US to ask for source code and review it?

    No further questions.

    Maybe the world should be perfect, but it isn't, live in the real world.

    Every day. I actually do IS for a living, you know? This is standard operational procedure. If you don't believe it when a professional firefighter tells you "ya, throwing large quantities of water on something that's burning really is quite normal" then I really can't help you.

    You need to wake up to what Putin's up to.

    You need to wake up to the fact that certain interested parties want to start a new Cold War, not for ideological reasons, but for $$$.

    Should we be aware of other countries? Of course, they all have their own interests, it would be idiotic to blindly trust them.
    Should we panic and see evil communists on every corner? Uh, sorry, I thought McCarthy died already?

  24. Re:So you're in favor of "security through obscuri on HP Enterprise Let Russia Scrutinize The Pentagon's Cyberdefense Software (reuters.com) · · Score: 1

    How about: their people look at it, come up with some changes they'd need before trusting their systems to it, then give one back to the vendor and keep some to themselves for later.

    Yes, the "threat model" is that they discover a bug and don't tell anyone.

    Which means that the NSA (who is responsible for keeping US government infrastructure and systems safe) didn't find that bug when they did their source code review.

    Additional information: There are many ways to find bugs in software aside from code reviews. So not showing them the code would have had two effects: a) they would've probably bought some other software and b) they would've given the binary to their binary testing team.

  25. what is wrong with you? on HP Enterprise Let Russia Scrutinize The Pentagon's Cyberdefense Software (reuters.com) · · Score: 4, Insightful

    Sensationalist crap if I ever saw one.

    Making a source-code review is standard operation procedure for high security settings. In fact, I recommend exactly this to some of my clients (I've worked in IS before the abbreviation had a second meaning about murderous religious idiots).

    If this allowed them to discover weaknesses in the software, then maybe the US departments should've done a source-code review themselves and discovered those same weaknesses? What is wrong with the author of this crap to shout wolf because someone is doing proper security?

    "omg, the Russians tested the same rifle that our army uses! Maybe they discovered at what temperature it explodes!"

    Guys, you need to wake up over there before you find yourself plunged into a new Cold War by nonsense propaganda. Ask yourself who profits from such shit, who gets to sell more stuff thanks to articles like this, and who gets to gain more influence from the fear.