
The Myths of Security

samzenpus posted more than 5 years ago | from the read-all-about-it dept.


brothke writes "The Myths of Security: What the Computer Security Industry Doesn't Want You to Know is an interesting and thought-provoking book. Ultimately, the state of information security can be summed up in the book's final three sentences, in which John Viega writes that 'real, timely improvement is possible, but it requires people to care a lot more [about security] than they do. I'm not sure that's going to happen anytime soon. But I hope it does.'" Read on for the rest of Ben's review.

The reality is that while security evangelists such as Viega write valuable books such as this, they are for the most part falling on deaf ears. Most people don't understand computer security and its risks, and therefore put themselves and the systems they work on in danger. Malware finds computers to load onto, often thanks in part to users who are oblivious to the many threats.

Much of the book is made up of Viega's often contrarian views of the security industry. With so much hype about, many of the skeptical views he writes about show that what many perceive as information security truths are in fact security myths.

From the title of the book, one might think that there is indeed a conspiracy in the computer security industry to keep users dumb and insecure. But as the author notes in chapter 45 — An Open Security Industry, the various players in the computer security industry all work in their own fiefdoms. This is especially true when it comes to anti-virus, with each vendor to a degree reinventing the anti-virus wheel. The chapter shows how badly sharing amongst these companies is needed. With that, the book's subtitle, What the Computer Security Industry Doesn't Want You to Know, is clearly meant to be provocative rather than literally true.

The book is made up of 48 chapters, each on a so-called myth. Most of the chapters are 2-3 pages in length and tackle one of these myths. The range covers the entire security industry, spanning security technologies, issues, risks, and people.

While not every chapter is a myth per se, many are. Perhaps the most evocative of the security myths are chapter 10 — Four Minutes to Infection and chapter 22 — Do Antivirus Vendors Write Their Own Viruses? But the bulk of the book is not about myths per se; rather, it is an overview of the state of information security, and why it is in such a state.

In chapter 16, The Cult of Schneier [full disclosure — Bruce Schneier and I work for the same company], Viega takes Schneier to task for the fact that many people are still using his book Applied Cryptography, even though it has not been updated in over a decade. It is not fair to blame Schneier for that. While Viega admits that he holds Schneier in high esteem, the chapter reads as if the author is somehow jealous of Schneier's security rock star status.

Chapter 18 is on the topic of security snake oil, ironically a topic Schneier has long been at the forefront of. The chapter gives the reader sage advice: do your homework on the security products you buy, and make sure you have at least a high-level understanding of the technical merits and drawbacks of the product at hand. The problem, though, is that the vast majority of end users clearly don't have the technical wherewithal to do that. It is precisely that scenario that gives rise to far too many security snake-oil vendors.

Perhaps the best chapter in the book, and the one to likely get the most comments, is chapter 24 — Open Source Security: A Red Herring. Viega takes on Eric Raymond's theory of open source security that "given enough eyeballs, all bugs are shallow." Viega notes that a large challenge with security and open source is that a lot of the things that make for secure systems are not well defined. Viega closes with the argument that one can argue open versus closed source forever, but there isn't strong evidence to suggest that it is the right question to be asking in the first place.

Overall, The Myths of Security: What the Computer Security Industry Doesn't Want You to Know is a good introduction to information security. While well-written and thought-provoking, the book may be too conceptual and unstructured for an average end user, and too basic for many experienced information security professionals. But for those who are interested, the book covers the entire gamut of information security, and the reader, whether security pro or novice, comes out much better informed.

While the author makes it clear that he works for McAfee, and at times takes the company to task, the book references McAfee far too many times. At times the book seems like an advertisement for the company.

Viega does give interesting and often entertaining overviews of what we often take for granted. Some of the book's arguments are debatable, but many more are a refreshing look at the dynamic information security industry. Viega has sat down and written his observations of what is going on. They are worth perusing, and the book is definitely worth reading.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase The Myths of Security: What the Computer Security Industry Doesn't Want You to Know from amazon.com. Slashdot welcomes readers' book reviews — to see your own review here, read the book review guidelines, then visit the submission page.



Myths of Security? (2, Interesting)

erbbysam (964606) | more than 5 years ago | (#29265013)

There are no myth's of security, just the myth of security itself. Modern computer security is based on the fact that their are algorithms that no one knows how to reverse quickly. Doesn't mean that they can't be reversed however...

Re:Myths of Security? (5, Funny)

mcgrew (92797) | more than 5 years ago | (#29265075)

There are no myth's of security

Sorry, but I'm going to have to send you to Bob's office [angryflower.com] .

Re:Myths of Security? (1)

commodore64_love (1445365) | more than 5 years ago | (#29265309)

What's with the Day of the Triffids escapee? That flower looks mean.

Re:Myths of Security? (0, Troll)

mcgrew (92797) | more than 5 years ago | (#29265389)

Mean as hell [angryflower.com] . However, he does have some redeeming [angryflower.com] features [angryflower.com] .

Re:Myths of Security? (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#29265427)

Your rabid cock is mean as hell. And in this case, "mean" equals "minuscule".

Re:Myths of Security? (0, Offtopic)

mcgrew (92797) | more than 5 years ago | (#29265801)

So your mom's been bragging about me, has she?

Re:Myths of Security? (0)

Anonymous Coward | more than 5 years ago | (#29265399)

What's with the Day of the Triffids escapee? That flower looks mean.

We don't need to be privy to every thought that slips into your bean, little one. Try keeping one or two of them to yourself for a change.

Re:Myths of Security? (1)

Chris Mattern (191822) | more than 5 years ago | (#29265497)

Also, "there are algorithms"

Re:Myths of Security? (1)

ObsessiveMathsFreak (773371) | more than 5 years ago | (#29266745)

I feel both you, and Bob, could do with a little perspective [motivatedphoto.com] .

Re:Myths of Security? (1)

Lord Ender (156273) | more than 5 years ago | (#29265229)

Your comment isn't very intelligible. Are you confusing cryptography with computer security, perhaps?

Re:Myths of Security? (0)

erbbysam (964606) | more than 5 years ago | (#29266193)

Your comment isn't very intelligible. Are you confusing cryptography with computer security, perhaps?

I know they are two separate topics (albeit related to some extent), I was just kinda generalizing that there is always a flaw in the system, obviously a buffer overflow doesn't have anything to do with cryptography... and I forgot to hit the "Post Anonymously" button.

Re:Myths of Security? (1)

Lord Ender (156273) | more than 5 years ago | (#29266789)

Buffer overflows aren't about whether an algorithm can be "reversed," and there is a hell of a lot more to infosec than crypto and buffer overflows.

Re:Myths of Security? (1)

Thinboy00 (1190815) | more than 5 years ago | (#29267085)

It is, at least in theory, possible to make a program with no buffer overruns at all. Now in practice, the probability of such a thing is too low to consider.

Also, see Quantum cryptography [wikipedia.org] .

Re:Myths of Security? (2, Insightful)

smartr (1035324) | more than 5 years ago | (#29265549)

There's plenty of monetary incentive for math to come forth and reverse things. For all we know, P = NP and public key encryption is broken as a pure concept. But we don't, and no one is able to step up and take tons of money to prove one way or the other.

Re:Myths of Security? (0)

Anonymous Coward | more than 5 years ago | (#29266187)

Actually, it's this post that typifies what's wrong with security. The previous author clearly thinks of 'security' as purely technical (algorithms), when processes, communication, awareness, relationships and passion are 100x more important. You aren't going to secure anything if you don't have the power to do so, let alone the processes to maintain it.

Re:Myths of Security? (3, Insightful)

Forge (2456) | more than 5 years ago | (#29266383)

There are no myth's of security, just the myth of security itself. Modern computer security is based on the fact that their are algorithms that no one knows how to reverse quickly. Doesn't mean that they can't be reversed however...

I disagree.

There are many security myths that have made it into company policy etc...

For instance, the idea that forcing all staff in a mid-sized to large company to update their passwords every month or two is somehow more secure than allowing them to keep the same password indefinitely.

In practice, this causes them to use simpler passwords that just barely make whatever limits are imposed (i.e., a single number and one capital letter) and to rotate through slight modifications of this weak password.
Password#1
Password#2
Password#3

Etc...

Or worse yet, some just write down the password in a place that's easy to find.

As for those algorithms: sure, they can be broken. As long as you update them faster than the old ones are broken you should be fine. What bugs me, though, is when a single bug in an OS is exploited by a thousand different bits of malware and instead of fixing the bug we have a dozen antivirus vendors producing a detector for each of the thousand bits of malware.
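
The check a sane policy would apply instead of blind rotation, as an added example that is not part of the original thread: a Python password-history comparison that normalises the candidate (drops the trailing counter and symbols that get bumped each rotation, undoes common keyboard substitutions, folds case) and rejects anything that is a cosmetic edit of a previous password. The history, substitution table and similarity threshold are constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed password history for this example (not real credentials)
HISTORY = ["Password#1", "Password#2", "Password#3"]

# Substitutions users apply to "change" a password without remembering anything new
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Reduce a password to the stem the user actually remembers.

    Trailing digits and symbols (the '#1', '#2', '!' bumped on each rotation)
    are dropped, leet substitutions are undone and case is folded.
    """
    stem = re.sub(r"[\W\d_]+$", "", pw)
    return stem.translate(LEET).lower()


def is_trivial_rotation(new: str, old: str, threshold: float = 0.8) -> bool:
    """True when `new` is just a cosmetic edit of `old`."""
    n, o = normalize(new), normalize(old)
    if not n:
        # Nothing left after stripping: the password was only digits/symbols
        return True
    if n == o:
        return True
    # ratio() is 2*matches/(len(a)+len(b)); 1.0 means identical stems
    return SequenceMatcher(None, n, o).ratio() >= threshold


def meets_policy(new: str, history) -> bool:
    """Reject the candidate if it is a trivial rotation of any stored password."""
    return not any(is_trivial_rotation(new, old) for old in history)


if __name__ == "__main__":
    for candidate in ("Password#4", "P@ssw0rd!5", "correct horse battery staple"):
        print(candidate, "->", "accepted" if meets_policy(candidate, HISTORY) else "rejected")
```

The comparison runs against stored plaintext history only because this is a sketch; a real implementation keeps the stems as salted hashes and compares normalised candidates against those, accepting that the leet-folding step then has to happen before hashing.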

Re:Myths of Security? (1)

ipb (569735) | more than 5 years ago | (#29267081)

Darn, now I need to change my password.

Re:Myths of Security? (1)

DomNF15 (1529309) | more than 5 years ago | (#29266467)

Anything that is done by man can be undone by man. Yes, the algorithms can be reversed, just not quickly. That may change, but security has almost always been about making the potential "win" too difficult to achieve. Think about it. In medieval times, castles and fortresses were built on top of hills/mountains so they would be more difficult to breach. Were they ultimately defeatable? Of course, but the cost in either human lives, money, or both, was often too great to warrant an attack.

Re:Myths of Security? (2, Insightful)

Gverig (691181) | more than 5 years ago | (#29266635)

Your statement, that's a myth, one of many. Sure, there is no ABSOLUTE security, but nobody claims that. There is no absolute physical security either: with enough resources anything can be stolen and anybody can be killed. The understanding of how secure you are in any given situation, and how to improve your chances of staying safe (in virtual or real worlds), is what defines security, and surely that exists.

The greatest myth of security... (3, Interesting)

tacarat (696339) | more than 5 years ago | (#29265015)

Security does not actually protect you, it delays others. If you don't implement enough delays to allow yourself to find out you're being attacked and to act accordingly, it's all useless.

It can protect you (5, Insightful)

davidwr (791652) | more than 5 years ago | (#29265425)

If it raises the cost of hurting you to higher than the adversary is willing to spend, it protects you.

The trick is knowing how much security is worth paying for.

If the adversary is willing to spend $1000 to attack you, and you have to spend $100 a month to raise the cost of an attack to $1001, and if a successful attack will cost you $1 and the number of successful attacks will be 1 per decade because face it, you don't have much to offer, then it's not cost-effective. On the other hand, if an adversary is willing to spend the same $1000 and it will cost you the same $100 a month to make yourself too expensive to attack, but each breach will cost you $500 and there will be about 1 breach per month if you don't invest, then suddenly things look different.

Re:It can protect you (1)

tacarat (696339) | more than 5 years ago | (#29265707)

It is a form of protection, but it's more like comparing camouflage to bullet proof armor with camouflaged bullet proof armor being the ideal. Too many folks think that better armor is the only solution.

Most people simply don't think about security (4, Insightful)

oldspewey (1303305) | more than 5 years ago | (#29265021)

Lots of friends and family - people who are otherwise thoughtful, intelligent, and clueful - simply don't think about security. That will always be the weak link. You can't "design around" the casual negligence of hundreds of millions of users.

Re:Most people simply don't think about security (2, Insightful)

Omnifarious (11933) | more than 5 years ago | (#29265179)

I try to educate people carefully and non-confrontationally every chance I get. It's an uphill battle, but one I think is worth fighting.

Re:Most people simply don't think about security (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#29265215)

You might well be able to, actually. You just can't preserve the user's freedom while doing so.

Re:Most people simply don't think about security (2, Interesting)

arminw (717974) | more than 5 years ago | (#29265397)

...You just can't preserve the user's freedom while doing so....

Apple has found out about this and has implemented their app store as the only legitimate place to download software for the iPhone that has been filtered and approved. This does limit the user's freedom, but it's about the best security that can be had in any computer system. I hope that they will extend the system to the Mac sometime soon.

Re:Most people simply don't think about security (3, Insightful)

cusco (717999) | more than 5 years ago | (#29265763)

Wow, just imagine the uproar if M$ tried something like that. I can't think of a single Windows user who wishes that Microsoft controlled access to every piece of hardware or software that would ever plug into a Windows machine, or who would be happy to pay Microsoft for that right. All I can say is, "Wow".

Re:Most people simply don't think about security (2, Insightful)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#29265913)

I'm sure MS would never do that (directly) to Windows; but that is basically the XBox360.

Now, getting people to cheer them for it is something that only one of the Steves can manage.

Re:Most people simply don't think about security (1)

snowraver1 (1052510) | more than 5 years ago | (#29266503)

Ironically enough, my XBOX360 crashes more than my home computer, work computer and 5 lab computers all combined.

Re:Most people simply don't think about security (1)

s.bots (1099921) | more than 5 years ago | (#29266059)

"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin

I think your sig is a more valid contribution to the discussion than your comment... You can toss as many security obstacles on a computer as you can, but if your end user is a knuckle-dragger who loves his FREE PR0N! and VI@GR4, then your attempt at security is wasted.

Re:Most people simply don't think about security (4, Interesting)

lgw (121541) | more than 5 years ago | (#29265897)

Yeah, I think it's pretty well established that you can have good security with software that no one would buy or use by choice. A security model that allows users to be their usual flaky selves and still work reasonably well is what's called for. Hopefully people will focus on that, instead of the myth of the "educatable user".

Limiting what individual pieces of software can do, rather than what the user can do, is key. Admin/root account vs. normal account is a first step, but nowhere near a last one, as it still requires too much user smarts. SE Linux's per-process finely-detailed jails are a great further step, but fail because they depend on a known good source of software, and only installing from there. Taking a few more steps in this direction would be real research, and profoundly improve computer security.

Thinking that the answer is to improve the user instead of the system only makes sense from a religious perspective (and even then, half the religions would disagree that this is possible).

Re:Most people simply don't think about security (1)

oldspewey (1303305) | more than 5 years ago | (#29266899)

SE Linux's per-process finely-detailed jails are a great further step, but fail because they depend on a known good source of software, and only installing from there.

In the broader sense, SE Linux fails because it is a fucking bear to configure and use, even for a relatively adept technical user. I can't imagine unleashing that thing on an "average" person.

Re:Most people simply don't think about security (1)

lgw (121541) | more than 5 years ago | (#29267255)

It can't work if the user has to configure the per-process jails. The jail should come with the software, both from an authoritative source. Typical malware can only change the process, not the jail, so can do only limited damage (i.e., you can prove the malware could not install a rootkit). However, this ultimately fails because the malware will social-engineer the user into jailbreaking the malware. Still, that approach is better than the "root or not" model, because the finer-grained process permissions really can help. If the only choices for what you allow a process to do are "everything" and "nothing", far too many processes need "everything" and users just get used to clicking "OK".

Still, it's clearly step 2 of N, for some large N.
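
The model lgw sketches here and in the earlier post (the jail ships with the software, both from one authoritative source, and a compromised process cannot edit its own jail), as an added example that is not part of the thread: a Python sketch in which the publisher signs the package digest and its policy as one unit, the installer refuses the package if either has been altered, and a runtime check grants only what the signed policy lists. The publisher key, package bytes and policy are constructed; hmac stands in for the publisher's real signature because the standard library has no asymmetric signing, and the policy format is invented for the example.

```python
import copy
import hashlib
import hmac
import json
import posixpath

# Constructed publisher key; hmac is a stand-in for a real signature scheme.
PUBLISHER_KEY = b"example-publisher-key-not-for-real-use"

# Constructed package bytes and the jail that ships with them (invented format)
PACKAGE = b"\x7fELF example program bytes"
POLICY = {
    "read": ["/usr/share/app/"],
    "write": ["/home/user/.app/"],
    "net": False,
}


def _canonical(body: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(package: bytes, policy: dict) -> dict:
    """Publisher side: bind the package digest and its policy under one signature."""
    body = {"sha256": hashlib.sha256(package).hexdigest(), "policy": policy}
    sig = hmac.new(PUBLISHER_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_manifest(package: bytes, manifest: dict) -> bool:
    """Installer side: reject if either the bytes or the policy differ from what was signed."""
    expected = hmac.new(PUBLISHER_KEY, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return False
    return hmac.compare_digest(hashlib.sha256(package).hexdigest(), manifest["body"]["sha256"])


def with_policy_change(manifest: dict, key: str, value) -> dict:
    """What malware (or a talked-into-it user) would have to do: edit the policy
    after the fact. Returns a copy; the signature is left as it was."""
    edited = copy.deepcopy(manifest)
    edited["body"]["policy"][key] = value
    return edited


class Jail:
    """Runtime enforcement of the shipped policy. The process may ask for anything;
    only what the signed policy lists is granted."""

    def __init__(self, policy: dict):
        self._policy = policy

    def allows(self, op: str, target: str = "") -> bool:
        if op == "net":
            return bool(self._policy.get("net", False))
        # Collapse "..": a prefix match on the raw string would let
        # /usr/share/app/../../../etc/shadow through.
        target = posixpath.normpath(target)
        return any(target.startswith(p) for p in self._policy.get(op, []))


if __name__ == "__main__":
    manifest = make_manifest(PACKAGE, POLICY)
    print("install ok:", verify_manifest(PACKAGE, manifest))
    print("net after tamper ok:", verify_manifest(PACKAGE, with_policy_change(manifest, "net", True)))
    jail = Jail(manifest["body"]["policy"])
    print("write /etc/passwd:", jail.allows("write", "/etc/passwd"))
```

The social-engineering failure lgw names is outside what this can stop: if the user is persuaded to install a second, differently signed package whose policy says "everything", the binding holds and the damage happens anyway. What the binding buys is that the process already running cannot quietly widen its own jail.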

Re:Most people simply don't think about security (2, Insightful)

mraudigy (1193551) | more than 5 years ago | (#29265221)

The biggest problem and risk with computer security is ultimately the users. And, unfortunately, you just can't fix stupid...

Most SHOULD NOT think about security... (4, Interesting)

nweaver (113078) | more than 5 years ago | (#29265257)

It is a great failing in our industry that it's viewed as a problem that "most don't think about security".

Rather, the problem is that we haven't constructed systems such that people don't have to think about security. The best security systems are so unobtrusive and unnoticeable that people should not think about them.

E.g., a good success story is the modern car key. 10-20 years ago, it was trivial to steal a car. You break the steering lock, put two wires together, and drive off. We had horrible kludges like "the Club", and people had to think all the time about it, in theory.

Now our car keys have RFID transponders which are cryptographically keyed to the car's computer. It is vastly harder to steal a modern car (either bring a tow truck or swap the computer), but the actual cognitive load for most people is vastly less. You do the same thing you did before, but now your new car is far more secure.
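
The exchange nweaver describes, as an added example that is not part of the original post: a Python sketch of a challenge-response immobilizer beside the fixed-ID tag it replaced. The ECU sends a fresh random nonce, the fob returns a MAC over it under a secret shared at pairing, and the ECU discards the nonce after one use, so a recorded response is useless the next time. The secret, key IDs and truncated-HMAC construction are constructed assumptions (real fobs use proprietary ciphers). It also shows the caveat raised further down the thread: a cloned secret still starts the car, because the protocol defeats replay, not key extraction.

```python
import hashlib
import hmac
import os

# Constructed per-key secret for this example; on a real fob it is provisioned
# by the vendor and, in theory, never leaves the chip.
KEY_SECRET = bytes.fromhex("7f3a9c1e5b2d48e0a6c4f19d0b7e3c55")


class LegacyTag:
    """Pre-crypto transponder: broadcasts a fixed ID, so whoever records it
    once can replay it forever."""

    def __init__(self, tag_id: bytes):
        self.tag_id = tag_id

    def respond(self, _challenge: bytes) -> bytes:
        return self.tag_id


class LegacyImmobilizer:
    """Accepts anything that emits the expected fixed ID."""

    def __init__(self, tag_id: bytes):
        self._tag_id = tag_id

    def unlock(self, response: bytes) -> bool:
        return hmac.compare_digest(self._tag_id, response)


class Transponder:
    """Fob side of a challenge-response immobilizer."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # Truncated HMAC-SHA256 stands in for the proprietary MAC real fobs use
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()[:8]


class Immobilizer:
    """ECU side: a fresh random challenge per start attempt, consumed on use."""

    def __init__(self, paired_keys):
        self._paired = dict(paired_keys)   # key_id -> secret shared at pairing
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = os.urandom(8)
        return self._pending

    def unlock(self, key_id: str, response: bytes) -> bool:
        if self._pending is None or key_id not in self._paired:
            return False
        expected = hmac.new(self._paired[key_id], self._pending, hashlib.sha256).digest()[:8]
        self._pending = None   # single use: a sniffed response is worthless next time
        return hmac.compare_digest(expected, response)


def start_engine(car: Immobilizer, key_id: str, fob) -> bool:
    """Normal use: car challenges, fob answers, car checks."""
    return car.unlock(key_id, fob.respond(car.challenge()))


def replay(car: Immobilizer, key_id: str, recorded_response: bytes) -> bool:
    """Attacker replays a response sniffed during a legitimate start."""
    car.challenge()
    return car.unlock(key_id, recorded_response)


if __name__ == "__main__":
    car = Immobilizer({"key-1": KEY_SECRET})
    fob = Transponder(KEY_SECRET)
    sniffed = fob.respond(car.challenge())
    print("owner start:", car.unlock("key-1", sniffed))
    print("replay:", replay(car, "key-1", sniffed))
    print("cloned secret:", start_engine(car, "key-1", Transponder(KEY_SECRET)))
```

The gain is exactly what nweaver describes: the driver's ritual is unchanged while the attack moves from "record and replay" to "extract or brute-force the secret", which is the step the vendors' weak proprietary ciphers made cheaper than it should have been.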

Re:Most SHOULD NOT think about security... (3, Insightful)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#29265327)

On the minus side, while your car may be safe, having to get one of the keys replaced will make you feel like your wallet has been stolen. Obviously, that isn't intrinsic to the technology; a similar system could have been implemented as a cheap industry standard. But that moment of technological change (while it did increase security) also allowed the vendors to strengthen their positions.

Re:Most SHOULD NOT think about security... (2, Interesting)

clang_jangle (975789) | more than 5 years ago | (#29265379)

Modern cars are actually a pretty bad example. Your new car is "far more secure" against the average destitute crackhead non-pro thief, but cracking codes and cloning RFIDs is actually pretty trivial for a pro. So it appears reasonable to conclude that (to paraphrase an old saw), "even the best security only works against the honest and the incompetent".

Re:Most SHOULD NOT think about security... (2, Insightful)

quickOnTheUptake (1450889) | more than 5 years ago | (#29266197)

Yes, but with the car you still have trust issues. As in, when I give my keys to the valet, I have to trust that he actually works for the hotel and isn't just going to go for a joyride when I step in the door. Or when I give my keys to a friend I have to trust that he has good judgment and at least basic driving skills.
Many of the run-of-the-mill infections are based as much on misplaced trust ("I wanna see dancing bunnies") as they are on weaknesses in the system itself. And trust isn't something a computer can judge (although systems can reduce the number of times we need to trust, e.g., by using the principle of least privilege, centralized software distributions, etc). At the end of the day you will always have to choose between severely limiting what the user is able to do and opening the door to social engineering and user error.

Re:Most SHOULD NOT think about security... (1)

quickOnTheUptake (1450889) | more than 5 years ago | (#29266309)

BTW, this is to say nothing of the dumbasses who leave the keys in the car while they run into the store and the like. As they say, you can't cure stupid.

Re:Most people simply don't think about security (-1)

commodore64_love (1445365) | more than 5 years ago | (#29265447)

>>>simply don't think about security.

Perhaps because we know "locking" our computer is as pointless as locking the car or locking the house. The thieves can just ignore the lock and come in through the window. Most of our safety relies upon the fact that 99.9% of our neighbors are moral and don't want to break in.

It also helps if you don't use known-hacked programs like Internet Explorer. Go use Firefox or Safari or Chrome.

Re:Most people simply don't think about security (2, Funny)

jggimi (1279324) | more than 5 years ago | (#29265819)

The thieves can just ignore the lock and come-in through Windows.

Fixed that for you.

Re:Most people simply don't think about security (0, Troll)

nine-times (778537) | more than 5 years ago | (#29266217)

Lots of friends and family - people who are otherwise thoughtful, intelligent, and clueful - simply don't think about security.

Well I think there are a few different issues here, and you have to break the issue apart a little to understand why they don't think about security.

At least part of it is just that security issues can be fairly complex in themselves, computers can be complex in themselves, and people generally don't want to deal with complex issues that they're not very knowledgeable about. It's intimidating, and a lot of people understand on an intuitive level that trying to secure your computer without knowing very much about computers or security is a bit pointless. If you don't understand the issues, fiddling with things is just as likely to open new security holes as it is to close any. In some ways it's fairly sensible to refrain from thinking too much about security and leave it to the experts.

Another problem is that security often comes with a trade-off to accessibility. This isn't an absolute universal principle, but often when you make something harder for unauthorized people to access, you're also going to make it more difficult for authorized people to access. Extra layers of security means authorized users have to jump through more hoops, be more mindful of their own actions, and risk losing access due to mistakes or bugs.

What makes it all worse is that many people simply don't understand how accessible their information is or what it means for their data to be accessible. Think, for example, of all the people who have posted information about their crimes on MySpace where the police can read it, or how many have posted about skipping work on Facebook where their boss can read it. So that's pretty obvious, but how many people do you think check to make sure their various online logins are using SSL? How many people actually sign their emails to verify their identity?

So no, this can't all be fixed with technical changes, but there may be things we can do. For example, I think we're underutilizing encryption technologies on the Internet.

Re:Most people simply don't think about security (1)

oldspewey (1303305) | more than 5 years ago | (#29266355)

Another problem is that security often comes with a trade-off to accessibility.

Another problem is that security comes at the expense of "free shit." People just love to load up their computers with screensavers, smilies, banzai buddies, cracked software ... doesn't matter that they'll never actually use 90% of it.

"What do you mean I don't know where that software came from? It came from the website where I downloaded it ..."

Re:Most people simply don't think about security (0)

Anonymous Coward | more than 5 years ago | (#29266261)

You can't "design around" the casual negligence of hundreds of millions of users.

I would argue the opposite. You MUST design around the casual negligence of users. You cannot expect your users to have a certain level of expertise in security. Most people don't know the difference between wallpaper and a screen saver. You expect them to know security? Not gonna happen.

You cannot make hundreds of millions of users care about computer security. Until there is a direct, provable correlation between their actions and a loss they feel, people won't care. Until there is an exploit where they click on WebObjectX and money disappears from their bank account, people will not care.

Re:Most people simply don't think about security (1)

Thinboy00 (1190815) | more than 5 years ago | (#29267219)

You cannot make hundreds of millions of users care about computer security. Until there is a direct, provable correlation between their actions and a loss they feel, people won't care. Until there is an exploit where they click on WebObjectX and money disappears from their bank account, people will not care.

But such exploits do exist! (Keyloggers)

Re:Most people simply don't think about security (0)

Anonymous Coward | more than 5 years ago | (#29266327)

I'm ugly and broke, which is the best security of all.

Common Problem (3, Insightful)

SilverHatHacker (1381259) | more than 5 years ago | (#29265057)

Security is only one of many issues that could be vastly improved if people cared more than they currently do.

Re:Common Problem (1)

migla (1099771) | more than 5 years ago | (#29265241)

Security is only one of many issues that could be vastly improved if people cared more than they currently do.

Yes. And this raises the question of what issues can't. What are the issues we should postpone, because they only require some polish? I'd love to see a prioritized list of all the issues.

Re:Common Problem (1)

Meshach (578918) | more than 5 years ago | (#29265265)

Security is only one of many issues that could be vastly improved if people cared more than they currently do.

I think you have identified the major problem with security: people do not care. They do not want to spend time setting up a firewall, evaluating sites, or patching a system. They want a computer to be like a toaster: you take it out of the box and it works right away. And it keeps working with no intervention. Until computers get to that point it will be a continual problem.

Re:Common Problem (2, Insightful)

Chris Mattern (191822) | more than 5 years ago | (#29265519)

The problem is that when computers get to that point, they won't do what you want, they'll do what *they* (and the people who made them) want.

Re:Common Problem (2, Insightful)

Meshach (578918) | more than 5 years ago | (#29265623)

The problem is that when computers get to that point, they won't do what you want, they'll do what *they* (and the people who made them) want.

I think that is one of the big hurdles for Linux adoption in mainstream society. People don't want an O(1) scheduler. They don't want nifty commands. They don't want to fiddle with things. They just want it to work with the least effort on their part.

Re:Common Problem (1)

Thinboy00 (1190815) | more than 5 years ago | (#29267233)

The problem is that when computers get to that point, they won't do what you want, they'll do what *they* (and the people who made them) want.

I think that is one of the big hurdles for Linux adoption in mainstream society. People don't want an O(1) scheduler. They don't want nifty commands. They don't want to fiddle with things. They just want it to work with the least effort on their part.

I know everyone here hates it, but that's what Ubuntu is for.

Re:Common Problem (0)

Anonymous Coward | more than 5 years ago | (#29265909)

This applies in both the individual sector and the business sector.

I've encountered many people who just want an appliance, and view computers as machines where they don't know/don't care about what is going on, they just want to browse their naughty sites, play with the latest FB apps, and if something goes awry or slow, take it to a "guru" who will "fix" [1] it.

I have encountered this in the business sector. Bean counters who are handling sensitive information don't want the expense in both new equipment and process changes to keep up with today's threats. Of course, when (not if) they get nailed, the first thing they will do is go after the IT people who were not able to get the items required in the first place. If a business wants enterprise-level security, they will have to deal with enterprise-level policies and maybe end up paying enterprise-level prices for critical bits of hardware (HSMs for the signing keys, routers, smart cards).

Staying abreast of security threats means expenses that one doesn't think of first thing. As operating systems age and hit end of life, those must either be used with third party applications to supplement their security, put behind more sophisticated security appliances, air-gapped from the Internet, or replaced (perhaps with hardware upgrades) for stuff that is engineered for today's threats. XP is just hitting this problem. It's almost at EOL, and in 2-3 years, it will require either hardware/software solutions for security life support, or wholesale replacement.

[1]: I always dislike the term of "fixed" when it comes to computers. It is too vague. Does yanking all malware count as fixed until the next intrusion, or does fixed mean forcing the user to run with zero admin privs with both enterprise AV software and AppLocker ensuring that only the basic apps (mail, web browser, office suite) are able to run?

Re:Common Problem (3, Insightful)

bberens (965711) | more than 5 years ago | (#29265535)

I'm sure I'll be modded down for this, but I don't see why a company or person SHOULD concern themselves more with security than they do currently. A simple cost/benefit analysis of what it actually entails to become "secure" shows that it's simply not worth it. It's the same math that goes into determining whether to do a vehicle recall and whether or not to install a home security system. If you look at it in those terms, you'll see we're dramatically over-spending on security.

And yet... I'm often considered paranoid by my peers (IT and otherwise) with respect to my personal information.

Re:Common Problem (2, Insightful)

plopez (54068) | more than 5 years ago | (#29265995)

Part of the problem is building it in from the beginning. There is much more fun and/or marketing appeal to build in eye candy, support the latest games, multi-media capabilities, mobile devices support etc. than to design in security.

A vendor or kernel programmer group should design it in from the ground up. But there isn't really any money in it for vendors and few programmers think of it as fun. With the exception of these guys maybe http://www.openbsd.org/security.html [openbsd.org]

So in other words, many people are dropping the ball for a variety of reasons, commercial interest, lack of skill or plain disinterest.

Security should be "plug and play". The user shouldn't have to think about it at all, other than put in the correct key (physical or virtual). Which I think is also part of your point.

it's all hype (0)

Anonymous Coward | more than 5 years ago | (#29265091)

the security industry is just a lot of hot air and hype.

blah blah Kaminsky bug blah blah hacking blah blah we scanned you with this tool blah blah

what's that? you can't point me to a single instance of this "vulnerability" ever being exploited in the real world? that's what I figured.

My Cheap and fullproof method (5, Funny)

Anonymous Coward | more than 5 years ago | (#29265107)

See, I have no security. Anyone can access my data. Folks come across the data and think, "There's no security. This can't be real!" I throw in some names like "Dick Hertz, Harry P. Ness, Mike Hunt, Haywood Jablowme, etc..." and the data thieves think it's bogus.

I call it "Security through rudeness."

Re:My Cheap and fullproof method (1)

WindBourne (631190) | more than 5 years ago | (#29266183)

Odd; those were made-up names? 53 pages [whitepages.com], including Harry V. Ness [whitepages.com]. Mike Hunt is all over Nebraska. And of course [whitepages.com].

The Myths of a Check Engine Light (0)

Anonymous Coward | more than 5 years ago | (#29265115)

Heh heh Had to toss that in!

Do we really need to read it..? (2, Insightful)

castironpigeon (1056188) | more than 5 years ago | (#29265133)

If the book can be summarized in those last three sentences is it really worth the read? I think /.ers will realize before turning the first page that even the most ridiculously complex security system can be thwarted by stickies posted to people's monitors.

Re:Do we really need to read it..? (2, Funny)

kalirion (728907) | more than 5 years ago | (#29265289)

I think the solution is clear - we need biometrically protected stickies!

Re:Do we really need to read it..? (0)

Anonymous Coward | more than 5 years ago | (#29265859)

some already are, depends on how you make em sticky

Re:Do we really need to read it..? (1)

yali (209015) | more than 5 years ago | (#29266007)

I think /.ers will realize before turning the first page that even the most ridiculously complex security system can be thwarted by stickies posted to people's monitors.

What I suspect many /.ers do not adequately consider is that the most ridiculously complex security systems are especially likely to be thwarted by user behavior.

The folks who design security systems need to realize that human beings are part of the system (i.e., pay attention to usability and to the peculiarities of human cognition, motivation, and behavior). If they cannot get past blaming users, they will simply continue to design computationally elegant but functionally ineffective security systems.

Re:Do we really need to read it..? (1)

jaysonsings (1608093) | more than 5 years ago | (#29266335)

He did a summary, he didn't say not to read it.

Evolution will produce security (2, Interesting)

onionman (975962) | more than 5 years ago | (#29265167)

While I'm a big fan of security research, I think that the reason we see security lacking in most products is because there just isn't a business case for it. Most of the time, the added hassle of security development or deployment seems larger than the cost of poor or no security. As the consequences of security failures escalate, I'm sure that the market will evolve to include better security focus.

Hopefully, we'll get to that point without a widespread catastrophe... for example, the current "Smart Power Grid" ideas will have "Intelligent" power meters in most homes and businesses... imagine what a security failure in a widely deployed "Intelligent" power meter could do!

You totally ruined the ending (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#29265185)

You totally ruined the ending, man, that was almost as bad as finding out Dumbledore died.

Make it cost money (0)

Anonymous Coward | more than 5 years ago | (#29265189)

Lack of security doesn't cost enough money right now. Worst case, you make a horrible mistake and get unencrypted credit card numbers stolen, you have to put a notice on your website and/or mail everybody affected. That costs a little bit... but not as much as proper security. So, lack of security simply needs to cost more.

Falling on deaf ears (1)

lbalbalba (526209) | more than 5 years ago | (#29265191)

Most people prefer 'ease of use' over 'security' (of course, until something 'bad' happens). They would prefer an unlocked door over the trouble of having to find the keys and unlocking the door every time they want to enter their house, until they get robbed of course. Sad but true, but it appears to be human nature.

Thanks... (0, Redundant)

hymie! (95907) | more than 5 years ago | (#29265211)

Ultimately, the state of information security can be summed up in the book's final three sentences, in which John Viega writes that 'real, timely improvement is possible, but it requires people to care a lot more [about security] than they do. I'm not sure that's going to happen anytime soon. But I hope it does.'"

Thanks for spoiling the ending.

Thanks! (5, Interesting)

viega (564643) | more than 5 years ago | (#29265285)

Ben, Thanks for the positive review. I know the book has pissed some people off, especially when I take on their particular sacred cows (e.g., intrusion detection). But, the Schneier chapter isn't meant to piss him off, I have no beef with him whatsoever. I just think the fanboys do the world a disservice by not thinking for themselves, especially when they draw from material that's a decade old. John

Re:Thanks! (1)

ivanmarsh (634711) | more than 5 years ago | (#29265965)

So this book was written to educate fanboys about their bad habits? I don't need another book on security that assumes I'm an irresponsible, apathetic, zealot. Your apparent attitude has just unsold this book for me.

Re:Thanks! (4, Insightful)

kevjava (259717) | more than 5 years ago | (#29266107)

But, the Schneier chapter isn't meant to piss him off, I have no beef with him whatsoever. I just think the fanboys do the world a disservice by not thinking for themselves, especially when they draw from material that's a decade old.

The thing is, you're not convincing me that the book is out of date. There is plenty of material in the Internet that is over a decade old and is still relatively current. I read the Cathedral and the Bazaar [catb.org] for the first time last month, and drew a good amount of benefit from its words, even if I'm not ready to swallow it whole. The Mythical Man Month [wikipedia.org] shed quite a bit of perspective on project management in a field that our industry has fifty or so years of experience in, and yet we still do terribly at.

The principles of cryptography are still the same today as they were in the days of the Roman Empire and the Caesar Cipher, with all the bits about Alice and Bob with Mallory in the middle. Our toys are much more advanced today, and their rate of advance continues to increase, but just what is it that makes our pulling of information from a 10+-year-old book harmful?

I'm no Schneier "fanboy", and haven't actually read the book; I just genuinely want to know.

Re:Thanks! (1)

blueskies (525815) | more than 5 years ago | (#29266525)

Our toys are much more advanced today, and their rate of advance continues to increase, but just what is it that makes our pulling of information from a 10+-year-old book harmful?

The field moves very fast because it is an "arms race." On that alone, I think it warrants having someone go back and re-evaluate the underlying assumptions that were in play during the last edition.

Don't care or plain lazy? (1)

burnin1965 (535071) | more than 5 years ago | (#29265333)

I would argue that in many cases it's simply laziness on the part of developers rather than not caring. Obviously people care whether their credit card number and personal information are acquired by someone with devious intentions, but when it's not your data in the system and going the extra mile to implement what are sometimes even the most basic security measures in an application requires a few more hours or days of coding, many developers will just dismiss the extra work.

Case in point, SQL injection attacks on web applications. A very common attack vector and one that has seen extensive work in methods and code to make applications more robust, and yet most applications avoid the most basic security feature provided by a database engine backing an application, database user permissions.

Analysis of many web applications will reveal that they implement a single database user for all queries and this database user is often times the owner of the database with full privileges. A mistake in the application code that allows an SQL injection attack provides the attacker with the power to access or change any information in the database that pleases them.

Implementing multiple users with varying levels of access to the tables in a database does require some additional work but is very feasible, and yet the response I have received from some developers when presenting such an idea as a way to protect a web site's database is often "it would be easier to just do database backups and restore a trashed database". Simply lazy.
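The per-function database accounts described in the post above, written out as an added example (not code from the post or the book). It targets PostgreSQL; the `customers`/`orders` schema, the role names and the placeholder passwords are assumptions for illustration. Parameterized queries in the application stop the injection itself; what the roles do is cap the damage if one slips through, so a bug in a catalog page cannot delete orders or read e-mail addresses.

```sql
-- Added example: least-privilege roles for a web application (PostgreSQL).
-- Schema, role names and passwords are assumptions for illustration only.
CREATE TABLE customers (
    id    serial PRIMARY KEY,
    name  text   NOT NULL,
    email text   NOT NULL
);
CREATE TABLE orders (
    id          serial  PRIMARY KEY,
    customer_id int     REFERENCES customers(id),
    total       numeric NOT NULL
);

-- The anti-pattern from the post: one owner account for every query.
-- Do NOT do this:
--   CREATE ROLE webapp LOGIN PASSWORD '...';
--   ALTER TABLE customers OWNER TO webapp; ALTER TABLE orders OWNER TO webapp;

-- Instead, one login role per application function, each starting with nothing.
CREATE ROLE web_catalog  LOGIN PASSWORD 'placeholder-change-me';  -- public product/customer pages
CREATE ROLE web_checkout LOGIN PASSWORD 'placeholder-change-me';  -- order placement
CREATE ROLE web_reports  LOGIN PASSWORD 'placeholder-change-me';  -- back-office, read-only

-- Remove the default grants so that nothing is reachable by accident.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO web_catalog, web_checkout, web_reports;

-- Catalog pages may list customers by id and name, but never see e-mail addresses
-- (column-level grant).
GRANT SELECT (id, name) ON customers TO web_catalog;

-- Checkout may look up customers and append orders; it cannot update or delete them.
GRANT SELECT ON customers TO web_checkout;
GRANT INSERT ON orders    TO web_checkout;
GRANT USAGE  ON SEQUENCE orders_id_seq TO web_checkout;   -- needed for the serial id

-- Reporting is read-only across both tables.
GRANT SELECT ON customers, orders TO web_reports;

-- Verifying the boundary from a superuser session: impersonate each role and
-- confirm that operations outside its function are refused.
SET ROLE web_catalog;
SELECT id, name FROM customers;   -- permitted
SELECT email FROM customers;      -- refused: no grant on the email column
DELETE FROM orders;               -- refused: web_catalog has no DELETE privilege
RESET ROLE;

SET ROLE web_checkout;
INSERT INTO orders (customer_id, total) VALUES (1, 19.99);  -- permitted
UPDATE orders SET total = 0;      -- refused: web_checkout has no UPDATE privilege
RESET ROLE;
```

The application then opens a connection as `web_catalog` for browsing code paths and as `web_checkout` only for the order-placement path; a connection pool per role keeps this cheap. The `SET ROLE` checks at the end are worth keeping in a deployment script, since a forgotten `GRANT ALL` or a table created later by the owner account silently widens what each role can reach.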

Re:Don't care or plain lazy? (1)

sydb (176695) | more than 5 years ago | (#29266359)

I would argue that in many cases it's simply laziness on the part of developers rather than not caring. Obviously people care whether their credit card number and personal information are acquired by someone with devious intentions, but when it's not your data in the system and going the extra mile to implement what are sometimes even the most basic security measures in an application requires a few more hours or days of coding, many developers will just dismiss the extra work.

Don't blame the developers, at least not the ones that are told what to do by a boss. If security is specified in the NFRs, the implementation is tested against the NFRs and consequent defects are placed before the developer for resolution before the product is released then the developer will code for security.

If any of this is left to chance then blame lies with management.

I have a full-proof security code (0)

Yvan256 (722131) | more than 5 years ago | (#29265343)

And it's 1, 2, 3, 4, 5.

I also use that code on my luggage.

Re:I have a full-proof security code (3, Interesting)

cheros (223479) | more than 5 years ago | (#29265495)

Actually, during the last Access-all-areas held in London I brought along a Samsonite briefcase with a digital lock.

Someone spent the ENTIRE weekend trying to open the lock and didn't manage, which was due to a bit of evil from my side. The lock has 4 digits, so I entered a code and opened/closed it - he tried everything from 0000 to 9999 and didn't manage.

The reason was me pretending to press keys. That case had a cute feature: you didn't have to use all 4 digits, so the actual combination was just "9" with me pretending to hit other buttons :-)

Ah, those were the days..

PS: that lock had a major weakness anyway so I didn't use it long - it was just amusing..

Re:I have a full-proof security code (2, Funny)

sydb (176695) | more than 5 years ago | (#29266459)

Someone spent the ENTIRE weekend trying to open the lock and didn't manage

I knew security geeks were people with high boredom thresholds but this takes the biscuit.

Re:I have a full-proof security code (0)

Anonymous Coward | more than 5 years ago | (#29266009)

"foolproof"

Re:I have a full-proof security code (1)

xrayspx (13127) | more than 5 years ago | (#29266535)

And it's 1, 2, 3, 4, 5.

... senses working overtime ...

The only way to truly achieve security (0)

Anonymous Coward | more than 5 years ago | (#29265363)

The only way to truly achieve security is to remove the power cord of the systems involved.
That will prevent anyone from breaking into them, or anything else...

Re:The only way to truly achieve security (1)

Abstrackt (609015) | more than 5 years ago | (#29266033)

The only way to truly achieve security is to remove the power cord of the systems involved. That will prevent anyone from breaking into them, or anything else...

Reminds me of the story about the consultant that was hired to audit a company's security. He walked out of the building with their server not five minutes later.

What about physical security? (1)

jeffasselin (566598) | more than 5 years ago | (#29265383)

The problem is not computer security but security, period. Most physical security (locks, alarm systems) is based on obscurity, barriers to entry that are easy to leap, and overall bad design. Why would it be different for computer security?

Re:What about physical security? (1)

PeterM from Berkeley (15510) | more than 5 years ago | (#29265651)

Physical security and securing your Internetworked computer are actually qualitatively different issues.

Sure, your network security can be circumvented if physical access is easy.

However, ANY criminal ANYWHERE in the world can get at your insecure Internetworked computer. Furthermore, they can often do it in automated fashion with minimal risk!

Physical access, on the other hand, requires that the criminal show up in person. That vastly limits his scope for criminal behavior and vastly increases his risk. Given that, I'm not sure it really makes sense to compare the adequacy of physical security measures to network security measures.

--PeterM

Security, summed up quickly (0)

Anonymous Coward | more than 5 years ago | (#29265509)

The three most common myths of security:

Myth 1: You have any.
Myth 2: You magically fall in with the less-than-one-percent of the world that legitimately needs it in personal communications on a daily basis.
Myth 3: You're not paranoid.

The rest is just theory and execution.

Just stole the book (1)

Runaway1956 (1322357) | more than 5 years ago | (#29265637)

From the book: "Even though I recently retired from McAfee, I still believe it is doing far better than the rest of the security industry for a few core reasons."

Googling "Who is John Viega", I get this: John Viega is CTO of the SaaS Business Unit at McAfee and the author of many security books, including Building Secure Software

Sorry folks, but I don't believe that McAfee is the end-all and be-all authority on security. I'll read the book, and see what I can learn, but McAfee and I go back a long way. It's been one crummy relationship.

Re:Just stole the book (1)

multipartmixed (163409) | more than 5 years ago | (#29265879)

> McAfee and I go back a long way. It's been one crummy relationship.

I dunno, man. Back in the early 90s, their e-mail tech support was top-notch.

Re:Just stole the book (1)

jaysonsings (1608093) | more than 5 years ago | (#29266361)

who said he is the end-all? not even he. he is 1 voice, of many. do u hear the voices :)

Re:Just stole the book (1)

Runaway1956 (1322357) | more than 5 years ago | (#29266643)

You should see your therapist. I'm reading a PDF. If you are hearing voices from a PDF, you MAY just have a problem. Or not, as the case may be. Jean D'Arc did well with hearing voices, until the very end.....

These are not the tech specs you're looking for... (1)

AutumnLeaf (50333) | more than 5 years ago | (#29265741)

Chapter 18 is on the topic of security snake oil, ironically a topic Schneier has long been at the forefront of. The chapter gives the reader sage advice that it is important to do their homework on security products you buy and to make sure you have at least a high-level understanding of the technical merits and drawbacks of the security product at hand. The problem though is that the vast majority of end-users clearly don't have the technical wherewithal to do that. It is precisely that scenario that gives rise to far too many security snake-oil vendors.

Sometimes I think my technical ability is an obstacle to choosing products. A lot of security products are wrapped in marketing cheese-whiz that make them sound better than they are. From my point of view, I just want to know how security product Y is doing what it's doing, but to tell me that is to reveal details about the implementation, so they re-cast using something like a firewall as "anti-packet technology". WTF is anti-packet technology?

I'm curious to know if Viega touches on the fact that most modern anti-virus products in-essence do to your OS what the bad guys are trying to do (mini root-kits with haxored network drivers). I think the proposition of modern anti-virus tools these days is "let us own your box before a bad guy does."

Re:These are not the tech specs you're looking for (1)

Locklin (1074657) | more than 5 years ago | (#29266771)

From my point of view, I just want to know how security product Y is doing what it's doing, but to tell me that is to reveal details about the implementation, so they re-cast using something like a firewall as "anti-packet technology"

If the vendor can't explain how their security works without compromising it, then it's not security, it's obscurity and it's also probably snake-oil.

It's the soft stuff on the inside. (1)

chazd1 (805324) | more than 5 years ago | (#29265891)

It is a common understanding that the weakest link in information security is people. Until we are able to tell what people are thinking and protect ourselves from either their malice or ignorance it will be a problem.

Education of users is clearly a fundamental pillar in information security. I am sure social engineering schemes will continue to improve in their effectiveness in exploiting vulnerabilities.

Working against this cause is that no one will be able to concretely say that an information security program created revenue (except for security product suppliers). The only real hook that keeps executives funding security is the criminal and civil exposure they deal with. Keeping the execs out of jail is worth funding.

Joke (0, Redundant)

dandart (1274360) | more than 5 years ago | (#29266363)

Security is a complete joke. Especially software security. You can get into any computer with access. Unless you encrypt emails and all that nonsense with huge private public key pairs, it's no good. It's so easy to send an email from anyone to anyone else. SMTP is a complete joke.

Re:Joke (1)

blueskies (525815) | more than 5 years ago | (#29266647)

Chapter 31: People like to believe in absolutes. Some people will believe their computers are completely safe and others think security is a complete joke. In between those two sets of people are a large number of reasonable people.

Re:Joke (1)

dandart (1274360) | more than 5 years ago | (#29266895)

Hey hey, only some of it is a joke. SMTP is, hardware encryption isn't. WEP and WPA are, private-public key pairs aren't. See? I'm reasonable.

I need a cloak of invisibility (1)

miliambar (1399345) | more than 5 years ago | (#29266413)

I'd say that the main myth of security is that it's going to work if people have to think about it. It needs to be completely transparent to the user, which means that some things need to be changed or rewritten. People having to run Norton AV or Internet Security, Ad-Aware, Spybot, set security settings, or even click Allow 300 billion times (I'm looking at you, MS) just isn't going to cut it. Most users don't have the patience or knowledge to secure their boxes, /. notwithstanding. Hell, most Windows users wouldn't ever patch their boxes if it wasn't for the auto update system; I certainly don't expect them, for example, to turn off Windows Messaging (although MS may have released a patch that fixes that).

What *they* don't want you to know! (3, Interesting)

luddite47 (907624) | more than 5 years ago | (#29266741)

How many books have this stupid subtitle?
It must work...

The irony of IT security is practically axiomatic (1, Interesting)

Anonymous Coward | more than 5 years ago | (#29266883)

Your job is make access impossible for a motivated, resourceful and knowledgeable attacker, yet dead simple for an unmotivated, uninformed and careless user.

Corollary:

If you fail, you get blamed / fired / sued, not the user, not the attacker.

This is why IT people are so "paranoid" - they are usually entrusted with this impossible responsibility (impossible because it's not theirs alone but shared by the users), yet their ass is on the line (perhaps others as well, but definitely theirs) if something gets compromised.
