
Antivirus Inventor Says Security Pros Are Wasting Time

Zonk posted more than 6 years ago | from the think-outside-the-para-digum dept.

Security | 282 comments

talkinsecurity writes "Earlier this week Peter Tippett, chief scientist at the ICSA and the inventor of the program that became Norton Antivirus, had some interesting things to say about the state of the security industry. In a nutshell, Tippett warned that about a third of the work that security departments do today is a waste of time. Tippett goes on to systematically blow holes in a lot of security's current best practices, including vulnerability research/patching, strong passwords, and the product evaluation process. 'If a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000," he said. "But what did you really gain by implementing them? He only needed one."' Some of his arguments are definitely debatable, but there is a lot of truth to what he's saying as well."


PBKAC (5, Insightful)

DigitalisAkujin (846133) | more than 6 years ago | (#22335566)

Software / Hardware security is not too difficult to achieve. If an admin is truly competent they will have no problem getting their lab workstations up and running cleanly and bug free with pretty solid security.

The issue is usually the idiot that becomes the victim of a well done social hack.

As usual, the company is only as strong as its weakest link.

Re:PBKAC (4, Insightful)

GiovanniZero (1006365) | more than 6 years ago | (#22335612)

Agreed, the problem is usually the user. I recently got an email from someone that CC'd everyone, and when I told him in the future to BCC us he said "oh it's ok, I trust everyone on the list not to spam us". I replied "that's great, but do you trust them all to keep their machines clean and free from spyware?"

Re:PBKAC (-1, Flamebait)

djupedal (584558) | more than 6 years ago | (#22335770)

"...the problem is usually the user"

Let me be the first.

You sir, are a moron.

Re:PBKAC (0)

Anonymous Coward | more than 6 years ago | (#22335824)

You sir, are a moron.

Re:PBKAC (0)

Brian Gordon (987471) | more than 6 years ago | (#22335870)

Is it just me or is this article just total nonsense? What does arrow-proofing a car have to do with computer security? And I doubt this guy will have a job much longer if he's going around claiming that 100% security isn't the goal and that he only tries to keep out the 11-year-old script kiddies

Re:PBKAC (4, Insightful)

somersault (912633) | more than 6 years ago | (#22336084)

100% security is never possible unless you don't want to give anyone access, ever.

Re:PBKAC (4, Funny)

techpawn (969834) | more than 6 years ago | (#22336164)

100% security is never possible unless you don't want to give anyone access, ever.
DBA: We got the server running the best it ever has
Boss: Great! How'd you pull it off?
DBA: Well, we replaced all queries with 'Select * from tblQuery' which only has 1 row and 1 Column. Then stopped letting people call the queries!
Boss: You're fired...

Re:PBKAC (3, Insightful)

provigilman (1044114) | more than 6 years ago | (#22336480)

Yeah, the only way to 100% secure a PC is to disconnect it from the network, take out the power supply and then lock it in a bank vault. Anything short of that, and it's still vulnerable. It might be the user getting up to use the washroom without locking his station, or it might be some 11-year-old script kiddie...but it doesn't matter. As long as there's power running to it and/or it's hooked to a network, it's vulnerable. Security is just about mitigating the risk.

Re:PBKAC (1)

joeytmann (664434) | more than 6 years ago | (#22336678)

I can't remember where I read this, and I am sure I am going to muck it up, but the only 100% secure system is one that is unplugged from any other device in a closet that only you have the key to.

Re:PBKAC (1)

trolltalk.com (1108067) | more than 6 years ago | (#22336130)

Is it just me or is this article just total nonsense? What does arrow-proofing a car have to do with computer security? And I doubt this guy will have a job much longer if he's going around claiming that 100% security isn't the goal and that he only tries to keep out the 11-year-old script kiddies

No kidding. The guy was pulling figures (and other sh*t) out of his rectum over and over again.

Re:PBKAC (3, Insightful)

Bloodoflethe (1058166) | more than 6 years ago | (#22336252)

It's called an analogy. It was a pretty good one too. He's basically asking why spend tons of cash for a negligible improvement in security. There's no such thing as an unbreakable system. That's why people use detection tools in conjunction with their security measures - if you can't stop em, find out who they are and prosecute them. But even that can be sidestepped with sufficient resources and intelligence on the part of the hacker. I mean, this guy was the inventor of one of the more prominent (and actually pretty high ranking on the lists) anti-virus programs out there. I would say it is safe to assume that he has a pretty decent idea of what you can do to improve security. Also, notice that he is the inventor actually counseling people not to waste money on costly upgrades on software like the software he created and gets paid royalties on! How often does someone admonish people for overusing something that gets him paid?

Re:PBKAC (2, Insightful)

Brian Gordon (987471) | more than 6 years ago | (#22336458)

That's not what he was saying.

It isn't very likely, but it's possible.
He's opposing closing security holes that are obscure.. but by his own points, you only need ONE security hole. If you don't close the obscure ones it doesn't do you any good.

Re:PBKAC (5, Insightful)

boristdog (133725) | more than 6 years ago | (#22335658)

Social Hacking is the main weakness of any system. And most of the time you don't even have to "hack" if you are perceived as "computer literate"

Who here hasn't had people tell them: "Can you help me with my computer? Here's my password..."

Re:PBKAC (2, Funny)

Anonymous Coward | more than 6 years ago | (#22335884)

Who here hasn't had people tell them: "Can you help me with my computer? Here's my password..."
[Posted anonymously for obvious reasons] Heck I work for a (non-computer) Fortune 500 company and when we did systemwide hardware upgrade swaps, they had everyone send their passwords in clear text email to the support desk mailing list!

Re:PBKAC (5, Interesting)

eln (21727) | more than 6 years ago | (#22335958)

I scrupulously avoid knowing anyone's password. If they try to give it to me, I attempt to stop them from doing so before they can. Basically, if someone gives you their password, and something later happens to their account, you automatically become a suspect. If someone does give me their password, I'll often have them change it right then, as in I'll bring up the change password dialog of whatever program it is, and then turn my back while they type in a new password. That way, not only do I not know their password, but they know that I don't know it, and hopefully they get a better sense that passwords shouldn't be shared.

Of course, then I see the same person with their password on a Post-It on their monitor, and all hope of them ever learning the lesson is dashed.

Re:PBKAC (3, Insightful)

somersault (912633) | more than 6 years ago | (#22336160)

Same. Everyone seems to think I know their password already but I try to tell them that I don't even *need* their password. Also a lot of users don't seem to get the whole 'network' thing and think that you need the normal user's username and password to be able to access a computer. And sometimes when people leave the company then others still use the account of the person that has left without letting me know, so when I remove the account I get questions on why they can't access the account anymore. *sigh* Thankfully they are learning, slowly, but I find it so hard to get into the mindset of those users that I'm never going to be able to anticipate all the moronic things they're likely to do..

What did I gain? (1)

krovisser (1056294) | more than 6 years ago | (#22335580)

I "gained" 3,000 passwords that the hacker won't get. So we should all have short passwords, huh? Since there's obviously no point.

Re:What did I gain? (5, Insightful)

moderatorrater (1095745) | more than 6 years ago | (#22335632)

That's not the point. The point is that instead of making everyone have long passwords, you could take that same time and effort and train them about security risks that are more likely to happen, like them getting an email with an attachment, or using a browser other than IE. The chances of an attacker getting the password file are lower than the chances of a user doing something that will infect their computer because the user hasn't been taught correctly, so why focus on the passwords?

Re:What did I gain? (1)

krovisser (1056294) | more than 6 years ago | (#22335694)

True, but he mentions it like it's almost completely useless.

Re:What did I gain? (5, Insightful)

moderatorrater (1095745) | more than 6 years ago | (#22335912)

Bruce Schneier wrote about the long password requirement and how it can backfire because users can't remember them. My dad keeps his passwords in a text file on his desktop because his job requires them to change it every month, have letters and number and be different from the last 6 passwords. While that's good in theory, it's counterproductive because he doesn't (and can't) keep the passwords safe. Besides, as seen by myspace and phishers, the strength of the password is rarely the weakest link, it's the security skills of the people. In 90% of the cases, strict passwords are completely useless because they're not the weakest link, other parts of the system and the users are.

"Attack trees" by Bruce Schneier (5, Informative)

khasim (1285) | more than 6 years ago | (#22336290)

http://www.schneier.com/paper-attacktrees-ddj-ft.html [schneier.com]

Bruce also wrote about "attack trees". Having long passwords ONLY helps if the attacker has unlimited access to crack them. A simple WordNumberWord combination can give you enough security as long as each login attempt is noted and tracked.

If there is a 15 minute delay between every 3 attempts to login, and a HUMAN reviews the logs every work day, your online security should be sufficient.

You only need the 1024-bit security when the attacker can download the file and crack it at his leisure. But then, the failure is that you did not prevent the attacker from downloading that file.

There will ALWAYS be some risk. What's to stop the attacker from kidnapping your CEO's daughter and demanding that he let the attackers use his laptop to access your databases? The key is REDUCING the threat. If 99.99% of the attackers out there are not skilled enough or motivated enough to get through your security, are you "secure"?
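
The policy described above (every 3 failed attempts buy a 15 minute delay, and a human reads the log every work day), as an added example; this is not code from the comment or from any product it mentions. It assumes a Unix-timestamp clock, a small per-account lockout class, and constructed OpenSSH-style auth log lines with invented host names, accounts and addresses. It also shows the one thing a per-account lockout does not bound: one guess each against many accounts, which is exactly what the daily log review has to catch.

```python
"""Login throttling plus a daily failed-login review (added example)."""
import re
from collections import defaultdict


class LoginThrottle:
    """Per-account lockout: after `fails_per_window` consecutive failures the
    account refuses further attempts for `lock_seconds`. `now` is a Unix
    timestamp in seconds."""

    def __init__(self, fails_per_window=3, lock_seconds=15 * 60):
        self.fails_per_window = fails_per_window
        self.lock_seconds = lock_seconds
        self._fails = defaultdict(int)   # consecutive failures per account
        self._locked_until = {}          # account -> timestamp

    def attempt(self, account, password_ok, now):
        """Return 'ok', 'bad_password' or 'locked'. A guess made while the
        account is locked is not checked at all, so it yields no information."""
        until = self._locked_until.get(account)
        if until is not None and now < until:
            return "locked"
        if password_ok:
            self._fails[account] = 0
            return "ok"
        self._fails[account] += 1
        if self._fails[account] >= self.fails_per_window:
            self._fails[account] = 0
            self._locked_until[account] = now + self.lock_seconds
        return "bad_password"

    def max_online_guesses(self, seconds):
        """Upper bound on guesses against ONE account in `seconds`: one batch
        of `fails_per_window` guesses per lockout period (288/day by default)."""
        return (seconds // self.lock_seconds) * self.fails_per_window

    def days_to_exhaust(self, keyspace):
        """Days an online attacker needs to try every password in `keyspace`
        against a single account under this policy."""
        return keyspace / self.max_online_guesses(24 * 3600)


# One guess per account across many accounts ("spraying") never trips the
# per-account lockout; the log review is what notices the source address.
AUTH_LINE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def review_auth_log(lines, min_fails=5):
    """Failures per source address: sorted list of (ip, failure_count,
    accounts_tried) for sources with at least `min_fails` failures, which is
    the first thing a human reviewer should look at."""
    fails = defaultdict(int)
    accounts = defaultdict(set)
    for line in lines:
        m = AUTH_LINE.match(line)
        if m is None or m["result"] != "Failed":
            continue
        fails[m["ip"]] += 1
        accounts[m["ip"]].add(m["user"])
    return sorted((ip, n, sorted(accounts[ip])) for ip, n in fails.items() if n >= min_fails)


# Constructed sample log: one source tries one guess against each of six
# accounts (locking none of them); the other is a user who mistyped once.
SAMPLE_LOG = """\
Feb  7 09:12:01 gw sshd[4120]: Failed password for alice from 203.0.113.9 port 51022 ssh2
Feb  7 09:12:03 gw sshd[4121]: Failed password for bob from 203.0.113.9 port 51023 ssh2
Feb  7 09:12:05 gw sshd[4122]: Failed password for invalid user admin from 203.0.113.9 port 51024 ssh2
Feb  7 09:12:07 gw sshd[4123]: Failed password for carol from 203.0.113.9 port 51025 ssh2
Feb  7 09:12:09 gw sshd[4124]: Failed password for dave from 203.0.113.9 port 51026 ssh2
Feb  7 09:12:11 gw sshd[4125]: Failed password for erin from 203.0.113.9 port 51027 ssh2
Feb  7 09:30:44 gw sshd[4130]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Feb  7 09:30:51 gw sshd[4130]: Accepted password for alice from 198.51.100.20 port 40001 ssh2
""".splitlines()


if __name__ == "__main__":
    t = LoginThrottle()
    word_number_word = 2000 * 100 * 2000   # two 2000-word lists plus a 2-digit number
    print("guesses per account per day:", t.max_online_guesses(24 * 3600))
    print("days to exhaust WordNumberWord:", int(t.days_to_exhaust(word_number_word)))
    for ip, n, users in review_auth_log(SAMPLE_LOG):
        print(f"review {ip}: {n} failures across {users}")
```

Under this policy a WordNumberWord password space of a few hundred million takes over a million days to exhaust against one account, which is the point being made: the lockout, not the password length, sets the online attacker's budget. The review function is what makes the "human reads the logs" half of the policy concrete; the single source that touched six accounts shows up, the legitimate typo does not.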

Re:What did I gain? (1)

KublaiKhan (522918) | more than 6 years ago | (#22335704)

And also to recognize that no system is perfect--there will always be the cantankerous guy who is inexplicably "invaluable" to the company who thinks that "fereng1" is an uncrackable password, for instance--and to take steps more along the lines of risk mitigation than risk removal.

Re:What did I gain? (4, Funny)

tenton (181778) | more than 6 years ago | (#22336422)

And also to recognize that no system is perfect--there will always be the cantankerous guy who is inexplicably "invaluable" to the company who thinks that "fereng1" is an uncrackable password, for instance--and to take steps more along the lines of risk mitigation than risk removal.

Crap. I'd better go and change my password.

Re:What did I gain? (1)

Bloodoflethe (1058166) | more than 6 years ago | (#22336460)

Thank you, for step one of social hacking. I am about to proceed with a step two: find the most cantankerous person at your workplace. Then Step 3: I'm in your networks, reading your data!

Re:What did I gain? (3, Funny)

Seth Kriticos (1227934) | more than 6 years ago | (#22335880)

..security risks that are more likely to happen, like them getting an email with an attachment, or using a browser other than IE.

Um, I must have misunderstood you.. just thought, you want to say, that the IE is a secure browser..

Re:What did I gain? (1)

Vectronic (1221470) | more than 6 years ago | (#22336106)

I think he meant telling them to use a web browser other than IE, not that using another browser is less secure than using IE.

Or you could look really far into it, and maybe the Admin had some security setup that relied on IE, and by using another web browser would make that security ineffective.

Re:What did I gain? (1)

orclevegam (940336) | more than 6 years ago | (#22336278)

I would argue that a security setup that relied on IE wasn't really a "security" setup. If it depends on the client, it's pretty much by definition not secure.

Re:What did I gain? (3, Insightful)

raddan (519638) | more than 6 years ago | (#22336096)

Long passwords are trivial to enforce. In Active Directory, for instance, you simply set a policy. Done. Sure, whining users-- get used to it. It's your job to make sure the company has the resources it needs, and if they go down, it's your head on the chopping block.

The more common scenario that he does not mention is that people who are trying to gain access are trying to brute force a login through a network protocol. NOT running something like rainbowcrack on your password hashes. If they've gotten to that point your passwords are essentially worthless already.

BUT this is where defense-in-depth comes in. Security is NOT A PRODUCT. It is a mindset. So if your user accounts aren't all administrators and someone finally manages to brute force a network login, at the worst, that person now can do as much damage as one employee. You do have access controls on your employees, right? Not to mention, most "secure" network protocols nowadays make brute-forcing much harder. SSH, for instance, will time out the connection after X failed login attempts. They now have to work a lot longer. The login prompt in Windows does the same thing.

So you apply this thinking to everything. Stop using a VPN. Make only the services you want available through your firewall. Do egress filtering. Use a DMZ. Prevent LAN clients from talking to any hosts other than the gateway and servers. When I started, my company originally used VPN to check email on an Exchange server. BAD! Passwords were usually the same as the username. Someone could trivially walk in and have access to the entire WAN. I pointed this out to them and got "But we're using a VPN. Checkpoint says it's secure!" If you have Exchange, take advantage of RPC-over-HTTPS, and then proxy that! There are lots of things you can do. As this guy points out, none of them are perfect, but you never know-- one of those little things might save your ass.

Re:What did I gain? (3, Insightful)

Beyond_GoodandEvil (769135) | more than 6 years ago | (#22336176)

BUT this is where defense-in-depth comes in. Security is NOT A PRODUCT. It is a mindset.
Actually, it's a cost item that gets in the way of the money making work. That is how most people view it.

Re:What did I gain? (1)

orclevegam (940336) | more than 6 years ago | (#22336658)

Actually, it's a cost item that gets in the way of the money making work. That is how beancounters and upper management view it.
There, fixed that for you.

Re:What did I gain? (1)

moderatorrater (1095745) | more than 6 years ago | (#22336358)

Long passwords are trivial to enforce.
Are you making sure that they're not keeping the passwords on a post it note on their monitor? Or as a text file on their desktop? Enforcement isn't enough if the users aren't on the same page.

Re:What did I gain? (1)

Rhaize (626145) | more than 6 years ago | (#22336432)

Long passwords are trivial to enforce. In Active Directory, for instance, you simply set a policy. Done. Sure, whining users-- get used to it. It's your job to make sure the company has the resources it needs, and if they go down, it's your head on the chopping block
the number of passwords I see around my office on Post-it notes verifies this as a very valid approach. 12 characters, 2 upper, 2 lower, 2 symbols and 2 numbers, changed every 45 days, is great. It ensures that passwords will be forgotten and written down, and that the overtaxed help desk will reset more passwords. You idiots in IT need to realize that computers are a TOOL to be used to make the job easier. Business doesn't exist to justify an IT budget. Good security is a balance between usability and security. The tighter your security, the more strict you are about "locking down them stupid users", the more likely they are to have to circumvent as much of it as possible. A good rule of thumb, in my opinion, is to look at your IT staff's machines: if they have disabled your SMS, turned off the vital suite, modified their antivirus, and set themselves as admins on your machine, you likely need to rethink your strategy, because your users are doing the same thing.

Re:What did I gain? (1)

orclevegam (940336) | more than 6 years ago | (#22336226)

The chances of an attacker getting the password file are lower than the chances of a user doing something that will infect their computer because the user hasn't been taught correctly, so why focus on the passwords?
Because getting all the users to follow basic security procedures is about as likely to happen as porcine aviation? Essentially it's taken as a given that some moron is going to compromise the system, and strong passwords are equal parts convincing upper management that you're doing something about security, and actually doing something about security that you can control. It's also about corporate CYA with the shareholders, because if your system is compromised you can always say you're following established best practices to get them off your back and let you actually investigate and figure out how to really improve security.

Really a better approach than improving passwords is to ensure that a single compromised system won't be able to do too much damage, but after that's done, enforcing stricter password standards will probably lead to a better gain in security than trying to pound sense into the users, for the simple fact that a 2% security improvement is better returns than a theoretical 30% improvement that will never happen.

Re:What did I gain? (1)

Bloodoflethe (1058166) | more than 6 years ago | (#22336354)

Yeah, I gave up IE a while back, but most users never noticed. I also managed to get corporate to allow me to train new users on information security. It doesn't work on everyone, but thankfully most get it after a few good examples.

Re:What did I gain? (3, Insightful)

torkus (1133985) | more than 6 years ago | (#22335744)

What's more secure?

12 digit change-monthly lower+upper+number+symbol passwords written on sticky notes (or similar) for 75% of users and freely shared due to complete lack of security training

or

6 character passwords that only prohibit patterns and the username from being used, changed every 6 months, that people know not to write down or share?

Re:What did I gain? (2, Interesting)

profplump (309017) | more than 6 years ago | (#22336662)

That depends on where you expect the attacker to be -- it's hard to read sticky notes on my monitor from across the Internet.

And it's hardly fair to assume that complex passwords are more likely to be shared than simple passwords. Sharing passwords is a separate behavior entirely. Not to mention the complex passwords are harder to share for the same reasons they are harder to remember.

How about a password generation algorithm that works like this: select two or more short dictionary words, append or prepend numbers to at least one of the words, and join them with punctuation/special characters. That produces passwords that are both complex to guess (even if you know the generation algorithm) and easy to remember.

The next step is to add a tool that generates good passwords and make it available from the password changing dialog box, so users don't have to come up with a good password on their own -- they can just copy one from the computer. OS X does exactly that, and it's a good time for everyone involved.
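
The recipe above (two short dictionary words, a number appended to one of them, joined with punctuation), as an added example; this is not code from the comment or from the OS X password assistant it mentions. The word list is a small constructed stand-in so the example runs offline; a real deployment would load something like /usr/share/dict/words. The entropy figure is computed on the assumption the attacker knows the recipe and the word list, which is the only honest way to count it and is what makes the comparison with a random string meaningful.

```python
"""Memorable password generator following the word+number+word recipe
(added example)."""
import math
import re
import secrets

# Constructed stand-in for a real dictionary: 40 short lowercase words.
WORDS = [
    "apple", "bread", "candle", "dragon", "eagle", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "lemon", "marble", "needle", "orange", "pepper",
    "quartz", "river", "saddle", "tiger", "umbrella", "violet", "walnut", "xenon",
    "yellow", "zebra", "anchor", "button", "castle", "desert", "engine", "falcon",
    "glacier", "hammer", "insect", "jungle", "kernel", "ladder", "meadow", "nickel",
]
SEPARATORS = "!@#$%&*-_=+.,:;?"


def generate(words=WORDS, separators=SEPARATORS, digits=2, rng=None):
    """Return e.g. 'tiger42-walnut' or 'tiger-walnut42'. Draws from the OS
    CSPRNG unless a specific random source (with choice/randrange) is passed."""
    rng = rng or secrets.SystemRandom()
    first, second = rng.choice(words), rng.choice(words)
    number = str(rng.randrange(10 ** digits)).zfill(digits)
    if rng.randrange(2):          # which word carries the number
        first += number
    else:
        second += number
    return first + rng.choice(separators) + second


def entropy_bits(n_words, n_separators=len(SEPARATORS), digits=2):
    """log2 of the number of distinct outputs of generate(): the word pair,
    the number, which side carries it, and the separator."""
    return math.log2(n_words ** 2 * 10 ** digits * 2 * n_separators)


def random_string_bits(length, alphabet_size=62):
    """Entropy of a uniformly random string, for comparison (62 = a-zA-Z0-9)."""
    return length * math.log2(alphabet_size)


RECIPE = re.compile(r"^([a-z]+)(\d+)?([%s])([a-z]+)(\d+)?$" % re.escape(SEPARATORS))


def matches_recipe(password):
    """True if the password has the word[num]<sep>word[num] shape with the
    number on exactly one side; usable as a policy check on user-chosen ones."""
    m = RECIPE.match(password)
    return m is not None and (m.group(2) is None) != (m.group(5) is None)


if __name__ == "__main__":
    for _ in range(3):
        print(generate())
    print(f"{len(WORDS)}-word list: {entropy_bits(len(WORDS)):.1f} bits")
    print(f"5000-word list: {entropy_bits(5000):.1f} bits")
    print(f"random 8 chars from 62: {random_string_bits(8):.1f} bits")
```

With a 5000-word list the recipe yields about 36 bits, less than a random 8-character alphanumeric string (about 48 bits) but far more than users choose on their own, and every bit of it is memorable. Whether 36 bits is enough depends entirely on where the attacker sits: plenty against an online login with lockout, thin against an offline crack of a leaked hash.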

Re:What did I gain? (1)

techpawn (969834) | more than 6 years ago | (#22335862)

What's the old adage? "If it's hard for the users, it's going to be at least that much harder for the hacker"?

Yes, they only need one password to get in, you only need one crack in the armor to deliver a damaging blow... But if you have strong armor around you, you look like a less appealing target than trying to find the one weak scale under your wing. People are more likely to jump on an open WAN than try to break into a hidden one with at least WEP. It sounds more like a lot of what we put in to place is useless once they're in, but that doesn't mean to weaken our defenses.

This guy wrote security software, there may be a conflict of interests here too...

Re:What did I gain? (2, Informative)

AmaDaden (794446) | more than 6 years ago | (#22336132)

a lot of what we put in to place is useless once they're in, but that doesn't mean to weaken our defenses.

Tippett warned that about a third of the work that security departments do today is a waste of time.
He didn't say stop doing these things; he is saying work smarter not harder. Taking the time to educate people about what is safe is far more effective than using that same time to deal with the constant password problems you would have with a high security password policy.

Re:What did I gain? (1)

techpawn (969834) | more than 6 years ago | (#22336292)

Taking the time to educate people about what is safe is far more effective
"Educating" users is like herding cats. As soon as you think you're getting somewhere with it, they all scatter. As much as I hate it, sometimes you need to be heavy handed with policy in order to get anyone to learn. It also gets more difficult as an organization gets larger.

Re:What did I gain? (3, Insightful)

idontgno (624372) | more than 6 years ago | (#22336644)

"If it's hard for the users, it's going to be at least that much harder for the hacker"?

Up to a point of diminished returns, at which point it's impossible* for the legitimate user, so they cheat and defeat the whole scheme. (Witness the archetypal "I can't remember this stupid password" sticky-note-under-the-keyboard situation.)

(*"Impossible" is dependent on the user's level of apathy, forgetfulness, or hostility to the security regime.)

But if you have strong armor around you, you look like a less appealing target as to try to find the one weak scale under your wing.

That presumes an equal level of interest and intent between the "soft" target and the hardened one. If the hard target contains the more valuable goodies, well, that's just "crunchy on the outside, tender and tasty on the inside."

Also, for some in the cracking community, an apparently-hard target is a personal challenge to their 1334 hax0r skills, and quite appealing.

People are more likely to jump on an open WAN than try to break into a hidden one with at least WEP.

Again, assuming the values of the targets behind the protection schemes are equal. If all you want is free wireless, then one WAP is as good as another. If you want that WAP for a particular reason, you'll target it no matter what its apparent hardness. Every security scheme is fallible; the real value is measured in terms of effectiveness versus the value of what's protected.

It sounds more like a lot of what we put in to place is useless once they're in, but that doesn't mean to weaken our defenses.

I suspect the author is arguing that we should strengthen our defenses by implementing effective measures (non-self-defeating, like the too-complicated password example above; or "security theater" measures that sound tough and look effective but can be easily defeated by ignoring their fundamental premise, like complete isolation from the outside except for trusted partners, but then trusting those partners unreservedly--if they get pwn'd so do you)

chicken egg? (4, Insightful)

El_Muerte_TDS (592157) | more than 6 years ago | (#22335586)

If a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network

Why would the hacker need to guess one password from a list of password hashes when he already broke in and was able to elevate his rights to read the password hashes file? He might as well add his own password entry.

Re:chicken egg? (2, Informative)

somersault (912633) | more than 6 years ago | (#22335742)

Can't everyone read the password hashes file? On Linux at least. You aren't protecting the file, you're protecting the keys that were used to generate the hashes in the file. Biiiiig difference between read and write access to a password file.

Re:chicken egg? (1)

gnick (1211984) | more than 6 years ago | (#22335888)

Can't everyone read the password hashes file? On Linux at least.
No. That was true 15 years ago, but things like .shadow files have made things much trickier for the average user.

Re:chicken egg? (3, Informative)

ealex292 (758889) | more than 6 years ago | (#22335966)

No. The /etc/passwd file does not actually contain passwords, despite the name. It used to (hence the name), but hasn't in a while, since letting people read the hashes lets people brute force breaking the passwords a lot more easily (basically, hash every word in the dictionary, save it in a file, and compare those hashes against the one in the password file --- though this is less effective if salting [wikipedia.org] is used).

From my password file:

alex@ephesus ~ $ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
[...]

That "x" after the first colon indicates that the password is stored elsewhere --- in /etc/shadow, which is not world-readable:

alex@ephesus ~ $ ll /etc/shadow
-rw-r----- 1 root shadow 896 2008-02-03 21:18 /etc/shadow
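
The passwd/shadow split and the salting point above, as an added example; this is not code from the comment. The field layouts are the real ones (7 fields in /etc/passwd, 9 in /etc/shadow). The hash function is a deliberately simplified stand-in labelled $toy$ (one SHA-256 over salt and password) so the example runs anywhere; real crypt(3) schemes such as $6$ (SHA-512 with thousands of rounds) or yescrypt are salted the same way but are far slower per guess. Every account name, salt and password below is constructed.

```python
"""Parsing passwd/shadow entries and showing what the salt buys (added example)."""
import hashlib
import secrets

PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "reserved")


def parse_passwd(line):
    """One /etc/passwd line -> dict. 'x' in the password field means the
    hash lives in /etc/shadow."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(PASSWD_FIELDS):
        raise ValueError(f"malformed passwd entry: {line!r}")
    entry = dict(zip(PASSWD_FIELDS, fields))
    entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
    return entry


def parse_shadow(line):
    """One /etc/shadow line -> dict; the hash field is kept verbatim."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != len(SHADOW_FIELDS):
        raise ValueError(f"malformed shadow entry: {line!r}")
    return dict(zip(SHADOW_FIELDS, fields))


def toy_hash(password, salt):
    """$toy$<salt>$<hex digest>. The salt is stored in the clear; its job is
    to make the same password hash differently under every salt."""
    digest = hashlib.sha256(f"{salt}${password}".encode()).hexdigest()
    return f"$toy${salt}${digest}"


def verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, _scheme, salt, _digest = stored.split("$")
    return secrets.compare_digest(toy_hash(password, salt), stored)


def crack(entries, wordlist):
    """Dictionary attack on parsed shadow entries. Returns (cracked, work),
    where work counts hash evaluations. A shared (or empty) salt lets the
    attacker hash the wordlist once and look every account up in that
    table; distinct salts cost one pass over the wordlist per account."""
    cracked, work, tables = {}, 0, {}
    for entry in entries:
        stored = entry["hash"]
        if stored in ("", "*") or stored.startswith("!"):   # locked / no login
            continue
        _, _scheme, salt, _digest = stored.split("$")
        if salt not in tables:
            tables[salt] = {toy_hash(word, salt): word for word in wordlist}
            work += len(wordlist)
        if stored in tables[salt]:
            cracked[entry["name"]] = tables[salt][stored]
    return cracked, work


# Constructed data: three accounts, two of them with wordlist passwords.
WORDLIST = ["password", "letmein", "123456", "qwerty", "fereng1", "welcome", "monkey", "dragon"]
ACCOUNTS = {"alice": "letmein", "bob": "fereng1", "carol": "kitchen-sink-42"}


def build_shadow(accounts=ACCOUNTS, salted=True):
    """Constructed shadow file: a locked root entry plus one line per account,
    with a random 32-bit salt or (to show the weak case) no salt at all."""
    lines = ["root:!:13910:0:99999:7:::"]
    for name, password in accounts.items():
        salt = secrets.token_hex(4) if salted else ""
        lines.append(f"{name}:{toy_hash(password, salt)}:13910:0:99999:7:::")
    return lines


if __name__ == "__main__":
    print(parse_passwd("root:x:0:0:root:/root:/bin/bash"))
    for salted in (False, True):
        entries = [parse_shadow(line) for line in build_shadow(salted=salted)]
        cracked, work = crack(entries, WORDLIST)
        print(f"salted={salted}: cracked {cracked} with {work} hash evaluations")
```

Without salts the attacker pays for the wordlist once and reuses the table against every account, which is the precomputed-dictionary attack described above; with salts the cost is wordlist size times number of accounts, and a real slow hash multiplies that again by its round count. None of that matters if the attacker never gets the file, which is why /etc/shadow is root:shadow 0640 in the listing above.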

Re:chicken egg? (4, Funny)

swillden (191260) | more than 6 years ago | (#22336124)

From my password file:

alex@ephesus ~ $ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
[...]

That "x" after the first colon indicates that the password is stored elsewhere --- in /etc/shadow, which is not world-readable:

alex@ephesus ~ $ ll /etc/shadow
-rw-r----- 1 root shadow 896 2008-02-03 21:18 /etc/shadow

So what does the corresponding entry in the shadow file look like?

Re:chicken egg? (0)

Anonymous Coward | more than 6 years ago | (#22336168)

Heh, nice try!

Re:chicken egg? (1)

Vellmont (569020) | more than 6 years ago | (#22336072)


Can't everyone read the password hashes file? On Linux at least.

Absolutely not. Shadow password files became common on Linux 12-15 years ago, and other Unix variants around the same time. Only root is allowed to see the hash. If you have root privs, seeing the password hash wouldn't gain you much.

Re:chicken egg? (5, Insightful)

Penguinisto (415985) | more than 6 years ago | (#22335872)

He might as well add his own password entry.

True, but the idea is that if he's working from a SAM or shadow file written to pilfered backup tape, or got the password DB by use of a whole host of tools designed to suck out a Windows AD SAM from a server to your laptop over, say, a wifi network connection made in the parking lot or somesuch... e.g. you have the hash file, but don't have a clue as to what it contains. A lot of tools are designed to exploit holes in Windows' Active directory to get a copy of the SAM without all the bother of logging in (most required physical access to the box and a reboot, but IIRC there were some that didn't, depending on the exploit used).

In the corporate espionage type break-ins, it makes more sense to not poke around too much and break stuff as you go, but instead concentrate on finding the means by which you can return to the network with your presence all dressed up as a legit user or three. This way, you have relatively more time and leisure with which to poke around in. If you add your own account (modify a file) and give it privs, you're liable to get someone's attention (self-audits, internal file integrity sweeps such as AFICK provides, etc...). If you merely copy a file, there's less of a potential fuss.

The tangents and possibilities can go on and on, mostly because security and breaking-in can become less of a science, and more of an art form. :)

/P (who sees bits and pieces of it from time to time)
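
The "internal file integrity sweep" that the comment expects to catch an added account, as an added example; this is not code from the comment and not AFICK. It indexes the entries of a baseline copy of /etc/passwd and a current copy, then reports additions, removals and per-field changes, escalating anything that touches UID 0. Both file contents below are constructed.

```python
"""Account-file integrity sweep over /etc/passwd (added example)."""
import hashlib

PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")


def account_index(passwd_text):
    """name -> (sha256 of the raw entry, list of its 7 fields)."""
    index = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != len(PASSWD_FIELDS):
            raise ValueError(f"malformed passwd entry: {line!r}")
        index[fields[0]] = (hashlib.sha256(line.encode()).hexdigest(), fields)
    return index


def sweep(baseline_text, current_text):
    """Compare current against baseline; return [(severity, message), ...]
    with the worst findings first."""
    old, new = account_index(baseline_text), account_index(current_text)
    rank = {"critical": 0, "high": 1, "medium": 2}
    findings = []
    for name in new.keys() - old.keys():
        f = new[name][1]
        sev = "critical" if f[2] == "0" else "high"      # a second root is the classic
        findings.append((sev, f"new account {name}: uid={f[2]} shell={f[6]}"))
    for name in old.keys() - new.keys():
        findings.append(("medium", f"account {name} removed"))
    for name in old.keys() & new.keys():
        old_hash, o = old[name]
        new_hash, n = new[name]
        if old_hash == new_hash:
            continue
        changed = [k for k, a, b in zip(PASSWD_FIELDS, o, n) if a != b]
        sev = "critical" if n[2] == "0" and o[2] != "0" else "high"
        findings.append((sev, f"account {name} changed: {', '.join(changed)}"))
    return sorted(findings, key=lambda x: (rank[x[0]], x[1]))


# Constructed baseline, taken when the box was known-good.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
"""

# Constructed current state: a second UID 0 account was added and alice's
# home directory changed.
CURRENT = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
alice:x:1000:1000:Alice:/home/alice2:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backup:x:0:0:backup:/var/backups:/bin/bash
"""

if __name__ == "__main__":
    for severity, message in sweep(BASELINE, CURRENT):
        print(f"[{severity}] {message}")
```

The baseline has to live somewhere the attacker cannot edit along with the file (off-box, or at least signed), otherwise the sweep only confirms whatever was rewritten. That is also the reason copying the file, as the comment says, is the quieter move: a read leaves nothing for this kind of check to find.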

Re:chicken egg? (2, Informative)

crowemojo (841007) | more than 6 years ago | (#22336674)

You are proving his point!

By the time an attacker has the hashes, the game is essentially over! Do you think a 10 character password is really going to be that much weaker than a 14 character password in the situation where an attacker does *not* have hashes? (And simple controls such as account lockout features are enabled?)

I think Tippett would prefer passwords to be only complicated enough that they aren't susceptible to brute forcing when account lockout features are in place. His point is that anything past that is not netting you any practical security gain, and I think he's dead on.

I've heard the speech that this article is referring to and I have to tell you, it's pretty interesting. He talks a lot about trying to take a more practical approach to security, especially security research. Asking questions like "in a given environment, which controls result in an appreciable difference in security?" "Does updating virus signatures quarterly vs. monthly vs. weekly vs. daily make a difference?" Putting aside how you answer such questions (it's not an impossible task) I have to admit that the answers themselves are relevant!

One of Tippett's messages he stresses in this talk is that the security industry does things differently than other industries and it doesn't make sense. He draws a lot of comparisons to the medical industry because he is a medical doctor as well. In medicine, when we want to know how effective something is, we study it, we design trials, we examine the effects in the field. In security, we tend to go straight from the theoretical realm, debating ideals and their implications, straight to hard and fast rules, without the testing in between. We do ourselves a disservice by doing so. Straight from thinking "Antivirus updates are important and need to take place daily" to a general belief that "if you don't update daily, you are stupid, and insecure" without the in between step of asking "Does updating virus signatures quarterly vs. monthly vs. weekly vs. daily make a difference?"

Car Analogies (1)

FreakinSyco (873416) | more than 6 years ago | (#22335634)

That story has more car analogies than an average /. thread.

Re:Car Analogies (5, Funny)

Farmer Tim (530755) | more than 6 years ago | (#22335946)

That story has more car analogies than an average /. thread.

Or to put it another way, if car analogies were like cars on a highway...

Re:Car Analogies (1)

techpawn (969834) | more than 6 years ago | (#22336078)

That story has more car analogies than an average /. thread.
Yeah, but he wanted to make sure everyone was getting what he meant
Like when the check engine light comes on and...

A sane voice is heard... (4, Insightful)

Jennifer York (1021509) | more than 6 years ago | (#22335668)

I've had enough of the Security Vendors and their rhetoric. I'm constantly bombarded with requests to attend sales presentations on the latest intrusion detection pizza box appliance, or spam firewall thingy, etc. The value of these products is only so that the execs can point to their "security initiatives" and "best practices" when a breach of security is discovered. If they look like they've made an effort to curtail the risk, then they still get their big bonus.

Re:A sane voice is heard... (1)

SCHecklerX (229973) | more than 6 years ago | (#22336340)

Couldn't have said it better myself, which is one of the reasons I left my last job where I was the lead security analyst.

Re:A sane voice is heard... (2, Insightful)

ssummer (533461) | more than 6 years ago | (#22336584)

Unfortunately that kind of thinking which you condemn is present in just about every facet of industry and society. It's called CYA (Cover Your Ass). It's why we have to take off our shoes at the airport, it's why doctors order unnecessary tests, it's why millions of tons of "expired" food are destroyed every year, it's what runs the Legislative and Executive branches, it's why we are still in Afghanistan and Iraq, it's...

re: a sane voice? Depends.... (1)

King_TJ (85913) | more than 6 years ago | (#22336600)

The problem I see with the entire "computer security" issue is that there are lucrative jobs and big money to be had, hawking it to people.

The best examples I can think of of genuinely valid and useful security practices all involve things that don't cost much, if anything. (E.g., TrueCrypt 5.0 is free software, yet you can encrypt a whole notebook computer's drive with boot-time password protection with it. This adds an obvious and practical layer of security. Configuring a proxy server to disallow downloading of files with "high risk" extensions on them, such as .scr files, costs you nothing but a few minutes of your time, yet can prevent all sorts of potential issues for your Windows users in a corporate setting.)

Yet, like you say, the people at the top of the corporate ladder, who have the most to risk from security breaches (but conversely, have the least "technical knowledge" about such situations) want to essentially "pay for scapegoats". Free, practical security solutions don't give you someone you can demote/fire, file a lawsuit against, or at least point a finger at as responsible if something does go wrong. A highly paid "security consultant" or "I.T. Security Specialist" in the firm, however, can be the "fall guy", and an expensive network appliance that's supported under a paid contract? Again, there's a place to direct blame.

I forget (1)

jojo1835 (470854) | more than 6 years ago | (#22335680)

Why does my company have a list of passwords again? We need to get out of the thought that each individual device needs a password, and get to the point where passwords are part of an account a user has. Then we don't need to keep a list, we just need to enforce security on the directory storing passwords.

Tim

Re:I forget (1)

tepples (727027) | more than 6 years ago | (#22336350)

We need to get out of the thought that each individual device needs a password, and get to the point where passwords are part of an account a user has.
Good luck paying cell phone minutes for all the time that a battery-powered device is turned on. Not all devices are connected to a wired or Wi-Fi network at all times.

Corporate mouthpiece (3, Insightful)

Space cowboy (13680) | more than 6 years ago | (#22335688)

So, at first I wondered why an anti-virus man was basically blowing huge holes in the usefulness of his industry by coming out with quotable nonsense, for example:

But if a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000,"

No. If you mandate long passwords on the server, there are no short passwords. That's sort of the point.

But then, I read on in the article (yeah, I know, it's /., but what the hell), past the flawed car analogy and it became clear - he's making nonsense statements at the start to try and hide his introduction of the meme that an anti-virus program that doesn't really work is still a "really good thing"(TM).

Now, don't get me wrong, *any* protection is obviously better than none, but this is basically a surrender - instead of selling the common (wrong, but common) "I have an up-to-date anti-virus package, I am protected" perception, they're now moving towards "Hey, we did the best we could; all those *old* virus's/virii(+) are *definitely not getting through". Woo Hoo.

So perhaps I'm being overly cynical, but it seems to me like a corporate piece with quotable sound-bites (so it gets wide distribution) that tries to deliver the message "hey, we suck, but keep on buying our software", in a more acceptable-to-the-people manner...

Simon

(+) And with this, I hope to equally annoy the grammar and spelling nazis out there. [insert random deity] those people piss me off.

Re:Corporate mouthpiece (5, Insightful)

Anonymous Coward | more than 6 years ago | (#22335930)

I can fully understand your cynicism, I share a lot of it. However, Peter Tippett does not work for Norton any more. He works for Verizon Business in their Risk Intelligence, and he has spent the past several years doing actual research on risk on an Enterprise level.

Maybe he's wrong, but he isn't trying to sell you any software.

Ben

Re:Corporate mouthpiece (1)

Penguinisto (415985) | more than 6 years ago | (#22335982)

What did you expect? This is the same website that gives a periodic voice to Rob Enderle [darkreading.com] as if he were some sort of security expert... :/

/P

Not only that. (4, Insightful)

khasim (1285) | more than 6 years ago | (#22335994)

But he's confusing ATTACKING a specific company with INFECTING various machines.

They are not the same. The defenses are not the same. There may be overlap (a workstation at a company gets infected and sends out spam vs a workstation at a company gets cracked and is used to crack other boxes at that company) but that is all.

All in all, he's 100% backwards on his comments. Just what you'd expect from someone trying to push a specific product from a specific company.

Re:Corporate mouthpiece (1)

maxume (22995) | more than 6 years ago | (#22336408)

It depends a little bit on how close your definition of a long password is to his definition of a long password. If he is saying long password in the context of what he thinks is common practice, and he is basing the 2000/5000 on how many would likely be cracked before they were changed, he probably has a point.

Double Entendres (4, Funny)

CowTipperGore (1081903) | more than 6 years ago | (#22335696)

Peter Tippett thinks it's time for security professionals to wake up and stop wasting their energy. In a presentation here yesterday, Tippett -- who is vice president of risk intelligence for Verizon Business, chief scientist at ICSA Labs, and the inventor of the program that became Norton Antivirus...
Peter Tippett invented the computer condom? You just know that his resume also lists a job somewhere in penetration testing.

Re:Double Entendres (1)

iknownuttin (1099999) | more than 6 years ago | (#22335932)

Peter Tippett invented the computer condom?

That's not the only thing. Apparently this guy has a problem with others stealing his ideas. I always thought Peter Norton invented Norton Anti-Virus. What, now you're going to tell me that he's not related to Ed Norton [imdb.com] ?

Re:Double Entendres (1)

vandegraff (461064) | more than 6 years ago | (#22336360)

Looking at AV from 50,000 feet:

Problem #1: why would anti-virus software which is added after the fact for protection really "know" what was good or bad in the context of the operating system? Why should it be trusted as much as the operating system itself?

Problem #2: signature based detection does not work when threats are polymorphic.

That efficient? (4, Insightful)

Rampantbaboon (946107) | more than 6 years ago | (#22335722)

About 3/4 of the work done by the average corporate department is useless. Congrats on the efficiency, security people.

Dr. Tippett's old analogy (1)

SCHecklerX (229973) | more than 6 years ago | (#22335730)

Wow,

10 years ago he was saying exactly the same thing. It's still relevant, but nobody has been listening.

Re:Dr. Tippett's old analogy (0)

Anonymous Coward | more than 6 years ago | (#22336638)

Or, it's not relevant at all, and that's why nobody has been listening.

Seriously, Dr. Tippett makes some good points from time to time, but he has been going on the same rant for years now regardless of the actual state of the security industry. He has become a self-appointed elder statesman because he was part of the early AV industry long ago, and his interpretation of this role is to 1) state the obvious and 2) make attention-getting, seemingly contrarian statements that are supported only by flawed analogies. (Oldsters on this thread will remember this as the modus operandi of John McAfee and most other leaders of the early security industry, as well as a few modern security pundits.)

His papers and speeches usually fail a close parse and the consultants in his own companies, much less the security community at large, pay no attention to him.

1/3 + (4, Interesting)

globaljustin (574257) | more than 6 years ago | (#22335738)

Tippett is right on with this, and I'd venture we could go further. Think of how much money is wasted on redundant security and the people to operate it, now add to that all the time and productivity wasted b/c rank and file employees have to navigate under such redundant encumbrances.

I honestly feel like 9/11 and its aftermath has *something* to do with how several sectors of our country are tripping over themselves to implement unnecessary, bloated, counterproductive measures in the name of 'security'.

Existence is insecurity. The only way for something to be 100% secure is for it not to exist.

having a lock on my door (5, Interesting)

circletimessquare (444983) | more than 6 years ago | (#22335748)

is stupid because somebody can just kick in a window

except it isn't stupid. if someone is determined enough, they will break into my house, no doubt. most of the security features on my house are meant to deter those with a casual interest

same with all of the efforts that tippett pokes holes in. well yeah, duh: every single security effort in the world is surmountable. what's the value in pointing that out? none

that someone can get over your security measures with effort is not an argument against the lowest level of security. the lowest level security practices always have value: against casual transgressions

Re:having a lock on my door (1)

mapsjanhere (1130359) | more than 6 years ago | (#22336120)

I was thinking the same; yes, I still would like to cut the company president and half the PhDs off the internet half the time, but nevertheless I sleep better with automatic patches, AV and long passwords. Sure it's not defense against a dedicated hacker or the NSA, but it beats relying on people actually listening to you in the security briefings, especially the "I don't have time for this" and the "I know better" crowds.

Re:having a lock on my door (2, Interesting)

phliar (87116) | more than 6 years ago | (#22336694)

The biggest effect these lowest level ineffective gratuitous "security" measures have is to annoy everyone and make lots of money for the security companies. Good security is a matter of quality, not quantity.

Let me give you an example: I work downtown in a building of 10 floors, surrounded by buildings of around 50 floors. There are only offices in this building, all very boring and white collar. We already have card-readers on the doors on each floor. You also have to swipe your card in the elevator or it won't take you to your floor. And last month they added BART-style card-reading barricades downstairs. All this expensive security for what? So that you forget your card, you can wait downstairs while someone from your floor can come escort you up to your floor, where you get your temporary day badge.

Exactly what benefit does all that extra security have? If I wanted to steal corporate secrets I wouldn't be doing it by trying to sneak into the building.

But it's the war on terra! 9/11 changed everything!!!

Warning, meaningless automotive metafoor's ahead.. (0)

Anonymous Coward | more than 6 years ago | (#22335756)

dont even bother reading tfa..

Defense In Depth (5, Insightful)

ThaNooch (1186931) | more than 6 years ago | (#22335778)

No one is trying to create an Iron Curtain. Security departments (most of them hopefully) are taking numerous measures to prevent breaches. Including access controls preventing one compromised computer from getting all the marbles via role-based or well-configured discretionary access controls, appropriate traffic filtering and intrusion detection techs.

Risk management is the specific practice of minimizing the greatest risks (what will do the most harm and will be the most likely to happen). And for the most part everyone realizes that no risk can be completely eliminated, so we mitigate them as best we can and rely on fundamentally sound access controls et al. to limit the effect of any breach and hopefully know about and plan for unforeseen circumstances by planning for certain categories of attacks.

Hopefully I'm right, because if I'm not... I'm scared.

Not totally clear .. (1)

lorenzino (1130749) | more than 6 years ago | (#22335780)

The 2000 vs 5000 password problem is not really clear to me. Anyone can explain better ? And I partially agree on the other things he said, basically inbound and outbound default DROP/DENY and investing on teaching to workers rather than spending money on antivirus software only ..but does that mean he is out of antivirus business ? Why would HE suggest that ?

Re:Not totally clear .. (3, Insightful)

Christianson (1036710) | more than 6 years ago | (#22336098)

I think his point might be this: when you enforce strong password policies, you reduce exposure but you do not prevent someone gaining access to your systems. They only have to be lucky once. Strong password policies make it harder for them to be lucky, but not impossible. What do you gain with a strong password policy? You make it much more difficult for someone to use a dictionary attack. Aren't there other ways to protect against that?

What do you lose with a strong password policy? Good user habits. They will start writing passwords down, or reusing them, and in general starting to do things we know you shouldn't. The policy starts becoming a direct impediment to the users, and so they naturally do their best to work around it. You may have reduced your exposure to brute force attacks, but you've opened yourself up to social engineering, and it's not clear that you've won by doing so.

Which is why (I think) he makes the point about user education. Getting users to follow good security procedures would likely solve more problems than any possible technical solution. This in turn requires a recognition that there are certain technical solutions you simply cannot put in place if you want people to use your system in a secure fashion.

my root password is (2, Funny)

FudRucker (866063) | more than 6 years ago | (#22335796)

a small poem (haiku style), it is difficult to type correctly because of intentional typos and a few numbers substituting for letters, i even get it wrong myself about 1/3 of the time even though i know it by heart...

Re:my root password is (1)

gnick (1211984) | more than 6 years ago | (#22336036)

Wow... That sounds a little overly-paranoid unless you're worried about being heavily attacked by a well-funded government. Even really dedicated crackers quit at the 14-char letter/number/special char rainbow table level...

Re:my root password is (0)

Anonymous Coward | more than 6 years ago | (#22336568)

my password is 'You'll never guess my password!!!111!!!eleven' Easy to remember, nobody would even guess it, and i doubt people would let their brute force algorithm work long enough to break it....

Valid points from article (4, Informative)

whitehatlurker (867714) | more than 6 years ago | (#22335808)

1) Not all "vulnerabilities" are dangerous. Yes, there are a lot of junk security warnings out there. Part of the security officers' duty is to separate the chaff from the kernels.

2) You're only as secure as your weakest password. We knew that.

3) This guy shouldn't talk about seatbelts.

he had me until (1)

caserio (144860) | more than 6 years ago | (#22335830)

"Security teams need to rethink the way they spend their time, focusing on efforts that could potentially pay higher security dividends, Tippett suggested. "For example, only 8 percent of companies have enabled their routers to do 'default deny' on inbound traffic," he said. "Even fewer do it on outbound traffic. That's an example of a simple effort that could pay high dividends if more companies took the time to do it."

This is on every Pix ever made. What is the point of any firewall if it does not block all then let some through?
I agree that education is probably the best security practice! There does not exist a product that can secure stupid.
However you MUST have AV/long passwords/IDS/IPS and a host of other things to create layers and let you know what is going on in your network. If you just throw your hands up you are not doing your job!

Re:he had me until (1)

CowTipperGore (1081903) | more than 6 years ago | (#22336566)

This is on every Pix ever made. What is the point of any firewall if it does not block all then let some through.
In the quote you included from TFA, Tippett is talking about routers. Also, a PIX does not deny outbound by default, only inbound.

Routers, "default deny," and training (1)

yuna49 (905461) | more than 6 years ago | (#22336690)

I found this figure rather implausible as well. I suppose it's possible that only 8% of routers connected to the Internet deny inbound traffic by default, but I thought that was a fundamental aspect of firewall design as well. Even consumer routers are designed this way.

But if the base for the 8% figure is all routers in, say, the top 2000 companies, then I might believe it. It's not uncommon to trust all internal traffic, even though a stricter security model might be more appropriate there as well. Converting internal routers from accept to deny raises the possibility that applications will suddenly stop working. For overworked network administrators this alone probably provides a sufficient disincentive to implementing internal security. The miscreant Tippett describes in TFA who spreads out across a network after breaking a single password will have a harder time if the internal routers block his path.

I'm also not surprised to hear that "techie" stuff like vulnerability testing gets a disproportionate share of security spending while employee training gets short shrift. Code vulnerabilities have an empirical reality about them that training doesn't offer. You can fix a hole in code or install anti-virus software on all your workstations. Your chances of "fixing" employees by making them adopt better security practices are a lot more hit or miss.
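The posture difference argued over in the two posts above (a PIX that denies inbound but permits outbound by default, versus Tippett's "default deny" in both directions, plus the point about internal routers blocking a lateral path) is easy to see on concrete traffic. The following is an added example, not code from the thread or from any vendor: a miniature stateless rule evaluator with a separate fall-through action per direction, run over a constructed rule set and constructed flows (documentation-range addresses, hypothetical web server and workstation).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection attempt, seen from the protected network's side."""
    direction: str  # "inbound" (Internet -> us) or "outbound" (us -> Internet)
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """An explicit permit/deny; a None field matches anything."""
    direction: str
    action: str  # "permit" or "deny"
    dst: Optional[str] = None
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return (self.direction == f.direction
                and self.dst in (None, f.dst)
                and self.dport in (None, f.dport)
                and self.proto in (None, f.proto))


class Filter:
    def __init__(self, rules: List[Rule], default: Dict[str, str]):
        self.rules = list(rules)
        self.default = dict(default)  # per-direction fall-through action

    def decide(self, f: Flow) -> Tuple[str, bool]:
        """Return (action, explicit). First matching rule wins; otherwise the
        direction's default applies and explicit is False."""
        for r in self.rules:
            if r.matches(f):
                return r.action, True
        return self.default[f.direction], False

    def unreviewed(self, flows: List[Flow]) -> List[Flow]:
        """Flows no explicit rule covers. Under a default-permit direction these
        are silent approvals nobody decided on; they are also exactly the list
        to review before flipping that direction's default to deny."""
        return [f for f in flows if not self.decide(f)[1]]


WEB = "192.0.2.10"  # constructed: the public web server
RULES = [  # constructed: the same explicit rules under both postures
    Rule("inbound", "permit", dst=WEB, dport=443),
    Rule("outbound", "permit", dport=443),
    Rule("outbound", "permit", dport=80),
    Rule("outbound", "permit", dport=53, proto="udp"),
]
# The two postures contrasted in the thread.
INBOUND_ONLY = Filter(RULES, {"inbound": "deny", "outbound": "permit"})
BOTH_WAYS = Filter(RULES, {"inbound": "deny", "outbound": "deny"})

FLOWS = [  # constructed sample traffic
    Flow("inbound", "203.0.113.7", WEB, 443),                  # visitor to the web site
    Flow("inbound", "203.0.113.7", WEB, 22),                   # SSH probe at the web server
    Flow("inbound", "203.0.113.7", "10.0.5.21", 445),          # SMB at an internal workstation
    Flow("outbound", "10.0.5.21", "198.51.100.3", 443),        # normal browsing
    Flow("outbound", "10.0.5.21", "198.51.100.3", 53, "udp"),  # DNS lookup
    Flow("outbound", "10.0.5.21", "198.51.100.9", 6667),       # unexpected port from a workstation
]


def decisions(flt: Filter) -> List[str]:
    """Action taken on each sample flow, in FLOWS order."""
    return [flt.decide(f)[0] for f in FLOWS]


def differing_flows() -> List[Flow]:
    """Flows on which the two postures disagree: the traffic an outbound
    default-deny protects against that an inbound-only posture lets through."""
    return [f for f in FLOWS
            if INBOUND_ONLY.decide(f)[0] != BOTH_WAYS.decide(f)[0]]


if __name__ == "__main__":
    for f, a, b in zip(FLOWS, decisions(INBOUND_ONLY), decisions(BOTH_WAYS)):
        print(f"{f.direction:8} {f.src:>13} -> {f.dst}:{f.dport}/{f.proto}"
              f"  inbound-only={a:6} both-ways={b}")
    silent = [(f.dst, f.dport) for f in INBOUND_ONLY.unreviewed(FLOWS)
              if INBOUND_ONLY.decide(f)[0] == "permit"]
    print("permitted only by the outbound default:", silent)
```

The only flow the postures disagree on is the workstation's connection to an unexpected port, which the inbound-only posture permits without any administrator ever having decided to; `unreviewed()` lists the same fall-through traffic that has to be examined before an internal router's default can be switched to deny without breaking applications.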

AV programs can even be counter-productive (1)

pyrr (1170465) | more than 6 years ago | (#22335838)

One of the silliest things I've seen in my IT career was an old memo regarding some employees' desire to upgrade their Macs to OS X 10.2 (from OS 9.x). One of the notable objections was along the lines that "OS X is very new and we don't have Symantec AV for it, so computers running OS X would be at-risk".

Never mind how pointless an AV program is on a *nix platform to begin with, I'm a bit horrified at the false sense of security that having an AV program installed on a Macintosh provides as well. Sure, there have been some recent exploits found, but most of them still rely on the end user making exceptionally poor choices and being tricked into granting escalated privileges to malware. If anything, the fallacious impression of being somehow "protected" could encourage users to make even more risky choices.

And yes, FWIW, the memo was produced by MCSEs...

Wasting Time (0)

Anonymous Coward | more than 6 years ago | (#22335846)

Seems I wasted my time reading this article. Lots of hyperbole and zero information.

Analogies (1)

Nikademus (631739) | more than 6 years ago | (#22335858)

It is funny how these analogies are totally flawed..

"If I sat up in a window of a building, I might find that I could shoot an arrow through the sunroof of a Ford and kill the driver,"

And if I put a bomb in the basement of your IT company, I could destroy all your data. This is critical.

"But automobile seatbelts only prevent fatalities about 50 percent of the time. Are they worthless? Security products don't have to be perfect to be helpful in your defense."

If automakers could build seatbelts with 100% efficiency, they would. And they improved seatbelts by adding airbags.

"If we made seatbelts out of titanium instead of nylon, they'd be a lot stronger. But there's no evidence to suggest that they'd really help improve passenger safety."

They would be stronger, and raise the number of fatalities. Seatbelts are intentionally made deformable so they can help dissipate kinetic energy.

Re:Analogies (1)

gnick (1211984) | more than 6 years ago | (#22336332)

"If we made seatbelts out of titanium instead of nylon, they'd be a lot stronger. But there's no evidence to suggest that they'd really help improve passenger safety."
They would be stronger, and raise the number of fatalities. Seatbelts are intentionally made deformable so they can help dissipate kinetic energy.
Not to mention the fact that, in this case, the security measure is strong enough to successfully mitigate the threat. When is the last time that you remember hearing about a wreck when the occupant tore through the seatbelt and proceeded through the windshield?

Re:Analogies (1)

SCHecklerX (229973) | more than 6 years ago | (#22336446)

He used to do a better analogy with the car roof. That it wasn't as structurally strong as, say, the front, because the likelihood of a boulder falling on the car was pretty slim, so the engineering goes there, and not to the roof. Still somewhat flawed (cars roll over), but it was better than the arrow one.

"Long" passwords??? (1)

keysersoze_sec (1229038) | more than 6 years ago | (#22335874)

"In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000"
What does "long" mean for that guy?!

Dirty Little Secrets (5, Interesting)

dschuetz (10924) | more than 6 years ago | (#22335924)

Sort of reminds me of Bruce Potter's "8 Dirty Little Secrets of Information Security." The premise of that talk was pretty much that anti-virus, firewalls, IDS, etc., were all just band-aids that masked the real problem: We write (and buy) crappy products. He even showed an extensive quote regarding current threats and the inadequacy of counter-measures, and after everyone in the audience had finished nodding their heads, revealed it was from 1972.

We've been fighting the same problem, in the same way, for 35 years. It's time we regrouped and found a better way to attack it.

Here [dc414.org] is a copy of the DefCon version of the speech (I think he's given it a few different places, so there are subtly different versions out there). I'm sure the video is floating out there somewhere, too (though I couldn't find it on YouTube). He's fun to watch. :)

Re:Dirty Little Secrets (0)

Anonymous Coward | more than 6 years ago | (#22336540)

The same can be said of home security, and the timeframe on that is in the hundreds or thousands of years, yet no one seems to rail against homebuilders for still building homes out of wood with easily breakable windows.

I am not saying we shouldn't be striving to build bank-vault secure type code, but I doubt anyone would really want to pay for the expense of their homes being built like a bank vault, and the same rings true for the software they buy, except financial/banking software.

The real problem here is I feel that programmers are often the recipients of the finger of blame, yet somehow no one notices that this criminal behavior is really the root of the problem.

A whole talk, with snippets taken out of context. (1)

Vellmont (569020) | more than 6 years ago | (#22335952)

There may be something of value here.. it's really hard to say as the article author chose to take a bunch of analogies out of context, and give few details. Essentially this article is useless. The only thing I got out of it is "we're focusing on the wrong things in security, for example passwords and viruses." That's probably true, but it sure doesn't tell me much.

Sounds like a Paid by Microsoft Commercial (0)

Anonymous Coward | more than 6 years ago | (#22336008)

Okay, so long passwords don't work - why make a cracker have to work to get that one password out of 5000 that lets him in? Go ahead, use your last name and birthday for a password or your puppy's name.

Open sunroofs on cars are not protected because there's not an archery community out there bent on slinging an arrow thru every sunroof they see. However, there are many very sophisticated organizations and individuals out there that take great glee at finding and exploiting software flaws. We lock our doors to keep intruders out because there are intruders that may want in. We leave our sunroofs open when we drive because, well, no one is firing arrows thru them. Just wait until this speech of his inspires and creates an anti-sunroof arrow-shooting community and suddenly sunroof-hair will cease to be in short order...

His criticism of the tossing of buggy security software, comparing it to seatbelts that only save most lives but not all, illuminates his desire for us to all come back to Norton, even tho it is abysmally flawed and often is the root cause of many of the problems I've had to repair.

He says "studies" have shown that giving time to keeping your system patched and updated doesn't correlate to higher security - however omits any references to those "studies".

Ironically, his last paragraph illuminates EXACTLY why we SHOULD pay attention to fixing flaws and proper passwords and whatnot. It's not about 100% bulletproof security, which is impossible unless you leave your Microsoft servers turned off, but about not making it easy for intruders in the first place. He's acting like we need to toss bug-fixes and smart password policies altogether, and yet he recommends routers to deny inbound traffic. Er... what if those same routers have, say... an exploitable flaw???? Cough. His argument is scattered and poorly made and without any legitimate basis. Security covers a wide range of topics from ensuring your secretary doesn't brainlessly give out passwords to crackers-posing-as-techs to ensuring that your software is up to date, ensuring your firewalls are set correctly, routers are updated and secure, passwords are not easy-to-guess abominations, and your employees don't run every executable that comes thru their inbox.

Oh - and it means that you most certainly run, not walk, but run screaming wildly away from anything Norton.

After all, while there's only the most remote chance that we'll get in an accident, we still put on our seat-belts every time we drive.

Lost all credibility at... (2, Funny)

Vectronic (1221470) | more than 6 years ago | (#22336042)

"Peter Tippett, chief scientist at the ICSA and the inventor of the program that became Norton Antivirus"

I'd be more prone to listen to security practices from the guy who...say...invented cheese string...

The problem is management (2, Informative)

SCHecklerX (229973) | more than 6 years ago | (#22336288)

What Tippett is saying is already well known by security professionals (at least the ones who know what they are doing...risk analysis is part of the CISSP exam, is it not?). The problem is that despite this, we are forced to do expensive and less useful (useful at all?) stuff by management because they are the "decider". Companies that actually have a CISO with competent staff have a decent chance at doing it right, but in my experience, many companies don't, so you end up deploying stuff just because management likes to deploy new 'security systems' rather than actually address the security posture of the company.

Security (1)

BigJClark (1226554) | more than 6 years ago | (#22336328)

Hate to blow everybody's arse right off the map, but I don't use any anti-virus software at all.

I find it to be resource-hoggish, slow-loading bloatware that is better off-loaded onto a separate processor. I say these things because I actually know a dev lead at Symantec, and I recommended this solution to him, and he said his company is already working on it.

Anyways, you're probably asking yourself, what is my IP, and how do I protect myself. I hide behind a good router, have a bit of a honeypot setup, and am very careful what I download. So, no russian pron for me.

Serious people, viruses are for suckers.

It's the "war on viruses" (and spam) (2, Insightful)

recharged95 (782975) | more than 6 years ago | (#22336430)

I think Tippett's right, most corporations are living in a house of cards--it's securing the net in some cases and in others it's the reverse--most firms are taking a shotgun approach with vulnerability research and patching.

I see it being more related to the medical field, prevention is great idea (and has been a popular topic lately), but treatment is just as important and not to be forgotten.

I think he's really suggesting that business practices slow down--for instance, sure it's painful to have a 15-letter password, but I'm pretty sure using one 15-letter password for all your 7 important accounts is more secure than 7 5-letter passwords...

Norton? (0)

Anonymous Coward | more than 6 years ago | (#22336576)

That is/was the most crappy "anti-virus" application I have ever used. It sucked up resources like a high-paid prostitute. It tried to take over my whole system like a wife takes over a mans life. I don't think anyone that created Norton Anti-Virus should be given a platform to stand on and talk about "security". I guess he got his payday from Norton and now can spew bunk?

Last time I checked, I couldn't go out and buy a box of "security". It is a process. Implementing different safeguards and educating users. End of story.