5 IT security pet peeves

Anyone who cares about a field of expertise -- really cares about it -- must have some annoyances about things that could, even should, be better, but aren't for what seem like the dumbest of reasons. I'll share five of my pet peeves in the realm of IT security.

Sometimes, I just feel like complaining. I look at the world around me, and despair at the difficulty of making a dent in the rampant dominance of security issues in the world that are, frankly, among the technically easiest to solve. Despite the fact that the solutions are not exactly unknown or difficult to implement, they don't gain any traction. While he tends to phrase it more diplomatically, Bruce Schneier has essentially made the point that the biggest problem in IT security is people.

The intractable social problem of fixing security failures that persist only because of herd behavior accounts for several of my pet peeves:

  • Too many people still believe ignorance is an effective security strategy. There is a pernicious meme contaminating the general discourse of security issues that keeping people in the dark can somehow improve security. It can't. As should be all too obvious by now to anyone who is paying attention, obscurity is not security. In fact, in many cases, quite the opposite is true.

  • People who know nothing about IT security have godlike power over matters of IT security policy. In particular, members of congress, judges, and law enforcement officers wield a lot of power over matters of IT security, and are clearly incompetent to use it. It's a sad truth that not everything can be legislated away, nor should it.

  • People keep insisting that the best way to improve security is to violate it. Prying into the lives of the people you're supposedly protecting, without their permission or even any probable cause for doing so, is not only insulting, but counterproductive. Try to remember that privacy is security, and avoid making the mistake of burning the village to save it.

  • We still don't have widely available, cheap technology for encrypted telephone calls. Despite this, using a telephone to talk to someone about a bank account, sensitive legal matters, or other private topics is almost never questioned as a means of securely communicating. Particularly since the advent of digital cellphone networks and the modern cellphone that can run games like Tetris and Solitaire, there isn't really any significant technological challenge to using encryption to protect sensitive calls. The only bright point right now is the fact that devices that run the Openmoko Linux and Google Android open source operating systems provide ample opportunity for software call encryption to creep into our mobile telephony lives, but I haven't seen an encouraging rush to fill that gap yet.

    Probably the only thing worse than lacking the available technology is . . .

  • We have widely available, free technology for encrypted online communication, but (almost) nobody uses it. With encryption tools like GnuPG, OpenSSH, and OTR, there's simply no excuse for the major mailing list software offerings, bank notification systems, and even my friends to fail to offer or use encryption to help protect their communications from malicious security crackers. Somehow, though, the importance of being encrypted is still lost on most people.

You may have noticed that many of my pet peeves in the realm of IT security fall under a single heading: willful ignorance. That is, in fact, one of the biggest pet peeves in my life in general, even outside of security matters. I just wish I knew a way to mitigate the problem in the world at large.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

23 comments
lastchip

A wise man once told me: "You can't legislate against idiots!"

kumvinod

The problem of IT Security is that people who don't know the heads and tails of security are the ones who decide the security of an organization ... The other fact is that many people think of IT Security as a waste of money and time until their systems are hacked / compromised..

DT2

There's more... #6: It seems that the people that are in charge of IT security at most places are the same ones that used to wiggle door knobs at night to check them. They got promoted. But, hey, "security is security" isn't it? #7: Ignorance - It also seems that, if the security managers don't understand a process then the answer is "No!" And, this happens entirely too often. Reason - See #6 above. #8: Good security policy should enable business, not disable it. Good policy and the proper tools should enable one to do things that would otherwise be considered risky.

jvan

I can provide encrypted voice calls for mobile communication. With no extra machines or whatever. Straightforward mobile to mobile calling with clearly recognizable voices and with little delay. Jacob van den Berg Security LATAM jvan@oesia.com for more information!

Deadly Ernest

The ones using encryption at all times are the criminals, terrorists, high level drug dealers, and child pornography rings. And what's the governmental response to all this? They want to put in powerful systems to check all the OPEN communications on the Internet so they can filter out all the child porn that isn't even on there because they go on encrypted VPNs. When you start to understand the reasoning behind this, it's no wonder the other things mentioned are as they are, or that people don't think. And people wonder why I sometimes seem paranoid about what the government and big business are up to. Anyone for a strong dose of DRM?

cory.schultze

I totally agree on this - it really p*sses me off when my manager thoroughly restricts the users' computers at our remote sites. It makes my job as a support tech a nightmare - especially if there are network issues or Windows has updated and cleared VNC from the Firewall's exception list. AAAARRGH! You get three types of user: The technophobes who refuse to be talked through the resolution to their problem. There are many of these. The gun-jumpers who think they know where you're heading; requiring a step back for every 2 steps forward. These are typically MAC users. The good listeners who follow your every instruction to the letter with faith and patience. There are far too few of these! If you're required to support any of the first two types over the phone (because you have no VNC) and their computer has restrictions, you'll need a brick wall to break your skull over.

mjd420nova

Not even the best security procedures, guidelines or even enforcement means anything when the users post all of their passwords on sticky notes on the side of the unit or monitor. Anyone with half a brain could do some serious damage to a system when the idiots persist in doing this. No amount of security can prevent this from becoming a hacker's gateway to an incredible amount of a network's database. If the clowns insist on doing this, you might as well skip the security altogether and concentrate on using hardware implementation like retina readers.

seanferd

And right now I'm just too busy enjoying it to think of anything to add. You covered willful ignorance in your comment. I can't imagine how much I'd feel like complaining if I actually worked in a security-related field for a living. As, say, a consultant, I imagine my days would be filled with constant mind-blowing, jaw-dropping, WTF moments all strung together. Not mind-blowing in an extraordinary way, but in a boring, depressing, "is this the same way everywhere" sort of way. An, "Allow me to forcefully bring the heel of my hand to my forehead" sort of way.

apotheon

Willful ignorance really annoys me. What about you?

tech4me

Just a quick FYI, your example does not relate to 'obscurity is not security'. Obscurity means something is not clearly understood, or its meaning is hidden or looks inconspicuous. Thoroughly restricting access to the users' computers sounds like a good idea, whether they're doing it for local users and/or remote access. I can empathize with your frustration at not being able to remotely administer PCs when they have any issues, though it's only obscurity if your manager allows VNC but just changed the default port you're used to connecting through. Two examples of 'obscurity is not security' at my work (in the past): 1. Putting all Lotus Notes .id files (with default password of 'password') on the shared network drive. Anyone could just grab those .id files and access the email of anyone in the company using the password of 'password'. My boss thought this wasn't a concern because he didn't think anyone outside IT would know how to do that. 2. All printers are configurable by the web interface. You only have to know the IP address of the printer and you can change all the settings. Yet again, "what the users don't know they can't access...." yeah right.

Neon Samurai

Your link is kicking back a 404 error from Darkreading. The site is on my daily list now though.

tech4me

Hackers, do the world a favour and make the corporate world FEAR you! It's been my experience that business execs are more likely to believe in the existence of the Tooth Fairy than real life hackers. Despite my business (like so many others) spending millions of dollars on IT security, we (the business, not so much IT) turn a blind eye when we see users casually circumventing our security measures due to their own laziness. No matter how many times you tell users, they just don't believe security breaches are a significant threat. It's a bit like when you go out to your mailbox you don't lock every window and door to prevent someone breaking into your house during the 3 minutes you're out. You might however if there were 10 robberies in your street in the last week alone. Problem with IT security: 1. Applying strong security techniques is usually tiresome and complicated. 2. There just isn't enough real-world fear to motivate people to take IT security seriously. It may sound a bit radical, but until hacking becomes more commonplace these pet peeves will never go away.

Neon Samurai

"Hackers, do the world a favor and make the corporate world FEAR you! It's been my experience that business execs are more likely to believe in the existence of the Tooth Fairy than real life hackers." The misconception that "Hacker" can only ever mean malicious activities; that executives need to be scared into believing that Hackers are inherently criminal and more real than the tooth fairy. Good Baud man! Criminal activity and intent is not Hackerdom. Using things previously figured out by technology enthusiasts to carry out criminal actions does not make one a Hacker. The idea that some boogieman hacker is coming for them instead of a real life criminal is part of the problem. You want someone well suited to work on your security team; hire Hackers. Hire those of us whose passion and near manic love is exploring technology. Hire those of us who see the world through the Hacker mindset. The problem is the moment the word Hacker comes up, one is branded a criminal threat. Executives don't need any more fantasy stories about Eve'ill Hackersorses. They need to realize that technology and security enthusiasts are the ones interested in finding the flaws and improving the processes. I would agree that non-tech users need to realize that criminal enterprise is out there innovating ways to profit from any and every weakness. Let's call them what they are; Criminals. Giving them a Hacksorses scapegoat is not the way though. (edited for spelling)

apotheon

Please use the correct terminology: Hacker vs. Cracker

apotheon

. . . but not quite as high on the peeve scale as willful ignorance. The other one that runs neck-and-neck with willful ignorance for me is spite.

Neon Samurai

In the wide and colourful range of people who apply the hacker mindset to whatever area of interest they are attracted to, you seem to be of the Security Hacker type. Get written permission from the owner of the network and you should be good. You could also set up a lab at home specific to the parts you want to test. No work data is involved and you have a model to work with rather than the live system. You also own the test lab so you can give yourself permission to try and break into it. If you're that concerned about the work network and can find enough to convince management, I'd push for a third party professional pentest. They are not cheap but the amount they can reveal about your network and possible improvements is amazing.

Neon Samurai

... those should never be placed in the same sentence. The general media is about selling newspapers. They will spin any word they can for the most fear possible. Fear sells only second to sex after all. I realize language evolves over time. The difference I see is adding new words versus corrupting old ones. An example is "resiliency". Why does the word suddenly need a new convoluted ending to mean the same thing as "resilience"? Why do we have to change the meaning of Hacker when we have a word already that means criminal? Why don't we just smurf it all and smurf to everything as smurf then? We can smurf the meaning of smurf based on the smurf it's used in and we're all set? Or are the meanings of words maybe important? If it was generally understood that the word "hacker" is a mindset which does not always mean "in relation to security or computers", then using Hacker to mean a subset of society which includes the full range of people from good through to bad would be different. As it is now, I feel that those who can only use the word Hacker for its negative connotations give up the right to speak about the topic.

cory.schultze

Good shout. I've always wanted to learn a lot more about beating security systems as a matter of personal achievement - not to use or even view the data, but just to gain access. I'd love to hack our own system to see how secure we really are. Does that make me a criminal? Technically, as I would breach the data protection act. Does that make me a saboteur? No.

apotheon

The proper use of the term "hacker" is the technical jargon use of the term "hacker". Just as the mainstream media gets terms like "libertarian", "felon", and "subsidy" wrong all the time, so too does it get the term "hacker" wrong -- and the only way the term is beyond "rehabilitation" is if the people who know better (the users of the technical jargon) give up. As long as there's a strong tradition of using the term correctly in technical circles, the proper use of the term can influence those outside those circles. In short, as someone wandering through technical circles but still misusing the term, you are the biggest part of the problem. You're the front line of a battle that is still undecided. Use the term correctly, and use terms like "security cracker" and "criminal" where those should be used instead. Saying "security cracker" when referring to a security cracker won't offend anyone, won't be misunderstood (unless you're talking to Saurondor, but there are exceptions to pretty much every rule), and won't contribute to the undermining and corruption of perfectly good uses of terminology like "hacker". Why do you insist on misusing the term "hacker"? What does it gain you? Why justify it, rather than correcting it? What would it hurt you to use the correct term? Why don't you use the correct term?

ederkley

Unfortunately I think the world has moved on and accepted that a 'hacker' is a bad guy regardless. This is due to portrayal in the general media over countless movies, books and 'news' stories. Is the term beyond rehabilitation? I think so. I never see the argument raised that 'hacker'='good guy' outside of IT security forums :) Hardly a place the general media are going to drop by for some facts... Maybe we need a new funky name and some positive marketing spin for the good guys... Options?