Discussion on:
The Six Dumbest Ideas in Computer Security

128 Comments

To Block or Not?
kellybriefworld 13th May 2010
I'm a consultant working with Palo Alto Networks; they have an excellent whitepaper on the subject of blocking social networking apps that you may have to worry about, "To Block or Not. Is that the question?" here: http://bit.ly/d2NZRp. It has lots of insightful and useful information about identifying and controlling Enterprise 2.0 apps (Facebook, Twitter, Skype, etc.). Let me know what you think.
kelly@briefworld.com
This came in a security newsletter I receive. I read it and some of the ideas I thought were pretty obvious to me, yet some others made me have to think about them for a while as they are counter to the conventional "wisdom" about computer security.

"Marcus Ranum released an interesting editorial entitled "The Six Dumbest Ideas in Computer Security." He gives his views on common security misconceptions that seem to be perpetuated throughout corporate IT environments. You can read this and other editorials at:
http://www.ranum.com/security/computer_security/editorials/dumb/"

After reading this, what is your take? Are we just chasing our tails so vendors can continue to make a profit?

Is this approach something that you use, or could use?
0 Votes
+ -
Contributr
Several good points
Jay Garmon Updated - 13th Sep 2005
Read this earlier today, and I found some very good points within, especially the notion of "Enumerating Badness" as a stupid premise. Why have security software that must maintain a list of thousands of harmful programs to block--which must be constantly updated--instead of simply allowing only authorized programs to run. Great idea in principle, though I expect the application would be difficult, especially at the home user level.

The idea goes off the rails in the "block all attachments" rants, because I legitimately receive exe files and have the good sense to know which ones to run and which not to. Some of these extreme countermeasures could easily toss out the baby with the bath water.

Still, required reading for IT pros, as far as I'm concerned.
0 Votes
+ -
Quarantined attachments
stress junkie Updated - 12th Sep 2005
The article simply said that it is possible to put email attachments on a system that will make it more difficult for viruses to compromise. The scheme that he proposed said that the email attachments would be stripped from the email body and stored on a special server. The end user could log in to the special server to view or retrieve the email attachment.
0 Votes
+ -
Good Idea
Dr Dij 12th Sep 2005
The major company's headquarters where I used to work does this. Educating users only helps slightly. They will still try to download spyware screensavers, open attachments, visit pages that do surreptitious installs, etc.
0 Votes
+ -
We find our travelling roadshow for small businesses (1 hour plain English PowerPoint of what the problems of allowing staff to indiscriminately email, IM and surf are) DRAMATICALLY reduces the support requirement for stupid stuff. If only because they now understand how the kids have screwed up their home machines and they got hit in the pocket to fix them. The hit in the pocket lesson transfers to the workplace - for about 6 months. Then it needs reinforcing.

If only the MS "Limited" account was really such a thing......... I like this guy's approach and arguments.
0 Votes
+ -
I agree wholeheartedly, one of my job roles is to train our sales staff on PC components. They still come up with some interesting ideas. Nevertheless the saying of Forrest Gump remains one of my favourites....
I have, unfortunately, had mixed results with educating users. Some years ago, we worked with everyone in the company to try to make them concerned with password security. A few weeks after the last of the classes, we ran a test. We sent out an e-mail purporting to come from a new system administrator. In essence, it said

Hi, I've just started as a computer administrator here at . In order for me to keep the records up-to-date, please give me the following:
ID:

Mainframe system(s):

Mainframe password:

Unix systems(s):

Unix password:

E-mail password:

In our company, each user has a unique ID which is the same for mainframe, Unix, or e-mail. (Or the NT LAN, but the password for that is the same as the e-mail password.) Thus, Joe Bloggs would be "jbloggs" no matter where he logged in. BTW, Unix administration, mainframe administration, and e-mail administration are handled by three completely different groups.

Out of 2400 users, sixteen sent in their passwords, one department head not only e-mailed his password, but also clicked on "Reply to all", so every user in the company got his message, and 627 people called either the help desk or the security group to complain that someone was trying to get their passwords.
0 Votes
+ -
Try this one . . .
RealMe 28th Sep 2005
I work for a government agency that (when our network was originally rolled out - about 15 years ago) upheld the requirement that we provide our supervisors our passwords so they could access our stuff if we "were out." Never mind the fact that the I.T. department could change the password and allow access on a supervisor's/department head's request. This was encountered in a City Attorney's office. So much for password protection, they were kept on a list in the supervisor's desk.
0 Votes
+ -
actually . . .
apotheon 15th Sep 2005
The article said to quarantine at a staging server and allow end-users to retrieve attachments from there, as you stated, but it also said to throw out all executables right off the top. I think it was only with that last bit that the Trivia Geek took exception.
0 Votes
+ -
One thing we know for sure: the current security situation to which we have evolved is a mess. It was founded on archaic concepts from a simpler time. It didn't evolve in the right direction, so it needs to be overhauled.

The major players (Microsoft, etc.) must look into finding creative and flexible ways for administrators to identify trusted software (and probably with different levels of trust), and those, and those only, run on the computer.
0 Votes
+ -
I delete all exe files at the firewall.

If there IS a valid reason to send a program via email rather than downloading it, I make the sender modify the extension to just .ex.

The receiver must then manually modify it back to the .exe, and because of this process I KNOW what it is and am always expecting that executable.

As you are in Tech, and my users are not, this would happen much less frequently for us than it would for you. While a hassle, it does save me from the "well, I got an attachment so I HAD to see what it was".
0 Votes
+ -
Another way to control attachments is to group users by level of confidence. The ones with enough training will have rights to pull the executables from quarantine. Too hard to administer? What part of the title SysAdmin lets you not be aware of users' abilities? (to paraphrase the article).

JD, the corollary to "well, I got an attachment so I HAD to see what it was" is "I only opened it for a second." happy
0 Votes
+ -
And ever better
jdclyde 13th Sep 2005
is when they DENY opening that attachment that gave them sircam or whatever. angry

Or when they open it, it does nothing so they open it again and again. Hmmm, maybe there is something wrong? confused

"Only opened it for a second!" Too funny! (Sounds like what my future ex-wife would do [in bed]). shocked
Ok so you've blocked .exe, have you blocked .pif, .bat, .avi, .swf, (and on and on and on...)? It goes back to point #1 of the article - Default Permit. If you are going to block - block all and allow few. Or better yet set up a quarantine server/ftp server in a DMZ.

Simply changing the extension is not a real solution and one that can be circumvented. We've seen viruses that embed javascript/vbs in HTML formatted email messages. It would not be very hard to write a script to change the extension after it gets past the block.

I work at a place that blocked/blocks .zip, but they didn't block .tar.gz or .tgz (both of which can be opened via almost any windows based compression tool).
I am the Net admin, not the mail admin.

The only thing I CAN do is what the firewall is able to do for me. Anything more than that is seen as encroaching on someone else's area, and if you don't think that creates problems then you haven't been in IT for long. I am not going to create a war with people I have to spend 1/3 of my life with, over this.

I can make suggestions, but that is as far as that goes.

I am seen as "paranoid" because I am concerned with security. Oh well, politics as usual.
0 Votes
+ -
yup, me too
gadgetgirl 15th Sep 2005
I'm sure someone changed the dictionary definition of security to paranoia at some stage.

Hey, that's an idea, jd!

Shall we start the TR Paranoia Club? grin

GG
0 Votes
+ -
I know you people are up to something, I JUST KNOW IT! (takes his meds, and the shaking stops)

I would take a membership in that club as I have lots of credentials in paranoia! Ask any of my co-workers! cool

Any administrator that doesn't have SOME paranoia will not stay on top of the security game.

They're coming to take me away, ha ha
They're coming to take me awAY, ho ho
0 Votes
+ -
they really are after me!

Seriously, the admins at our county think our school district is paranoid because we have things locked down so tightly. But guess who doesn't get infected with the Worm of the Month?

I would like to take this author's approach, but I'm overridden by my supervisor. He's the "fun uncle" who lets the kids do what they want, then mops up after them later.
0 Votes
+ -
Paranoia
birgirsch@... 15th Sep 2005
Just because you're paranoid,
that does not necessarily mean that
they're not out to get you!!!
0 Votes
+ -
Moderator
When was the last time you saw clean white shirts in an IT shop?
0 Votes
+ -
yep. I've got a director whose idea is "We can't cause any hate, pain or discontent with the users". So I find myself constantly trying to do things in some roundabout way, taking me twice as long and throwing me into the syndrome of "I'll secure it later". Later never comes because later it will cause even more hate, pain and discontent and the vicious circle continues...
0 Votes
+ -
Paranoia Club
apotheon 15th Sep 2005
Where do I sign up?

Do I have to use a valid email address?
0 Votes
+ -
In this club
jdclyde 15th Sep 2005
we already have all of your personal information, thank you very much.

I just can't believe you wear THAT to bed each night! happy
0 Votes
+ -
The club
jdclyde 23rd Sep 2005
We already have all of that information, so you don't need to do anything but watch out your window.

I can't believe you wore THAT to work today.....
0 Votes
+ -
What, the shirt?
apotheon 23rd Sep 2005
Hey, I like the camel obfu!
0 Votes
+ -
I thought you could scan a MIME type to determine file type and weed out even renamed files (i.e. .mpg changed to .txt)? Our UNI does it to our linux home file space and the script deletes all unacceptable files no matter the extension; if the MIME type is wrong it's gone!
0 Votes
+ -
In the *nix world, the usual method is to look at the first 2 bytes of the file. Each *known* file (as listed in the /etc/magic file) has a specific signature, no matter what the name. This is why you can name an executable DontYouDareExec.This and it will still run if flagged executable in the directory (or called by a shell). For scripts in *nix, a #! on the first line says "execute me using the shell specified". In the MS world, any file ending in .exe, .bat, .cmd, .vbs... will execute, since there is no concept of read/write/execute in its shell. Therefore, (after taking the long way around), your answer is yes. You can scan the beginning of the file to look for a signature. For more information, search for "unix magic file" or "unix file command" using your favorite search engine. For .vbs or .bat files, however, all bets are off.
0 Votes
+ -
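The two posts above (checking the leading bytes of a file instead of trusting its name) and the earlier exchange about renaming .exe to .ex and blocking .zip but not .tgz both come down to one rule: decide on content, not on extension, and default to deny. The following is an added example, not code from the thread or from any product mentioned in it. It keeps a hand-picked subset of magic values (a small stand-in for /etc/magic, not a complete one), sniffs a content-type label from the first bytes, and delivers only a short allowlist of benign types; everything else, including an MZ executable renamed to .ex or .txt and a shebang script, is quarantined. The sample attachments are constructed in memory.

```python
"""Attachment filter that decides by file content, not by the file name.

Added example. The signature table is a hand-picked subset of common magic
values, not the full `file`/libmagic database; the samples are constructed.
"""
from dataclasses import dataclass

# Content types we are willing to deliver straight to users (the allowlist).
# Anything not in this set is quarantined: default deny, not default permit.
ALLOWED_TYPES = {"pdf", "png", "jpeg", "text"}

# (offset, signature bytes, label). Order matters only for overlapping prefixes.
SIGNATURES = [
    (0, b"MZ", "pe-exe"),             # DOS/Windows executable header
    (0, b"\x7fELF", "elf"),           # Unix/Linux executable
    (0, b"#!", "script"),             # shebang: "run me with this interpreter"
    (0, b"PK\x03\x04", "zip"),        # zip container (also .jar, .docx, ...)
    (0, b"\x1f\x8b", "gzip"),         # gzip, so .tgz / .tar.gz land here
    (0, b"\xca\xfe\xba\xbe", "java-class"),
    (0, b"%PDF-", "pdf"),
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpeg"),
]


def sniff_type(data: bytes) -> str:
    """Return a content-type label from the leading bytes, ignoring the name."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    # No known binary signature: call it text only if the head is printable.
    head = data[:512]
    if head and all(b in b"\t\r\n" or 32 <= b < 127 for b in head):
        return "text"
    return "unknown"


@dataclass
class Verdict:
    filename: str
    claimed_ext: str   # what the name says it is
    detected: str      # what the bytes say it is
    action: str        # "deliver" or "quarantine"


def evaluate(filename: str, data: bytes) -> Verdict:
    """Apply the default-deny policy to one attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = sniff_type(data)
    action = "deliver" if detected in ALLOWED_TYPES else "quarantine"
    return Verdict(filename, ext, detected, action)


# Constructed samples: an MZ executable renamed to .ex, a shell script named
# .txt, a gzip named .txt, plus a genuine PDF, JPEG and plain-text note.
SAMPLES = {
    "patch.ex": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "readme.txt": b"#!/bin/sh\necho hello\n",
    "archive.txt": b"\x1f\x8b\x08\x00" + b"\x00" * 12,
    "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "notes.txt": b"Meeting moved to Tuesday.\n",
}


def run_samples() -> dict:
    """Evaluate every constructed sample; returns name -> Verdict."""
    return {name: evaluate(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for v in run_samples().values():
        print(f"{v.filename:12} claimed=.{v.claimed_ext:4} detected={v.detected:10} -> {v.action}")
```

Two things the output makes visible: the .ex renaming trick does nothing against a content check, and containers (zip, gzip) are quarantined rather than delivered, because this filter does not look inside them; a production gateway would have to unpack and re-evaluate each member, which is exactly where the "blocked .zip but not .tgz" gap in the thread comes from.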
A jar of files
danag42@... 15th Sep 2005
For a while there, executables were sent with the extension .jar rather than .exe. So if you were expecting a program from someone, you could rename it and use it. If not, you just deleted all the .exe files that were unknown.

I refuse to run executables unless I specifically asked for them. Otherwise, you're in trouble.
0 Votes
+ -
Why not lock down the hard drives of servers so that only the baseline inventoried programs can execute? Look, we know malware is going to get through so why not just prevent it from running when it does?
Building moats and perimeter defences didn't always work in the middle ages either.
Educating users? Not realistic or cost effective in our environment.
Make vendors write bug-free code? - Hello! this has been a problem since forever and simply isn't going to happen. Why? because it's impossible to do for any non-trivial program.

Enumerating the goodness and preventing anything else from executing is the best approach I've heard of.
0 Votes
+ -
one software package.

Securewave, sure it's expensive, but it can lock down what can and cannot run at the kernel level so go ahead, double click on that exe, it won't run unless it's on the white list.

Not to mention you can lock down the usb ports so that printers work but usb keys do not. You can lock the floppy and the cdrom. Think about it, if there is no way a virus can execute its code then you don't even need a virus checker.
I mean, the Mac just looks at them and isn't affected at all. In fact,
OSX asks if you really want to download it anyway.
Why the big hoohah about exe? It's not as if you use windows or
some other archaic OS that passes system calls straight through to
the kernel, right?

:>D
0 Votes
+ -
yeah
apotheon 15th Sep 2005
Linux does the same thing: looks at it quizzically and says "So?"
0 Votes
+ -
This is actually a great idea. Let only attachments through with a suffix of .(yourchoice)
that way people sending you legitimate files will have to rename them and so will your users. You will never be infected via attachments. Unless some idiot sends you a virus:}
0 Votes
+ -
How do you determine which programs are "Good"? How easy would it be to add a program to this list? There are a number of viruses that hide themselves from antivirus programs (without the proper patch), so I don't see a virus having a problem adding itself to a good list. Then there are the viruses that overwrite DLLs of valid programs. What about Word and Excel exploits? Those types of programs are going to be a part of every accept list.

Bill Dewey
Exposing it with RPC, COM or even .net would probably be a bad idea. Essentially if client side execution of foreign code under the system account is going to be left in, don't bother with it.
0 Votes
+ -
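The "only the baseline inventoried programs can execute" post and Bill Dewey's objection (how do you decide what is good, and what stops malware from adding itself to the list or overwriting a DLL that is already on it) can both be made concrete. The following is an added example, not code from the thread or from any product named in it (Securewave or otherwise). It keys the allowlist on the SHA-256 of the file contents rather than on the name, so a renamed copy still passes but an overwritten library or a new download does not, and it seals the exported list with an HMAC under an administrator-held key so that an entry cannot be appended on the endpoint without that key. The program files, the key and the hypothetical `Allowlist`/`Enforcer` split are all constructed for illustration; a real product would use a digital signature with the private key kept off the endpoint, which this example simplifies to an HMAC to stay standard-library only.

```python
"""Execution allowlist keyed on content hash ("enumerate goodness").

Added example with constructed inputs. Decisions depend on what a file
contains, not what it is called; the list itself carries an HMAC so that
adding an entry requires the administrator's key.
"""
import hashlib
import hmac
import json


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Allowlist:
    """Administrator side: inventory baseline programs and export a sealed list."""

    def __init__(self, key: bytes):
        self._key = key          # held by the administrator, not left on endpoints
        self._entries = {}       # content hash -> friendly name

    def add(self, name: str, data: bytes) -> None:
        self._entries[sha256(data)] = name

    def export(self) -> str:
        body = json.dumps(self._entries, sort_keys=True)   # canonical form
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return json.dumps({"entries": body, "tag": tag})


class Enforcer:
    """Endpoint side: refuses a list whose tag does not verify, then answers allow/deny."""

    def __init__(self, key: bytes, exported: str):
        doc = json.loads(exported)
        expected = hmac.new(key, doc["entries"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, doc["tag"]):
            raise ValueError("allowlist integrity check failed")
        self._entries = json.loads(doc["entries"])

    def decide(self, data: bytes) -> str:
        return "allow" if sha256(data) in self._entries else "deny"


# Constructed stand-ins for program files (a real enforcer would read them from disk).
EDITOR = b"\x7fELF-editor-v1"
MAILER = b"MZ-mailer-v3"
KEY = b"constructed-admin-key"


def build_policy() -> str:
    """The administrative step: inventory the ~30 approved programs (two here)."""
    al = Allowlist(KEY)
    al.add("editor", EDITOR)
    al.add("mailer", MAILER)
    return al.export()


def run_scenarios() -> dict:
    """Decisions for the cases raised in the thread; returns label -> 'allow'/'deny'."""
    enf = Enforcer(KEY, build_policy())
    return {
        "baseline editor": enf.decide(EDITOR),
        "renamed copy of editor": enf.decide(EDITOR),      # same bytes, name irrelevant
        "overwritten mailer": enf.decide(MAILER + b"\x90"),  # one byte changed, new hash
        "unknown download": enf.decide(b"MZ-screensaver"),  # never inventoried
    }


def tampered_list_rejected() -> bool:
    """Appending an entry without the key leaves the tag stale, so loading fails."""
    doc = json.loads(build_policy())
    entries = json.loads(doc["entries"])
    entries[sha256(b"MZ-screensaver")] = "screensaver"      # malware 'adding itself'
    doc["entries"] = json.dumps(entries, sort_keys=True)
    try:
        Enforcer(KEY, json.dumps(doc))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for label, verdict in run_scenarios().items():
        print(f"{label:24} -> {verdict}")
    print("tampered list rejected:", tampered_list_rejected())
```

The hash key answers the "overwrite a DLL" case directly: the patched file is a different object and is denied until an administrator re-inventories it. What the scheme does not solve on its own is the Word/Excel case from the same post: an allowed interpreter running hostile documents is still allowed, which is why the article's own argument pairs enumerating goodness with not handing those programs default access to everything.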
Re: Good Programs
azrider 30th Sep 2005
Unlike *most* other operating systems, MS products install everything in the system directories (in fact, this is the only way they can run). Even worse, runtime information is contained in the system registry!?! If the architecture was set up so that a pointer to the application's path is stored there, and then the application is responsible for its tree (ie: root, root/bin, root/lib, root/etc...), it would be absurdly simple to quarantine any installed program (as well as completely nuke it if desired). In addition, any program could be set up to only have access to the files owned by the installer (who *usually* should not have admin rights to the entire system tree).
This way, *no* malicious program would be able to modify system (or other application) libraries at will.
0 Votes
+ -
Kindred spirit
stress junkie Updated - 12th Sep 2005
Some years ago someone said to me that if you tell people what they already believe they will think that you are a genius. As far as I'm concerned this guy is a genius.

One of the great design elements of my beloved DEC VMS operating system is that the security model was designed around the kind of model that Mr. Ranum describes. All user accounts were created within the scope of permitted actions. All else was denied. This greatly simplified security configuration. The basic premise is to deny everything to everyone then enable specific actions for specific accounts or groups of accounts.

I also like the idea that he expressed several times that if a given approach hasn't worked by now then it never will work. Patching bugs in software hasn't worked. Penetration testing hasn't worked. Educating users against social engineering attacks hasn't worked. Finding and implementing methods such as code reviews have proven to be effective, yet corporations refuse to adopt new ways of developing products. Developing a product to be secure makes more sense than trying to patch holes as they are discovered.

When I started in this business in 1985 I thought that this business would certainly have a short run. Even back then when most businesses didn't have a computer it seemed to me that computers could soon be made as easy to use as a telephone or a television. That could have happened but it didn't. Poor quality software has kept system administration alive and well. We still require years of experience to develop skills to keep bad software working more or less safely. We still have to think of baroque schemes to make computers work the way that people think that they should work.

All of this might be acceptable if system administrators were all competent and did their best work. Unfortunately that isn't the case. Like all people, the group of system administrators has a few people who want to do a good job and who work hard. But like all people, the group of system administrators are mostly comprised of people who do the least that they can get away with doing without losing their job. That fact combined with the poor quality software and the vast amount of valuable, sensitive, personal information stored on computers combine to create a disastrous scenario whose potential for crime has only just been glimpsed. When I hear stories of "highly secure" government military computers having been recently hacked I know that the software products and the system administrators are sorely lacking in quality.
0 Votes
+ -
Stress, you bring up a good point. Most system admins could care less about actually having a secure system with a good system plan behind it. It is the 80-20 rule. I generally find those sys admins and make sure that I keep reporting on their actions or lack thereof.

A bigger problem in current IT is that there are too many cooks in the kitchen. The managers think they can be sys admins, the sys admins think they are net admins, the net admins think they are sys admins, the HR department thinks they are project managers, etc. ad nauseam. I have NO idea how you fix the corporate culture in this respect.

While I agree, mostly, with what he is saying, I don't know if I can totally latch on to his "Hacking is Cool" point.

I see his point, but I disagree with the fact that someone who might not be a criminal becomes one because they can hack (Donn Parker). I think that is a pretty large leap in logic. I also disagree that learning how to hack and pen test your systems is a waste of time.

The waste of time is using tools that get dated and/or have no application within your current setup. Write your own tools and pen test your networks in various ways.
0 Votes
+ -
I see the main problem with the administration of systems and networks is the windows mentality.

Windows gives this easy to use by default server that installs and runs with little knowledge. Remember most IT departments started out as subsets of Accounting, simply because the accounting department were the first to get the computers so they knew the most about them.

This led to the dreaded "Admin by default" that many companies end up with.

The other thing that has added to this is the horde of "Consultants" that are of very substandard quality. They will drop a network in for a price, usually of generic defaults, and then leave. The customer will try to let the system run on its own as long as possible and only get a knowledgeable person to come in AFTER it has crashed and burned.

That and the glut of worthless MicroSoft Certs that people use to add credibility to themselves. Did you know that a part of the certs now covers MARKETING information? The Techs are now the front line of the sales force; instead of focusing on doing their job correctly they are more worried about selling another server.
0 Votes
+ -
re marketing
Jaqui 13th Sep 2005
This is the mindset a university networking fellow I know used to get his mc* certs.
he picked answers that best sold ms products.
aced the exams.

since his degree, and experience, are in Unix networking he has the knowledge that ms tools don't require.
0 Votes
+ -
there are more people willing to pay to take a MS class than to pay to take a *nux class. Many that use *nux in the first place are the types that aren't afraid to read a MAN page or look up the answer.

There is some good training for Unix, I got the MACE cert myself. But the classes were not offered nearly as often and ran at about 1/3 the class size of the MS classes.

Bottom line, there is more money to be made TEACHING and SELLING MS for many.
0 Votes
+ -
Sad but true
jmgarvin 13th Sep 2005
I've really pushed my students to learn *nix. They typically know Windows inside and out (sometimes they are even Win sys admins and have a good grasp of admin concepts, but don't quite "get" it)

Windows is pushed as the market leader, but after Zotob and Mytob, it seems there is a backlash in the "MS can cure all" management mentality.
0 Votes
+ -
actually
Jaqui 13th Sep 2005
I would say it's ms trying to save advertising money.
if the "Techs" are going to sell their products to the companies they work for they can target advertising to areas they have not gotten a significant market share in, or want to increase their share in.

the real problem is that mc* is a meaningless cert.
just as RH* is.
vendor specific training is a waste of time and money.
0 Votes
+ -
yep..
shadowpassword 16th Sep 2005
I was wondering if I was the only one who felt like that after reading that article.
0 Votes
+ -
"One of the great design elements of my beloved DEC VMS operating system..." Ah, yes, the good ol' days of mainframes with software that actually worked! Remember how fun IT was BEFORE you had to worry about someone hacking your system?
0 Votes
+ -
Might I gently remind you that the first security breaches were on Unix (gasp). I believe the book's name is The Cuckoo's Egg.
0 Votes
+ -
Pull the plug?
Dr Dij 16th Sep 2005
disconnect from the internet? that's why they're being hacked. companies want their sales people to be able to dial in from Starbucks.

you let people from Bulgaria and China ping your firewall, when there is no reason for them to ever connect if you have no customers there.
0 Votes
+ -
I almost need a manual to decipher some newer TV remote controls. Computers and software are extremely complex and that complexity requires knowledge and understanding to use. I don't think computers could ever have been as easy to use as the older TV or telephone systems were because computers are simply 1,000 times more complex.

Bill Dewey
I'm not sure I see the difference between patching and keeping an antivirus up to date. He rails against patching a system (to defeat exploits), but goes on to say in another article that he has his antivirus product update itself automatically. This is very similar to a patch (since the AV wouldn't be able to protect the system without it), but I don't know a way around it outside of having a bubble-boy computer that isn't attached to the internet and has no removable media. I suppose he could argue that we don't have a good antivirus system, since they all continually need updates.

I really do like the way he thinks. He bypasses the standard arguments and looks at the underlying assumptions.
is that if a system is written correctly in the first place, it would not REQUIRE several patches a month, every month, for the life of the package.

When after all this time, MicroSoft still refuses to do a good job of handling limited permissions by default for a home system. The Admin by default config is directly to blame for the vast majority of the windows exploits out today. And if you DO create a limited account, it often can't do half the tasks you need it to do as an end user unless you have LEARNED how to MODIFY the permissions.

A limited user should be able to run any program that does not change the system, but that generally is not the case.
0 Votes
+ -
The worm/virus/exploit should not run on the target computer. There are ~30 programs that he would like to have permission to run on his computer, and nothing else should be allowed at all. This would prevent viruses by default. Again, his point.

The problem is that Outlook assumes that it should run every series of bytes it sees that seems executable. The Notes ECL (Execution Control List) has a lot of potential, but very few companies actually put it to use.

The author's patches to his anti-virus are a concession to reality, not a "good idea".
0 Votes
+ -
The ~30 apps allowed to run argument breaks down when it comes to web surfing. It is hard, these days, to log onto a website that doesn't have some code on it. And do we really want to go back to static pages? I don't think so. The idea of a well constructed sandbox for foreign apps to run in is fine, and not a bad idea. As long as we consider code outside of those ~30 apps we trust to be hostile and not give them default resources, then we can allow them to run. For that matter, we shouldn't even give those ~30 apps default access to all resources.
0 Votes
+ -
If the user wasn't browsing as ADMINISTRATOR, the code on the web pages would be limited to what damage they could do to the users system, while still letting them access dynamic websites.

Also, if web developers would get a clue and adhere to internet standards instead of trying to use every non-standard "feature" that MS can throw their way, the world would be a much better place.

If I can't run something on multiple browsers, it has no place on a business web site. Why would I make it hard for someone to do business with me?
0 Votes
+ -
not entirely true
apotheon 16th Sep 2005
If you were talking about a *nix system, you'd be right on the money. Anything run by someone that doesn't have root privileges doesn't have the ability to screw up anything to which that user doesn't have direct access. This is because unix was designed from the beginning as a multi-user system.

Windows, meanwhile, was designed on top of a single-user system, DOS, and its multi-user functionality started out as nothing more than a little confection on top of your single-user functionality. Software kludges were heaped atop this single-user system to simulate the effects of multi-user privilege separation, which looks good to the inattentive sysadmin, and gives a warm and fuzzy "secure" feeling. Unfortunately, software is only limited in what it can do by the Windows privilege separation scheme if the programmer who created the software designs it to "play along" with the multi-user interface layered over the single-user system beneath it.

Microsoft has, over the years, begun making some changes to Windows to make it closer to being a true multi-user system, but it's very slow going, and they're still not quite there (unless Vista surprises me mightily, of course). File attributes have better built-in support for permission separation than they used to with older iterations of Microsoft filesystems, for instance. Ultimately, however, it's still tied together with an official API and designated "right way" to write applications for Windows so that they'll be compliant with the permissions system. What this means is that people who know how to break those rules can write software that completely bypasses Windows privilege separation, which in turn means that while avoiding running things as the Administrator account on Windows would cut down on the amount of system-wide damage malicious code could do, that's only any kind of guarantee if the code was written by someone that doesn't know how to ignore the permissions system on Windows without breaking the program.

I know, you probably already know most or all of this, jdclyde. I figured I'd just be pedantic, and point out how and why your "if the user wasn't browsing as ADMINISTRATOR" comment isn't quite as clearly applicable as it might at first seem.
0 Votes
+ -
that is why I stated "limits" instead of "stops".

It is a start and of course anyone that surfs regularly with ActiveX/java/scripting in full swing DESERVES to have to format their system a few times a year.

It blows my mind that cable companies haven't started selling or leasing a cable router to protect the home users! Makes their system work better for the user AND adds another "service" they can soak people for!
0 Votes
+ -
they do
apotheon 23rd Sep 2005
The cable company out here offers a "home networking" plan with a router/firewall. Obviously, I just chose to buy my own.
0 Votes
+ -
ahh, the
Jaqui 15th Sep 2005
infamous clientside scripting is a needed concept.

I build my mozilla with no support for java, javascript or plugins at all.
if I can't use a site without having clientside scripting, then there is nothing on that site I'm interested in.

I don't miss the garbage that comes with the clientside scripting.

dynamic websites can easily be done with server side scripting.
it's called server push.
the original animated images online were all done with it.

css has fancy dynamic capabilities without using javascript, java, vbscript, activex or flash in the website.
0 Votes
+ -
Essentially everything came down to design secure programs and then only allow those you know are secure to execute.
As a programmer I've done a LOT of turd polishing, buffed up several products into usable in fact. In fact I have to wholeheartedly agree, it won't happen. Security is a very lucrative commercial industry.
0 Votes
+ -
Why are we losing the battle?
Praetorpal Updated - 13th Sep 2005
If you read this short opinion piece along with 6 Dumbest Mistakes, you might make the connection that the reason we are losing is because the whole industry is based on those bad ideas/premises.

Cyber Crimefighters Are Losing The Battle

http://www.governmententerprise.com/170700548

Without trying to sell, Trustifier for Linux is a "default deny" security model that "enumerates goodness". Patching becomes unnecessary in many cases. All unauthorized attempts to access the system or files just fall off the system as non-events. Lock down your Linux systems and get to work.

This article helped me realize why so few people in security "get it". They have a certain mindset, have blinders on to anything new, and probably enjoy the swashbuckling adrenaline rush of being on the front battle lines while they milk the cash cow at their clients' expense.
0 Votes
+ -
But just that.
1st dumbest: It is a variation on don't install default settings. At least it is at my level- I don't write programs to sell to people.
One thing he does ignore is the choices. Yes, 20 to 40 programs are the norm for a user: but as Robert Heinlein used to say about horse races "It is well established that one horse runs faster than another-but which one? Differences are critical!"
Not to start another thread devoted to screaming about freedom versus safety, just that there is a middle of the road approach that is needed in some places. There is a real cost to security. Try locking all materials in a room in a manufacturing plant. Unless the stuff is small, expensive or rarely used, the cost outweighs the benefit. Further, there is a cost to living in a locked down state. The benefits may sometimes outweigh that, and an employer can do what they want on their machines and network, but there is still a cost in terms of employee satisfaction, morale, and creativity.
His views on user education and patching involve some card palming. In the last ten years Microsoft has offered 8 OS's for the desktop- let alone the server. IE has been through 3 or 4 languages, and to dismiss that increased complexity and change by saying "2-3 patches a month for 10 years" should have fixed it, I say: Hey, just set your browser to text only.
Education sometimes requires pain. People need to pay the consequences of breaking rules. This is not a technology issue, it is a social issue. For a computer startup you can require people to install their own machines as a way to weed out wannabes, not on a loading dock or a cash register.
Hacking- leaving alone the 'hacker/cracker' definition issue, the cool issue is moot. People are doing this for cold hard cash-no other reason. They are doing it in countries where the fix is in, screw "timid" it's safe. There is a difference between B&E goofs who rattle doorknobs and slit window screens in the next neighborhood and those who break into jewelry stores for big hauls. You better know the latest tools and tricks.
0 Votes
+ -
What kind of "creativity" should an employee have with a company computer? Should they be allowed to install any application they want at any time they want?

The cost of LETTING them trash "their" systems as they please can be small or huge. There is the down time while their system gets reloaded, and hope they had a backup of "their data".

If data is lost, how much time is wasted replacing that data instead of doing their job?

Then there is the information theft. What will happen to your business if people find out your user database got stolen because you didn't want to stifle creativity with a company asset? I think you will see fewer people wanting to do business with you, not to mention possible lawsuits.

Bottom line, that computer is NOT the user's computer. It is a company TOOL that they are allowed to use to complete set tasks for the duration that they are employed. The more they dump systems, the shorter that employment will be.
0 Votes
+ -
I wonder
Too Old For IT 14th Sep 2005
Just what kind of security/lockdown goes on at places like websense and other blacklisting organizations, where users are required to look at hate sites, moveon.org, internet porn, drive-by-downloader sites (and so on) all day long.

Maybe they keep the "boot to Ghost" CD as close as we do when we are testing old Win 95 apps on WinXP Pro machines ...
0 Votes
+ -
Wow! And I thought we were all alone out here struggling against the tide. On an individual basis the delete key is the most effective tool for computer security through e-mail. If you don't want it, delete it.

Secondarily, why did the article have to be thin white print on a black background, that's really dumb!
0 Votes
+ -
Sometimes when I click on the link to a story I get the dark background. If I reload the page it goes to black letters on a white background.
0 Votes
+ -
I was thinking it was a homage to maddox.
There is a difference between scratching and tearing. I could just as easily say what kind of 'security' requires that I have to submit a request to go to a technical site just because TR is not on an approved list. Or keeps me from checking my web based email account without a sign off. Or requires that I submit to a strip search every time I enter the job site.
Oh and how much time is spent authorizing those changes, and resetting 16 character passwords?
I am not advocating anything goes. What I am saying is that there is a balance between employee morale/productivity and security. If you treat employees as if they cannot think, learn, or act responsibly, the culture of your company becomes one in which no one acts without orders/permission.
"I was waiting for the proper authorization" is why several hundred school buses were flooded while people were trapped in New Orleans.
Security reasons were why data wasn't adequately shared between government agencies before 9/11.
National Security has been used for 50 years to cover up misdeeds at the federal level.
Fear sells. Scared people give up power. There are some people in security, of all types, because they like having power.
Joe Foss, an 80+ year old war veteran, was stopped from flying to West Point after 9/11. Why? His Congressional Medal of Honor, which he was taking to show the cadets, had pointy edges, and he wouldn't let them take it.
My comments are not about the rights of the company to do as it sees fit about security on the company's property. It is about how to choose.
0 Votes
+ -
Pro
broken link
gallagher@... 15th Sep 2005
I think your link is broken
0 Votes
+ -
Works just fine
jdclyde 15th Sep 2005
Just checked it out, and still up.

You might have checked it at the same time as the hordes of TR scampered to it.

Very common when an article gets linked to and many find out about it at the same time.
0 Votes
+ -
Interesting
Ou Jipi je 15th Sep 2005
Firstly, there are user requirements. Often these include running Internet Explorer with permission to execute scripts, which Microsoft did not foresee when integrating their browser into their Operating Systems. That alone is the dumbest idea of them all. While I agree that this is not such a big problem if you put an experienced admin on the spot, the chance of being "hacked" is already down by at least 98%. (The last 2% is Microsoft itself, and their complaint department is closed for the weekend.)

That said, secondly, an even dumber idea might be to employ a network administrator with insufficient knowledge and assign him to a manager who spends most of the time sticking his head up his butt.

Computers are tools. There is no magic or romance involved here. If someone would give you a spoon and say "dig out a swimming pool for me asap" -- even when I have seen in my experience dumb admins who would actually start digging, and middle management supporting the idea -- the spoon will eventually break.

I want to be secure, but I want to have no restrictions! Voila -- there we go, dumbest idea number three.

Should I continue?
Great article...it's as good this time as it was the first 10 or 20 times I have read it (in one form or another).

Now back to the hard work of fighting every foolish idea, notion or inspiration that comes from managers, HR and especially Marketing.

Generally speaking...there are more good System Administrators than there are bad ones, don't laugh, bear with me a moment. The biggest flaw with most Sys Admins is not having the strength of conviction to not allow the systems they are charged with protecting to be compromised for a "minor" drop in security..."just until we get this sorted". Invariably, "just until" becomes "just a little longer" and finally morphs into...well, "why change it now, we haven't had any problems".

The point is...if they are paying you for knowledge, then be knowledgeable. Complacency is the biggest enemy of a secure system. Seems the better you are at keeping staff from shooting themselves in the foot, the less they respect our warnings.

As stated in the article, the sys admin that "saves" the system or "cleans" a corrupt email system...after it is infected or compromised...gets a boat load of "Atta' boys". The guy that prevents the infection or compromise is labeled as a "hard ass" and roundly vilified by management and staff.
0 Votes
+ -
This isn't the line of thinking you get from many security "Experts", as it would take away from their business if people followed it.

If you have other good sources, links are always wanted. (thanks)

As for the "atta boys", that is the EXACT reason that a Windows Sys Admin gets more respect than a *nix Admin does. The Win admin has to come along to "save the day" on a regular basis, and the user doesn't know he saves the day by rebooting the server. The *nix admin puts the system in place and you forget about it until it is time for an update or upgrade.

The worst thing I see, is a company with a firm security policy that they are unable or unwilling to enforce. Welcome to my he11.
0 Votes
+ -
Excellent point. Only employ sysadmins who will insist on absolutely no network connections and no media importation etc.

Then get those knowledgeable folk to explain to the shareholders how much this zero-risk strategy has boosted the company worth....

Shucks. I *do* agree with you actually on the mis-directed sysadmin-praise topic. I am regularly commanded to "make do and mend" rather than understand, fix and thus minimise the daily fire-fighting; so I empathise. The politicians that avoid wars tend to get less glory than those that "win" wars; likewise, sadly, those that re-inforce coastal or earthquake defences are seen to just waste $? - until disaster strikes.

As for HR and Marketing "bright ideas", minimise the time waste by smiling and saying "Yes, yes, yes" enthusiastically ...and then enter the idea into the to-do list where it can be assigned the relevant cost, benefit and priority attributes ;-}
0 Votes
+ -
lol, as if...

You do like everyone else, you patch the hole...fight the virus...lick your wounds...do it again tomorrow.
0 Votes
+ -
You do make some points, but for the most part what you describe does not exist in most infrastructures today. To put out the idea that these methods are dumb ideas is silly; in most existing corporate infrastructures you must do these things until your so-called zen network is in place. By the way, good luck with that. Oh, and whatever you create can be hacked in ten minutes with one payoff to a disgruntled employee; let's not forget about the attacks from within. I'm not sure what your goal is with this article, but I think if you have a new OS to take over the market, well, put it out; otherwise get back to patching, since Microsoft is not going to build bullet proof OSs anytime soon. Good Perimeter, Good Domain Security and sensible design will help you handle things in between patching and IDS, but they are not instead of it.

Just My two Cents
0 Votes
+ -
A change in thought is required
jdclyde Updated - 15th Sep 2005
The way people BUILD and run networks has to be regularly looked at and reviewed.

Is this the best way to do things? Can it get better doing what we are doing? Or is it not working, time to try a different approach?

That is what I took this article as. Sure, most of us couldn't change over to his ideal right now, but it is something to think about.

People need to expect more.

I could use a little Zen, how about you?
0 Votes
+ -
... is available now for Linux. If you drop Trustifier on each Linux server/node where data is kept, and each access point (firewall/VPN and eventually mobile devices), then that ideal is attainable now.

NOTE: Trustifier is a commercial product for the enterprise. In this forum topic I am trying to tread the fine line between discussing a new model of security product factually, and selling. This product was my introduction to security and everything else just seems like too much darn work.
0 Votes
+ -
Excuse my typing, I am one-handed this week! The dreamworld is OS's that don't need patching. Every OS will require patching. You can't create an OS that is bulletproof when new bullets are coming out every day. Windows, Linux, Mac, they all have patches. Whoever assumed 5 years ago we would be fighting an army of Zombies? How are you going to lock down Granny's computer, and have her just activate the services she needs? Are you going to install a quarantine server for her emails, and one for her 200 friends? The solution is the same one that solves the problem of having to lock your doors. If the penalty for trespassing is so severe no one will do it, then the problem is solved. If sending a hacker to less than a year in a juvenile detention center, complete with Cable TV, golf course, swimming pools is the punishment, we have lost. That is better than some people have at home. Not a big price to pay for millions of $ of damage. The author has some very valid points, but is obviously stuck in an IT world that only exists in his dreams. This isn't a discussion on what OS is better, but how to make computing safe. And you have to start with the problem, the attackers, not trying to protect something that shouldn't have to be protected.
0 Votes
+ -
All someone has to do is be in a country where that activity isn't illegal and doesn't have extradition. From that point, there is NOTHING that can be done to these people.

The only way to stop this behavior is to black list countries that do not follow guidelines for on-line behavior. Spammers, porn jockeys, scam artists, and hackers can do as they please.

Then when someone here DOES get caught, it is "unpopular" to prosecute (execute?) them and they get the slap on the wrist you pointed out.

His ideas can't save the world, but they could help work networks and servers. If grandma has to have her system reloaded a few times a year, oh well.
or re-engineer the human race.
Windows source code a and C book coming up.
Don't want your dream world anyway; if you took the tendencies that lead to criminality out of our race we'd be extinct in short order. A lot of innovation comes from getting round constraints, natural or man made.
0 Votes
+ -
not a c book
Jaqui 16th Sep 2005
a visual basic book wink


actually, windows is coded in c++ exclusively.*



*trivia gained from ms associate that has been alpha testing windows for last 10 years.
0 Votes
+ -
true to an extent
apotheon 16th Sep 2005
Ongoing coding is exclusively in C++, but there is still C code in the kernel. I guess that makes your statement true, if you mean "is coded" as in "ongoing work" rather than "all included code".

Of course, mandating that everything be C++ might be part of the security issue.
still a lot of C code in it, there again as C++ is a superset of C we could both be right.
Both languages are extremely powerful, but power is a two edged sword.
Have you had the misfortune to use Delphi 2005? They rewrote the IDE in C++ for some reason best known to themselves and a complete wanker. It is seriously flaky. I've spent as much time dealing with its issues as I have with those in the code I'm working on.
It has C++'s endemic problem, all your pointer management problems surface at run time.
Long live Pascal.
0 Votes
+ -
when I
Jaqui 17th Sep 2005
read the system requirements and checked the screenshots etc for delphi 2005 I wasn't impressed.

it has always been a windows only app.
borland stopped maintaining kylix.
( version 3 is latest and requires the 2.4 kernel, it won't install on 2.6 kernel systems )

only the kernel itself has c code in it.
the gui, all included apps are all written in c++

was reading the requirements for gnu branded apps today.
c code. ansi or posix or k&r only.
( preferably k&r )
all requirements must be standard, or else integral ( widget sets )
must be hardware agnostic. ( cross platform at core, as well as os level )
no references to proprietary apps / tech in documents, other than inspired by foo.
they must be given copyright ( for longevity if app is popular )
they require legal release by any contributor for use of code.
( submit a patch for a bug, and you have to submit legal release before they will consider using it )
I'm a big fan of Delphi, but I would recommend this one to our competitors. They've stopped doing all fixes to it (you can try unofficial patches off the development team blogs). It's a damn mess. The ideas were good, though by definition very heavy in resources, but the execution is pathetic. I think they were forced to release it, buggy as it was, because of how abysmal Delphi 8 was.

Given the choice I'd have reverted back to Delphi 7, but the guys I'm working for went from Delphi 5 Pro to 2005 Enterprise. (Windows is mandatory)

In order to help you develop it maintains an abundance of lists and trees about your program, it however quite obviously loses control of them as you edit, leaving you with the wrong information, just crash and close, or with numerous access violations, In the latter case if you're lucky it will let you save and then a close and open will tidy up enough to continue. I'd estimate at least two weeks lost time in 5 months just down to how poor it is.
0 Votes
+ -
Same here,
Jaqui 17th Sep 2005
Borland was one of the first companies to actively adopt and participate in the standards.
almost every product they have meets the iso standards that are appropriate for it.



but, why on earth would they go 100% .net with delphi?
you can't install it without latest .net patches.
you can't code anything unless it's .net

a complete and utter waste of time.
and given any sort of choice will continue to do so.
I can understand providing .net; they've done their version of C++ for a while and C# even seems a reasonable commercial venture. Why they re-wrote the IDE in C++, I haven't a clue; my suspicion is someone in charge had a lobotomy. Equally the decision to maintain all the development environments through one IDE shows a total lack of brains; that was the decision of a complete moron. We have found a few twiddles here and there, but the damn thing takes nearly two minutes to load. I took the lid off my PC to make sure someone hadn't taken the memory out of it.
On top of that been doing a little work at home and just lost the last forty minutes work in patches over eight code files. So now I'm chatting away and partaking of a malt or three. **** work.
0 Votes
+ -
ouch
Jaqui 18th Sep 2005
you lost work because of the danged thing?

send 'em a bill for faulty app. wink
0 Votes
+ -
..and the solution that worked for many with your problem is to simply get a really fast machine with plenty of RAM (1 or 2 GB) for development. Also, ensure that you are working on a 'clean' machine, i.e. without much unnecessary software installed.

Cheers,
Steve
0 Votes
+ -
and space. Some of the problems are exacerbated by the low quality code base and some from the fact that the switch to Delphi 6 wasn't made. All the others aren't down to lack of resources but p1ss poor housekeeping in the IDE. It's not that it can't manage any more pointers, but that they are pointing at the wrong thing. Changed the way I usually go at things as a work-around, but the consensus from the team about Delphi 2005 is we should never have gone near it, another highly polished turd in the market place. They didn't even test it properly. It crashed on me eight times on the first day of use. Interestingly it works better under XP than it does under 2K.
"Hacking is Cool" will never go away. That's like telling a teenage boy never to look at a Playboy magazine. Or telling any kid, "never do anything that will get you in trouble."
"Educate Users" sounds like a great plan. Problem is, there will always be a ton of users who just don't care. They'll run anything on their machines, download whatever comes their way, and never give it a second thought.
On top of that, consider how much hacking comes in from outside U.S. borders, just out of spite for the U.S.
Do you lock the doors to your office to keep unauthorized people out? Do the same to your network.
0 Votes
+ -
Well what a load of twaddle!

I don't know about the rest of you, but isn't this the world in which no same 10 million lines of code can occupy the same copyright? Doesn't all the goodness eventually become outdated badness anyway? Just think on the false positives that are being asserted here! Default permit/default deny: I just love it when people start making these sort of statements. Know this: default permitting the goodness without sufficiently providing for the invariable event of your goodness turning into an exploited badness leaves you where exactly? Down the river without a paddle, my friend!

Enumerating badness, well, again, plugging the holes in the dam before we all get drowned is preferable to being overwhelmed, isn't it? Here is a small basic program to demonstrate:-
10 GOSUB LOOK_FOR_HOLES
20 IF HOLE_FOUND = FALSE THEN GOTO 50
30 GOSUB FIX_HOLE
40 GOTO 10
50 GOSUB CONGRATULATE_SELF
60 GOSUB EXPLOIT_POTENTIAL_NEGATED
70 GOTO 10

"if "Penetrate and Patch" was effective, we would have run out of security bugs in Internet Explorer by now. What has it been? 2 or 3 a month for 10 years, Space Shuttle! supposed to be hackable then it shouldn't be hackable?"

Ye, bu, no bu ye bu no bu, again what the writer fails to point out is how many revisions and new functional elements have been applied to IE over the past 10 years; clearly far more benefit than detriment has been afforded Microsoft's worldwide audience than ever the trickle of reported exploits.

"Doesn't that sound dumb? Your software and systems should be secure by design and should have been designed with flaw-handling in mind"

Er, yes, it does sound dumb actually. There is no such thing as secure by design; design involves people, people are not without fault. Does this make sense to anyone else?

Hacking is cool, oh yes it is, finding other people's faults? What, you don't read the tabloids? Penetrate and Patch is the part of any design that leads to comparable best practice. Hacking is way cool, period.

"There have been numerous interesting studies that indicate that a significant percentage of users will trade their password for a candy bar, and the Anna Kournikova worm showed us that nearly 1/2 of humanity will click on anything purporting to contain nude pictures of semi-famous females. If "Educating Users" is the strategy you plan to embark upon, you should expect to have to "patch" your users every week. That's dumb."

A. The first statement here is made up rubbish.
B. The second statement fails as the other half of humanity never got to see Anna. Aw! As the vulnerability had already been squished, Penetrated and Patched, sorry about that!

Educating Jane Bloggs user, well, the real answer is maybe if I were more interested in the real world everyday usage of the myriad applications under our control and the idiosyncrasies of those systems, then who knows, just maybe you could really help someone. Educate yourself and instil an environment in which people are led by your example of how to work smarter and save themselves the bother of continually having to call you for support. It's a two way thing, don't ya know!

"It really is easier to not do something dumb than it is to do something smart. The trick is, when you avoid doing something dumb, to make sure your superiors know you navigated around a particularly nasty sand-bar and that you get appropriate credit for being smart. Isn't that the ultimate expression of professional kung-fu? To get credit for not doing anything?!"

No NO Sir, the trick is to let all your colleagues know how you navigated the sand-bar, or indeed how you fell foul of it, thereby extending the knowledge of your team, and hey, don't worry, if it was really that great a manoeuvre or crash your team will make it known to whom the adulation is owing. Win-Win!

Best advice:-

Worry not about that which is beyond your control, nor that which is under your control, for if it is under control there is little to worry about; if beyond your control it's someone else's worry.

Even the stupidest man knows by some instinct of nature per se, that the greater the number of conforming observations the surer the conjecture.

Happy hacking!

ElSteveo LetricToken
0 Votes
+ -
Proved the guy's point admirably.
0 Votes
+ -
Engineering 101
jdgeek 15th Sep 2005
Engineering is about maximizing certain features by design. Each time you make a decision that maximizes a feature, you are doing so at the expense of another feature.

Most of the examples Mr. Ranum supplies trade security for flexibility or ease of use. Quite often these are the appropriate choices, sometimes they are not. The root of the problem might well be that maximizing security does not maximize profits.
0 Votes
+ -
How effective is cobbling together piece-meal security technologies as opposed to a comprehensive model that provides a complete solution? A lot of what is being used now in the enterprise impedes optimization of the business model, adds to system load (20-30%), and causes headaches due to lack of interoperability.

The question to ask is how much better could the organization do with increased uptime, lower maintenance costs and fully optimized IT/business models?
agrees with you wholeheartedly, which when you come down to it isn't all that comforting.

Feature set is not the problem; anything that can be done by foreign code on my system can be done either by running native code or by server side execution. Exactly what features are we gaining for the compromised security?
0 Votes
+ -
flexibility
jdgeek 20th Sep 2005
Native code == everyone has to have the code beforehand. How would Microsoft, or any other software distributor, know ahead of time that you might want to watch Elf bowling? Whether you accept it or not, email is a very flexible way of distributing programs.

Server side execution == enlarged IT infrastructure and less meaningful access to your own system (i.e. the exact same file level access you are trying to avoid).

Now, I am not arguing that a completely flexible approach provides any security. On the contrary, I believe it occupies the opposite end of the spectrum. An engineer's problem is to balance and maximize security and flexibility to the level appropriate for the system.

Microsoft's or any other distributor's failure to balance, or maximize security and flexibility may constitute bad design, but it does not change the underlying dynamic I am discussing.
0 Votes
+ -
Allowing for things like watching elf bowling is fine. Allowing for things like remote execution of elf bowling code is not so fine. Allowing for things like accessing privileged system internals by way of remote execution of elf bowling code is even less fine.

I've yet to see anything ActiveX can do that you can't do without it (or something like it), excepting the manner in which it allows you to completely bypass almost all security controls without trying.
0 Votes
+ -
#1. This is the way all software SHOULD be written. You don't let anyone do anything they aren't explicitly allowed to do. This is the way Novell, UNIX, and Oracle have handled their security since day one. Its too bad Microsoft abandoned this concept.

#2. This one is a little more contentious, in that this isn't currently practical for many companies. I won't point fingers at who is to blame for this, because it is fairly self-evident. It would require a certain proprietary software company to divulge their communications specifications in order to make this a reality.

#3. This one has both fact and fiction. Penetration testing can be useful information, but I agree with the underlying premise - that because the original software wasn't built securely in the first place, it is inherently (and possibly intentionally) flawed. No one is expecting anyone to write a non-trivial application securely the first time. That's why there is beta testing and trial before it goes out to customers. But I have to agree that the sheer volume of patches indicates a haphazard underlying programming framework.

#4. This is right on the money. Of course, if it weren't so easy to hack things, much of this would disappear.

#5. Ultimately, this one is more a business decision than a technical decision. This is a question of whether or not the effort to train employees in basic IT practices is worth the reduced instances of viruses, misuse, etc. From a human resources perspective, companies are required to train employees on what constitutes misuse of company property for legal and employment reasons. While I can understand the logic, I disagree with the conclusion not on security principles, but on business principles.

#6. This is also a business decision. I think the crux of this one comes down to the trust relationship that exists between the decision-maker (management) and the IT staff (recommendation team/implementers), and comes down to whether or not the manager knows IT. If the manager knows IT principles, he/she is much less likely to make poor decisions, and much more likely to rely on the IT department/staff for recommendations and implementation plans. If the manager DOESN'T know IT, however, they have to rely on someone else's knowledge. To me, this is more of a management issue of knowledge and trust than a security problem.
0 Votes
+ -
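The "default deny" point made in the post above (#1) and in the earlier Trustifier post ("enumerates goodness" instead of badness) is easier to weigh with the two policies side by side. The following is an added example written for this thread, not code from Ranum, Trustifier or any poster: the same constructed list of program-launch events is run through an "enumerate badness" blocklist (default permit) and an "enumerate goodness" allowlist (default deny). All paths, labels and hashes are made up for the demonstration.

```python
"""Enumerating badness vs enumerating goodness on constructed launch events.

Added example for the discussion above, not from the original article or any
poster. Paths, hash labels and the notion of a 'signed' flag are constructed.
"""
import hashlib
from dataclasses import dataclass


def digest(label: str) -> str:
    """SHA-256 of a short label; stands in for the hash of a real binary (constructed)."""
    return hashlib.sha256(label.encode()).hexdigest()


@dataclass(frozen=True)
class LaunchEvent:
    path: str      # where the binary lives
    sha256: str    # hash of the file contents
    signed: bool   # carries a valid publisher signature


# Enumerating badness: only what has already been seen and catalogued.
KNOWN_BAD_HASHES = {digest("invoice-trojan-v1")}

# Enumerating goodness: approved builds plus signed binaries in trusted locations.
APPROVED_HASHES = {digest("corp-reporting-3.2"), digest("coreutils-ls")}
TRUSTED_DIRS = ("/usr/bin/", "/opt/corp/")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    LaunchEvent("/usr/bin/ls", digest("coreutils-ls"), True),
    LaunchEvent("/opt/corp/reporting", digest("corp-reporting-3.2"), True),
    LaunchEvent("/tmp/invoice.pdf.exe", digest("invoice-trojan-v1"), False),
    # A new variant the blocklist has not been updated for yet.
    LaunchEvent("/tmp/update_helper", digest("invoice-trojan-v2"), False),
    # Signed by somebody, but not an approved build and not in a trusted directory.
    LaunchEvent("/home/alice/Downloads/game", digest("elf-bowling"), True),
]


def blocklist_decision(ev: LaunchEvent) -> str:
    """Default permit: deny only hashes already on the known-bad list."""
    return "deny" if ev.sha256 in KNOWN_BAD_HASHES else "allow"


def allowlist_decision(ev: LaunchEvent) -> str:
    """Default deny: allow an approved hash, or a signed binary in a trusted directory."""
    if ev.sha256 in APPROVED_HASHES:
        return "allow"
    if ev.signed and ev.path.startswith(TRUSTED_DIRS):
        return "allow"
    return "deny"


def compare_policies(events):
    """Map each path to (blocklist decision, allowlist decision)."""
    return {ev.path: (blocklist_decision(ev), allowlist_decision(ev)) for ev in events}


def blocklist_misses(events):
    """Paths the blocklist lets through that default deny stops: everything the
    badness list has not caught up with yet."""
    return [ev.path for ev in events
            if blocklist_decision(ev) == "allow" and allowlist_decision(ev) == "deny"]


if __name__ == "__main__":
    for path, (block, allow) in compare_policies(SAMPLE_EVENTS).items():
        print(f"{path:30} blocklist={block:5} allowlist={allow}")
    print("escaped the blocklist:", blocklist_misses(SAMPLE_EVENTS))
```

The two known, approved programs pass both policies and the catalogued trojan fails both; the difference shows up on the two events nobody has classified yet, which the blocklist waves through and the allowlist refuses. That is the trade the posters argue over: the allowlist needs no update when a new variant appears, but every legitimate new program has to be approved before it will run.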
Just switch to an IBM MVS system.

And that's the problem.

The "reason" PCs/LANs/WANs exist is because of the inflexible nature of M/F operating systems.

So, you can be secure OR you can be flexible. I don't believe you can be both.

Doug