General discussion

  • Creator
    Topic
  • #2189931

    The Six Dumbest Ideas in Computer Security

    Locked

    by jdclyde ·

    This came in a security newsletter I recieve. I read it and some of the ideas I thought were pretty obvious to me, yet some others made me have to think about them for a while as they are counter the conventional “wisdome” about computer security.

    “Marcus Ranum released any interesting editorial entitled “The Six Dumbest Ideas in Computer Security.” He gives his views on common security misconceptions that seem to be perpetuated throughout corporate IT environments. You can read this and other editorials at:
    http://www.ranum.com/security/computer_security/editorials/dumb/”

    After reading this, what is your take? Are we just chasing our tails so vendors can continue to make a profit?

    Is this approach something that you use, or could use?

All Comments

  • Author
    Replies
    • #3065564

      Several good points

      by Jay Garmon ·

      In reply to The Six Dumbest Ideas in Computer Security

      Read this earlier today, and I found some very good points within, especially the notion of “Enumerating Badness” as a stupid premise. Why have security software that must maintain a list of thousands of harmful programs to block–which must be constantly updated–instead of simply allowing only authorized programs to run. Great idea in principle, though I expect the application would be difficult, especially at the home user level.

      The idea goes off the rails in the “block all attachments” rants, because I legitimately receive exe files and have the good sense to know which ones to run and which not to. Some of these extreme countermeasures could easily toss out the baby with the bath water.

      Still, required reading for IT pros, as far as I’m concerned.

      • #3065533

        Quarantined attachments

        by stress junkie ·

        In reply to Several good points

        The article simply said that it is possible to put email attachments on a system that will make it more difficult for viruses to compromise. The scheme that he proposed said that the email attachments would be stripped from the email body and stored on a special server. The end user could log in to the special server to view or retrieve the email attachment.

        • #3065521

          Good Idea

          by dr dij ·

          In reply to Quarantined attachments

          major companies’ headquarters where I used to work does this. educating users only helps slightly. They will still try to download spyware screensavers, open attachments, visit pages that do surreptitious installs, etc.

        • #3057234

          But you still should educate

          by graeme ·

          In reply to Good Idea

          We find our travelling roadshow for small businesses (1 hour plain English PowerPoint of what the problems of allowing staff to indiscriminitly email, IM and surf are). DRAMATICALLY reduces support requirement for stupid stuff. If only because they now understand how the kids have screwed up their home machines and they got hit in the pocket to fix them. The hit in thwe pocket lesson transfers to the workplace – for about 6 months. Then it needs re-inforcing.

          If only the MS “Limited” account was really such a thing……… I like this guy’s approach and arguments.

        • #3056622

          Stupid is as Stupid does!

          by the_m0nk ·

          In reply to But you still should educate

          I agree wholeheartily, one of my job roles is to train our sales staff on pc components. They still come up with some interesting ideas. Never the less the saying of forest Gump remains one of my favourites….

        • #3058890

          Every time you idiot-proof, they come up with a better idiot

          by fortinbras armstrong ·

          In reply to But you still should educate

          I have, unfortunately, had mixed results with educating users. Some years ago, we worked with everyone in the company to try to make them concerned with password security. A few weeks after the last of the classes, we ran a test. We sent out an e-mail purporting to come from a new system administrator. In essence, it said

          Hi, I’ve just started as a computer administrator here at . In order for me to keep the records up-to-date, please give me the following:
          ID:

          Mainframe system(s):

          Mainframe password:

          Unix systems(s):

          Unix password:

          E-mail password:

          In our company, each user has a unique ID which is the same for mainframe, Unix, or e-mail. (Or the NT LAN, but the password for that is the same as the e-mail password.) Thus, Joe Bloggs would be “jbloggs” no matter where he logged in. BTW, Unix administration, mainframe administration, and e-mail administration are handled by three completely different groups.

          Out of 2400 users, sixteen sent in their passwords, one department head not only e-mailed his password, but also clicked on “Reply to all”, so every user in the company got his message, and 627 people called either the help desk or the security group to complain that someone was trying to get their passwords.

        • #3062586

          Try this one . . .

          by realme ·

          In reply to Every time you idiot-proof, they come up with a better idiot

          I work for a government agency that (when our network was originally rolled out – about 15 years ago) upheld the requirement that we provide our supervisors our passwords so they could access our stuff if we “were out.” Never mind the fact that the I.T. department could change the password and allow access on a supervisor’s/department head’s request. This was encountered in a City Attorney’s office. So much for password protection, they were kept on a list in the supervisor’s desk.

        • #3059681

          actually . . .

          by apotheon ·

          In reply to Quarantined attachments

          The article said to quarantine at a staging server and allow end-users to retrieve attachments from there, as you stated, but it also said to throw out all executables right off the top. I think it was only with that last bit that the Trivia Geek took exception.

        • #3059198

          Ideas like this MUST be heard

          by big jerry ·

          In reply to Quarantined attachments

          One thing we know for sure: the current security situation to which we have evolved is a mess. It was founded on archaic concepts from a simpler time. It didn’t evolve in the right direction, so it needs to be overhauled.

          The major players (Microsoft, etc.) must look into finding creative and flexible ways for administrators to identify trusted software (and probably with different levels of trust), and those, and those only, run on the computer.

      • #3065369

        Recieving exe files

        by jdclyde ·

        In reply to Several good points

        I delete all exe files at the firewall.

        If there IS a valid reason to send a program via email rather than downloading it, I make the sender modify the extention to just .ex.

        The reciever must then manually modify it back to the .exe, and because of this process I KNOW what it is and am always expecting that executable.

        As you are in Tech, and my users are not, this would happen much less frequently for us than it would for you. While a hassle, it does save me from the “well, I got an attachment so I HAD to see what it was”.

        • #3065357

          Enumerate goodness of users

          by dmambo ·

          In reply to Recieving exe files

          Another way to control attachments is to group users by level of confidence. The ones with enough training will have rights to pull the executables from quarentine. Too hard to administer? What part of the title SysAdmin let’s you not be aware of users’ abilities? (to paraphrase the article).

          JD, the correlary to “well, I got an attachment so I HAD to see what it was” is “I only opened it for a second.” 🙂

        • #3065330

          And ever better

          by jdclyde ·

          In reply to Enumerate goodness of users

          is when they DENY opening that attachment that gave them sircam or whatever. X-(

          Or when they open it, it does nothing so they open it again and again. Hmmm, maybe there is something wrong? ?:|

          “Only opened if for a second!” Too funny! (Sounds like what my future ex-wife would do [in bed]). :O

        • #3057200

          blocking exe not a great idea

          by scott.geiger ·

          In reply to Recieving exe files

          Ok so you’ve blocked .exe, have you blocked .pif, .bat, .avi, .swf, (and on and on and on…)? It goes back to point #1 of the article – Default Permit. If you are going to block – block all and allow few. Or better yet set up a quarantine server/ftp server in a DMZ.

          Simply changing the extension is not a real solution and one that can be circumvented. We’ve seen viruses that embed javascript/vbs in HTML formatted email messages. It would not be very hard to write a script to change the extension after it gets past the block.

          I work at a place that blocked/blocks .zip, but they didn’t block .tar.gz or .tgz (both of which can be opened via almost any windows based compression tool).

        • #3059887

          You do what you can with what you have

          by jdclyde ·

          In reply to blocking exe not a great idea

          I am the Net admin, not the mail admin.

          The only thing I CAN do is what the firewall able to do for me. Anything more than that is seen as encroaching on someone elses area, and if you don’t think that creates problems then you haven’t been in IT for long. I am not going to create a war with people I have to spend 1/3 of my life with, over this.

          I can make suggestions, but that is as far as that goes.

          I am seen as “paranoid” because I am concerned with security. Oh well, politics as usual.

        • #3059884

          yup, me too

          by gadgetgirl ·

          In reply to You do what you can with what you have

          I’m sure someone changed the dictionary definition of security to paranoia at some stage.

          Hey, that’s an idea, jd!

          Shall we start the TR Paranoia Club? 😀

          GG

        • #3059871

          Were you watching me?

          by jdclyde ·

          In reply to yup, me too

          I know you people are up to something, I JUST KNOW IT! (takes his meds, and the shaking stops)

          I would take a membership in that club as I have lots of credentials in paranoia! Ask any of my co-workers! B-)

          Any administrator that doesn’t have SOME paranoia will not stay on top of the security game.

          Their coming to take me away, ha ha
          Their coming to take me awAY, ho ho

        • #3059787

          I’m not paranoid…

          by hardware queen ·

          In reply to Were you watching me?

          they really are after me!

          Seriously, the admins at our county think our school district is paranoid because we have things locked down so tightly. But guess who doesn’t get infected with the Worm of the Month?

          I would like to take this author’s approach, but I’m overridden by my supervisor. He’s the “fun uncle” who lets the kids do what they want, then mops up after them later.

        • #3059614

          Paranoia

          by birgirsch ·

          In reply to Were you watching me?

          Just because you’re paranoied,
          that does not nececeraly meen that,
          they’re not out to get you!!!

        • #3056819

          to the funny farm…

          by nicknielsen ·

          In reply to Were you watching me?

          When was the last time you saw clean white shirts in an IT shop?

        • #3056646

          fun uncles..

          by shadowpassword ·

          In reply to Were you watching me?

          yep. I’ve got a director whose idea is “We can’t cause any hate, pain or discontent with the users”. So I find myself constantly trying to do things in some roundabout way taking me twice as long throwing me into the syndrome of “I’ll secure it later”. Later never comes because later it will cause even more hate, pain and discontent and the vicious circel continues…

        • #3059677

          Paranoia Club

          by apotheon ·

          In reply to yup, me too

          Where do I sign up?

          Do I have to use a valid email address?

        • #3059642

          In this club

          by jdclyde ·

          In reply to Paranoia Club

          we already have all of your personal information, thank you very much.

          I just can’t believe you wear THAT to bed each nigh! 🙂

        • #3061424

          The club

          by jdclyde ·

          In reply to Paranoia Club

          We already have all of that information, so you don’t need to do anything but watch out your window.

          I can’t believe you wore THAT to work today…..

        • #3061357

          What, the shirt?

          by apotheon ·

          In reply to Paranoia Club

          Hey, I [b]like[/b] the camel obfu!

        • #3073847

          MIME scanning possible?

          by tntjenkins ·

          In reply to blocking exe not a great idea

          I thought you could scan a MIME type to determine file type and weed out even renamed files (ie .mpg changed to .txt? Our UNI does it to our linux home file space and the script deletes all unacceptable files no matter the extention, if the MIME type is wrong its gone!

        • #3073776

          RE: Mime scanning possible?

          by azrider ·

          In reply to MIME scanning possible?

          In the *nix world, the usual method is to look at the first 2 bytes of the file. Each *known* file (as listed in the /etc/magic file) has a specific signature, no matter what the name. This is why you can name an executable DontYouDareExec.This and it will still run if flagged executable in the directory (or called by a shell). For scripts in *nix, a #! on the first line says “execute me using the shell specified”. In the MS world, any file ending in .exe, .bat, .cmd, .vbs… will execute, since there is no concept of read/write/execute in it’s shell. Therefore, (after taking the long way around), your answer is yes. You can scan the beginning of the file to look for a signature. For more information, search for “unix magic file” or “unix file command” using your favorite search engine. For .vbs or .bat files, however, all bets are off.

        • #3059890

          A jar of files

          by danag429 ·

          In reply to Recieving exe files

          For a while there, executables were sent with the extension .jar rather than .exe. So if you were expecting a program from someone, you could rename it and use it. If not, you just deleted all the .exe files that were unknown.

          I refuse to run executables unless I specifically asked for them. Otherwise, you’re in trouble.

        • #3059831

          An old Idea

          by jobothetechnopeasant ·

          In reply to Recieving exe files

          Why not lockdown the hardrives of servers so that only the baseline inventoried programs can execute? Look, we know malware is going to get thru so why not just prevent if from running when it does?
          Building moats and perimeter defences didnt always work in the middle ages either.
          Educating users? Not realistic or cost effective in our environement.
          Make vendors write bug-free code? – Hello! this has been a problem since forever and simply isnt going to happen. Why? because its impossible to do for any non-trivial program.

          Enumerating the goodness and preventing anything else from executing is the best approach I’ve heard of.

        • #3059789

          Best idea I’ve heard

          by yzfdude11 ·

          In reply to An old Idea

          one software package.

          Securewave, sure it’s expensive, but it can lock down what can and can not run at the kernel level so go ahead double click on that exe it won’t run unless it’s on the white list.

          Not to mention you can lock down the usb ports so that printers work but usb keys do not. You can lock the floppy and the cdrom. Think about it, if there is no way a virus can execute it’s code then you don’t even need a virus checker.

        • #3059645

          WHY are exe’s a problem?

          by cio at alphabetas ·

          In reply to Recieving exe files

          I mean, the Mac just looks at them and isn’t affected at all. In fact,
          OSX asks if you really want to download it anyway.
          Why the big hoohah about exe? It’s not as if you use windows or
          some other archaic OS that passes system calls straight through to
          the kernel, right?

          :>D

        • #3059597

          yeah

          by apotheon ·

          In reply to WHY are exe’s a problem?

          Linux does the same thing: looks at it quizzically and says “So?”

      • #3059613

        Block all attachments

        by Anonymous ·

        In reply to Several good points

        This is actually a great idea. Let only attachments through with a suffix of .(yourchoice)
        that way people sending you legitimate files will have to rename them and so will your users.You will never be infected via attachments. Unless some idiot sends you a virus:}

      • #3054573

        Determine good programs

        by wdewey ·

        In reply to Several good points

        How do you determine which programs are “Good”? How easy would it be to add a program to this list? There are a number of viruses that hide themselves from antivirus programs (without the proper patch), so I don’t see a virus having a problem adding it’s self to a good list. Then there are the viruses that overwrite DLL’s of valid programs. What about Word and excel exploits? Those types of programs are going to be apart of every accept list.

        Bill Dewey

        • #3054551

          That depends on interface

          by tony hopkinson ·

          In reply to Determine good programs

          Exposing it with RPC, COM or even .net would probably be a bad idea. Essentially if client side execution of foreign code under the system account is going to be left in, don’t bother with it.

        • #3073905

          Re: Good Programs

          by azrider ·

          In reply to Determine good programs

          Unlike *most* other operating systems, MS products install everything in the system directories (in fact, this is the only way they can run). Even worse, runtime information is contained in the system registry!?! If the architecture was set up so that a pointer to the application’s path is stored there, and then the application is responsible for it’s tree (ie: root, root/bin, root/lib, root/etc…), it would be absurdly simply to quarantine any installed program (as well as completely nuke it if desired). In addition, any program could be set up to only have access to the files owned by the installer (who *usually* should not have admin rights to the entire system tree.
          This way, *no* malicious program would be able to modify system (or other application) libraries at will.

    • #3065535

      Kindred spirit

      by stress junkie ·

      In reply to The Six Dumbest Ideas in Computer Security

      Some years ago someone said to me that if you tell people what they already believe they will think that you are a genius. As far as I’m concerned this guy is a genius.

      One of the great design elements of my beloved DEC VMS operating system is that the security model was designed around the kind of model that Mr. Ranum describes. All user accounts were created within the scope of permitted actions. All else was denied. This greatly simplified security configuration. The basic premise is to deny everything to everyone then enable specific actions for specific accounts or groups of accounts.

      I also like the idea that he expressed several times that if a given approach hasn’t worked by now then it never will work. Patching bugs in software hasn’t worked. Penetration testing hasn’t worked. Educating users against social engineering attacks hasn’t worked. Finding and implementing methods such as code reviews have proven to be effective, yet corporations refuse to adopt new ways of developing products. Developing a product to be secure makes more sense than trying to patch holes as they are discovered.

      When I started in this business in 1985 I thought that this business would certainly have a short run. Even back then when most businesses didn’t have a computer it seemed to me that computers could soon be made as easy to use as a telephone or a television. That could have happened but it didn’t. Poor quality software has kept system administration alive and well. We still require years of experience to develop skills to keep bad software working more or less safely. We still have to think of baroque schemes to make computers work the way that people think that they should work.

      All of this might be acceptable if system administrators were all competent and did their best work. Unfortunately that isn’t the case. Like all people, the group of system administrators has a few people who want to do a good job and who work hard. But like all people, the group of system administrators are mostly comprised of people who do the least that they can get away with doing without losing their job. That fact combined with the poor quality software and the vast amount of valuable, sensitive, personal information stored on computers combine to create a disastrous scenario whose potential for crime has only just been glimpsed. When I hear stories of “highly secure” government military computers having been recently hacked I know that the software products and the system administrators are sorely lacking in quality.

      • #3065527

        Pareto’s Principle

        by jmgarvin ·

        In reply to Kindred spirit

        Stress you bring up a good point. Most system admins could care less about actually having a secure system with a good system plan behind it. It is the 80-20 rule. I generally find those sys admins and make sure that I keep reporting on their actions or lack there of.

        A bigger problem in current IT is that there are too many cooks in the kitchen. The managers think they can be sys admins, the sys admins think they are net admins, the net admins thinking they are sys admins, the HR department thinking they are project managers, etc ad nausium. I have NO idea how you fix the corporate culture in this respect.

        While I agree, mostly, with what he is saying, I don’t know if I can totally latch on to his “Hacking is Cool” point.

        I see his point, but I disagree with the the fact that someone who might not be a criminal becomes one because they can hack (Donn Parker). I think that is a pretty large leap in logic. I also disagree that learning how to hack and pen test your systems is a waste of time.

        The waste of time is using tools that get dated and/or have no application within your current setup. Write your own tools and pen test your networks in various way.

        • #3065362

          Bad cooks as well as too many

          by jdclyde ·

          In reply to Pareto’s Principle

          I see the main problem with the administration of systems and networks is the windows mentality.

          Windows gives this easy to use by default server that installs and runs with little knowledge. Remember most IT departments started out as subsets of Accounting, simply because the accounting department were the first to get the computers so they knew the most about them.

          This led to the dreaded “Admin by default” that many companies end up with.

          The other thing that has added to this is the horde of “Consultants” that are of very substandard quality. They will drop a network in for a price, usually of generic defaults and then leave. The customer will try to let the system run on it’s own as long as possible and only get a knowledgable person to come in AFTER it has crash and burned.

          That and the glut of worthless MicroSoft Certs that people use to add crediblity to themselves. Did you know that a part of the certs now cover MARKETING information now? The Techs are now the front line of the sales force, instead of focusing on doing their job correctly they are more worried about selling another server.

        • #3065351

          re marketing

          by jaqui ·

          In reply to Bad cooks as well as too many

          This is the midset a university networking fellow I know used to get his mc* certs.
          he picked answers that best sold ms products.
          aced the exams.

          since his degree, and experience, are in Unix networking he has the knowledge that ms tools don’t require.

        • #3065332

          And the reason for this

          by jdclyde ·

          In reply to re marketing

          there are more people willing to pay to take a MS class than to pay to take a *nux class. Many that use *nux in the first place are they types that aren’t afraid to read a MAN page or look up the answer.

          There is some good training for Unix, I got the MACE cert myself. But the classes were not offered nearly as often and ran at about 1/3 the class size of the MS classes.

          Bottom line, there is more money to be made TEACHING and SELLING MS for many.

        • #3065318

          Sad but true

          by jmgarvin ·

          In reply to And the reason for this

          I’ve really pushed my students to learn *nix. They typically know Windows inside and out (sometimes they are even Win sys admins and have a good grasp of admin concepts, but don’t quite “get” it)

          Windows is pushed as the market leader, but after Zotob and Mytob, it seems there is a backlash in the “MS can cure all” management mentality.

        • #3058402

          actually

          by jaqui ·

          In reply to And the reason for this

          I would say it’s ms trying to save advertising money.
          if the “Techs” are going to sell their products to the companies they work for they can target advertising to areas they have not gotten a significant market share in, or want to increase their share in.

          the real problem is that mc* is a meaning less cert.
          just as RH* is.
          vendor specific training is a waste of time and money.

        • #3056652

          yep..

          by shadowpassword ·

          In reply to Bad cooks as well as too many

          I was wondering if I was the only one who felt like that after reading that article.

      • #3059891

        The good ol’ days

        by computer_chick ·

        In reply to Kindred spirit

        “One of the great design elements of my beloved DEC VMS operating system…” Ah, yes, the good ol’ days of mainframes with software that actually worked! Remember how fun IT was BEFORE you had to worry about someone hacking your system?

        • #3056712

          Garden of Eden…NOT

          by bhunsinger ·

          In reply to The good ol’ days

          Might I gently remind you that the first security breaches ere on Unix (gasp) I believe the books name is The Coocoo’s Egg.

        • #3056513

          Pull the plug?

          by dr dij ·

          In reply to The good ol’ days

          disconnect from the internet? that’s why they’re being hacked. companies want their sales people to be able to dial in from Starbucks.

          you let people from Bulgaria and China ping your firewall, when there is no reason for them to ever connect if you have no customers there.

      • #3059880

        The good ol’ days

        by computer_chick ·

        In reply to Kindred spirit

        “One of the great design elements of my beloved DEC VMS operating system…” Ah, yes, the good ol’ days of mainframes with software that actually worked! Remember how fun IT was BEFORE you had to worry about someone hacking your system?

      • #3059223

        Easy to use as a TV

        by wdewey ·

        In reply to Kindred spirit

        I almost need a manual to decypher some newer TV remote controls. Computers and software are extremly complex and that complexity requires knowledge and understanding to use. I don’t think computers could ever have been as easy to use as the older TV or telephone systems were because computers are simply 1,000 times more complex.

        Bill Dewey

    • #3065524

      I like how he thinks, however…

      by gralfus ·

      In reply to The Six Dumbest Ideas in Computer Security

      I’m not sure I see the difference between patching and keeping an antivirus up to date. He rails against patching a system (to defeat exploits), but goes on to say in another article that he has his antivirus product update itself automatically. This is very similar to a patch (since the AV wouldn’t be able to protect the system without it), but I don’t know a way around it outside of having a bubble-boy computer that isn’t attached to the internet and has no removable media. I suppose he could argue that we don’t have a good antivirus system, since they all continually need updates.

      I really do like the way he thinks. He bypasses the standard arguments and looks at the underlying assumptions.

      • #3065360

        I think his point about patching

        by jdclyde ·

        In reply to I like how he thinks, however…

        is that if a system is written correctly in the first place, it would not REQUIRE several patches a month, every month, for the life of the package.

        When after all this time, MicroSoft still refuses to do a good job of handling limited permissions by default for a home system. The Admin by default config is directly to blame for the vast majority of the windows exploits out today. And if you DO create a limited account, it often can’t do half the tasks you need it to do as an end user unless you have LEARNED how to MODIFY the permissions.

        A limited user should be able to run any program that does not change the system, but that generally is not the case.

      • #3057192

        Execution control is the point

        by codepoke ·

        In reply to I like how he thinks, however…

        The worm/virus/exploit should not run on the target computer. There are ~30 programs that he would like to have permission to run on his computer, and nothing else should be allowed at all. This would prevent viruses by default. Again, his point.

        The problem is that Outlook assumes that it should run every series of bytes it sees that seems executable. The Notes ECL (Execution Control List) has a lot of potential, but very few companies actually put it to use.

        The author’s patches to his anti-virus are a concession to reality, not a “good idea”.

        • #3057186

          What about Java?

          by erich1010 ·

          In reply to Execution control is the point

          The ~30 apps allowed to run argument breaks down when it comes to web surfing. It is hard, these days, to log onto a website that doesn’t have some code on it. And do we really want to go back to static pages? I don’t think so. The idea of a well constructed sandbox for foreign apps to run in is fine, and not a bad idea. As long as we consider code outside of those ~30 apps we trust to be hostile and not give them default resources, then we can allow them to run. For that matter, we shouldn’t even give those ~30 apps default access to all resources.

        • #3059864

          It all comes down to access

          by jdclyde ·

          In reply to What about Java?

          If the user wasn’t browsing as ADMINISTRATOR, the code on the web pages would be limited to what damage they could do to the users system, while still letting them access dynamic websites.

          Also, if web devolopers would get a clue and adhere to internet standards instead of trying to use every non-standard “feature” that MS can throw their way, the world would be a much better place.

          If I can’t run something on multiple browsers, it has no place on a business web site. Why would I make it hard for someone to do business with me?

        • #3056634

          not entirely true

          by apotheon ·

          In reply to It all comes down to access

          If you were talking about a *nix system, you’d be right on the money. Anything run by someone that doesn’t have root privileges doesn’t have the ability to screw up anything to which that user doesn’t have direct access. This is because unix was designed from the beginning as a multi-user system.

          Windows, meanwhile, was designed on top of a single-user system, DOS, and its multi-user functionality started out as nothing more than a little confection on top of your single-user functionality. Software kludges were heaped atop this single-user system to simulate the effects of multi-user privilege separation, which looks good to the unattentive sysadmin, and gives a warm and fuzzy “secure” feeling. Unfortunately, software is only limited in what it can do by the Windows privilege separation scheme if the programmer who created the software designs it to “play along” with the multi-user interface layered over the single-user system beneath it.

          Microsoft has, over the years, begun making some changes to Windows to make it closer to being a true multi-user system, but it’s very slow going, and they’re still not quite there (unless Vista surprises me mightily, of course). File attributes have better built-in support for permission separation than they used to with older iterations of Microsoft filesystems, for instance. Ultimately, however, it’s still tied together with an official API and designated “right way” to write applications for Windows so that they’ll be compliant with the permissions system. What this means is that people who know how to break those rules can write software that completely bypasses Windows privilege separation, which in turn means that while avoiding running things as the Administrator account on Windows would cut down on the amount of system-wide damage malicious code could do, that’s only any kind of guarantee if the code was written by someone that doesn’t know how to ignore the permissions system on Windows without breaking the program.

          I know, you probably already know most or all of this, jdclyde. I figured I’d just be pedantic, and point out how and why your “if the user wasn’t browsing as ADMINSTRATOR” comment isn’t quite as clearly applicable as it might at first seem.

        • #3061417

          It does slow things down though

          by jdclyde ·

          In reply to not entirely true

          that is why I stated “limits” instead of “stops”.

          It is a start and of course anyone that surfs regularly with ActiveX/java/scripting in full swing DESERVES to have to format their system a few times a year.

          It blows my mind that cable companies haven’t started selling or leasing a cable router to protect the home users! Makes their system work better for the user AND adds another “service” they can soak people for!

        • #3061356

          they do

          by apotheon ·

          In reply to It does slow things down though

          The cable company out here offers a “home networking” plan with a router/firewall. Obviously, I just chose to buy my own.

        • #3059773

          ahh, the

          by jaqui ·

          In reply to What about Java?

          infamous clientside scripting is a needed concept.

          I build my mozilla with no support for java, javascript or plugins at all.
          if I can’t use a site without having clientside scripting, then there is nothing on that site I’m interested in.

          I don’t miss the garbage that comes with the clientside scripting.

          dynamic websites can easily be done with server side scripting.
          it’s called server push.
          the original animated images online were all done with it.

          css has fancy dynamic capabilities without using javascript, java, vbscript, activex or flash in the website.

    • #3065498

      Interesting view point

      by tony hopkinson ·

      In reply to The Six Dumbest Ideas in Computer Security

      Essentially everything came down to design secure programs and then only allow those you know are secure to execute.
      As a programmer I’ve done a LOT of turd polishing, buffed up several products into usable in fact. In fact I have to wholeheartedly agree, it won’t happen Security is very lucrative commercial industry.

    • #3065333

      Why are we losing the battle?

      by praetorpal ·

      In reply to The Six Dumbest Ideas in Computer Security

      If you read this short opinion piece along with 6 Dumbest Mistakes, you might make the connection that the reason we are losing is because the whole industry is based on those bad ideas/premises.

      Cyber Crimefighters Are Losing The Battle

      http://www.governmententerprise.com/170700548

      Without trying to sell, Trustifier for Linux is a “default deny” security model that “enumerates goodness”. Patching becomes unnessary in many cases. All unauthorized attempts to access the system or files just fall off the system as non-events. Lock down your Linux systems and get to work.

      This article helped me realize why so few people in security “get it”. They have a certain mindset, have blinders on to anything new, and probably enjoy the swashbucking adrenaline rush of being on the front battle lines while they milk the cash cow at their clients expense.

    • #3058495

      A place to start.

      by bhunsinger ·

      In reply to The Six Dumbest Ideas in Computer Security

      But just that.
      1st dumbest It is a variation on don’t install default settings. At least it is at my level- I don’t write programs to sell to people.
      One thing he does ignore is the choices. Yes, 20 to 40 programs are the norm for a user: but As Robert Heinlein used to say about horse races “It is well established that one horse runs faster than another-but which one? Differences are critical!”
      Not to start another thread devoted to screaming about freedom verses safety, just that there is a middle of the road approach that is needed in some places. There is a real cost to security. Try locking all materials in a room in an manufacturing plant. Unless the stuff is small, expensive or rarely used, the cost outways the benifit. Futher there is a cost to living in a locked down state. The benifits may some time outway that, and an employer can do what they want on thier machines and network, but there is still a cost in tems of employee satisfaction, morale, and creativity.
      His views on user education and patching involve some card palming. In the last ten years Microsoft has offered 8 OS’s for the desktop- let alone the server. IE has been through 3,4 languages and To dismis that increased complexity and change by saying “2-3 patches a month for 10 years” should have fixed it I say Hey, just set your browser to text only.
      Education sometimes requires pain. People need to pay the consequences of breaking rules. This is not a technology issue, it is a social issue. For a conputer startup you can require people to install their own machines as a way to weed out wannabes, not on a loading dock or a cash register.
      Hacking- leaving alone the ‘hacker/cracker’ definition issue, the cool issue is moot. People are doing this for cold hard cash-no other reason. They are doing it in counties where the fix is in, screw “timid” it’s safe. There is a difference between B&E goofs who rattle doorknob and slit window screens in the next neighbor hood and those who break into jewelry stores for big hauls. You better know the latest tools and tricks.

      • #3058332

        A locked down state

        by jdclyde ·

        In reply to A place to start.

        What kind of “creativity” should an employee have with a company computer? Should they be allowed to install any application they want at any time they want?

        What is the cost of LETTING them trash “their” systems as they please can be small or huge. There is the down time while their system gets reloaded, and hope they had backup of “their data”.

        If data is lost, who much time is wasted replacing that data instead of doing their job?

        Then there is the information theft. What will happen to your business if people find out your user database gets stolen because you don’t want to stiffle creativity with a company asset? I think you will see less people wanting to do business with you, not to mention possible law suits.

        Bottom line, that computer is NOT the users computer. It is a company TOOL that they are allowed to use to complete set tasks for the duration that they are employeed. The more they dump systems, the shorter that employment will be.

        • #3057496

          I wonder

          by too old for it ·

          In reply to A locked down state

          Just what kind of security/lockdown goes on at places like websense and other blacklisting organizations, where users are required to look at hate sites, moveon.org, internet porn, drive-by-downloader sites (and so on) all day long.

          Maybe they keep the “boot to Ghost” CD as close as we do when we are testing old Win 95 apps on WinXP Pro machines …

        • #3057236

          Security unveiled, at last

          by tor ·

          In reply to I wonder

          Wow! And I thought we were all alone out here struggling against the tide. On an individual basis the delete key is the most effective effective tool for computer security through e-mail. If you don’t want it, delete it.

          Secondarily, why did the article have to be thin white print on a black background, that’s really dumb!

        • #3057235

          Background and font

          by stress junkie ·

          In reply to Security unveiled, at last

          Sometimes when I click on the link to a story I get the dark background. If I reload the page it goes to black letters on a white background.

        • #3059873

          Background and font 2

          by coberbeck ·

          In reply to Background and font

          I was thinking it was a homage to maddox.

        • #3056670

          Work enviorment Empoyer’s Choice

          by bhunsinger ·

          In reply to A locked down state

          There is a difference between scratching and tearing. I could just as easily say what kind of ‘security’ requires that I have to submit a request to go to a technical site just because TR is not on an approved list. Or keeps me from checking my web based email account with out a sign off. Or requires that I submit to a strip search every time I enter the job site.
          Oh and how much time is spent authorizing those changes, and reseting 16 character passwords?
          I am not advocating anything goes. What I am saying is that there balance between employee morale/productitvity and security. If you treat employees as if they cannot think, learn, or act responsibly, the culture of your company becomes one in which noone acts without orders/permission.
          “I was waiting for the proper authorization ” is why several hundred school buses were flodded while people were trapped in New Orleans.
          Security reason were why data wasn’t adequatly shared between government agencies before 911.
          National Security has been used for 50 years to coverup misdeads at the federal level.
          Fear sells. Scared people give up power. There are some people in security. of all types, because they like having power.
          Joe Foss, an 80+ year old war veteran, was stoped from flying to West Point after 9/11. Why? His Congressional Metal of Honor, which he was taking to show the cadets, had pointy edges, and he wouldn’t let them take it.
          My comments are not about the rights of the company to do as it see fit about security on the company’s property. It is about how to chose.

    • #3057238

      broken link

      by gallagher2 ·

      In reply to The Six Dumbest Ideas in Computer Security

      I think your link is broken

      • #3059882

        Works just fine

        by jdclyde ·

        In reply to broken link

        Just checked it out, and still up.

        You might have checked it at the same time as the hords of TR scampered to it.

        Very common when an article gets linked to and many find out about it at the same time.

    • #3057237

      Interesting

      by ou jipi je ·

      In reply to The Six Dumbest Ideas in Computer Security

      Firstly, there are user requirements. Often, such include running of Internet Explorer with permission to execute scripts, that Microsoft did not foreseen when integrating of their browser into their Operating Systems. That alone is a dumbest idea of them all. While I agree that this is not such a big problem if you put a experienced admin on a spot, the chance of being “hacked” is already down by at least 98%. (Last 2% is Microsoft itself and their complaint department is closed for the weekend)

      That said, secondly, even dumbest idea might be is to employ a network administrator with insufficient knowledge and assign him to a manager who spends most of the time sticking his head up his butt.

      Computers are tools. There is no magic or romance involved here. If someone would give you a spoon and say dig out a swimming pool for me asap. — even when I have seen in my experience dumb admins who would actually start digging, and middle management supporting the idea — the spoon will eventually brake.

      I want to be secure, but I want to have no restrictions! Voila — there we go, dumbest idea number three.

      Should I continue?

    • #3057193

      Preaching to the choir…Always gets applause

      by beoweolf ·

      In reply to The Six Dumbest Ideas in Computer Security

      Great article…it’s as good this time as it was the first 10 or 20 times I have read it (in one form or another).

      Now back to the hard work fo fighting every foolish idea, notion or inspiration that comes from managers, HR and especially Marketing.

      Generally speaking…there are more good System Admininstrators than there are bad ones, don’t laugh-bear with me a moment. The biggest flaw with most Sys Admin is not having the strenght of conviction to not allow the systems they are charged with protecting to be compromised by for a “minor” drop in security…”just until we get this sorted”. Invariably, “just until” becomes, “just a little longer” and finally morphs into…well, “why change it now, we havent had any problems”.

      The point is…if they are paying you for knowledge, then be knowledgable. Complacency is the biggest enemy of a secure system. Seems the better you are at keeping staff from shooting themselves in foot, the less they respect our warnings.

      As stated in the article; the sys admin that “saves” the system or “cleans” a corrupt email system…after it is infected or comprmised…gets a boat load of “Atta’ boys”. The guy that prevents the infection, compromise, is labeled as a “hard ass” and roundly vilified by managment and staff.

      • #3059875

        It was new to a few of us

        by jdclyde ·

        In reply to Preaching to the choir…Always gets applause

        This isn’t the line of thinking you get from many securty “Experts” as it would take away from their business if people followed it.

        If you have other good sources, links are always wanted. (thanks)

        As for the “atta boys”, that is the EXACT reason that a Windows Sys Admin gets more respect than a *nix Admin does. The Win admin has to come along to “save the day” on a regular basis, and the user doesn’t know he saves the day by rebooting the server. The *nix admin puts the system in place and you forget about it until it is time for an update or upgrade.

        The worst thing I see, is a company with a firm security policy that they are unable or unwilling to enforce. Welcome to my he11.

      • #3059588

        Not hard enough / CLM

        by mwrmwr ·

        In reply to Preaching to the choir…Always gets applause

        Excellent point. Only employ sysadmins who will insist on absolutely no network connections and no media importation etc.

        Then get those knowledgeable folk to explain to the shareholders how much this zero-risk strategy has boosted the company worth….

        Shucks. I *do* agree with you actually on the mis-directed sysadmin-praise topic. I am regularly commanded to “make do and mend” rather than understand, fix and thus minimise the daily fire-fighting; so I empathise. The politicians that avoid wars tend to get less glory than those that “win” wars; likewise, sadly, those that re-inforce coastal or earthquake defences are seen to just waste $? – until disaster strikes.

        As for HR and Marketing “bright ideas”, minimise the time waste by smiling and saying “Yes, yes, yes” enthusiastically …and then enter the idea into the to-do list where it can be assigned the relevant cost, benefit and priority attributes ;-}

    • #3057189

      Hack-Proof Network

      by thisisfutile ·

      In reply to The Six Dumbest Ideas in Computer Security

      lol, as if…

      You do like everyone else, you patch the whole…fight the virus…lick your wounds…do it again tomorrow.

    • #3057179

      What are you smoking?

      by jsullo ·

      In reply to The Six Dumbest Ideas in Computer Security

      You do make some points but for the most part what you describe does not exist in most infrastructures today. To put out the idea that these methods are dumb ideas is silly in most existing corporate infrastructures you must do these things until your so called zen network is in place. By the way good luck with that. Oh and what ever you create can be hacked in ten minutes with one payoff to a disgruntled employee, let’s not forget about the attacks from within. I’m not sure what you goal is with this article but I think if you have a new OS to take over the market well put it out otherwise get back to patching since Microsoft is not going to build bullet proof OSs anytime soon. Good Perimeter, Good Domain Security and sensible design will help you hande things in between patching and IDS but they are not instead of it.

      Just My two Cents

      • #3059872

        A change in thought is required

        by jdclyde ·

        In reply to What are you smoking?

        The way people BUILD and run networks has to be regularly looked at and reviewed.

        Is this the best way to do things? Can it get better doing what we are doing? Or is it not working, time to try a different approach?

        That is what I took this article as. Sure, most of us couldn’t change over to his ideal right now, but it is something to think about.

        People need to expect more.

        I could use a little Zen, how about you?

        • #3059684

          This ideal standard..

          by praetorpal ·

          In reply to A change in thought is required

          … is available now for Linux. If you drop Trustifier on each Linux server/node where data is kept, and each access point (firewall/VPN and eventually mobile devices), than that ideal is attainable now.

          NOTE: Trustifier is a commercial product for the enterprise. In this forum topic I am trying to tread the fine line between discussing a new model of security product factually, and selling. This product was my introduction to security and everything else just seems like too much darn work.

    • #3059883

      Can I have your dreamworld

      by gphoto45 ·

      In reply to The Six Dumbest Ideas in Computer Security

      Excuse my typing, I am one-handed this week! The dreamworld is OS’s that don’t need pattching. Every OS will require patching. You can’t create and OS that is bulletproof, when new bullets are coming out every day. Windows, Linux, Mac, they all have patches. Who ever assumed 5 years ago, we would be fighting an army of Zombies. How are you going to lock down Granny’s computer, and have her just activate the services she needs. Are you going to install a quarentine server for her emails, and one for her 200 friends? They solution is the same one the solves the problem if having to lock you doors. If the penalty for trespassing is so sever, no one will do it, then the problem is solved. To send a hacker to less than a year in a juvenile detention center, complete with Cable TV, golf course, swimming pools is the punishment, we have lost. That is better than some people have at home. Not a big proce to pay for millions of $ of damage. The author has some very valid points, but is obviously stuck in a IT world that only exists in his dreams. This isn’t a discussion on what OS is better, but how to make computing safe. And you have to start with the problem, that attackers, not trying to protect something that shouldn’t have to be protected.

      • #3059867

        But how to enforce?

        by jdclyde ·

        In reply to Can I have your dreamworld

        All someone has to do is be in a country where that activity isn’t illegal and doesn’t have extradition. From that point, there is NOTHING that can be done to these people.

        The only way to stop this behavior is to black list countries that do not follow guidelines for on-line behavior. Spammers, porn jockies, scam artists, and hackers can do as they please.

        Then when someone here DOES get caught, it is “unpopular” to prosucute (execute?) them and they get the slap on the wrist you pointed out.

        His ideas can’t save the world, but they could help the work networks and servers. If grandma has to have her system reloaded a few times a year, oh well.

      • #3059631

        Lets see lets make all OS’s secure

        by tony hopkinson ·

        In reply to Can I have your dreamworld

        or re-engineer the human race.
        Windows source code a and C book coming up.
        Don’t want your dream world anyway, if you took the tendencies that lead to criminality out of out race we’d be extinct in short order. A lot of innovation comes from getting round constraints natural or man made.

        • #3056629

          not a c book

          by jaqui ·

          In reply to Lets see lets make all OS’s secure

          a visual basic book 😉

          actually, windows is coded in c++ exclusivly.*

          *trivia gained from ms associate that has been alpha testing windows for last 10 years.

        • #3056562

          true to an extent

          by apotheon ·

          In reply to not a c book

          Ongoing coding is exclusively in C++, but there is still C code in the kernel. I guess that makes your statement true, if you mean “is coded” as in “ongoing work” rather than “all included code”.

          Of course, mandating that everything be C++ might be part of the security issue.

        • #3056550

          Well I was pretty sure there was

          by tony hopkinson ·

          In reply to not a c book

          still a lot of C code in it, there again as C++ is a superset of C we could both be right.
          Both languages are extremely powerful, but power is a two edged sword.
          Have you had the misfortune to use Delphi 2005, they rewrote the IDE in C++ for some reason best known to themselves and a complete wanker. It is seriously flaky. I’ve spent as much time dealing with it’s issues as I have with those in the code I’m working on.
          It has C++’s endemic problem, all your pointer management problems surface at run time.
          Long live Pascal.

        • #3059153

          when I

          by jaqui ·

          In reply to Well I was pretty sure there was

          read the system requirements and checked the screenshots etc for delphi 2005 I wasn’t impressed.

          it has always been a windows only app.
          borland stopped maintaining kylix.
          ( version 3 is latest and requires the 2.4 kernel, it won’t install on 2.6 kernel systems )

          only the kernel itself has c code in it.
          the gui, all included apps are all written in c++

          was reading the requirements for gnu branded apps today.
          c code. ansi or posix or k&r only.
          ( preferably k&r )
          all requirements must be standard, or else integral ( widget sets )
          must be hardware agnostic. ( cross platform at core, as well as os level )
          no references to proprietary apps / tech in documents, other than inspired by foo.
          they must be given copyright ( for longevity if app is popular )
          they require legal release by any contributor for use of code.
          ( submit a patch for a bug, and you have to submit legal release before they will concider using it )

        • #3059144

          I’ve always liked Borland products

          by tony hopkinson ·

          In reply to when I

          I’m a big fan of Delphi, but I would recommend this one to our competitors. They’ve stopped doing all fixes it to it (you can try unofficial patches off the devlopment team blogs). It’s a damn mess. The ideas were good though by definition very heavy in resources but the execution is pathetic. I think they were forced to release it, buggy as it was, because of how abysmal Delphi 8 was.

          Given the choice I’d have reverted back to Delphi 7, but the guys I’m working for went from Delphi 5 Pro to 2005 Enterprise. (Windows is mandatory)

          In order to help you develop it maintains an abundance of lists and trees about your program, it however quite obviously loses control of them as you edit, leaving you with the wrong information, just crash and close, or with numerous access violations, In the latter case if you’re lucky it will let you save and then a close and open will tidy up enough to continue. I’d estimate at least two weeks lost time in 5 months just down to how poor it is.

        • #3059018

          Same here,

          by jaqui ·

          In reply to I’ve always liked Borland products

          Borland was one of the first companies to actively adopt and participate in the standards.
          almost every product they have meets the iso standards that are appropriate for it.

          but, why on earth would they go 100% .net with delphi?
          you can’t install it without latest .net patches.
          you can’t code anything unless it’s .net

          a complete and utter waste of time.

        • #3059007

          Well I’m still devloping in Win32 Delphi

          by tony hopkinson ·

          In reply to I’ve always liked Borland products

          and given any sort of choice will continue to do so.
          I can understand providing .net, they’ve done their version of C++ for a while and C# even seems a reasonable commercial venture. Why they re-wrote the IDE in C++ , I haven’t a clue, my suspicion is someone in charge had a lobotomy. Equally the decision to maintain all the development environments through one IDE, shows a total lack of brains, that was the decision of a complete moron. We have foind a few twiidles here and there but the damn thing takes nearly two minutes to load, I took the lid off my PC to make sure someone hadn’t took the memory out of it.
          On top of that been doing a little work at home and just lost the last forty minutes work in patches over eight code files. So now I’m chatting away and partaking of a malt or three. **** work.

        • #3058969

          ouch

          by jaqui ·

          In reply to I’ve always liked Borland products

          you lost work because of the danged thing?

          send ’em a bill for faulty app. 😉

        • #3059526

          You are not alone,,

          by stevef199 ·

          In reply to I’ve always liked Borland products

          ..and the solution that worked for many with your problem is to simply get a really fast machine with plenty of RAM (1 or 2 GB) for development. Also, ensure that the you are working on a ‘clean’ machine, ie. without much un-necessary software installed.

          Cheers,
          Steve

        • #3054548

          Plenty of oomph

          by tony hopkinson ·

          In reply to I’ve always liked Borland products

          and space. Some of the problems are exacerbated by the low quality code base and some from the fact that the switch to Delphi 6 wasn’t made. All the others are’nt down to lackk of resources but p1ss poor housekeeping in the IDE. It’s not that it can’t manage anymore pointers, but that they are pointing at the wrong thing. Changed the way I usually go at things as a work-around, but the consensus from the team about Delphi 2005 is we should never have gone near it, another highly polished turd in the market place. They didn’t even test it properly. It crashed on me eight times on the first day of use. Interestingly it works better under XP than it does under 2K.

    • #3059857

      Undoing Social Engineering

      by larry.johnson25 ·

      In reply to The Six Dumbest Ideas in Computer Security

      “Hacking is Cool” will never go away. That’s like telling a teenage boy never to look at a Playboy magazine. Or telling any kid, “never do anything that will get you in trouble.”
      “Educate Users” sounds like a great plan. Problem is, there will always be a ton of users who just don’t care. They’ll run anything on their machines, download whatever comes their way, and never give it a second thought.
      On top of that, consider how much hacking comes in from outside U.S. borders, just out of spite for the U.S.
      Do you lock the doors to your office to keep unauthorized people out? Do the same to your network.

    • #3059854

      False Positive?

      by lectrictoken ·

      In reply to The Six Dumbest Ideas in Computer Security

      Well what a load of twaddle!

      I don?t know about the rest of you, but isn?t this the world in which no same 10 million lines of code can be occupy the same copyright, doesn?t all the goodness eventually become outdated badness anyway! Just think on the false positives that are being asserted here! default permit/default deny I just love it when people start making these sort of statements, know this; default permitting the goodness without sufficiently providing for the invariable event of your goodness turning into an exploited badness, leaves you where exactly ? down the river without a paddle my friend!

      Enumerating badness, well again plugging the holes in the dam before we all get drowned, is preferable to being overwhelmed isn?t it, here is a small basic program to demonstrate:-
      10 GOSUB LOOK_FOR_HOLES
      20 IF HOLE_FOUND = FALSE THEN GOTO 50
      30 GOSUB FIX_HOLE
      40 GOTO 10
      50 GOSUB CONGRATULATE_SELF
      60 GOSUB EXPLOIT_POTENTIAL_NEGATED
      70 GOTO 10

      ?if “Penetrate and Patch” was effective, we would have run out of security bugs in Internet Explorer by now. What has it been? 2 or 3 a month for 10 years, Space Shuttle! supposed to be hackable then it shouldn’t be hackable?

      Ye, bu, no bu ye bu no bu, again what the writer fails to point out is how many revisions and new functional elements have been applied to IE over the past 10 years, clearly far more benefit than detriment has been afforded Microsoft worldwide audience than ever the trickle of reported exploits.

      ?Doesn’t that sound dumb? Your software and systems should be secure by design and should have been designed with flaw-handling in mind?

      Er yes it does sound dumb actually, there is no such thing as secure by design, design involves people, people are not without fault does this make sense to anyone else?

      Hacking is cool oh yes it is, finding other peoples faults? What you don?t read the tabloids, Penetrate and Patch is the part of any design that leads to comparable best practice. Hacking is way cool period.

      ?There have been numerous interesting studies that indicate that a significant percentage of users will trade their password for a candy bar, and the Anna Kournikova worm showed us that nearly 1/2 of humanity will click on anything purporting to contain nude pictures of semi-famous females. If “Educating Users” is the strategy you plan to embark upon, you should expect to have to “patch” your users every week. That’s dumb.?

      A. The first statement here is made up rubbish
      B. The second statement fails as the other half of humanity never got to see Anna, Aw! As the vulnerability had already been squished, Penetrated and Patched, sorry about that!

      Educating Jane Bloggs user, well the real real answer is maybe if I were more interested in the real world everyday usage of the myriad applications under our control and the idiosyncrasies of those systems, then who knows just maybe you could really help someone, educate yourself and instil an environment in which people are lead by your example of how to work smarter and save themselves the bother of continually having to call you for support, it?s a two way thing don?t ya know!

      ?It really is easier to not do something dumb than it is to do something smart. The trick is, when you avoid doing something dumb, to make sure your superiors know you navigated around a particularly nasty sand-bar and that you get appropriate credit for being smart. Isn’t that the ultimate expression of professional kung-fu? To get credit for not doing anything?!?

      No NO Sir, the trick is to let all your colleagues know how you navigated the sand-bar, or indeed how you fell foul of it, thereby extenuating the knowledge of your team, and hey don?t worry, if it was really that great a manoeuvre or crash your team will make it known to whom the adulation is owing, Win-Win!

      Best advice:-

      Worry not about that which is beyond your control, nor that which is under your control, for if it is under control there is little to worry about, if beyond your control it?s someone else?s worry.

      Even the stupidest man knows by some instinct of nature per se, that the greater the number of conforming observations the surer the conjecture.

      Happy hacking!

      ElSteveo LetricToken

    • #3059853

      Engineering 101

      by jdgeek ·

      In reply to The Six Dumbest Ideas in Computer Security

      Engineering is about maximizing certain features by design. Each time you make a decision that maximizes a feature, you are doing so at the expense of another feature.

      Most of the examples Mr. Ranum supplies trade security for flexibility or ease of use. Quite often these are the appropriate choices, sometimes they are not. The root of the problem might well be that maximizing security does not maximize profits.

      • #3059716

        Depends oh how you look at it…

        by praetorpal ·

        In reply to Engineering 101

        How effective is cobbling together piece-meal security technologies as opposed to a comprehensive model that provides a complete solution? A lot of what is being used now in the enterprise impedes optimization of the business model, adds to system load (20-30%), and causes headaches due to lack of interoperability.

        The question to ask is how much better could the organization do with increased uptime, lower maintenance costs and fully optimized IT/business models?

      • #3059620

        A certain giant in the software industry

        by tony hopkinson ·

        In reply to Engineering 101

        agrees with you wholeheartedly, which when you come down to it isn’t all that comforting.

        Feature set is not the problem, anything that can be done by foreign code on my system can be done by either by running native code or by server side execution. Exactly what features are we gaining for the compromised security ?

        • #3054355

          flexibility

          by jdgeek ·

          In reply to A certain giant in the software industry

          Native code == everyone has to have the code beforehand. How would Microsoft, or any other software distributor know ahead of time that you might want to watch Elf bowling? Wether you accept it or not, email is a very flexible way of distributing programs.

          Server side execution == enlarged IT infrastructure and less meaningful access to your own system (i.e. the exact same file level access you are trying to avoid).

          Now, I am not arguing that a completely flexible approach provides any security. On the contrary, I believe it occupies the opposite end of the spectrum. An engineer’s problem is to balance and maximize security and flexibility to the level appropriate for the system.

          Microsoft’s or any other distributor’s failure to balance, or maximize security and flexibility may constitute bad design, but it does not change the underlying dynamic I am discussing.

        • #3054268

          secure flexibility

          by apotheon ·

          In reply to flexibility

          Allowing for things like watching elf bowling is fine. Allowing for things like remote execution of elf bowling code is not so fine. Allowing for things like accessing privileged system internals by way of remote execution of elf bowling code is even less fine.

          I’ve yet to see anything ActiveX can do that you can’t do without it (or something like it), excepting the manner in which it allows you to completely bypass almost all security controls without trying.

    • #3059841

      Criticism of 6 ideas

      by blarman ·

      In reply to The Six Dumbest Ideas in Computer Security

      #1. This is the way all software SHOULD be written. You don’t let anyone do anything they aren’t explicitly allowed to do. This is the way Novell, UNIX, and Oracle have handled their security since day one. Its too bad Microsoft abandoned this concept.

      #2. This one is a little more contentious, in that this isn’t currently practical for many companies. I won’t point fingers at who is to blame for this, because it is fairly self-evident. It would require a certain proprietary software company to divulge their communications specifications in order to make this a reality.

      #3. This one has both fact and fiction. Penetration testing can be useful information, but I agree with the underlying premise – that because the original software wasn’t built securely in the first place, that it is inherently (and possibly intentionally) flawed. Noone is expecting anyone to write a non-trivial application securely the first time. That’s why there is beta testing and trial before it goes out to customers. But I have to agree that the sheer volume of patches indicates a haphazard underlying programming framework.

      #4. This is right on the money. Of course, if it weren’t so easy to hack things, much of this would disappear.

      #5. Ultimately, this one is more a business decision than a technical decision. This is a question of whether or not the effort to train employees in basic IT practices is worth the reduced instances of viruses, misuse, etc. From a human resources perspective, companies are required to train employees on what constitutes misuse of company property for legal and employment reasons. While I can understand the logic, I disagree with the conclusion not on security principles, but on business principles.

      #6. This is also a business decision. I think the crux of this one comes down to the trust relationship that exists between the decision-maker (management) and the IT staff (recommendation team/implementers), and comes down to whether or not the manager knows IT. If the manager knows IT principles, he/she is much less likely to make poor decisions, and much more likely to rely on the IT department/staff for recommendations and implementation plans. If the manager DOESN’T know IT, however, they have to rely on someone else’s knowledge. To me, this is more of a management issue of knowledge and trust that a security problem.

    • #3059811

      Easy to implement

      by douglasjohnledet ·

      In reply to The Six Dumbest Ideas in Computer Security

      Just switch to an IBM MVS system.

      And that’s the problem.

      The “reason” PCs/LANs/WANs exist is because of the inflexible nature of M/F operating systems.

      So, you can be secure OR you can be flexible. I don’t believe you can be both.

      Doug

    • #3059802

      Excellent Article!

      by heml0ck ·

      In reply to The Six Dumbest Ideas in Computer Security

      Well written, well thought out.
      We quarantine all attachments in Notes, and examine them for malware before releasing them. Used to make the users grumpy until it was pointed out that unlike every other site in our division, we had not had a disruption of service due to viruses in over two years.
      We also only allow vpn’d connections through our firewall ( inbound) and proxy access with URL scanning/blocking outbound. If we don’t want you in, you don’t come in.

    • #3059800

      society rules vs computer rules

      by ctos ·

      In reply to The Six Dumbest Ideas in Computer Security

      I agree in total with Ranum that society changing for the worse IS the real problem; but that is not under our control to reverse, that I know of.
      Computer design was a great invention, but it was designed by beginners as well. Now that it is apparent that we need to change the way we think and design, initiation of the changes should take place and virtually eliminate the badness of society. This would happen when we take their “playground” away by removing the basic access to individual machines.
      No matter what the subject is, take one step back in the discussion and view it and you will usually find a different focus on the item. That is what Ranum did and I applaud him for this insight! It is the way I *feel* and it is nice to hear someone actually say it and put it in print!
      Cant change society and the growing badness? Change the playground and the access to it!

      • #3059615

        good point

        by dirtycar74 ·

        In reply to society rules vs computer rules

        I like the analogy (sp?) of the playground; very cute and yet to the point and presents a strong visual that almost everyone can relate to.

    • #3059783

      Ahhh… the PERFECT IT world!

      by lando56 ·

      In reply to The Six Dumbest Ideas in Computer Security

      Of course the author makes some very good points, but does sometimes goes off in whatever direction that is basically a non-exsistant world… and never will exist. As one replier insinuated(sorry, forgot who) business drives IT, NOT the other way around. That is not to say that what ever business says ‘goes’… of course IT has to be sure that it is safe, beneficial and cost effective.

      As far as educating users ( the weakest link in the security chain) to ‘demand'(?) that CPA’s, insurance adjusters, finance executives, heart surgeons… whomever, become IT experts is to completely misunderstand the purpose of the business. People do not go to a medical specialists because the doctor has a BS in Computer Science or security certifcation.

      Anyway, in closing ( I know…finally!)yes, some good ideas, some a little too esoteric, and some that just will not work in the real world.

    • #3059632

      Another LA LA Land Citizen!

      by yowye ·

      In reply to The Six Dumbest Ideas in Computer Security

      Lets put an end to EXE’s…
      Thats not smart… that’s plain Lunatic
      Your intire Frame work depends on Executeable Files, weather upper class or subclass.
      Upperclass = loading schematic that puts the program on your computer… by simply embedding it into the framework of your funtional code.
      1 Messing with this eliminates program addions to be easily if not entirely capable of embeding them selves into the system… which means you cannot also load the software you want without reloading your entire system mainframe, and that will cause more problems then permiscuous spyware.
      2 When you think that your problems can’t get any worse then the previous statment… then you realize that you also messed up the Subclass EXE’s
      Subclass = loading schematic that opens the program each time you want to use it… so in a manner of speaking… you just initially prevented most of your programs from running properly.
      If you affect the Upperclass = loading schematic you will also affect the Subclass = loading schematic and visa-versa.

      In other words… you just created a diffrent and maybe even larger pile of headaches.

    • #3059617

      Instead of complaining, offer solutions

      by dirtycar74 ·

      In reply to The Six Dumbest Ideas in Computer Security

      I know most of the folks who frequent these boards are pretty busy, so I’ll cut to the chase…

      When you say that something is “a dumb idea”, you are stating the obvious, but you have yet to really offer up any real solutions or plans that the average IT guy/gal can take up and follow through with.

      Next time you want to rant about the standard practices, you might want to try re-designing the infrastructure of a mega-corporation first; only then will you see the futility in the whole design and re-design process. The whole idea behind most of the “dumb ideas” listed is the fact that they allow most things to work across a wide variety of setups. Until you invent something better, keep your rants to a minimum please. I want useful ideas not mindless drabble or follow the leader (and bash the industry standards), thanks.

      And please don’t take this as a flame or that I disrespect your point of view; I like the fact you are willing to voice this, just please remember that until there is something better, we are all pretty much stuck with what we have…

      • #3059600

        Angry but not ranting

        by praetorpal ·

        In reply to Instead of complaining, offer solutions

        I think he asking us to challenge the status quo. He is a security person, not a kernel programmer. It is not up to him to provide a solution. He is only making us aware of the reasons we are losing ground, as we continue to accept the status quo. I am telling you, after 2 years of writing editors, writers, you name it, that few people have the vision to accept the possiblity of anything new being better in this area, yet the status quo is failing us.

        If you want a solution, I again invite you to google Trustifier for your own information.

      • #3061380

        I think my reason for pointing the article out was missed

        by jdclyde ·

        In reply to Instead of complaining, offer solutions

        I think my reason for pointing the article out was missed.

        I firmly believe we should here NEW ideas all the time, not just the ones that agree with what we already think.

        Remember the old “no stupid questions” rule? That is why in Brain Storming sessions NOTHING is evaluated or discounted until after the collection time is done. Sure, some ideas are not very good, but a “bad” idea will get someone else think of why the idea is bad and how to make it a GREAT idea. None would have happened if the first “Bad” idea wasn’t thrown into the discussion in the first place.

        Not to mention, many inventions are done by MISTAKE.

        If more people start to question the “chase your tail” mentality we are all stuck in, someone WILL come up with that solution.

        And for the same reason Windows is so easy to be compromised, a vanilla config is just BEGGING for trouble.

        We need to expect MORE from software vendors.

    • #3059595

      Pushing patches in the Middle of the Day

      by kit_eizenga ·

      In reply to The Six Dumbest Ideas in Computer Security

      Our Security guy used to push patches in the middle of the day. Oh would users be pissed.

    • #3056820

      Too much money involved

      by nicknielsen ·

      In reply to The Six Dumbest Ideas in Computer Security

      I believe that to completely implement his suggested solutions in today’s IT market is an impossibility; too many people have an entrenched economic interest in the status quo.

      On the other hand, if software developers would simply write their applications so all actions take place by default in the &user& directory, we could probably eliminate 90% of what is already out there. It might even make the Microsoft “Limited” account actually useful for something besides an interesting entry in the WinXP user setup dialog.

    • #3056810

      Excellent article, some concerns

      by rm3mpc ·

      In reply to The Six Dumbest Ideas in Computer Security

      Overall, I thought the article was excellent. The author did what
      a few others I have encountered have done: he stood the
      problem on its ear and looked at it in a different way, and drew a
      set of conclusions that defied conventional wisdom. Even if you
      find cause to disagree with him, he makes you think.

      The article is most relevant to businesses which can afford to
      have smart sysadmins, isolation servers, etc. Home users, who
      are both victims and vectors for malware, wouldn’t be able or
      interested enough to do everything he calls for.

      The solutions should come from the OS providers. NOTHING that
      can harm a system should be allowed onto it without explicit
      permission, whether we’re talking about .exe executables, Java
      scripts, VBS or whatever. The OS should be layered and should
      protect itself. That doesn’t render a system completely
      bulletproof because social engineering can trick a user into
      making an ill-informed choice, but it’s a major step in the right
      direction.

      Furthermore, installed software should list every unique feature
      and request permission before putting in components that you
      didn’t explicitly ask for. Why should Acrobat Reader add a Yahoo
      search bar without asking me if it’s OK?

      And every installed component should be required to list the
      vendor who provided it along with a brief description in plain
      language that says this is part of such-and-such an application.
      That information should be available in things like System
      Configuration files, the System Registry, Add/Remove Programs
      in Windows, and whatever provides similar functions in other
      OSes.

      That said, I think the article should be required reading for every
      software designer/programmer. It wouldn’t be a bad idea to
      circulate it around management, either.

      Regarding the 80/20 rule as applied to sysadmins, netadmins, et
      al., that may be true, but even more to the point, it’s a
      management problem. Management often doesn’t see the
      problem, or imposes constraints that make it nigh unto
      impossible to provide a secure system.

      And when catastrophe strikes, who will get the blame? He or she
      to whom responsibility was delegated (see attached memo
      outlinking job responsibilities), but who lacked the resources to
      do the job.

      I still hold the OS developers most to blame, followed by the ISPs
      who can catch this stuff before it lands on your lap.

      • #3056632

        Sidetrack: Amen to the moan about adding “extra” software

        by kim spence-jones ·

        In reply to Excellent article, some concerns

        Two worst cases of that which I have encountered:

        1. Logitech, who “helpfully” installed a new mouse driver with my webcam software — and broke my mouse.

        2. HP Print drivers, which arrive as a massive (300MB iirc) install image, and seem to worm their way into the functionality of almost every application and function in your system, even including changing folders in explorer.

        As a result, I’ll think twice about buying or recommending further products from either company.

        The only way we stand a chance of keeping this stuff under control is if software sticks (by default at least) to its own core functionality.

    • #3056791

      Ruthless

      by retroreformat ·

      In reply to The Six Dumbest Ideas in Computer Security

      Having read every prior post, there seem to be many reasons to avoid doing the one thing a certain large and well known company refuses to do…
      LOCK THE DOOR.
      Yes, nothing man can devise cannot be UNdone by yet another man; I was under the impression though, that the lock is designed to stop the honest man and will only deter those motivated by lesser ideals.
      If redmond is filled with people that never lock their doors, why is it any surprise thieves congregate there? Why is it any surprise there are so many attacks?
      Unless someone has a financial interest in working the (known and exploited)failures in any OS, there is no other reason to advance the relevance or utility of such a system. Dump it at the first available opportunity.
      I really do understand the “enumerate the bad” crowd; somebody had to be the first to understand what a rattlesnake was.
      What they may not see in their rush to justify their salaries is that others have already decided
      they will avoid the bite in the first place, by design.
      I am currently on my LAST redmond product, and I figure it is only a matter of time before Redmond gets a DARWIN AWARD. I have no interest purchasing ANY OS that is “encryted for my safety”. All I see is a big push for Cover Your A** out of Redmond, which has apparently taken the screen door and firmly welded it to a submarine.
      Open source allows many eyes to assure that every prior set of eyes all see the very same thing… a secure and stable system.
      Advances in programming and technology should make that MORE of a reality, not less, and any attempt to cloud your view of what is running on YOUR systems only advances the cause of cash flow for courses, updates, patches and technicians.
      I’m lucky… my company is so far behind the curve on technology spending, all the rest of you are my test bed, and my boss thinks I am amazing with all the stuff he reads that we can AVOID due to that single fact.
      Funny thing is, as an ex-military guy, he feels just as I do that encrypting your OS is a great way to assure that nobody on the outside can see just how stupid you have been on the inside… you just limit everyone to chasing the end result at questionable cost across the board, as opposed to having far less to react to in the first place.

      Actually, the boss said “Trustworthy computing from REMOND is like BANKING with DILLINGER AND BARROWS”
      I’ll work for this guy until they drag me kicking and screaming out the door.

    • #3056781

      Pass this along!

      by lachandler2000 ·

      In reply to The Six Dumbest Ideas in Computer Security

      This is the most definative analysis of what’s wrong with modern computing.

    • #3059183

      Great points … in retrospect

      by michael_dore ·

      In reply to The Six Dumbest Ideas in Computer Security

      All of the points you raise are based on a lack of central control in systems development. Initially (not that I was around back then) systems development was about a bunch of smart people helping each other out and the basic assumption was that code should be open, sharable, decentralized… (see the cathedral and the bazaar). Interestingly as systems have evolved and become core infrastructure to most aspects of daily life from defending our country to buying movie tickets perhaps it is time for the industry to evolve as well. The next question is who should be standards body (govt, IEEE, business community, consumer watchdogs…) who will audit, list, and maintain the validated software lists? Who will pay for that? It would be an interesting study to see how much it would cost to do versus how much is spent now on wasted cpu cycles and person hours on current practices.

      Oh yeah how about closing some of the holes in email?

      • #3059167

        poppycock

        by apotheon ·

        In reply to Great points … in retrospect

        You don’t need “central control in systems development”, you need clear policy in systems implementation and transparency in systems development. Central control in systems development is exactly what got Microsoft into the mess in which it currently finds itself. Central control in systems development leads to opaque systems development planning, which leads to problems.

        • #3059008

          sarcasm is lost

          by michael_dore ·

          In reply to poppycock

          at the end of the day, no one is talking about the would be decompiler who uses techniques that are already in use (port scanning, decompiling, spoofing…) At the end of the day it won’t work and will just cost a lot of money.

          I agree with your ms comment incidentally.

      • #3059151

        re standards body

        by jaqui ·

        In reply to Great points … in retrospect

        the I.S.O.
        with a membership greater than the UN already, thier standards are a compilation of the needs by all interested parties.
        no one group has control. every standard is agreed on by international committee before it is released.

        when government, private industry, and end users all have an equal voice in setting the standard, it seems safe to assume that all concerns are addressed.
        a Standards Committee has a tribunal in charge, one from private sector, one from public and one from end users.
        these three have veto power individually as well as collectively. to governing body of the iso supplies the minute taker for discussions, so a neutral party is keeping the records, no overriding a nay-sayer.

      • #3059143

        No they are not they not

        by tony hopkinson ·

        In reply to Great points … in retrospect

        It’s aresult of commercial concerns overiding technical one. Now seeing as business is and should be in control, IT is a service to business after all, that is OK. But it’s not a free lunch, every time you make a design decision to go left that makes it much more expensive to go right. If the decision to go left was a business one, that only exacerbates the problem.
        How would you explain the decison to write an ordering application that only coped with one order per customer, for instance. What would be the technical justification ?

    • #3059086

      #4) Hacking is Cool

      by molotovmusic ·

      In reply to The Six Dumbest Ideas in Computer Security

      “Wouldn’t it be more sensible to learn how to design security systems that are hack-proof than to learn how to identify security systems that are dumb?” I agree with the ideas presented but, if you don’t know how to hack it how can you hack proof it? I’m talking real hacks not script kiddie stuff. I’m not saying hacking is cool I’m saying you may lose a million dollars waiting for a patch, not to mention your job. Sometimes a change of heart is a tough lesson.

      • #3059046

        well, yes . . .

        by apotheon ·

        In reply to #4) Hacking is Cool

        If you know how to hack your system, you can make it better. What he’s referring to is specific security cracking techniques, and he is unfortunately not well enough acquainted with what the hell he’s talking about to realize he’s using the wrong terms. This seems to be the major failure of this article: because the author doesn’t know the correct terms for what he’s talking about, he’s not entirely clear in his writing.

        Security cracking techniques are based on an understanding of currently valid system vulnerabilities. Learning these vulnerabilities might be somewhat valuable in teaching you how to recognize poor security design in general, and perhaps figure out what to do differently, but for the most part it’s an area of knowledge that is of limited value. More important is understanding principles of good, solid system design based on the sort of concepts he has brought up.

        As such, learning the tricks of the trade of security crackers is essentially useless for someone looking to secure a system for the long haul, and only helps you to secure a system for the short term instead. Learning to plan a system properly in the first place is what he’s advocating which, ironically, requires the aptitudes and attitudes of a real hacker, in the classic sense of the term, and not of script kiddies and other security crackers that seem to enjoy being misidentified as “hackers” now.

        I guess you could say that hacking is cool, but “hacking” is not.

      • #3058900

        All of the status quo is dumb now..

        by praetorpal ·

        In reply to #4) Hacking is Cool

        Pretty well all systems are dumb. A hack-proof system is by its own label/definition hack-proof. You can not convert an imperfect system into a hack-proof system by hacking it; you can only eliminate the bug of the day. That is one of the points of this article.

        This article describes incredible data breaches in so-called secure networks, which demonstrates an incomplete understanding of what security is really supposed to be:

        So You Think Your Data Is Secure?

        http://www.computerworld.com/securitytopics/security/story/0,10801,103869,00.html

    • #3059240

      It still won’t work for all networks

      by randy ·

      In reply to The Six Dumbest Ideas in Computer Security

      I really liked the article and I agree with it as it applies to corporate networks. I work for an ISP and while we do use some of the techniques described in the article, we can’t block everything and just allow the good. There are to many people that want the info that allows the bad. They don’t care if they get virus’. Besides they bring their machines to me to clean every 3 to 6 months.

    • #3070027

      Pain Points

      by adminisaurusrex ·

      In reply to The Six Dumbest Ideas in Computer Security

      The company I work for just started tracking InfoSec pain points. We talked to about 250 Security end users and got vendor and product ratings, and some other good tools. The research is free, so contact me at 212-672-0013 or adamady@theinfopro.net

    • #3060529

      6 dumbest ideas…

      by cburgess ·

      In reply to The Six Dumbest Ideas in Computer Security

      …are the authors.

      Well, his concept of focusing on only allowing permitted apps to run is well put, but is not the total answer to security.

      The reality is that no network is hacker proof…period. There are too many flaws in the apps, in the os, and in the CPU instruction sets.

      Real elite hackers don’t pay much attention to vulnerability notices…they already know about them. Elite hackers don’t publish their exploits…only script kiddy n00bs go for that lame stuff.

      How do you patch for a invalid CPU instruction that when passed through a CPU causes it to crash? The faulty code is in the silicon. No cpu as of yet has error code handling implemented. The cpu has a finite number of instructions in its set, and all other permutations are invalid and can cause the cpu to do some weird stuff.

    • #3119325

      Can’t Enumerate Goodness Either …

      by mdpetrel ·

      In reply to The Six Dumbest Ideas in Computer Security

      There are hundreds of ‘cool’ or ‘fun’ apps that a family WILL install in a given year, AND that they will update / patch / and ‘enhance’ w/ dozens of add-ons. This is over a 1000. And since newer versions of these come out annually, we well over several tens of thousands of “good” apps, too. Effort wise, it is better for a family to pay $30 USD for up to date virus definitions…

      A business may have less than a 1000 processes to keep track of; but that is not true of average families.

      • #3119233

        broken by design

        by apotheon ·

        In reply to Can’t Enumerate Goodness Either …

        That’s a failure of the Windows application model. A simple interactive front end on iptables (there are several available) can be used for an adaptive system for designing just such an “enumerated goodness” security model (for instance).

    • #3026506

      To Block or Not?

      by kellybriefworld ·

      In reply to The Six Dumbest Ideas in Computer Security

      I?m a consultant working with Palo Alto Networks; they have an excellent whitepaper on the subject of blocking social networking apps that you may have to worry about, ?To Block or Not. Is that the question?? here: http://bit.ly/d2NZRp. It has lots of insightful and useful information about identifying and controlling Enterprise 2.0 apps (Facebook, Twitter, Skype, etc.) Let me know what you think.
      kelly@briefworld.com

Viewing 33 reply threads