
The Security Illusion

By Shanghai Sam
What is this continued idea of "unbeatable" security in systems here at TechRepublic? I read posts that suggest trunking or frequency hopping for wireless, higher rates of encryption, more complex passwords, or "such and such program" (even Pitbull, where root means nothing...) or *blank* brand hardware, etc., which are all excellent measures, but not absolutely secure by any means.

Basically, every time a reward (usually small, like $10,000) is offered by a smug manufacturer, these are broken too.

Do we somehow need the illusion of strong parental figures or other authority that is safe or what drives this?

Basically, as long as there are humans interfacing with the machines, we will never achieve the ideal of security. Even Kevin Mitnick got most of his breaches through phone calls. "Hi, I'm so and so and I need the password to fix your boss's computer......" even physical access in the case of: "Hi, I'm here to repair......"

I just can't believe that people buy into the fact that technology can somehow secure them when, if you pull 5 desk drawers open to look for some white-out, you'll have all the passwords you need to get access. In a tech department, even root is all too often common.
Basically, it's us humans who make things insecure. We can only remember so many things anyway and are far outmatched in memory and computation ability.

It is of interest to note that the Germans once thought they had an unbreakable technology, and it contributed heavily to their downfall to believe this. Today, acquisition of systems and reverse engineering of hardware and software is much like the Enigma story.


"Why I wrote the above..."

by admin In reply to The Security Illusion

or: "How to stop worrying and accept that at Tech Republic your real name is: User Deleted."

The above post (by me) was prompted by a phone call I got yesterday from a non-techie friend who was pretty proud of pirating internet access on his laptop. How did he do it? A disgruntled employee of the motel next door to his apartment building gave him a modem card. Some poor out-of-towner is probably getting charged for taking it, I would guess. I suggested he return it, but really, how will he get caught?
Next time we look at security, maybe we should talk about the real limitation and admit it probably won't be fixed anytime soon.


You have to start somewhere

by generalist In reply to "Why I wrote the above... ...

I would be the first to agree that security is somewhat of an illusion. Claims of bulletproof security products tend to be somewhat limited when you consider all of the possible methods of going around things.

Still, when dealing with security, you have to start somewhere. And a multi-tiered approach, with layers of security, is much stronger than a 'solid' one-layer shield.

And when you get down to it, setting up 'traps' and other spoofing techniques could also be useful. Imagine getting 'crackers' to attack a well fortified site that has nothing substantial in it. Also imagine such a site being well patrolled by groups like the FBI and various security specialists.

And if a group got particularly nasty, they could fight back and attack the 'crackers'. It wouldn't be legal, but who would complain as long as the target is a standalone 'cracker'. (Would a mugger call the police about being mugged while committing a mugging?)

Unfortunately, none of the above completely addresses the weakest link in the security chain. Even if you train users to do all the right things security wise, new users are always coming into the system.

And even if passwords and such are replaced by Bio-ID techniques, those could be spoofed. Or you could threaten a person to get them to sign in for you...


I'm not denying that more security....

by admin In reply to You have to start somewhe ...

is better. And certainly "honeypots" are a good way to observe and plan if you are being attacked. I just can't believe how many posts here claim to have discovered or purchased equipment or programs that are invulnerable. This is dangerous and misleading to those who need to make decisions about what data should be where - especially the non-technical. It's also pretty naive to think that there will be unified international law anytime soon regarding this. Some countries' heroes are our nemeses in this arena.
Recent case in point: all the Chinese attacks on IIS boxes. What is the FBI going to REALLY accomplish here?
Now we just have a bunch of scapegoats in IT departments ("so and so didn't apply the patch when it came out 2 weeks ago") and otherwise the illusion remains. The only thing that I can figure out is that sales and marketing are incredibly more successful than most technical people's synapses these days....
I REALLY hope that's not true..


Levels of expertise

by generalist In reply to I'm not denying that more ...

I'd say that the sales types are getting through to those technical people who aren't skeptics when it comes to product promises.

I also suspect that some of the sales types are getting to higher level executives who don't keep track of what IT is doing. These executives want to take IT down a notch so they listen to the sales types and make demands to install the latest and greatest security fixes. (The same types are also the ones with their passwords on their monitors.)

Perhaps IT should be proactive in pointing out weaknesses in so-called 'bulletproof' fixes, attaching TechRepublic articles to copies of the e-mails that recommended the fixes. That, or the IT department should inform upper management that computer security is a battle that may never end and might be lost at times, despite the best you can do.

As an example of this last, if you're the very first group to be hit by a unique virus using a different attack technique, how can antiviral software protect you?


Los Alamos from Below

by epepke In reply to "Why I wrote the above... ...

Richard Feynman, who worked in Los Alamos on the Manhattan Project, described this very well. He was concerned about security on the project and found that the locked filing cabinets and safes were very easy to open. He did this a lot in an attempt to alert management to the issue. Management reacted by viewing him as the threat to security.

As a technophile who was trained as a scientist, I have empathy with Feynman's idealism. However, I can still recognize its naivete.

What is security for? The security on the Manhattan project did not prevent the secrets from being regularly stolen. Many historians think that it did delay the project by about a year.

We see this going on now. Wozzname at the FBI. The scandal a few years back when people behind the fence at Lawrence Livermore were running cocaine. That hard drive that went missing a couple of years ago.


A fool and his corporate assets....

by cpu-uk In reply to "Why I wrote the above... ...

I work in security for a global telco, and I have to implement security every day that is both safe and commercially acceptable to our customers.

Although security can never be 100%, I do think that some companies do make it too easy for it to be broken.

The 'discussion' I am having at present is with one of our financial customers. Their requirement is simple: they want 200x dial-up accounts for their people. Whoa, let me re-phrase that: what they actually want is 1x password account for 200 users. Why do they want this? Well, because that way everyone only has to remember the one account, thus making an easy life for all. Is my customer interested in an audit trail? No, that is seen as being unnecessary, and it's just something they would have to manage. Mind you, an audit trail for an account used by 200 people wouldn't be of much use anyway.

I give it a month (tops) before their account appears in an alt.2600, and then the fun really starts.
