Antivirus Inventor Says Security Pros Are Wasting Time

talkinsecurity writes "Earlier this week Peter Tippett, chief scientist at the ICSA and the inventor of the progam that became Norton Antivirus, had some interesting things to say about the state of the security industry. In a nutshell, Tippett warned that about a third of the work that security departments do today is a waste of time. Tippett goes on to systematically blow holes in a lot of security's current best practices, including vulnerability research/patching, strong passwords, and the product evaluation process. 'If a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000," he said. "But what did you really gain by implementing them? He only needed one."' Some of his arguments are definitely debatable, but there is a lot of truth to what he's saying as well."

PBKAC

[DigitalisAkujin (846133)]

Software / Hardware security is not too difficult to achieve. If an admin is truly competent they will have no problem getting their lab workstations up and running cleanly and bug free with pretty solid security.

The issue is usually the idiot that becomes the victim of a well done social hack.

As usual, the company is only as strong as it's weakest link.

Re:PBKAC

[GiovanniZero (1006365)]

Agreed, the problem is usually the user. I recently got an email from someone that CCd everyone and when I told him in the future to BCC us he said "oh its ok, I trust everyone on the list not to spam us" I replied "that's great but do you trust them all to keep their machine's clean and free from spyware?"

Re:PBKAC

[somersault (912633)]

100% security is never possible unless you don't want to give anyone access, ever.

Re:PBKAC

[techpawn (969834)]

100% security is never possible unless you don't want to give anyone access, ever.

DBA: We got the server running the best it ever has
Boss: Great! How'd you pull it off?
DBA: Well, we replaced all queries with 'Select * from tblQuery' which only has 1 row and 1 Column. Then stopped letting people call the queries!
Boss: You're fired...

Re:PBKAC

[provigilman (1044114)]

Yeah, the only way to 100% secure a PC is to disconnect it from the network, take out the power supply and then lock in a bank vault. Anything short of that, and it's still vulnerable. It might be the user getting up to use the washroom without locking his station, or it might be some 11 script kiddie...but it doesn't matter. As long as there's power running to it and/or it's hooked to a network, it's vulnerable. Security is just about mitigating the risk.

Re:PBKAC

[somersault (912633)]

I think it would be better if nobody had the key, and the closet resided in the centre of a distant sun. Even then it's not 100% - that sun is gonna die if a few billion years..

Re:

[Bloodoflethe (1058166)]

It's called an analogy. It was a pretty good one too. He's basically asking why spend tons of cash for a negligible improvement in security. There's no such thing as an unbreakable system. That's why people use detection tools in conjunction with their security measures - if you can't stop em, find out who they are and prosecute them. But even that can be sidestepped with sufficient resources and intelligence on the part of the hacker. I mean, this guy was the inventor of one of the more prominent (and

Re:

[Brian Gordon (987471)]

That's not what he was saying.

It isn't very likely, but it's possible.

He's opposing closing security holes that are obscure.. but by his own points, you only need ONE security hole. If you don't close the obscure ones it doesn't do you any good.

Actually

[DaedalusHKX (660194)]

Actually, he seems to be more clear thought than you.

He's saying "aim for as much security as you can get" not "aim for 100% impregnable", there is no such thing. Even Open BSD isn't impregnable, despite their claims. Nothing is impregnable to a determined and resourceful attacker.

He is correct in saying, "rather than bunkering up, strive to be indigestible to AS many potential predators and parasites as you can"... i.e. he is admitting the one fact of the universe... "there is an exception to every rule, just because you haven't found it, doesn't mean it doesn't exist somewhere else, in some form.

The arrow through the roof, for those with the intellectual openness to understand the metaphor is an unlikely incident, but if it does happen, what then. Peter is using that concept, to teach those willing to learn/understand, that for a car to be 100% impregnable, it would have to be arrow, bullet, cannon, nuclear weapon, weather and everything proof, including driver and other driver error proof, road proof, etc. However, the COSTS involved, and the final results are out of reach of even the rich, would make for a rather heavy, expensive and CLUMSY vehicle, and judging by risk, the benefits would far outweigh the costs. Its like flu shots. I travel, talk, do meetings, etc. I get sick very rarely, yet I see so many immediately taking "flu vaccines" out of fear that the flu will kill them. I've never had a relative who either died of the flu or had complications. Neither have I known anyone in my personal life who had these complications, and I have associates who have lived in first, second as well as third world scenarios.

Thus, in similar vein, driver training gives better results than building the bullet proof car. Don't surf porn with internet explorer is FAR better advice than installing the latest antispyware, and "don't accept email except in plaintext format" is far better advice than trying to balance a proper load of antivirus (which the user might not allow to update, or might become broken, etc). There have been plenty of virus samples that hijacked the latest Symantec and McAfee antivirus, why? Because they tried to be everything to everyone, and when you over extend your coverage, you end up leaving holes in your defenses.

Properly trained users is like having the original Citizen Militia, not truly powerful, but if properly trained in guerilla warfare and survival, and properly equipped, they can make ANY invading army's life, VERY difficult, to the point where the invading country finds the "host" or "prey" country to be "indigestible."

Nothing is unassailable, but plenty of plants are poisonous to their consumers, so as to make it a known thing that they are indigestible. The one size fits all solution, from antivirus, to security departments, to everything else, is STILL the same age old problem. No risk can be reduced to 0%. But it can be minimized and compensated for. This is what Peter talks about.

Its disappointing, I expected that those frequenting this board would've had the ability to apply metaphors in design. Good book for all to read. The Art of War. Get it bundled with The Prince. Good way to learn how to think.

Re:Actually

[XanC (644172)]

the one fact of the universe... "there is an exception to every rule"

Except that one, of course. ...whoa

Re:PBKAC

[boristdog (133725)]

Social Hacking is the main weakness of any system. And most of the time you don't even have to "hack" if you are perceived as "computer literate"

Who here hasn't had people tell them: "Can you help me with my computer? Here's my password..."

Re:PBKAC

[eln (21727)]

I scrupulously avoid knowing anyone's password. If they try to give it to me, I attempt to stop them from doing so before they can. Basically, if someone gives you their password, and something later happens to their account, you automatically become a suspect. If someone does give me their password, I'll often have them change it right then, as in I'll bring up the change password dialog of whatever program it is, and then turn my back while they type in a new password. That way, not only do I not know their password, but they know that I don't know it, and hopefully they get a better sense that passwords shouldn't be shared.

Of course, then I see the same person with their password on a Post-It on their monitor, and all hope of them ever learning the lesson is dashed.

Re:PBKAC

[somersault (912633)]

Same. Everyone seems to think I know their password already but I try to tell them that I don't even *need* their password. Also a lot of users don't seem to get the whole 'network' thing and think that you need the normal user's username and password to be able to access a computer. And sometimes when people leave the company then others still use the account of the person that has left without letting me know, so when I remove the account I get questions on why they can't access the account anymore. *sigh* Thankfully they are learning, slowly, but I find it so hard to get into the mindset of those users that I'm never going to be able to anticipate all the moronic things they're likely to do..

Re:PBKAC

[by Anonymous Coward]

Of course, then I see the same person with their password on a Post-It on their monitor, and all hope of them ever learning the lesson is dashed.

I wouldn't need to keep my password on a Post-It note if you IT guys didn't make me change it every two weeks!

Re:

[Speare (84249)]

I scrupulously avoid knowing anyone's password. If they try to give it to me, I attempt to stop them from doing so before they can.

What's interesting is that very little kids are having to be trained in this philosophy as well. Kids and daycare staff sometimes use a password in case there's an unforeseen pickup snafu. Now toy codes and login information (like WebKinz) can have big consequences if they're leaked. I felt good when my daughter tried to explain your point to her friend-- she didn't want to know her friend's login.

Re:PBKAC

[rickb928 (945187)]

"If an admin is truly competent they will have no problem getting their lab workstations up and running cleanly and bug free with pretty solid security"

That's not the goal. Security's goal is to get PRODUCTION workstations up and running cleanly and bug free with pretty solid security.

The lab is easy. Let a few users have those machines for a week, visiting the casino sites, clicking on the latest e-greeting, and bringing the USB drive from home with those oh-so-important documents they were working on last night, right after their kids updated all the myspace pages.

Security is, indeed, fairly easy save for two variables. Users and attackers. As an analogy, you can put any sort of locks, grates, fences, alarms, dogs, and flaming trenches around your house. If the kids let in the cable guy without seeing some ID, none of it matters. If all the crook wanted was to steal your mailbox, you'll have to weigh the advantages of fencing it in vs. having mail delivered, or hardening it into a 1/4" plate steel box on a 4x6 I-beam, mounted into a 500-pound footing. Or just replace the damned mailbox when the kiddies bash it with a baseball bat driving by.

Oh, and the plate-steel mailbox? In rural Maine, those are a laugh a minute. Sometimes you see splinters on it, shards of a Louisville Slugger in the ditch, and a brief note in the local fishwrap about some kid at the ER with a broken wrist. Priceless. If only we could do the same thing to the script kiddies...

chicken egg?

[El_Muerte_TDS (592157)]

If a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network

Why would the hacker need to guess one password from a list of password hashes when he already broke in and was able to elevate his rights to read the password hashes file? He might was well add his own password entry.

Re:

[somersault (912633)]

Can't everyone read the password hashes file? On Linux at least. You aren't protecting the file, you're protecting the keys that were used to generate the hashes in the file. Biiiiig difference between read and write access to a password file.

Re:chicken egg?

[swillden (191260)]

From my password file:

alex@ephesus ~ $ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
[...]

That "x" after the first colon indicates that the password is stored elsewhere --- in /etc/shadow, which is not world-readable:

alex@ephesus ~ $ ll /etc/shadow
-rw-r----- 1 root shadow 896 2008-02-03 21:18 /etc/shadow

So what does the corresponding entry in the shadow file look like?

Re:

[DaleGlass (1068434)]

Sure, you can see mine if you want:

root:!:13916:0:99999:7:::

If you manage to crack that, try it at 127.249.17.156

Re:chicken egg?

[Penguinisto (415985)]

He might was well add his own password entry.

True, but the idea is that if he's working from a SAM or shadow file written to pilfered backup tape, or got the password DB by use of a whole host of tools designed to suck out a Windows AD SAM from a server to your laptop over, say, a wifi network connection made in the parking lot or somesuch... e.g. you have the hash file, but don't have a clue as to what it contains. A lot of tools are designed to exploit holes in Windows' Active directory to get a copy of the SAM without all the bother of logging in (most required physical access to the box and a reboot, but IIRC there were some that didn't, depending on the exploit used).

In the corporate espionage type break-ins, it makes more sense to not poke around too much and break stuff as you go, but instead concentrate on finding the means by which you can return to the network with your presence all dressed up as a legit user or three. This way, you have relatively more time and leisure with which to poke around in. If you add your own account (modify a file) and give it privs, you're liable to get someone's attention (self-audits, internal file integrity sweeps such as AFICK provides, etc...). If you merely copy a file, there's less of a potential fuss.

The tangents and possibilities can go on and on, mostly because security and breaking-in can become less of a science, and more of an art form. :)

/P (who sees bits and pieces of it from time to time)

A sane voice is heard...

[Jennifer York (1021509)]

I've had enough of the Security Vendors and their rhetoric. I'm constantly bombarded with requests to attend sales presentations on the latest intrusion detection pizza box appliance, or spam firewall thingy, etc. The value of these products are only so that the execs can point to their "security initiatives" and "best practices" when a breach of security is discovered. If they look like they've made an effort to curtail the risk, then they still get their big bonus.

Corporate mouthpiece

[Space cowboy (13680)]

So, at first I wondered why an anti-virus man was basically blowing huge holes in the usefulness of his industry by coming out with quotable nonsense, for example:

But if a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network, Tippett notes. "In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000,"

No. If you mandate long passwords on the server, there are no short passwords. That's sort of the point.

But then, I read on in the article (yeah, I know, it's /., but what the hell), past the flawed car analogy and it became clear - he's making nonsense statements at the start to try and hide his introduction of the meme that an anti-virus program that doesn't really work is still a "really good thing"(TM).

Now, don't get me wrong, *any* protection is obviously better than none, but this is basically a surrender - instead of selling the common (wrong, but common) "I have an up-to-date anti-virus package, I am protected" perception, they're now moving towards "Hey, we did the best we could; all those *old* virus's/virii(+) are *definitely not getting through". Woo Hoo.

So perhaps I'm being overly cynical, but it seems to me like a corporate piece with quotable sound-bites (so it gets wide distribution) that tries to deliver the message "hey, we suck, but keep on buying our software", in a more acceptable-to-the-people manner...

Simon

(+) And with this, I hope to equally annoy the grammar and spelling nazis out there. [insert random deity] those people piss me off.

Re:Corporate mouthpiece

[by Anonymous Coward]

I can fully understand your cynicism, I share a lot of it. However, Peter Tippett does not work for Norton any more. He works for Verizon Business in their Risk Intelligence, and he has spent the past several years doing actual research on risk on an Enterprise level.

Maybe he's wrong, but he isn't trying to sell you any software.

Ben

Not only that.

[khasim (1285)]

But he's confusing ATTACKING a specific company with INFECTING various machines.

They are not the same. The defenses are not the same. There may be overlap (a workstation at a company gets infected and sends out spam vs a workstation at a company gets cracked and is used to crack other boxes at that company) but that is all.

All in all, he's 100% backwards on his comments. Just what you'd expect from someone trying to push a specific product from a specific company.

Double Eentendres

[CowTipperGore (1081903)]

Peter Tippett thinks it's time for security professionals to wake up and stop wasting their energy. In a presentation here yesterday, Tippett -- who is vice president of risk intelligence for Verizon Business, chief scientist at ICSA Labs, and the inventor of the program that became Norton Antivirus...

Peter Tippett invented the computer condom? You just know that his resume also lists a job somewhere in penetration testing.

That efficient?

[Rampantbaboon (946107)]

About 3/4 of the work done by the average corporate department is useless. Congrats on the efficency, security people.

1/3 +

[globaljustin (574257)]

Tippett is right on with this, and I'd venture we could go further. Think of how much money is wasted on redundant security and the people to operate it, now add to that all the time and productivity wasted b/c rank and file employees have to navigate under such redundant incumberments.

I honestly feel like 9/11 and it's aftermath has *something* to do with how several sectors of our country are tripping over themselves to implement unnecessary, bloated, counterproductive measures in the name of 'security'.

Existence is insecurity. The only way for something to be 100% secure is for it not to exist.

having a lock on my door

[circletimessquare (444983)]

is stupid because somebody can just kick in a window

except it isn't stupid. if someone is determined enough, they will break into my house, no doubt. most of the security features on my house are meant to deter those with a casual interest

same with all of the efforts that tippett pokes holes in. well yeah, duh: every single security effort in the world is surmountable. what's the value in pointing that out? none

that someone can get over your security measures with effort is not an argument against the lowest level of security. the lowest level security practices always has value: against casual transgressions

Re:

[phliar (87116)]

The biggest effect these lowest level ineffective gratuitous "security" measures have is to annoy everyone and make lots of money for the security companies. Good security is a matter of quality, not quantity.

Let me give you an example: I work downtown in a building of 10 floors, surrounded by buildings of around 50 floors. There are only offices in this building, all very boring and white collar. We already have card-readers on the doors on each floor. You also have to swipe your card in the elevator or

Defense In Depth

[ThaNooch (1186931)]

No one is trying to create an Iron Curtain. Security departments (most of them hopefully) are taking numerous measures to prevent breaches. Including access controls preventing one compromised computer from getting all the marbles via role-based or well-configured discretionary access controls, appropriate traffic filtering and intrusion detection techs.

Risk management is the specific practice of minimizing the greatest risks (what will do the most harm and will be the most likely to happen). And for the most part everyone realizes that no risk can be completely eliminated, so we mitigate them as best we can and rely on fundamentally sound access controls et. al. to limit the effect of any breach and hopefully know about and plan for unforeseen circumstances by planning for certain categories of attacks.

Hopefully I'm right, because if I'm not... I'm scared.

my root password is

[FudRucker (866063)]

a small poem (haiku style), it is difficult to type correctly because of intentional typos and a few numbers substituting for letters, i even get it wrong myself about 1/3 of the time even though i know it by heart...

Valid points from article

[whitehatlurker (867714)]

1) Not all "vulnerabilities" are dangerous. Yes, there are a lot of junk security warnings out there. Part of the security officers' duty is to separate the chaff from the kernels.

2) You're only as secure as your weakest password. We knew that.

3) This guy shouldn't talk about seatbelts.

Dirty Little Secrets

[dschuetz (10924)]

Sort of reminds me of Bruce Potter's "8 Dirty Little Secrets of Information Security." The premise of that talk was pretty much that anti-virus, firewalls, IDS, etc., were all just band-aids that masked the real problem: We write (and buy) crappy products. He even showed an extensive quote regarding current threats and the inadequacy of counter-measures, and after everyone in the audience had finished nodding their heads, revealed it was from 1972.

We've been fighting the same problem, in the same way, for 35 years. It's time we regrouped and found a better way to attack it.

Here [dc414.org] is a copy of the DefCon version of the speech (I think he's given it a few different places, so there are subtly different versions out there). I'm sure the video is floating out there somewhere, too (though I couldn't find it on YouTube). He's fun to watch. :)

Re:Dirty Little Secrets

[Aladrin (926209)]

You say 'crappy product' and I say 'so complicated there's no chance of eliminating all bugs.' (A ton of people just decided that I'm a Microsoft fanboy, and they're all wrong.) It doesn't matter what operating system you use, by its very nature, it is too complicated to completely remove all bugs in any meaningful timeframe. Nobody tries to say Windows, OS X or Linux are bug-free. Instead they talk about how fast bugs are patched after they are found and reported.

Of course they're bandaids on the real problem. So are cars, if you must have another car analogy:

The problem with distance is that it takes so long to travel it. Cars are a bandaid on the distance problem. We've been fighting that problem for a lot longer than 35 years. It's time we regrouped and found a better way to attack it.

The reason antivirus/etc exists is that we have never found a better solution. It's just that simple. I'm all for thinking and planning, but it's no magic. If we all put our heads together right now and work on -nothing- else, we might never find a solution. There's no guarantee that there -is- a better solution.

The problem is management

[SCHecklerX (229973)]

What Tippett is saying is already well known by security professionals (at least the ones who know what they are doing...risk analysis is part of the CISSP exam, is it not?). The problem is that despite this, we are forced to do expensive and less useful (useful at all?) stuff by management because they are the "decider". Companies that actually have a CISO with competent staff have a decent chance at doing it right, but in my experience, many companies don't, so you end up deploying stuff just because management likes to deploy new 'security systems' rather than actually address the security posture of the company.

Re:What did I gain?

[moderatorrater (1095745)]

That's not the point. The point is that instead of making everyone have long passwords, you could take that same time and effort and train them about security risks that are more likely to happen, like them getting an email with an attachment, or using a browser other than IE. The chances of an attacker getting the password file are lower than the chances of a user doing something that will infect their computer because the user hasn't been taught correctly, so why focus on the passwords?

Re:

[Seth Kriticos (1227934)]

..security risks that are more likely to happen, like them getting an email with an attachment, or using a browser other than IE.

Um, I must have misunderstood you.. just thought, you want to say, that the IE is a secure browser..

Re:What did I gain?

[raddan (519638)]

Long passwords are trivial to enforce. In Active Directory, for instance, you simply set a policy. Done. Sure, whining users-- get used to it. It's your job to make sure the company has the resources it needs, and if they go down, it's your head on the chopping block.

The more common scenario that he does not mention is that people who are trying to gain access are trying to brute force a login through a network protocol. NOT running something like rainbowcrack on your password hashes. If they've gotten to that point your passwords are essentially worthless already.

BUT this is where defense-in-depth comes in. Security is NOT A PRODUCT. It is a mindset. So if your user accounts aren't all administrators and someone finally manages to brute force a network login, at the worst, that person now can do as much damage as one employee. You do have access controls on your employees, right? Not to mention, most "secure" network protocols nowadays make brute-forcing much harder. SSH, for instance, will timeout the connection after X failed login attempts. They now have to work a lot longer. The login prompt in Windows does the same thing.

So you apply this thinking to everything. Stop using a VPN. Make only the services you want available through your firewall. Do egress filtering. Use a DMZ. Prevent LAN clients from talking to any hosts other than the gateway and servers. When I started, my company originally used VPN to check email on an Exchange server. BAD! Passwords were usually the same as the username. Someone could trivially walk in and have access to the entire WAN. I pointed this out to them and got "But we're using a VPN. Checkpoint says it's secure!" If you have Exchange, take advantage of RPC-over-HTTPS, and then proxy that! There are lots of things you can do. As this guy points out, none of them are perfect, but you never know-- one of those little things might save your ass.

Re:What did I gain?

[Beyond_GoodandEvil (769135)]

BUT this is where defense-in-depth comes in. Security is NOT A PRODUCT. It is a mindset.
Actually, it's a cost item that gets in the way of the money making work. That is how most people view it.

Re:

[c_woolley (905087)]

I think people are missing the point of a very single and important statement the OP made. He said that all he needs is to get 1 password to compromise thousands. Much of security depends on a weak product...People. How many times in a movie have you seen those security guards watching a perimeter with those eagle-eyes of theirs, and spotting someone immediately. Well, usually in real life, after a few weeks on the job, those eagle-eyed guards turn into the other type of guards you see in movies...the o

Re:What did I gain?

[moderatorrater (1095745)]

Bruce Schneier wrote about the long password requirement and how it can backfire because users can't remember them. My dad keeps his passwords in a text file on his desktop because his job requires them to change it every month, have letters and number and be different from the last 6 passwords. While that's good in theory, it's counterproductive because he doesn't (and can't) keep the passwords safe. Besides, as seen by myspace and phishers, the strength of the password is rarely the weakest link, it's the security skills of the people. In 90% of the cases, strict passwords are completely useless because they're not the weakest link, other parts of the system and the users are.

"Attack trees" by Bruce Schneier

[khasim (1285)]

http://www.schneier.com/paper-attacktrees-ddj-ft.html [schneier.com]

Bruce also wrote about "attack trees". Having long passwords ONLY helps if the attacker has unlimited access to crack them. A simple WordNumberWord combination can give you enough security as long as each login attempt is noted and tracked.

If there is a 15 minute delay between every 3 attempts to login, and a HUMAN reviews the logs every work day, your online security should be sufficient.

You only need the 1024bit security when the attacker can download the file and crack it at his leisure. But then, the failure is that you did not prevent the attacker from downloading that file.

There will ALWAYS be some risk. What's to stop the attacker from kidnapping your CEO's daughter and demanding that he let the attackers use his laptop to access your databases? The key is REDUCING the threat. If 99.99% of the attackers out there are not skilled enough or motivated enough to get through your security, are you "secure"?

Re:What did I gain?

[tenton (181778)]

And also to recognize that no system is perfect--there will always be the cantankerous guy who is inexplicably "invaluable" to the company who thinks that "fereng1" is an uncrackable password, for instance--and to take steps more along the lines of risk mitigation than risk removal.

Crap. I'd better go and change my password.

Re:What did I gain?

[torkus (1133985)]

What's more secure?

12 digit change-montly lower+upper+number+ symbol passwords written on sticky notes (or similar) for 75% of users and freely shared due to complete lack of security training

or

6 character passwords that only prohibit patters and the username from being used changed every 6 months that people know not to write down or share?

Re:

[profplump (309017)]

That depends on where you expect the attacker to be -- it's hard to read sticky notes on my monitor from across the Internet.

And it's hardly fair to assume that complex passwords are more likely to be shared than simple passwords. Sharing passwords is a separate behavior entirely. Not to mention the complex passwords are harder to share for the same reasons they are harder to remember.

How about a password generation algorithm that works like this: select two or more short dictionary words, append or prepend

Re:

[AmaDaden (794446)]

a lot of what we put in to place is useless once they're in, but that doesn't mean to weaken our defenses.

Tippett warned that about a third of the work that security departments do today is a waste of time.

He didn't say stop doing these things he is saying work smarter not harder. Taking the time to educate people about what is safe is far more effective then using that same time to deal with the constant password problems you would have with a high security password policy.

Re:What did I gain?

[idontgno (624372)]

"It is hard for the users it's going to at least be that much harder for the hacker"?

Up to a point of diminished returns, at which point it's impossible* for the legitimate user, so they cheat and defeat the whole scheme. (Witness the archetypal "I can't remember this stupid password" sticky-note-under-the-keyboard situation.)

(*"Impossible" is dependent on the user's level of apathy, forgetfulness, or hostility to the security regime.)

But if you have strong armor around you, you look like a less appealing target as to try to find the one weak scale under your wing.

That presumes an equal level of interest and intent between the "soft" target and the hardened one. If the hard target contains the more valuable goodies, well, that's just "crunchy on the outside, tender and tasty on the inside."

Also, for some in the cracking community, an apparently-hard target is an personal challenge to their 1334 hax0r skills, and quite appealing.

People are more likely to jump on an open WAN then try to break into a hidden one with at least WEP.

Again, assuming the values of the targets behind the protection schemes are equal. If all you want is free wireless, then one WAP is as good as another. If you want that WAP for a particular reason, you'll target it no matter what its apparent hardness. Every security scheme is fallible; the real value is measured in terms of effectiveness versus the value of what's protected.

It sounds more like a lot of what we put in to place is useless once they're in, but that doesn't mean to weaken our defenses.

I suspect the author is arguing that we should strengthen our defenses by implementing effective measures (non-self-defeating, like the too-complicated password example above; or "security theater" measures that sound tough and look effective but can be easily defeated by ignoring their fundamental premise, like complete isolation from the outside except for trusted partners, but then trusting those partners unreservedly--if they get pwn'd so do you)

Re:Car Analogies

[Farmer Tim (530755)]

That story has more car analogies than an average /. thread.

Or to put it another way, if car analogies were like cars on a highway...

Re:

[Christianson (1036710)]

I think his point might be this: when you enforce strong password policies, you reduce exposure but you do not prevent someone gaining access to your systems. They only have to be lucky once. Strong password policies make it harder for them to be lucky, but not impossible. What do you gain with a strong password policy? You make it much more difficult for someone to use a dictionary attack. Aren't there other ways to protect against that?

What do you lose with a strong password policy? Good user hab