Security for the Paranoid

Posted by timothy on Wed Apr 27, 2005 01:12 PM
from the middle-firewall-is-spying-on-you dept.
Stephenmg writes "In Security for the Paranoid, Mark Burnett talks about his computer security methods after other Security professionals say he is too Paranoid. 'Paranoia is the key to success in the security world. Is it time to worry when other security professionals consider you too paranoid? I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards.' I don't see anything wrong with his methods."
  • Burnett (Score:5, Funny)

    by Anonymous Coward on Wednesday April 27 2005, @01:13PM (#12361792)

    Mark Burnett talks about his computer security methods...

    "Outwit, outplay, and outlast those pesky script-kiddies."

  • by xmas2003 (739875) * on Wednesday April 27 2005, @01:14PM (#12361796) Homepage
    While being paranoid is arguably good (although Mark may be a bit extreme compared to most), I did wonder a bit about one comment near the end of the article which was: "And I install hotfixes the day Microsoft releases them" which seems to put an awful lot of trust in Microsoft (or any other vendor for that matter) not to release a patch that has problems.
  • paranoid? (Score:5, Funny)

    by Anonymous Coward on Wednesday April 27 2005, @01:15PM (#12361809)
    get with it man, you're not important, nobody wants your porn
  • The only truly secure computer is one which is switched off and disconnected from the network.

    And smashed with a sledgehammer.

    And set on fire, to the temperature of 600F, which should be sufficient to destroy the magnetic bits in the hard drive.

    And then nuke it from orbit, it's the only way to be sure.
    • by Anonymous Coward on Wednesday April 27 2005, @01:23PM (#12361923)
      "The only truly secure computer is one which is ... disconnected from the network."

      That's why I recommend Comcast for all your security needs!
  • by winkydink (650484) * <sv.dude@gmail.com> on Wednesday April 27 2005, @01:15PM (#12361816) Homepage Journal
    And this guy is set up very secure.

    Is he mentally ill? Let's just say he doesn't sound like the type of person I'd want to have a beer with.

    In fact, he sounds a lot more like the type of person who has food, water & weapons buried in the woods for the coming Apocalypse.
    • by ClickNMix (218488) on Wednesday April 27 2005, @01:21PM (#12361895) Homepage
      In fact, he sounds a lot more like the type of person who has food, water & weapons buried in the woods for the coming Apocalypse.

      But if you did have a beer with him, come the Apocalypse, maybe he'd let you have some of his food and water.
    • by John Seminal (698722) on Wednesday April 27 2005, @01:33PM (#12362078) Journal
      And this guy is set up very secure.

      Is he mentally ill? Let's just say he doesn't sound like the type of person I'd want to have a beer with.

      In fact, he sounds a lot more like the type of person who has food, water & weapons buried in the woods for the coming Apocalypse.

      In any population, you will have a percentage of people who are very altruistic, they will sacrifice for everyone else. And you have some people who are so paranoid they will always hide and run. This is required for a species to continue.

      For example, say you have birds. Say that 5 out of 100 birds will signal when a predator comes in range. Chances are greater those birds will be eaten, since it is making itself more known to the predator. Now in that same 100 birds, say you have 5 that always hide, run, and are very paranoid. They have the greatest chance of continuing the species line.

      If we all get soft, and say nuclear war does break out, in any form, the guy who has a chamber 50 feet under the ground with a room filled with water and food, and another room with oxygen tanks, he might be what's left to start the gene pool over again.

      Instead of criticizing him as mentally ill, maybe you can add some of your distinct expertise and help build a better shelter. One where 2 people can hold out longer, maybe making some filtration system for well water, adding lights with the correct wavelength to let plants grow underground and make natural oxygen. Then you will both survive, and your altruistic genes will get passed on too.

  • by empty drum (876694) on Wednesday April 27 2005, @01:16PM (#12361818) Homepage Journal
    Paranoia's a good starting point for the IT Security beginner, but well-informed abject fear is the mark of a seasoned professional.
  • smart cards? (Score:5, Interesting)

    by VolciMaster (821873) on Wednesday April 27 2005, @01:16PM (#12361826) Homepage
    for a home network? Paranoia is understandable, but smart cards on a home network? and 14 character passwords inside your house. OK, on the outside, that makes some sense. But what kind of secrets do you have internally that you need that level of paranoia. If the entire network is open to the outside world, that's a different matter, but what could possibly be so important that your kids need 14 character passwords to protect it inside your home?
    • by Anonymous Coward on Wednesday April 27 2005, @01:29PM (#12362029)
      kids need 14 character passwords to protect it inside your home?

      Their passwords are probably things like:

      my_dad_is_an_asshole!
      hereismy14characterpasswordyounutjob

  • Not quite right (Score:5, Interesting)

    by norfolkboy (235999) * on Wednesday April 27 2005, @01:16PM (#12361832) Homepage
    Well, I can see the guy's reasons.

    However, information security has to be appropriate to the data you wish to protect.

    A system that annoys users by making it hard to access the information (long passwords changed weekly for example) will just leave you with a static store of information.

    The information will never be *USED*. There will be no point in having it.

    Use security appropriate to your data. He IS paranoid, and - offtopic: sounds a bit of a nob.

    I know for sure if I was one of his kids, I wouldn't WANT to connect to his network!
  • ..., No one else, not even my wife, knows my network password....,

    ... is about the only part of his screed that could make sense to me. Not because one should not divulge a password to one's wife, but because keeping passwords entirely private is good policy. Almost everything else about his life strikes me as goofy. If you read any of the "hacker" books, hacking and gaining access to people's stuff isn't about cracking passwords, it's about social engineering and dishonest behavior, most of which the author's behaviors won't prevent. But, if it makes him feel better.... (I wouldn't want to live on his network.)

    I worked at a large company and called the administrator of their unix mainframe and complained that /usr/bin and /bin both didn't even have execute privilege so I couldn't even see what commands existed. The administrator dressed me down and explained they did that for security reasons so people couldn't hack in. He went on to tell me about the giant breach on that system from outside hackers and hence, the very tight "security". I gently reminded him the "breach" actually occurred with those very same directory permissions.... and they didn't prevent the hack. Sigh...

  • by mattmentecky (799199) on Wednesday April 27 2005, @01:18PM (#12361852)
    Does it seem kind of stupid, especially for the 'security paranoid', to announce to the public that you use "at least 14 character passwords"? Seems to me you just set a lower bound and cut out 13^128 possibilities for a cracker :-p
  • paranoid my ass (Score:5, Interesting)

    by wardk (3037) on Wednesday April 27 2005, @01:19PM (#12361863) Journal
    mark me troll if you must. but I see this as a legitimate question....

    if he's so damn paranoid, what the hell is he using windows for?

  • by Uhh_Duh (125375) on Wednesday April 27 2005, @01:21PM (#12361890) Homepage

    Being paranoid is fine -- but it's only 1% of the battle -- and it makes no sense to run around closing up every possible hole you find.

    A security expert is supposed to identify ALL of the possible ways in which the organization may experience a negative impact as a result of poor security (both logical and physical). His job, brace yourselves kids, is not to close all of the holes!! Rather, his role is centered around determining the cost/benefit of taking care of each specific issue. If there's a 0.5% risk of a particular security hole costing a large organization only $1,000 in damages and cleanup, and closing that hole will cost $5,000 in man-hours and hardware, it's pretty clear what the correct choice is. On the other hand, the risk may be low, and the cost may be low, so you just do it. Or the risk may be high, and the cost high, so you STILL do it... you get the idea.

    Being paranoid is fine -- it will help you identify security problems that others may or may not see. However, what to DO about the holes you find is where the real work begins.

    I can't imagine a cost-benefit scenario that justifies issuing smart-cards to family members on a home network. This guy has officially achieved 'retard' status.
  • by nebaz (453974) * on Wednesday April 27 2005, @01:21PM (#12361898)
    The guy uses 5 passwords for his laptop, and I am sure that is fine for him.

    Security for the sake of security, for example, can sometimes backfire.

    For example, a company I used to work for had this policy that you had to change your password every 30 days, have at least 1 special character, one capital, one number, etc.

    This was on an intranet, and most people hated this feature.

    Most people ended up using a system like
    Jul@1996 for their password. Mon

    Kind of defeats the whole purpose of security.

    I tend to think one should use security proportional to sensitivity on certain matters, knowing that nothing is perfectly secure.

    But enforcing 'security' for the sake of security, especially random, and unsupported 'security' can make the average user resentful, and the process much less secure.
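
Added example, not part of the thread or any commenter's post: a Python audit check for the pattern described in the comment above, where a password such as Jul@1996 satisfies the composition rule yet is only a month and a year. The word list, regular expression, function names and sample passwords are constructed for illustration.

```python
import re

# Assumed word list: English month names, abbreviations and seasons.
WORDS = ("january february march april may june july august september "
         "october november december jan feb mar apr jun jul aug sep oct "
         "nov dec spring summer autumn fall winter").split()

# <word><optional separator><2- or 4-digit year><optional trailing symbols>
DATE_WORD = re.compile(
    r"^(?:" + "|".join(sorted(WORDS, key=len, reverse=True)) + r")"
    r"[^a-z0-9]?(?:(?:19|20)\d{2}|\d{2})[^a-z0-9]*$",
    re.IGNORECASE,
)


def meets_complexity(pw, min_len=8):
    """Composition rule from the comment: capital, number, special character."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def is_rotation_pattern(pw):
    """True when the whole password is a date word plus a year."""
    return DATE_WORD.match(pw) is not None


def audit(candidates):
    """Return (password, passes_policy, predictable) for each candidate."""
    return [(pw, meets_complexity(pw), is_rotation_pattern(pw))
            for pw in candidates]


# Constructed samples; only Jul@1996 appears in the thread.
SAMPLES = ["Jul@1996", "Summer2005!", "march_05", "t7#Vq9rLw2"]

if __name__ == "__main__":
    for pw, ok, predictable in audit(SAMPLES):
        print(f"{pw:14} policy={'pass' if ok else 'fail'} "
              f"predictable={'yes' if predictable else 'no'}")
```

Run at password-change time, a check like this rejects the month-and-year choices that a 30-day rotation rule pushes users toward, which the composition rule alone accepts.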
  • by Deep Fried Geekboy (807607) on Wednesday April 27 2005, @01:26PM (#12361971)
    It takes five passwords to boot up my laptop and check my e-mail. One of those passwords is over 50 characters long.
    You know, the only thing worse than having this guy run your IT would be actually *being* him.
  • Oh Yeah? (Score:5, Funny)

    by macthulhu (603399) on Wednesday April 27 2005, @01:27PM (#12361984)
    Let's see if this guy's kung fu can survive a few rounds against international superhacker "bitchchecker". Just have him email his IP address to bitchchecker@madskillz.com... (Please allow for a lengthy response time, as bitchchecker is probably busy rebooting his machine for the 75th time today.)
  • by GPLDAN (732269) on Wednesday April 27 2005, @01:27PM (#12361995)
    Seriously. I would fear the guy doesn't even begin to fathom risk analysis. He just breeds paranoia. Guys like that break budgets wide open and spend lots of money they shouldn't on lots of stuff they don't need. He's like Mel Gibson in Conspiracy. Three firewalls? I hope they are open source cause Checkpoint licenses are expensive.

    You start breaking down security principles and over doing it, and you just look stupid. Other security professionals are telling him he's paranoid, but that's just being nice. What they are THINKING, is that the guy is incompetent. And doesn't understand productivity versus security tradeoffs. Somebody needs to have him go read Schneier on an island somewhere. Unpucker.
  • by sfjoe (470510) on Wednesday April 27 2005, @01:31PM (#12362060)
    ...require my kids to use at least 14 character passwords on our home network

    What do you want to bet I can find the passwords written on a post-it under the keyboard?
    A security policy that doesn't take usability into account is worse than no security policy at all.