Security for the Paranoid

Posted by timothy
from the middle-firewall-is-spying-on-you dept.
Stephenmg writes "In Security for the Paranoid, Mark Burnett talks about his computer security methods after other security professionals say he is too paranoid. 'Paranoia is the key to success in the security world. Is it time to worry when other security professionals consider you too paranoid? I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards.' I don't see anything wrong with his methods."

  • Burnett (Score:5, Funny)

    by Anonymous Coward on Wednesday April 27, 2005 @02:13PM (#12361792)

    Mark Burnett talks about his computer security methods...

    "Outwit, outplay, and outlast those pesky script-kiddies."

  • by xmas2003 (739875) * on Wednesday April 27, 2005 @02:14PM (#12361796) Homepage
    While being paranoid is arguably good (although Mark may be a bit extreme compared to most), I did wonder a bit about one comment near the end of the article which was: "And I install hotfixes the day Microsoft releases them" which seems to put an awful lot of trust in Microsoft (or any other vendor for that matter) not to release a patch that has problems.
  • paranoid? (Score:5, Funny)

    by Anonymous Coward on Wednesday April 27, 2005 @02:15PM (#12361809)
    get with it man, you're not important, nobody wants your porn
    • get with it man, you're not important, nobody wants your porn

      If it is homemade, they want it. It will end up on Kazaa. Then when some kid at the local library is trying to download it, and the school catches him, and the principal sees your wife. Man, that would suck! And all the parents wanted to do was save the experience on DVD for their own private use. Now the whole town can see them in their most private moment.

  • by stefanlasiewski (63134) * <slashdot@@@stefanco...com> on Wednesday April 27, 2005 @02:15PM (#12361811) Homepage Journal
    The only truly secure computer is one which is switched off and disconnected from the network.

    And smashed with a sledgehammer.

    And set on fire, to the temperature of 600F, which should be sufficient to destroy the magnetic bits in the hard drive.

    And then nuke it from orbit, it's the only way to be sure.
    • by Anonymous Coward on Wednesday April 27, 2005 @02:23PM (#12361923)
      "The only truly secure computer is one which is ... disconnected from the network."

      That's why I recommend Comcast for all your security needs!
    • Don't say those things! There was once a "stupid boss" story on Shark Tank [computerworld.com] about a guy who heard the "only truly secure computer" adage, and interpreted it literally. He had a server room built with no network connections. When his underlings asked him to explain how they were supposed to connect the servers to the network without cabling, he told them they were well paid to figure that out for themselves.

      If anybody comes near my desk with a blowtorch, I'm blaming you!


    • Nuke it from orbit you say?

      Isn't it more likely that a space alien can recover information from a nuked, burned, smashed and disconnected computer than a human?

      I'd keep that computer on planet earth thank you very much.
  • by winkydink (650484) * <sv.dude@gmail.com> on Wednesday April 27, 2005 @02:15PM (#12361816) Homepage Journal
    And this guy is set up very secure.

    Is he mentally ill? Let's just say he doesn't sound like the type of person I'd want to have a beer with.

    In fact, he sounds a lot more like the type of person who has food, water & weapons buried in the woods for the coming Apocalypse.
    • by ClickNMix (218488) on Wednesday April 27, 2005 @02:21PM (#12361895) Homepage
      In fact, he sounds a lot more like the type of person who has food, water & weapons buried in the woods for the coming Apocalypse.

      But if you did have a beer with him, come the Apocalypse, maybe he'd let you have some of his food and water.
    • Also someone with a very good memory, given that awful lot of fast-changing passwords.
    • My redneck uncles did that for Y2K and they have probably never used a computer. I wonder what they are doing with all those 50 Gallon Drums of dried beans & rice. Who would want to live on beans and rice for 5 years anyway? Maybe if you had some Louisiana Hot Sauce.
    • by John Seminal (698722) on Wednesday April 27, 2005 @02:33PM (#12362078) Journal
      And this guy is set up very secure.

      Is he mentally ill? Let's just say he doesn't sound like the type of person I'd want to have a beer with.

      In fact, he sounds a lot more like the type of person who has food, water & weapons buried in the woods for the coming Apocalypse.

      In any population, you will have a percentage of people who are very altruistic, they will sacrifice for everyone else. And you have some people who are so paranoid they will always hide and run. This is required for a species to continue.

      For example, say you have birds. Say that 5 out of 100 birds will signal when a predator comes in range. Chances are greater those birds will be eaten, since it is making itself more known to the predator. Now in that same 100 birds, say you have 5 that always hide, run, and are very paranoid. They have the greatest chance of continuing the species line.

      If we all get soft, and say nuclear war does break out, in any form, the guy who has a chamber 50 feet under the ground with a room filled with water and food, and another room with oxygen tanks, he might be what's left to start the gene pool over again.

      Instead of criticizing him as mentally ill, maybe you can add some of your distinct expertise and help build a better shelter. One where 2 people can hold out longer, maybe making some filtration system for well water, adding lights with the correct wavelength to let plants grow underground and make natural oxygen. Then you will both survive, and your altruistic genes will get passed on too.

      • by Hoi Polloi (522990) on Wednesday April 27, 2005 @02:51PM (#12362299) Journal
        "They have the greatest chance of continuing the species line."

        Not necessarily. A paranoid creature might be too fearful to ever hunt and/or forage properly and would constantly be weakened and vulnerable to disease. Their lack of social contact would also exclude them from the safety in numbers and support of the group also lowering their chances.

        A healthy sense of risk doesn't necessarily make you altruistic or "soft" as you snidely put it, just reasonable. Judging from how strong the urge to socialize is in primates (including us of course) after millions of years of evolution I'd say that paranoia is not a strong predictor for survival.
      • You forgot the greedy birds which signal predator when there's no predator in order to get at the food first. People do it too -- just look at Bush/Cheney signaling Iraq with WMDs just so Halliburton can eat well...
      • No.

        First off, Mr. Bomb shelter isn't going to be continuing any sort of species without a mate.

        Paranoids are lousy lovers.

    • by swb (14022) on Wednesday April 27, 2005 @02:43PM (#12362204)
      You won't be able to get to them in time. Besides, we know the threat is closer than that. Some of us even know that the apocalypse isn't coming, it's here already.

      Look what happens in every zombie movie; you think you have an opportunity to drive even 25 miles and dig up your S&W 1006 and your M4? You're zombie food.

      You need your sidearm ON YOU, and your rifle at arm's length. You need 2k rounds for your sidearm and 5k rounds for your rifle on hand ALL the time, along with supplies to crank out another 10k rounds if necessary.

      More shit buried in the woods is a great idea, too, but don't leave yourself unarmed.
    • Pre Y2k, my Dad and I were discussing the Generators on sale at Costco. He asked if I was going to buy one.

      I said 'Nah. If the power is out on Jan 1, I'll step out on the front porch and listen. Three generators will start up within earshot,followed soon thereafter by three gunshots, then those generators will start up in different locations of the sub-division.'
    • No, the equation should be:

      kSC = 1

      where S is security, C is convenience, and k is a parameter which represents the security-godhood of your sysadmin (e.g. Bruce Schneier would be in the 0.9+ range, your average MIS grunt being ~0).
    • Is he mentally ill?
      Well, I thought that he was over-careful until I got to this part of the article:

      I don't do it because I think someone is going to go through my trash to reassemble bits of my research notes.

      He may well be correct, but, given he is an "independent researcher, consultant, and writer specializing in Windows security", I have my doubts that someone would want to make the effort of reassembling his shredded notes.

    • In fact, he sounds a lot more like the type of person who has food, water & weapons buried in the woods for the coming Apocalypse.

      A poor choice of location. In the event that the shockwave from a nuclear blast hits the area (assuming you're still far enough from the epicenter to avoid the radiation) all of the trees in the forest will be burned and/or knocked down, covering your cache.
      As long as we're being paranoid here, let's at least plan accordingly. When it comes to the apocalypse, concrete is you

    • I would argue that inconvenient security is not secure. People will find ways around it, sometimes in the worst possible way from a security standpoint.

      Good security should be relatively unintrusive. E.g., your security badge includes a java button, you need it and your password to log on. (I'm not sure if jbuttons are wireless, but if not substitute some smart device that is.) Once you're logged in a kerberos TGT is written to your badge. You can then access most secured functions because they quietl
  • by empty drum (876694) on Wednesday April 27, 2005 @02:16PM (#12361818) Homepage Journal
    Paranoia's a good starting point for the IT Security beginner, but well-informed abject fear is the mark of a seasoned professional.
    • Paranoia's a good starting point for the IT Security beginner, but well-informed abject fear is the mark of a seasoned professional

      Apart from that I'd say less jargon and fewer catchy phrases, and more useful and practical information for the end user.

  • smart cards? (Score:5, Interesting)

    by VolciMaster (821873) on Wednesday April 27, 2005 @02:16PM (#12361826) Homepage
    for a home network? Paranoia is understandable, but smart cards on a home network? and 14 character passwords inside your house. OK, on the outside, that makes some sense. But what kind of secrets do you have internally that you need that level of paranoia? If the entire network is open to the outside world, that's a different matter, but what could possibly be so important that your kids need 14 character passwords to protect it inside your home?
    • I think he is trying to train his kids to use "good security practices" as he sees them.

      Then the real world will not be a surprise for them.
    • for a home network? Paranoia is understandable, but smart cards on a home network? and 14 character passwords inside your house. OK, on the outside, that makes some sense. But what kind of secrets do you have internally that you need that level of paranoia? If the entire network is open to the outside world, that's a different matter, but what could possibly be so important that your kids need 14 character passwords to protect it inside your home?

      His whole point is that it doesn't matter whether he has anything
    • by Anonymous Coward on Wednesday April 27, 2005 @02:29PM (#12362029)
      kids need 14 character passwords to protect it inside your home?

      Their passwords are probably things like:

      my_dad_is_an_asshole!
      hereismy14characterpasswordyounutjob

  • Not quite right (Score:5, Interesting)

    by norfolkboy (235999) * on Wednesday April 27, 2005 @02:16PM (#12361832)
    Well, I can see the guys reasons.

    However, information security has to be appropriate to the data you wish to protect.

    A system that annoys users by making it hard to access the information (long passwords changed weekly for example) will just leave you with a static store of information.

    The information will never be *USED*. There will be no point in having it.

    Use security appropriate to your data. He IS paranoid, and - offtopic: sounds a bit of a nob.

    I know for sure if I was one of his kids, I wouldn't WANT to connect to his network!
  • Training is... (Score:2, Insightful)

    by zappepcs (820751)
    Training is the best security measure that can be taken; training users to not do stupid things, to use secure passwords, to not share information they shouldn't.

    If you start your kids off learning to use computers securely, with good self protection habits, then the likelihood that they will become victims of identity theft or other phishing is greatly reduced.

    When it comes to security, there is no such thing as paranoid... they really are out to get your password, your ID, your SSN and everything else
  • by yagu (721525) * <yayagu.gmail@com> on Wednesday April 27, 2005 @02:17PM (#12361838) Journal
    ..., No one else, not even my wife, knows my network password....,

    ... is about the only part of his screed that could make sense to me. Not because one should not divulge a password to one's wife, but because keeping passwords entirely private is good policy. Almost everything else about his life strikes me as goofy. If you read any of the "hacker" books, hacking and gaining access to people's stuff isn't about cracking passwords, it's about social engineering and dishonest behavior, most of which the author's behaviors won't prevent. But, if it makes him feel better.... (I wouldn't want to live on his network.)

    I worked at a large company and called the administrator of their unix mainframe and complained that /usr/bin and /bin both didn't even have execute privilege so I couldn't even see what commands existed. The administrator dressed me down and explained they did that for security reasons so people couldn't hack in. He went on to tell me about the giant breach on that system from outside hackers and hence, the very tight "security". I gently reminded him the "breach" actually occurred with those very same directory permissions.... and they didn't prevent the hack. Sigh...

    • A good friend of mine, CCIE, network genius type, had his home network locked down tight. He did all the right things, kept his passwords to himself, not even sharing them with his wife. Then he died. Getting back into that thing was a chore. Make sure you address disaster recovery, especially if you ARE the disaster.
    • Most of my internet traffic goes through at least three firewalls. Is that too paranoid?

      One router, and one software firewall constitutes two firewalls. If he wanted his home office network to be separated by his family's computers, having a third firewall makes sense.

      After all, if his kids inadvertently get a virus, why let it spread on the network? (depending on the virus, of course)

      Sometimes I have a "Password Day" where I change every password I own on the same day, just in case someone might ha

    • ..., No one else, not even my wife, knows my network password...., ... is about the only part of his screed that could make sense to me.

      If your partner wants to hurt you badly enough, your password isn't going to stop her/him. Most partners know enough about the other person that they could have them arrested. Good thing is it works both ways.
  • Smart cards (Score:2, Interesting)

    by alecks (473298)
    Speaking of smart cards, anyone know how to obtain a simple smart card home solution? All resources I've found are for large enterprise distributions... I'm only looking for 2 or 3 smart cards..
  • by mattmentecky (799199) on Wednesday April 27, 2005 @02:18PM (#12361852)
    Does it seem kind of stupid, especially for the 'security paranoid', to announce to the public that you use "at least 14 character passwords"? Seems to me you just set a lower bound and cut out 13^128 possibilities for a cracker :-p
  • paranoid my ass (Score:5, Interesting)

    by wardk (3037) on Wednesday April 27, 2005 @02:19PM (#12361863) Journal
    mark me troll if you must. but I see this as a legitimate question....

    if he's so damn paranoid, what the hell is he using windows for?

  • too paranoid (Score:3, Interesting)

    by MetalliQaZ (539913) on Wednesday April 27, 2005 @02:20PM (#12361877)
    I think you can be too paranoid. I seem to remember a story a while ago about security measures that were overly invasive. Require 14 character password with non-alpha characters, and get your users putting their passwords on their monitors with post-it notes.

    It's true, you never seem to realize your folly until it's too late and your data is gone, but in my case, my home network isn't so important to me that I think it's worth so much security that it interferes with my enjoyment or productivity.

    Usually my stance is that I let the foil-hat wearing security gurus have their toys, but I continue to look for the solution that is "good enough" and that conforms to MY wishes, not theirs.

    -d
  • where to start... (Score:2, Insightful)

    by a_greer2005 (863926)
    If you were in a place where security was ABSOLUTELY KEY, you would be on the right track, but at HOME??????

    I can't see a need for this level of security on a home network, where the only thing an attacker would want to do is zombi-ize your windows boxes. strong passwords are good, firewalls are good, wifi mac address lock down is good, but smartcards? why not require a hair sample.

    Also, if you are that paranoid, you better put in a shark-filled moat, because a physical attack still leaves you vulnerable, a

  • Usability (Score:3, Insightful)

    by caerwyn (38056) on Wednesday April 27, 2005 @02:20PM (#12361881)
    I'm sorry, I really thought my computer was supposed to be usable.

    5 passwords to boot and check email on the laptop? What in the world are they *for*? BIOS, system login, email login, maybe one for decrypting if you're receiving encrypted emails all the time. What else?

    Security is a balance. Very few security measures only make things more difficult for an attacker- most of them make life more difficult for the person taking them as well. It *is* useful to analyze the threat in any situation, because it helps you make an informed judgement as to how secure something needs to be made, balancing risk versus usability.

    Not checking luggage when you fly? What, are you worried about someone snooping through your underwear? Oh, sure, don't put anything important in there if you're worried about that, but really... this truly is on the paranoid side of things.
  • by Uhh_Duh (125375) on Wednesday April 27, 2005 @02:21PM (#12361890) Homepage

    Being paranoid is fine -- but it's only 1% of the battle -- and it makes no sense to run around closing up every possible hole you find.

    A security expert is supposed to identify ALL of the possible ways in which the organization may experience a negative impact as a result of poor security (both logical and physical). His job, brace yourselves kids, is not to close all of the holes!! Rather, his role is centered around determining the cost/benefit of taking care of each specific issue. If there's a 0.5% risk of a particular security hole costing a large organization only $1,000 in damages and cleanup, and closing that hole will cost $5,000 in man-hours and hardware, it's pretty clear what the correct choice is. On the other hand, the risk may be low, and the cost may be low, so you just do it. Or the risk may be high, and the cost high, so you STILL do it... you get the idea.

    Being paranoid is fine -- it will help you identify security problems that others may or may not see. However, what to DO about the holes you find is where the real work begins.

    I can't imagine a cost-benefit scenario that justifies issuing smart-cards to family members on a home network. This guy has officially achieved 'retard' status.
    • by TiggertheMad (556308) on Wednesday April 27, 2005 @02:55PM (#12362362) Homepage Journal
      The word paranoid is the important point. He is being stupid, because a casual hacker looks for easy targets. To stop them you only have to secure your system well enough that it isn't easy to get into, so they move on, as the internet is a big place.

      The only reason you would do all the silly crap that he has done, is because someone is out to get YOU, and is only after you. They are determined to get into your system, any way they can. Now, if your system is the Strategic Missile Command computers, then I could see why someone might really want to get in. However, this guy is a nobody. He isn't rich, he isn't influential, and he isn't powerful. Nobody is out to get him, so yes, he is paranoid.

      I always thought that paranoids were the absolute height of egomania, since you have to think pretty highly of yourself to think that you're worth the effort.
      • I always thought that paranoids were the absolute height of egomania, since you have to think pretty highly of yourself to think that you're worth the effort.

        Yeah, conspiracy and paranoia are oddly appealing. It's so much nicer to believe that the governments, corporations, and secret networks are out to get you than to believe that nobody really gives a shit whether you live or die, and that your failures are either the result of an unordered universe, or worse, your own damn fault.

  • by nebaz (453974) * on Wednesday April 27, 2005 @02:21PM (#12361898)
    The guy uses 5 passwords for his laptop, and I am sure that is fine for him.

    Security for the sake of security, for example, can sometimes backfire.

    For example, a company I used to work for had this policy that you had to change your password every 30 days, have at least 1 special character, one capital, one number, etc.

    This was on an intranet, and most people hated this feature.

    Most people ended up using a system like
    Jul@1996 for their password. Mon

    Kind of defeats the whole purpose of security.

    I tend to think one should use security proportional to sensitivity on certain matters, knowing that nothing is perfectly secure.

    But enforcing 'security' for the sake of security, especially random, and unsupported 'security' can make the average user resentful, and the process much less secure.
    • I worked for a place where the customer service people typically used more than 30 (I am not making this up) different systems. And the passwords and rules were amazing, different, obtuse, and really fscked up. The claim was this provided maximum security. My experience out on the "floor" when visiting these clients (we did software for them) was either:
      • spiral bound notebooks with matrices for the systems and passwords for easy access.
      • yellow stickies on the sides of monitors with systems and passwords.
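The 30-day rotation failure nebaz describes, with users settling on "Jul@1996"-style passwords that satisfy every complexity rule, can be caught mechanically. The block below is an added example, not code from the article or from any commenter: a naive complexity check of the kind described, beside one that also rejects the predictable shapes people fall back on under forced rotation (month/year stamps, a word plus a counter, keyboard walks, padding by repetition) and a new password that is just the old one with its digits bumped. The pattern list, the 8-character minimum and the sample passwords in the comments are assumptions chosen for illustration.

```python
"""Added example, not code from the article or from any commenter: a 'complexity'
check of the kind the comment above describes, next to a check that also rejects
the predictable shapes people reach for under a forced 30-day rotation. The
pattern list and the 8-character minimum are assumptions chosen for illustration."""
import re
from typing import Optional

MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# A month (or quarter) followed by a plausible year: Jul@1996, Q1-2005!
MONTH_YEAR = re.compile(r"(?:" + "|".join(MONTHS) + r"|q[1-4])[^a-z0-9]*(?:19|20)\d\d")
# A word and a short counter the user bumps at each rotation: Summer07, Welcome1!
WORD_COUNTER = re.compile(r"[a-z]{4,}[^a-z0-9]?\d{1,2}[^a-z0-9]?")


def meets_naive_policy(pw: str) -> bool:
    """Length plus one upper, one digit, one special: 'Jul@1996' passes this."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def predictable_shape(pw: str) -> Optional[str]:
    """Name the first predictable pattern found in pw, or None if none matches."""
    low = pw.lower()
    alnum = re.sub(r"[^a-z0-9]", "", low)
    if MONTH_YEAR.search(low):
        return "month-year"
    for row in KEYBOARD_ROWS:            # four or more adjacent keys, either direction
        for i in range(len(row) - 3):
            run = row[i:i + 4]
            if run in alnum or run[::-1] in alnum:
                return "keyboard-walk"   # Qwerty12!, 1234abcd
    if re.search(r"(.)\1{3,}", low) or re.search(r"(..)\1{2,}", low):
        return "repetition"              # aaaa..., abababab
    if WORD_COUNTER.fullmatch(low):
        return "word-counter"
    return None


def trivial_rotation(old: str, new: str) -> bool:
    """True when the new password is the old one with only its leading or trailing
    digits/punctuation changed (Summer07 -> Summer08, Tr0ub4dor&3 -> Tr0ub4dor&4)."""
    def stem(s: str) -> str:
        return re.sub(r"^[^a-z]+|[^a-z]+$", "", s.lower())
    return stem(old) != "" and stem(old) == stem(new)


def meets_hardened_policy(pw: str, previous: Optional[str] = None) -> bool:
    """The naive rule set plus the pattern check and, if a previous password is
    supplied, the rotation check."""
    if not meets_naive_policy(pw):
        return False
    if predictable_shape(pw) is not None:
        return False
    if previous is not None and trivial_rotation(previous, pw):
        return False
    return True


if __name__ == "__main__":
    for candidate in ("Jul@1996", "Qwerty12!", "Summer07", "Tr0ub4dor&3"):
        print(f"{candidate:14s} naive={meets_naive_policy(candidate)!s:5s} "
              f"pattern={predictable_shape(candidate)} "
              f"hardened={meets_hardened_policy(candidate)}")
```

The point is the second check, not the first: a rule that only counts character classes accepts exactly the passwords the post-it and notebook anecdotes in this thread are about, and a rotation rule without a pattern check just teaches users to increment a counter.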
  • Paranoia is the key to success in the security world

    I'll admit it too, I am a bit paranoid and depressed. I try and keep my system secure. I keep everything behind a router with NAT. I have a software firewall. I keep tough passwords. But I still get attacks. If only someone would pay me for the time I spend securing my system. If only someone would pay me for all the frustration. It is not fun.

    I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them

  • From the article:
    It takes five passwords to boot up my laptop and check my e-mail.

    One of those passwords is over 50 characters long.
    The first day he wakes up with some memory loss is going to be rough! Password-protecting your laptop is not only a good idea, but essential. But this is just a little over the top. -- Paul
  • by MrAnnoyanceToYou (654053) <dylanNO@SPAMdylanbrams.com> on Wednesday April 27, 2005 @02:23PM (#12361921) Homepage Journal
    This is an interesting article, but brings up one little thing for me about security - when you go this far out, you make yourself a target. The first thing I thought at the end of the article was, "man, I'd love to show this guy." And I didn't think along the same lines he did. I thought small focused high-speed cameras placed under the neighbors' eaves, I thought replacing his keyboard with a snooped replica... Again, social engineering and hitting someone where they are not looking seems to be the key to any cracking, not technical powerhousing. And pronouncing to the world that you use three firewalls is just asking for trouble.

    I'm not a cracker, I'm not even much of a hacker, but I'm naturally sneaky bastich. (TM) And as real sneaky bastiches know, you don't ever stand in someone's face and tell them you're going to beat the crap out of them, you wait until they turn around.

    I try to be a nice guy despite my tendencies, but still... This kind of article reminds me of the French and their lines.
  • What about the (theoretical) guy who says Mark doesn't go far enough?

    "Hah, you have a 50 character password? Well, all of my passwords are at least 64 characters, and it has to be a sufficiently random distribution of numbers, letters, capitalization, and non-alphanumeric characters or the system automatically rejects it. And every password is issued from a one-time-pad so even if it's intercepted, nobody can do anything. All my computers are encased in bulletproof plexiglass with motion alarms activate

  • How do his kids remember their passwords, especially since I assume they are random and are changed weekly? I assume they don't write them down. Why doesn't he just give his kids limited accounts and let them have easy passwords, that way even if they are broken into they can't do much damage.
  • He may be paranoid, but his methodology is sound. Always be prepared is a good motto to follow. People think it's weird that I always drive with both my hands on 2 and 10 (I don't have airbags), but it's saved me once, and once is enough. I also drive with my headlights on.

    Basically, preparing for the worst is a good thing to do, because when it comes, you won't have to scramble to deal with it.

    -Jesse
    • "I also drive with my headlights on."
      Thus making it tough for people to see if someone is behind you. Knowing who is behind other vehicles is critical to safe driving.

      "...but it's saved me once, and once is enough. "
      how do you know not having them at 2 and 10 you wouldn't have been saved?

  • by Deep Fried Geekboy (807607) on Wednesday April 27, 2005 @02:26PM (#12361971)
    It takes five passwords to boot up my laptop and check my e-mail. One of those passwords is over 50 characters long.
    You know, the only thing worse than having this guy run your IT would be actually *being* him.
  • I'd like to use more and larger passwords on different accounts, and probably change them more often, but honestly, my head is too small to hold all of those passwords. In this day and age, do you _realize_ how many different logons I have?

    What's a good console based password program to keep these different passwords? This way I should be able to get to them through SSH if I need to. Or, is doing this defeating the whole reason for having multiple passwords?

    --Lance
  • Oh Yeah? (Score:5, Funny)

    by macthulhu (603399) on Wednesday April 27, 2005 @02:27PM (#12361984)
    Let's see if this guy's kung fu can survive a few rounds against international superhacker "bitchchecker". Just have him email his IP address to bitchchecker@madskillz.com... (Please allow for a lengthy response time, as bitchchecker is probably busy rebooting his machine for the 75th time today.)
  • by GPLDAN (732269) on Wednesday April 27, 2005 @02:27PM (#12361995)
    Seriously. I would fear the guy doesn't even begin to fathom risk analysis. He just breeds paranoia. Guys like that break budgets wide open and spend lots of money they shouldn't on lots of stuff they don't need. He's like Mel Gibson in Conspiracy. Three firewalls? I hope they are open source cause Checkpoint licenses are expensive.

    You start breaking down security principles and over doing it, and you just look stupid. Other security professionals are telling him he's paranoid, but that's just being nice. What they are THINKING, is that the guy is incompetent. And doesn't understand productivity versus security tradeoffs. Somebody needs to have him go read Schneier on an island somewhere. Unpucker.
    • I actually wonder if the ironic point he's making is that security consultants demand stupidity from corporations that no one would tolerate on a personal level. Consider:

      I try to run my own network the same way I tell my clients to.

      Then he goes on to present a stupid laundry list of excessive security measures that are, by implication, what he's telling his clients to do. It's obvious that, personally, they're ridiculous, so why wouldn't they also be ridiculous in a corporate environment?

  • by sfjoe (470510) on Wednesday April 27, 2005 @02:31PM (#12362060)
    ...require my kids to use at least 14 character passwords on our home network

    What do you want to bet I can find the passwords written on a post-it under the keyboard?
    A security policy that doesn't take usability into account is worse than no security policy at all.

  • If he really was paranoid, there would be a blue dot for his picture, the column would be written by "Joe Noneofyourbusiness", and the font would be ancient Phoenician.
  • Stupidity (Score:3, Insightful)

    by duffbeer703 (177751) on Wednesday April 27, 2005 @02:36PM (#12362113)
    What's the point of all of this nonsense? Really?

    His kids will probably never want to touch a PC after the trauma of memorizing 14 character passwords just to surf the net at home.

    How many systems are actually vulnerable to password cracking anyway? Most ATM machines eat your card if you enter 5 incorrect PINs... most enterprise networks disable accounts if you have multiple incorrect passwords.

    This guy is on the same level as a mall rent-a-cop who always wanted to be a policeman, but can't pass the mental exam. He just gets a rise out of hassling people with arbitrary nonsense.
  • 3 firewalls? (Score:3, Insightful)

    by yagu (721525) <yayagu.gmail@com> on Wednesday April 27, 2005 @02:38PM (#12362135) Journal

    How is THAT more secure??? I once spent half a day tracking down a totally bizarre printing behavior/bug that turned out to be a LAN where machines had multiple firewalls running. Multiple firewalls can be more trouble than one well configured firewall.

  • by count0 (28810) on Wednesday April 27, 2005 @02:40PM (#12362159)
    This guy doesn't get it. Security is much more about people, not about 50 character passwords and redundant firewalls. Social engineering is much more of an issue than triple firewalls.

    14 Character pwds for his kids, on his home network, that isn't connected to the outside (his VMware box is for internet). Yeah, that's useful.

    He reminds me of the guy in town who advertises websites that are backwards compatible to Netscape 1.2 - very shrill, gets some attention, but is really clueless.
  • Waste of time? (Score:4, Insightful)

    by koehn (575405) * on Wednesday April 27, 2005 @02:42PM (#12362182)
    Some people waste their time watching "American Idol." Others waste their time high on drugs, while still others waste their time trying to make the rest of us believe in their deity of choice. Even if the guy is paranoid, it's his time to waste.

    At least he's not wasting his time reading /.
  • What a freaker (Score:3, Interesting)

    by Percy_Blakeney (542178) on Wednesday April 27, 2005 @02:42PM (#12362185) Homepage
    This guy needs to get out more. Some of my favorite parts:

    Most of my internet traffic goes through at least three firewalls. Is that too paranoid?

    Almost definitely, yes.

    Sure, the threat might not be real. No one may ever actually want what you have on your PC. But does that really matter?

    Yes, it does. Welcome to the real world, where you have finite resources and impatient users. If you only have X amount of resources, do you spend them on protecting things that are a target or on things that nobody cares about?

    It's not that I think someone is trying to hack me, but I also don't think someone is not trying to hack me.

    So, can anyone tell me exactly what he's thinking? It seems like he doesn't even know.

    It takes five passwords to boot up my laptop and check my e-mail. One of those passwords is over 50 characters long.

    50 characters long? Why stop there? Why not 128 characters long? Why not memorize your entire public and private keys?

    I think that this fact alone -- that he has a 50-character password -- shows that he's not playing with a full deck of cards.

  • by windowpain (211052) on Wednesday April 27, 2005 @02:46PM (#12362234) Journal
    Even if the password is not case-sensitive, eight characters allows for more than 2.8 trillion passwords using the 26 letters and 10 digits. Many systems time out after three or so attempts. Even if you allow a thousand attempts (an absurdly high number) you'll still be very safe.

    Of course if someone steals a password-protected system he would have an unlimited number of attempts. So make it a nine character password. If the cracker can run one million tries a second he has only a 50% chance of cracking a truly random password in the first 16 years of trying.

    Show your work:

    Number of seconds in a year = ca. 3,153,600

    36^9 = 101,559,956,668,416 / 1,000,000 = 101,559,956

    101,559,956/3,153,600 = 32 years to search entire key space.

    32 / 2 = 16 years to search half of key space.
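    Added example, not part of the comment above: the same key-space arithmetic written as reusable functions, so the figures can be rerun for other alphabets, lengths, guess rates and lockout settings. The guess rates and the lockout policy used in the demo are illustrative assumptions, not numbers from the thread.

```python
"""Brute-force cost arithmetic for uniformly random passwords.

Added example (not from the comment it follows): key-space size, expected
offline crack time, minimum length for a target lifetime, and the much
smaller reach of an online attacker facing a lockout policy. All rates
and policy values are illustrative assumptions.
"""

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # 31,536,000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def years_to_half_keyspace(alphabet_size: int, length: int,
                           guesses_per_second: float) -> float:
    """Years until an offline attacker guessing at a steady rate has covered
    half the key space, i.e. has a 50% chance of having hit a random password."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second / SECONDS_PER_YEAR


def min_length_for_years(alphabet_size: int, guesses_per_second: float,
                         target_years: float) -> int:
    """Smallest length whose 50%-crack time reaches `target_years`."""
    length = 1
    while years_to_half_keyspace(alphabet_size, length, guesses_per_second) < target_years:
        length += 1
    return length


def online_guesses_per_year(max_attempts: int, lock_seconds: float) -> float:
    """Guesses an online attacker gets against one account per year when the
    account locks for `lock_seconds` after `max_attempts` failures and the
    attacker just waits out every lock (no source-based throttling assumed)."""
    return max_attempts * (SECONDS_PER_YEAR / lock_seconds)


def online_keyspace_fraction(alphabet_size: int, length: int,
                             max_attempts: int, lock_seconds: float,
                             years: float) -> float:
    """Fraction of the key space an online attacker can cover in `years`."""
    return (online_guesses_per_year(max_attempts, lock_seconds) * years
            / keyspace(alphabet_size, length))


if __name__ == "__main__":
    # Assumed alphabet: letters plus digits, case-insensitive (36 symbols).
    for rate, label in ((1e6, "1e6 guesses/s (single CPU, slow hash)"),
                        (1e10, "1e10 guesses/s (GPU rig, fast unsalted hash)")):
        print(f"{label}: 9 chars -> {years_to_half_keyspace(36, 9, rate):.3g} years to 50%, "
              f"{min_length_for_years(36, rate, 16)} chars needed for 16 years")
    print("online, 3 tries then a 15-minute lock, one year of trying: "
          f"{online_keyspace_fraction(36, 8, 3, 900, 1):.2e} of the 36^8 key space")
```

    The offline figure is the one that matters once the box has been stolen; the online figure shows why lockout, not length, is what bounds a remote guesser. Swap in the hash rate of the hardware you actually expect and the functions give the lengths directly.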
  • Quality vs quantity (Score:3, Informative)

    by bigmouth_strikes (224629) on Wednesday April 27, 2005 @02:47PM (#12362248) Journal
    This guy doesn't have a clue. He's suffering from the delusion that "quantity has a quality in itself" (Stalin quote).

    3 firewalls ? Why not 6 or 12 ? Or 1, properly configured.

    5 passwords ? Why not 20 ? How is he tracking all his passwords - with "Password days" and all ? I'm betting the farm he isn't memorizing them all. If he is, they're not different enough, not good enough. I'm sure 4 of those 5 can be cracked with readily available cracker kits.

    No, he's all about "a lot of security" as opposed to "good security".
  • by Daedala (819156) on Wednesday April 27, 2005 @02:57PM (#12362388)
    As soon as I read this article, I sent it to many of my friends, because it's funny. It's an elegant, understated, hilarious demonstration of an important point. It starts perfectly reasonably and gets progressively sillier, until by the end it's way over-the-top hyperbole. This essay is a really lovely piece of writing, because at first it suckers you in with its reasonably paranoid stance, and when you realize you've been had -- I guess that's if you realize you've been had -- makes you think about diminishing returns.
  • Pet peeve: (Score:3, Interesting)

    by Kphrak (230261) on Wednesday April 27, 2005 @04:14PM (#12363697) Homepage

    Paranoid admins who like to practice "information denial techniques" on their systems, making them essentially unfixable. The thinking is, "We don't want a hacker to have any information about our network. We don't want him to even know what kind of system he's on if he ever does get in. So we've got to hide as much system stuff as possible."

    We've got quite a few of those here, most of whom have had "security at ANY COST" drilled into them by the higherups. Here are a few gems:

    • One of my managers from a few years back forbade putting manpages on any DMZ systems. Just in case a hacker got in and needed to know how to use a command. Of course, if it's 3AM and we're working on something esoteric in there, we wouldn't have to walk to another system to check the manpages. We keep all the commandline args in our heads. And manpages, as we all know, are secret information -- they're not available on Google. No sir.
    • The other day, someone asked me how we could hide the route info in our outgoing email headers indicating that internal servers (192.168, etc) were sending mail to our mail gateway. Best if no one has any clue what mail servers sent the mail. At least they didn't ask me to spoof all senders to secret@myorg.gov -- I was expecting that, by that point.
    • Our password policy requires a password that has letters, alphanumeric chars, and numbers. Every thirty days, you've got to change your password. OK, that's not so bad. But wait, there's more! It remembers your last three passwords and won't let you use them. Up to a short time ago, if you entered a password wrong three consecutive times, it locked you out of all systems on the network until further notice. The potential DOS is left as an exercise for the reader.
    • A short time ago, one of our admins created a "locked down" DMZ system incorporating the minimum amount of packages he could use. Something went haywire in our network connectivity using an update program, so I tried to do some troubleshooting. Telnet to the remote server on port 80 to see if we could get HTTP connectivity? Nope, telnet (the CLIENT) was gone. How 'bout snoop? Nope, I couldn't watch network packets short of going into the room and plugging in an ethernet tap. I ended up doing the same stuff from another system in the DMZ that had not been locked down in this fashion.

    I'm sure there's another super-paranoid person on this topic who may flame me for this and say I'm a rotten admin for keeping any debugging tools on a system. But a lot of people forget that 50% of security is keeping the bad guys out, and the other 50% is allowing the good guys to do their job without a huge hassle. Sure, having people logging in via telnet, or allowing "password" as a password sucks. But timely patching, keeping an eye on your system services, EDUCATING YOUR USERS, and having a good firewall policy will keep far more trouble out than instituting the Fourth Reich on a production system.
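    Added example, not part of the comment above: a small simulation of the "three wrong passwords locks you out until further notice" policy described in the comment, showing the denial of service it invites. The usernames, passwords, policy values and timings are all constructed for the demo; nothing here is taken from the poster's systems.

```python
"""Account-lockout denial of service (added example, constructed data).

Models a "N wrong passwords locks the account" policy and shows that an
attacker who knows only the usernames can lock every user out, and can
keep them locked out if the lock merely expires on a timer. Users,
passwords, policy values and timings are made up for the demonstration.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 3                 # consecutive failures before locking
    lock_seconds: Optional[float] = None  # None: locked until an admin intervenes


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None  # float('inf') marks an indefinite lock


class AuthService:
    """Minimal password check with a per-account lockout counter."""

    def __init__(self, credentials: Dict[str, str], policy: LockoutPolicy):
        self.credentials = credentials
        self.policy = policy
        self.state = {user: AccountState() for user in credentials}

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'locked', 'bad_password' or 'unknown_user'."""
        if user not in self.credentials:
            # A distinguishable answer lets an attacker enumerate valid usernames,
            # which is exactly the list the lockout attack below needs.
            return "unknown_user"
        st = self.state[user]
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"
            st.failures, st.locked_until = 0, None  # temporary lock has expired
        if password == self.credentials[user]:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.locked_until = (float("inf") if self.policy.lock_seconds is None
                               else now + self.policy.lock_seconds)
        return "bad_password"


def lockout_dos(policy: LockoutPolicy, credentials: Dict[str, str],
                attack_until: float, check_at: float) -> int:
    """Attacker sends `max_failures` wrong passwords to every username at t=0
    and, if locks expire, comes back as each lock lifts until `attack_until`.
    Returns how many legitimate users are refused at `check_at` even though
    they present the correct password."""
    svc = AuthService(credentials, policy)
    t = 0.0
    while True:
        for user in credentials:  # only the username list is needed
            for _ in range(policy.max_failures):
                svc.attempt(user, "definitely-not-it", t)
        if policy.lock_seconds is None or t + policy.lock_seconds > attack_until:
            break
        t += policy.lock_seconds  # return the moment the lock lifts
    return sum(1 for user, pw in credentials.items()
               if svc.attempt(user, pw, check_at) == "locked")


# Constructed demo accounts; not real credentials.
USERS = {"alice": "correct horse", "bob": "battery staple", "carol": "hunter2"}

if __name__ == "__main__":
    permanent = LockoutPolicy(max_failures=3, lock_seconds=None)
    fifteen_min = LockoutPolicy(max_failures=3, lock_seconds=900)
    print("indefinite lock, one volley:",
          lockout_dos(permanent, USERS, 0, 86400), "of", len(USERS), "users locked out")
    print("15-minute lock, one volley, checked an hour later:",
          lockout_dos(fifteen_min, USERS, 0, 3600), "locked out")
    print("15-minute lock, attacker returns every 15 minutes for a day:",
          lockout_dos(fifteen_min, USERS, 86400, 86400), "locked out")
```

    The indefinite lock hands any outsider with a user list a one-shot outage; a timed lock only converts it into a job the attacker has to keep doing. What actually limits the damage is counting failures per source as well as per account, backing off rather than hard-locking, alerting on a burst of lockouts, and returning the same generic failure for an unknown user and a wrong password so the username list is not given away.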

  • by redelm (54142) on Wednesday April 27, 2005 @04:51PM (#12364336) Homepage
    "Absolute security at all costs" means zero functionality at high cost.

    More important is a credible threat, probability and loss analysis, compared with a list of countermeasures and their costs.

    Otherwise, it's just the cops featherbedding, just like the CIA did over the strength of the USSR -- even just before the collapse and perestroika.

    Don't give in to fear.
