Security for the Paranoid
Stephenmg writes "In Security for the Paranoid, Mark Burnett talks about his computer security methods after other security professionals say he is too paranoid. 'Paranoia is the key to success in the security world. Is it time to worry when other security professionals consider you too paranoid? I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards.' I don't see anything wrong with his methods."
Re:Mark is Paranoid, but Trusting of Microsoft? (Score:3, Informative)
Don't worry, let him get one or two bad ones and that'll change his tune. Fortunately for him, MS hasn't released a bad one in a few years. (If you don't count SP2, which had its problems.)
Re:Security...for the average user? (Score:3, Informative)
NOTE: all of these practices were against company policy..... but rendered the rep's jobs undoable without the "aids". So much for security to a paranoid level.
Cleansing Palates (Score:3, Informative)
Wasabi [wikipedia.org].
Eight character passwords are sufficient (Score:3, Informative)
Of course, if someone steals a password-protected system he would have an unlimited number of attempts. So make it a nine character password. If the cracker can run one million tries a second he has only a 50% chance of cracking a truly random password in the first 16 years of trying.
Show your work:
Number of seconds in a year = ca. 3,153,600
36^9 = 101,559,956,668,416 tries; 101,559,956,668,416 / 1,000,000 = 101,559,956 seconds
101,559,956/3,153,600 = 32 years to search entire key space.
32 / 2 = 16 years to search half of key space.
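The keyspace arithmetic in the post above, generalized into a small calculator. This is an added example, not code from the original post: it takes the alphabet size, password length and guess rate as parameters, uses 365 × 86,400 = 31,536,000 seconds per year, and also answers the inverse question (how long a password must be to push the expected search time past a target). The 36-symbol alphabet, 9-character length and one million guesses per second are the poster's figures; the 16-year target is taken from the same post.

```python
"""Brute-force search-time estimate for a uniformly random password.

Added example (not from the original post). It generalizes the
"show your work" arithmetic above: keyspace = alphabet_size ** length,
full search time = keyspace / guess rate, and the expected (50%) time
is half of that, because a uniformly random password is equally likely
to fall anywhere in the search order.
"""
from dataclasses import dataclass

# 365 days * 24 h * 60 min * 60 s (non-leap year)
SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # 31,536,000


@dataclass(frozen=True)
class SearchEstimate:
    keyspace: int          # number of distinct passwords
    seconds_full: float    # time to exhaust the whole keyspace
    years_full: float      # same, in years
    years_half: float      # expected time to hit a random password (50%)


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("alphabet_size must be >= 2 and length >= 1")
    return alphabet_size ** length


def brute_force_estimate(alphabet_size: int, length: int,
                         guesses_per_second: float) -> SearchEstimate:
    """Full and expected search time at a given offline guess rate."""
    if guesses_per_second <= 0:
        raise ValueError("guesses_per_second must be positive")
    space = keyspace_size(alphabet_size, length)
    seconds_full = space / guesses_per_second
    years_full = seconds_full / SECONDS_PER_YEAR
    return SearchEstimate(space, seconds_full, years_full, years_full / 2)


def length_for_target_years(alphabet_size: int, guesses_per_second: float,
                            target_years: float) -> int:
    """Smallest length whose expected (50%) search time reaches target_years."""
    length = 1
    while brute_force_estimate(alphabet_size, length,
                               guesses_per_second).years_half < target_years:
        length += 1
    return length


if __name__ == "__main__":
    # The poster's scenario: 36-symbol alphabet, 9 characters, 1e6 guesses/s.
    est = brute_force_estimate(36, 9, 1_000_000)
    print(f"keyspace          : {est.keyspace:,}")
    print(f"full search       : {est.years_full:.2f} years")
    print(f"expected (50%)    : {est.years_half:.2f} years")
    # Inverse question: how many lowercase+digit characters are needed before
    # the expected search time at 1e6 guesses/s reaches 16 years?
    print(f"length for 16 yrs : {length_for_target_years(36, 1_000_000, 16)}")
```

The guess rate is the assumption that dominates the result: the keyspace and the 50% rule are fixed arithmetic, so any defensible length requirement has to start from a realistic offline rate for the hash in use, and the alphabet size only matters if the password is actually drawn uniformly from it.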
Quality vs quantity (Score:3, Informative)
3 firewalls? Why not 6 or 12? Or 1, properly configured.
5 passwords? Why not 20? How is he tracking all his passwords, with "Password days" and all? I'm betting the farm he isn't memorizing them all. If he is, they're not different enough, not good enough. I'm sure 4 of those 5 can be cracked with readily available cracker kits.
No, he's all about "a lot of security" as opposed to "good security".
Re:Convenience = 1/Security (Score:3, Informative)
That said, we have a lock on the door to our data center, and a camera that snaps a shot as you go in. Backups are made 3 floors above on a half-floor that nobody knows about, and that requires a key to access as well. The backup tapes for our operation are in one of those locked locations, or in the hands of a courier who carts them offsite to some remote salt mine or something.
We aren't keeping the formula of Coke. We are keeping our donor database and membership rolls. They are priceless to us.
Re:Mark is Paranoid, but Trusting of Microsoft? (Score:3, Informative)
He has an awful lot of trust in his kids.
No Dad, I didn't install that game... No Dad, I don't know who installed that driver... No Dad, I don't know who tried to delete the "WINDOWS" folder to make more space for MP3's.
Re:Isn't he going after the wrong things? (Score:2, Informative)
Nope. Most problems come from sloppy practices such as sharing passwords, not having a password, or leaving yourself logged in.
The best thing about forcing the kids to use 14-character passwords is that it sets the tone for their attitude. If you tell kids "Be secure!" and don't require strong passwords, they might not get the message. Require strong passwords and you don't have to tell them, they just get it.
The real problem with TFA's laundry list of practices is a false sense of security. If it takes 5 passwords to check your mail, it's really easy to think you can write whatever you want in that mail. It would also be easy to think you are safe, but then some completely new attack vector is discovered against which you have no defense - but you assume you do.
There is a case to be made for TFA's "better safe than sorry" approach. His leadership by example for his clients is good, too.
But I think a more apt cliche to apply is "pick your battles". Put your energy into protecting what you hold most dear. Don't make it hard to do the right thing. Don't waste time being 99.999% safe over some unlikely issue while possibly ignoring some more likely one altogether.
Re:Try to count them. (Score:3, Informative)
It looks like the enforcement of this requires the BIOS to interact. I have not been able to find a way to remove this password, but I've had no issues with pulling data from the drives with passwords by just putting them in external USB enclosures.
So although you will not be able to steal machines and sell the hard drive for parts, you can steal the machine and get data if that's what your target is.