Security for the Paranoid (449 comments)

Stephenmg writes "In Security for the Paranoid, Mark Burnett talks about his computer security methods after other security professionals say he is too paranoid. 'Paranoia is the key to success in the security world. Is it time to worry when other security professionals consider you too paranoid? I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards.' I don't see anything wrong with his methods."
  • Training is... (Score:2, Insightful)

    by zappepcs ( 820751 ) on Wednesday April 27, 2005 @02:17PM (#12361837) Journal
    Training is the best security measure that can be taken; training users to not do stupid things, to use secure passwords, to not share information they shouldn't.

    If you start your kids off learning to use computers securely, with good self protection habits, then the likelihood that they will become victims of identity theft or other phishing is greatly reduced.

    When it comes to security, there is no such thing as paranoid... they really are out to get your password, your ID, your SSN and everything else that will help them get your money...

  • by Anonymous Coward on Wednesday April 27, 2005 @02:18PM (#12361854)
    You can be paranoid about a meteor striking you and live deep in a cave underground (hopefully forgetting an earthquake can get ya).

    The paranoid end up causing devastation in the long term. Let's have some reason to madness. The most "locked down" systems always crack for some reason or another. Either (a), and crucially, people don't cooperate (write down 14 char passwords on pieces of paper etc.) or (b) it causes you to lose out on productivity. The Great Wall didn't help China too much, did it?
  • where to start... (Score:2, Insightful)

    by a_greer2005 ( 863926 ) on Wednesday April 27, 2005 @02:20PM (#12361880)
    If you were in a place where security was ABSOLUTELY KEY, you would be on the right track, but at HOME??????

    I can't see a need for this level of security on a home network, where the only thing an attacker would want to do is zombi-ize your Windows boxes. Strong passwords are good, firewalls are good, wifi MAC address lockdown is good, but smartcards? Why not require a hair sample.

    Also, if you are that paranoid, you better put in a shark-filled moat, because a physical attack still leaves you vulnerable, and with those insane levels of security, you sort of make yourself a target; people figure that if you go to those lengths, you have something great...

  • Usability (Score:3, Insightful)

    by caerwyn ( 38056 ) on Wednesday April 27, 2005 @02:20PM (#12361881)
    I'm sorry, I really thought my computer was supposed to be usable.

    5 passwords to boot and check email on the laptop? What in the world are they *for*? BIOS, system login, email login, maybe one for decrypting if you're receiving encrypted emails all the time. What else?

    Security is a balance. Very few security measures only make things more difficult for an attacker; most of them make life more difficult for the person taking them as well. It *is* useful to analyze the threat in any situation, because it helps you make an informed judgement as to how secure something needs to be made, balancing risk versus usability.

    Not checking luggage when you fly? What, are you worried about someone snooping through your underwear? Oh, sure, don't put anything important in there if you're worried about that, but really... this truly is on the paranoid side of things.
  • by Uhh_Duh ( 125375 ) on Wednesday April 27, 2005 @02:21PM (#12361890) Homepage

    Being paranoid is fine -- but it's only 1% of the battle -- and it makes no sense to run around closing up every possible hole you find.

    A security expert is supposed to identify ALL of the possible ways in which the organization may experience a negative impact as a result of poor security (both logical and physical). His job, brace yourselves kids, is not to close all of the holes!! Rather, his role is centered around determining the cost/benefit of taking care of each specific issue. If there's a 0.5% risk of a particular security hole costing a large organization only $1,000 in damages and cleanup, and closing that hole will cost $5,000 in man-hours and hardware, it's pretty clear what the correct choice is. On the other hand, the risk may be low, and the cost may be low, so you just do it. Or the risk may be high, and the cost high, so you STILL do it... you get the idea.

    Being paranoid is fine -- it will help you identify security problems that others may or may not see. However, what to DO about the holes you find is where the real work begins.

    I can't imagine a cost-benefit scenario that justifies issuing smart-cards to family members on a home network. This guy has officially achieved 'retard' status.
  • by Anonymous Coward on Wednesday April 27, 2005 @02:27PM (#12361993)
    Yes, that does sound silly.
    Want to hear what I do for security?
    1) Don't use any Microsoft products,
    2) I write the passwords for my wife and kid because I know theirs won't have a combo of capital, small, numbers, and characters in it,
    3) Have a single, secure firewall only letting in ssh connections and broadcasting only Apache.

    It's been 7 years, no problems yet. For someone to say they're paranoid about security, then say they use Microsoft products is kind of like saying "I'm a beer connoisseur. Yeah, I'd like to order a Coors Light."
  • by GPLDAN ( 732269 ) on Wednesday April 27, 2005 @02:27PM (#12361995)
    Seriously. I would fear the guy doesn't even begin to fathom risk analysis. He just breeds paranoia. Guys like that break budgets wide open and spend lots of money they shouldn't on lots of stuff they don't need. He's like Mel Gibson in Conspiracy. Three firewalls? I hope they are open source cause Checkpoint licenses are expensive.

    You start breaking down security principles and overdoing it, and you just look stupid. Other security professionals are telling him he's paranoid, but that's just being nice. What they are THINKING is that the guy is incompetent, and doesn't understand productivity versus security tradeoffs. Somebody needs to have him go read Schneier on an island somewhere. Unpucker.
  • Re:smart cards? (Score:2, Insightful)

    by An ominous Cow art ( 320322 ) on Wednesday April 27, 2005 @02:28PM (#12362006) Journal
    or a home network? Paranoia is understandable, but smart cards on a home network? and 14 character passwords inside your house. OK, on the outside, that makes some sense. But what kind of secrets do you have internally that you need that level of paranoia? If the entire network is open to the outside world, that's a different matter, but what could possibly be so important that your kids need 14 character passwords to protect it inside your home?

    His whole point is that it doesn't matter whether he has anything "worth" protecting on his internal network; if he gets into the habit of practicing strong security everywhere, he's less likely to use weak security where it really matters.

    I feel the same way, but based on what the article describes, I'm probably only 62.54% as paranoid as he is. :-)

  • by sfjoe ( 470510 ) on Wednesday April 27, 2005 @02:31PM (#12362060)
    ...require my kids to use at least 14 character passwords on our home network

    What do you want to bet I can find the passwords written on a post-it under the keyboard?
    A security policy that doesn't take usability into account is worse than no security policy at all.

  • Stupidity (Score:3, Insightful)

    by duffbeer703 ( 177751 ) on Wednesday April 27, 2005 @02:36PM (#12362113)
    What's the point of all of this nonsense? Really?

    His kids will probably never want to touch a PC after the trauma of memorizing 14 character passwords just to surf the net at home.

    How many systems are actually vulnerable to password cracking anyway? Most ATM machines eat your card if you enter 5 incorrect PINs... most enterprise networks disable accounts if you have multiple incorrect passwords.

    This guy is on the same level as a mall rent-a-cop who always wanted to be a policeman, but can't pass the mental exam. He just gets a rise out of hassling people with arbitrary nonsense.
  • by Anonymous Coward on Wednesday April 27, 2005 @02:37PM (#12362131)
    Does a 14-character password make much sense, public network or private? I've got the impression that most security problems are due to either faulty code (buffer overruns) or malicious code within programs (email attachments, spyware, adware, or the slightly more legitimate software activation). Social engineering/phishing must make for a distant third, when it comes to computer security. Sure, one could do a dictionary attack on passwords...but isn't that the least of your worries? The most unguessable passwords won't stop a security breach if the software is faulty.
  • 3 firewalls? (Score:3, Insightful)

    by yagu ( 721525 ) <{yayagu} {at} {gmail.com}> on Wednesday April 27, 2005 @02:38PM (#12362135) Journal

    How is THAT more secure??? I once spent half a day tracking down a totally bizarre printing behavior/bug that turned out to be a LAN where machines had multiple firewalls running. Multiple firewalls can be more trouble than one well configured firewall.

  • Waste of time? (Score:4, Insightful)

    by koehn ( 575405 ) * on Wednesday April 27, 2005 @02:42PM (#12362182)
    Some people waste their time watching "American Idol." Others waste their time high on drugs, while still others waste their time trying to make the rest of us believe in their deity of choice. Even if the guy is paranoid, it's his time to waste.

    At least he's not wasting his time reading /.
  • Re:paranoid my ass (Score:3, Insightful)

    by theblueprint ( 749157 ) on Wednesday April 27, 2005 @02:44PM (#12362209)
    Maybe he's so paranoid because he uses Windows.
  • by whoever57 ( 658626 ) on Wednesday April 27, 2005 @02:49PM (#12362275) Journal
    Is he mentally ill?
    Well, I thought that he was over-careful until I got to this part of the article:

    I don't do it because I think someone is going to go through my trash to reassemble bits of my research notes.

    He may well be correct, but, given he is an "independent researcher, consultant, and writer specializing in Windows security", I have my doubts that someone would want to make the effort of reassembling his shredded notes.

  • by Hoi Polloi ( 522990 ) on Wednesday April 27, 2005 @02:51PM (#12362299) Journal
    "They have the greatest chance of continuing the species line."

    Not necessarily. A paranoid creature might be too fearful to ever hunt and/or forage properly and would constantly be weakened and vulnerable to disease. Their lack of social contact would also exclude them from the safety in numbers and support of the group, also lowering their chances.

    A healthy sense of risk doesn't necessarily make you altruistic or "soft" as you snidely put it, just reasonable. Judging from how strong the urge to socialize is in primates (including us of course) after millions of years of evolution I'd say that paranoia is not a strong predictor for survival.
  • by TiggertheMad ( 556308 ) on Wednesday April 27, 2005 @02:55PM (#12362362) Journal
    The word paranoid is the important point. He is being stupid, because a casual hacker looks for easy targets. To stop them you only have to secure your system well enough that it isn't easy to get into, so they move on, as the internet is a big place.

    The only reason you would do all the silly crap that he has done is because someone is out to get YOU, and is only after you. They are determined to get into your system, any way they can. Now, if your system is the Strategic Missile Command computers, then I could see why someone might really want to get in. However, this guy is a nobody. He isn't rich, he isn't influential, and he isn't powerful. Nobody is out to get him, so yes, he is paranoid.

    I always thought that paranoids were the absolute height of egomania, since you have to think pretty highly of yourself to think that you're worth the effort.
  • by Daedala ( 819156 ) on Wednesday April 27, 2005 @02:57PM (#12362388)
    As soon as I read this article, I sent it to many of my friends, because it's funny. It's an elegant, understated, hilarious demonstration of an important point. It starts perfectly reasonably and gets progressively sillier, until by the end it's way over-the-top hyperbole. [answers.com] This essay is a really lovely piece of writing, because at first it suckers you in with its reasonably paranoid stance, and when you realize you've been had -- I guess that's if you realize you've been had -- makes you think about diminishing returns.
  • by Anonymous Monkey ( 795756 ) on Wednesday April 27, 2005 @03:04PM (#12362486)
    You jest, but don't we all live like that. I joke that Paranoia is a Religion. People worship personal information, and before letting it go into some sort of purgatory, it's destroyed to protect its 'sole' for lack of a better word.

    Treating your password like a good luck charm against ID theft, treating your firewall like a shrine that gets sacrifices of software, and the Death Rites of a hard drive. And, like with most religions, the more devout you are the safer you are.

    Now, convert or pay!
  • No.

    First off, Mr. Bomb shelter isn't going to be continuing any sort of species without a mate.

    Paranoids are lousy lovers.

  • Re:paranoid my ass (Score:2, Insightful)

    by The Bungi ( 221687 ) <thebungi@gmail.com> on Wednesday April 27, 2005 @03:08PM (#12362562) Homepage
    Are you saying that it's impossible to secure Windows?

    Or that some other OS (Linux? OS/390? OS X?) is perfectly secure?

  • by Jtheletter ( 686279 ) on Wednesday April 27, 2005 @03:26PM (#12362925)
    In fact, he sounds a lot more like the type of person who has food, water & weapons buried in the woods for the coming Apocalypse.

    A poor choice of location. In the event that the shockwave from a nuclear blast hits the area (assuming you're still far enough from the epicenter to avoid the radiation) all of the trees in the forest will be burned and/or knocked down, covering your cache.
    As long as we're being paranoid here, let's at least plan accordingly. When it comes to the apocalypse, concrete is your best bet for protecting valuable hoards of food, supplies, and weapons. ;)

    "These are the rules of New Quahog!"

  • Beyond Fear (Score:2, Insightful)

    by JerkyBoy ( 455854 ) on Wednesday April 27, 2005 @03:33PM (#12363038) Homepage Journal
    This guy should have a look at Bruce Schneier's site [schneier.com], especially with regards to understanding practical security. This seems enlightening:
    Schneier invites us all to move beyond fear and to start thinking sensibly about security. He tells us why security is much more than cameras, guards, and photo IDs, and why expensive gadgets and technological cure-alls often obscure the real security issues. Using anecdotes from history, science, sports, movies, and the evening news, Beyond Fear explains basic rules of thought and action that anyone can understand and, most important of all, anyone can use. The benefits of Schneier's non-alarmist, common-sense approach to analyzing security will be immediate.
    Schneier would probably concur that the author of this article is paranoid, but it is even more likely that Schneier would describe him as unreasonable.
  • by offal ( 681210 ) on Wednesday April 27, 2005 @04:31PM (#12363963)
    A good friend of mine, CCIE, network genius type, had his home network locked down tight. He did all the right things, kept his passwords to himself, not even sharing them with his wife. Then he died. Getting back into that thing was a chore. Make sure you address disaster recovery, especially if you ARE the disaster.
  • by Morosoph ( 693565 ) on Wednesday April 27, 2005 @04:33PM (#12363995) Homepage Journal
    Being trusting of a single large vendor may appear to be contrary to the spirit of paranoia, but this is to ignore what paranoia really is:

    Paranoia is the misordering of priorities through irrational fear. For example, I am posting to Slashdot using links2 run from a Gentoo livecd from my second machine. If I was doing this for any reason other than because my main system had suffered disk failure, requiring a reinstall, or random geek value, I would be seriously paranoid, for I'd have focused so strongly upon having an unhackable system over implementing anonymisation over ipv6.

    More seriously, being excessively slowed down through having to jump through security hoops, and having your mindspace taken up, can end up reducing productivity, and risks seriously eating into profits. Hence we have security specialists, who call themselves "paranoid" because they would be, if they had a normal (meaning non-security) job. It is entirely possible that someone in security is too paranoid for security, and trusts those that they should be wary of on grounds of insufficient competence because of irrational fears of those whose motives they do not trust.

    Avoiding obviously taking sides, it's clear to [Democrats|Republicans] that [Republicans|Democrats] are paranoid about various risks. This isn't just relativism: those who seek power tend to perceive a greater need to control the masses than the rest of us. Someone has to be getting it wrong!

    Paranoia is a strange thing...

  • by TiggertheMad ( 556308 ) on Wednesday April 27, 2005 @04:36PM (#12364051) Journal
    Some people will view this kind of paranoia as a challenge, which will only encourage them to attack him.

    Ahh, the self-fulfilling prophecy of paranoia: act out enough, and you get all sorts of unwelcome attention that just confirms your egomania.

    Of course, if I were really interested in getting into this guy's computers, I would shoot him once in the foot and tell him that the next bullet would go into his head if he didn't spill all his passwords. Computer security is only as good as the weakest link...
  • OpenBSD anyone? (Score:2, Insightful)

    by Tharkban ( 877186 ) on Wednesday April 27, 2005 @05:40PM (#12364950) Homepage Journal
    OK... so my real question is, why in the world is this guy running Microsoft products? Not to say Microsoft isn't secure; I would be asking the same question if the article implied he was using Linux.

    If I was that paranoid, nothing but a locked down OpenBSD machine behind the nastiest firewall imaginable would be good enough for me.
  • by 10101001 10101001 ( 732688 ) on Wednesday April 27, 2005 @05:43PM (#12364993) Journal
    The point is that Linux, BSD, and any other OS that's open source can actually be examined. If you're paranoid, you have to audit all the code yourself and hand-write the base assembler to assemble the quasi-compiler; refer back to the thought experiment of the bugged compiler which would infect the compiler and login program to propagate itself. Even further, you'd want to use an open system where you can verify all the firmware, including the BIOS, to make sure no hooks are in place to compromise your security. And even further than that, you need to validate all the chips and processors in your system, that they're not bugged either.

    So, for one who claims he's really paranoid, he's very much a far way off from real paranoia. He's not even taking the basic step of validating his operating system.
  • by Soruk ( 225361 ) on Wednesday April 27, 2005 @06:31PM (#12365503) Homepage
    I think the figures were somewhat different, but taking those ones in the parent, that only tells you that 40% were too dumb to invent a bogus password for free chocolate.
