Security for the Paranoid
Stephenmg writes "In Security for the Paranoid, Mark Burnett talks about his computer security methods after other security professionals say he is too paranoid. 'Paranoia is the key to success in the security world. Is it time to worry when other security professionals consider you too paranoid? I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards.' I don't see anything wrong with his methods."
Training is... (Score:2, Insightful)
If you start your kids off learning to use computers securely, with good self protection habits, then the likelihood that they will become victims of identity theft or other phishing is greatly reduced.
When it comes to security, there is no such thing as paranoid... they really are out to get your password, your ID, your SSN and everything else that will help them get your money...
Paranoia doesn't allow you to get anything done (Score:1, Insightful)
The paranoid end up causing devastation in the long term. Let's have some reason to madness. The most "locked down" systems always crack for some reason or another. Either, and crucially, people don't cooperate (write down 14 char passwords on pieces of paper etc.) or (b) it causes you to lose out on productivity. The Great Wall didn't help China too much, did it?
where to start... (Score:2, Insightful)
I can't see a need for this level of security on a home network, where the only thing an attacker would want to do is zombie-ize your Windows boxes. Strong passwords are good, firewalls are good, wifi MAC address lockdown is good, but smartcards? Why not require a hair sample?
Also, if you are that paranoid, you better put in a shark-filled moat, because a physical attack still leaves you vulnerable, and with those insane levels of security, you sort of make yourself a target; people figure that if you go to those lengths, you have something great...
Usability (Score:3, Insightful)
5 passwords to boot and check email on the laptop? What in the world are they *for*? BIOS, system login, email login, maybe one for decrypting if you're receiving encrypted emails all the time. What else?
Security is a balance. Very few security measures only make things more difficult for an attacker; most of them make life more difficult for the person taking them as well. It *is* useful to analyze the threat in any situation, because it helps you make an informed judgement as to how secure something needs to be made, balancing risk versus usability.
Not checking luggage when you fly? What, are you worried about someone snooping through your underwear? Oh, sure, don't put anything important in there if you're worried about that, but really... this truly is on the paranoid side of things.
This guy is a moron (Score:5, Insightful)
Being paranoid is fine -- but it's only 1% of the battle -- and it makes no sense to run around closing up every possible hole you find.
A security expert is supposed to identify ALL of the possible ways in which the organization may experience a negative impact as a result of poor security (both logical and physical). His job, brace yourselves kids, is not to close all of the holes!! Rather, his role is centered around determining the cost/benefit of taking care of each specific issue. If there's a 0.5% risk of a particular security hole costing a large organization only $1,000 in damages and cleanup, and closing that hole will cost $5,000 in man-hours and hardware, it's pretty clear what the correct choice is. On the other hand, the risk may be low, and the cost may be low, so you just do it. Or the risk may be high, and the cost high, so you STILL do it... you get the idea.
Being paranoid is fine -- it will help you identify security problems that others may or may not see. However, what to DO about the holes you find is where the real work begins.
I can't imagine a cost-benefit scenario that justifies issuing smart-cards to family members on a home network. This guy has officially achieved 'retard' status.
Re:Mark is Paranoid, but Trusting of Microsoft? (Score:2, Insightful)
Want to hear what I do for security?
1) Don't use any Microsoft products,
2) I write the passwords for my wife and kid because I know theirs won't have a combo of capital, small, numbers, and characters in it,
3) Have a single, secure firewall only letting in ssh connections and broadcasting only Apache.
It's been 7 years, no problems yet. For someone to say they're paranoid about security, then say they use Microsoft products is kind of like saying "I'm a beer connoisseur. Yeah, I'd like to order a Coors Light."
I wouldn't want him as my ISO (Score:5, Insightful)
You start breaking down security principles and overdoing it, and you just look stupid. Other security professionals are telling him he's paranoid, but that's just being nice. What they are THINKING is that the guy is incompetent and doesn't understand productivity versus security tradeoffs. Somebody needs to have him go read Schneier on an island somewhere. Unpucker.
Re:smart cards? (Score:2, Insightful)
His whole point is that it doesn't matter whether he has anything "worth" protecting on his internal network; if he gets into the habit of practicing strong security everywhere, he's less likely to use weak security where it really matters.
I feel the same way, but based on what the article describes, I'm probably only 62.54% as paranoid as he is.
poor security choices (Score:5, Insightful)
What do you want to bet I can find the passwords written on a post-it under the keyboard?
A security policy that doesn't take usability into account is worse than no security policy at all.
Stupidity (Score:3, Insightful)
His kids will probably never want to touch a PC after the trauma of memorizing 14 character passwords just to surf the net at home.
How many systems are actually vulnerable to password cracking anyway? Most ATM machines eat your card if you enter 5 incorrect PINs... most enterprise networks disable accounts if you have multiple incorrect passwords.
This guy is on the same level as a mall rent-a-cop who always wanted to be a policeman, but can't pass the mental exam. He just gets a rise out of hassling people with arbitrary nonsense.
Isn't he going after the wrong things? (Score:2, Insightful)
3 firewalls? (Score:3, Insightful)
How is THAT more secure??? I once spent half a day tracking down a totally bizarre printing behavior/bug that turned out to be a LAN where machines had multiple firewalls running. Multiple firewalls can be more trouble than one well configured firewall.
Waste of time? (Score:4, Insightful)
At least he's not wasting his time reading
Re:paranoid my ass (Score:3, Insightful)
Re:Convenience = 1/Security (Score:3, Insightful)
I don't do it because I think someone is going to go through my trash to reassemble bits of my research notes.
He may well be correct, but, given he is an "independent researcher, consultant, and writer specializing in Windows security", I have my doubts that someone would want to make the effort of reassembling his shredded notes.
There are lots of opinions on altruism (Score:5, Insightful)
Not necessarily. A paranoid creature might be too fearful to ever hunt and/or forage properly and would constantly be weakened and vulnerable to disease. Their lack of social contact would also exclude them from the safety in numbers and support of the group, further lowering their chances.
A healthy sense of risk doesn't necessarily make you altruistic or "soft" as you snidely put it, just reasonable. Judging from how strong the urge to socialize is in primates (including us of course) after millions of years of evolution I'd say that paranoia is not a strong predictor for survival.
This guy is a moron (Score:4, Insightful)
The only reason you would do all the silly crap that he has done is because someone is out to get YOU, and is only after you. They are determined to get into your system, any way they can. Now, if your system is the Strategic Missile Command computers, then I could see why someone might really want to get in. However, this guy is a nobody. He isn't rich, he isn't influential, and he isn't powerful. Nobody is out to get him, so yes, he is paranoid.
I always thought that paranoids were the absolute height of egomania, since you have to think pretty highly of yourself to think that you're worth the effort.
It's a joke, people (Score:5, Insightful)
Re:Not secure enough... (Score:2, Insightful)
Treating your password like a good luck charm against ID theft, treating your firewall like a shrine that gets sacrifices of software, and the Death Rites of a hard drive. And, like with most religions, the more devout you are the safer you are.
Now, convert or pay!
Re:Read Dawkins, any studies on altruism... (Score:3, Insightful)
First off, Mr. Bomb Shelter isn't going to be continuing any sort of species without a mate.
Paranoids are lousy lovers.
Re:paranoid my ass (Score:2, Insightful)
Or that some other OS (Linux? OS/390? OS X?) is perfectly secure?
Re:Convenience = 1/Security (Score:3, Insightful)
A poor choice of location. In the event that the shockwave from a nuclear blast hits the area (assuming you're still far enough from the epicenter to avoid the radiation) all of the trees in the forest will be burned and/or knocked down, covering your cache. ;)
As long as we're being paranoid here, let's at least plan accordingly. When it comes to the apocalypse, concrete is your best bet for protecting valuable hordes of food, supplies, and weapons.
"These are the rules of New Quahog!"
Beyond Fear (Score:2, Insightful)
Re:what a pseudo-fool (in a nice way) (Score:3, Insightful)
The Nature of Paranoia (Score:3, Insightful)
Paranoia is the misordering of priorities through irrational fear. For example, I am posting to Slashdot using links2 run from a Gentoo livecd from my second machine. If I was doing this for any reason other than because my main system had suffered disk failure, requiring a reinstall, or random geek value, I would be seriously paranoid, for I'd have focused so strongly upon having an unhackable system over implementing anonymisation over ipv6.
More seriously, being excessively slowed down through having to jump through security hoops, and having your mindspace taken up, can end up reducing productivity, and risks seriously eating into profits. Hence we have security specialists, who call themselves "paranoid" because they would be, if they had a normal (meaning non-security) job. It is entirely possible that someone in security is too paranoid for security, and trusts those that they should be wary of on grounds of insufficient competence because of irrational fears of those whose motives they do not trust.
Avoiding obviously taking sides, it's clear to [Democrats|Republicans] that [Republicans|Democrats] are paranoid about various risks. This isn't just relativism: those who seek power tend to perceive a greater need to control the masses than the rest of us. Someone has to be getting it wrong!
Paranoia is a strange thing...
further analysis... (Score:3, Insightful)
Ahh, the self-fulfilling prophecy of paranoia: act out enough, and you get all sorts of unwelcome attention that just confirms your egomania.
Of course, if I were really interested in getting into this guy's computers, I would shoot him once in the foot and tell him that the next bullet would go into his head if he didn't spill all his passwords. Computer security is only as good as the weakest link...
OpenBSD anyone? (Score:2, Insightful)
If I was that paranoid, nothing but a locked down OpenBSD machine behind the nastiest firewall imaginable would be good enough for me.
Re: Mod Parent Off-topic (Score:3, Insightful)
So, for one who claims he's really paranoid, he's a long way off from real paranoia. He's not even taking the basic step of validating his operating system.
Re:Microsoft is not the problem (Score:3, Insightful)