Security for the Paranoid
Stephenmg writes "In Security for the Paranoid, Mark Burnett talks about his computer security methods after other security professionals say he is too paranoid. 'Paranoia is the key to success in the security world. Is it time to worry when other security professionals consider you too paranoid? I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards.' I don't see anything wrong with his methods."
Mark is Paranoid, but Trusting of Microsoft? (Score:5, Interesting)
Re:Mark is Paranoid, but Trusting of Microsoft? (Score:1, Interesting)
smart cards? (Score:5, Interesting)
Not quite right (Score:5, Interesting)
However, information security has to be appropriate to the data you wish to protect.
A system that annoys users by making it hard to access the information (long passwords changed weekly for example) will just leave you with a static store of information.
The information will never be *USED*. There will be no point in having it.
Use security appropriate to your data. He IS paranoid, and - offtopic: sounds a bit of a nob.
I know for sure if I was one of his kids, I wouldn't WANT to connect to his network!
what a pseudo-fool (in a nice way) (Score:5, Interesting)
... is about the only part of his screed that could make sense to me. Not because one should not divulge a password to one's wife, but because keeping passwords entirely private is good policy. Almost everything else about his life strikes me as goofy. If you read any of the "hacker" books, hacking and gaining access to people's stuff isn't about cracking passwords, it's about social engineering and dishonest behavior, most of which the author's behaviors won't prevent. But, if it makes him feel better.... (I wouldn't want to live on his network.)
I worked at a large company and called the administrator of their unix mainframe and complained that /usr/bin and /bin both didn't even have execute privilege so I couldn't even see what commands existed. The administrator dressed me down and explained they did that for security reasons so people couldn't hack in. He went on to tell me about the giant breach on that system from outside hackers and hence, the very tight "security". I gently reminded him the "breach" actually occurred with those very same directory permissions.... and they didn't prevent the hack. Sigh...
Smart cards (Score:2, Interesting)
paranoid my ass (Score:5, Interesting)
if he's so damn paranoid, what the hell is he using windows for?
too paranoid (Score:3, Interesting)
It's true, you never seem to realize your folly until it's too late and your data is gone, but in my case, my home network isn't so important to me that I think it's worth so much security that it interferes with my enjoyment or productivity.
Usually my stance is that I let the foil-hat wearing security gurus have their toys, but I continue to look for the solution that is "good enough" and that conforms to MY wishes, not theirs.
-d
Security... for the average user? (Score:5, Interesting)
Security for the sake of security, for example, can sometimes backfire.
For example, a company I used to work for had this policy that you had to change your password every 30 days, have at least 1 special character, one capital, one number, etc.
This was on an intranet, and most people hated this feature.
Most people ended up using a system like Jul@1996 for their password.
Kind of defeats the whole purpose of security.
I tend to think one should use security proportional to sensitivity on certain matters, knowing that nothing is perfectly secure.
But enforcing 'security' for the sake of security, especially random, and unsupported 'security' can make the average user resentful, and the process much less secure.
Err.... Overdoing it, maybe? (Score:3, Interesting)
I'm not a cracker, I'm not even much of a hacker, but I'm a naturally sneaky bastich. (TM) And as real sneaky bastiches know, you don't ever stand in someone's face and tell them you're going to beat the crap out of them, you wait until they turn around.
I try to be a nice guy despite my tendencies, but still... This kind of article reminds me of the French and their lines.
Read Dawkins, any studies on altruism... (Score:5, Interesting)
Is he mentally ill? Let's just say he doesn't sound like the type of person I'd want to have a beer with.
In fact, he sounds a lot more like the type of person who has food, water & weapons buried in the woods for the coming Apocalypse.
In any population, you will have a percentage of people who are very altruistic, they will sacrifice for everyone else. And you have some people who are so paranoid they will always hide and run. This is required for a species to continue.
For example, say you have birds. Say that 5 out of 100 birds will signal when a predator comes in range. Chances are greater those birds will be eaten, since they are making themselves more known to the predator. Now in that same 100 birds, say you have 5 that always hide, run, and are very paranoid. They have the greatest chance of continuing the species line.
If we all get soft, and say nuclear war does break out, in any form, the guy who has a chamber 50 feet under the ground with a room filled with water and food, and another room with oxygen tanks, he might be what's left to start the gene pool over again.
Instead of criticizing him as mentally ill, maybe you can add some of your distinct expertise and help build a better shelter. One where 2 people can hold out longer, maybe making some filtration system for well water, adding lights with the correct wavelength to let plants grow underground and make natural oxygen. Then you will both survive, and your altruistic genes will get passed on too.
Re:Mark is Paranoid, but Trusting of Microsoft? (Score:5, Interesting)
Precisely correct. He does all this to "feel good" without understanding the threat. Does he check his firewall logs daily? Did he disable LM hashes on his Windows box? (If not, the 14 char password is really just two sevens...)
I've always maintained that strict adherence to protocol is the last bastion for the truly evil and truly stupid...
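The "two sevens" remark above is literally true of the LAN Manager hash, and the following Go program is an added illustration of it (my code, not anything from the article or the thread). LM uppercases the password, NUL-pads it to exactly 14 bytes, splits it into two 7-byte halves, and DES-encrypts the fixed string KGS!@#$% under each half as the key; the two 8-byte results are simply concatenated. Because nothing ties the halves together, an attacker cracks each 7-character side on its own, and a 14-character password costs roughly what two 7-character ones do. The empty-password half aad3b435b51404ee is the well-known constant; the "password" vector is the one from the classic pwdump examples. Domain and file names in the program are not assumed; only the two test vectors are external facts.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext LM encrypts under each half of the password;
// it is the same constant on every Windows machine.
var lmMagic = []byte("KGS!@#$%")

// desKeyFrom7 expands a 7-byte (56-bit) half into the 8-byte key crypto/des
// expects: each 7-bit chunk is shifted left by one, leaving the low bit of
// every key byte as the parity bit, which DES ignores.
func desKeyFrom7(half []byte) []byte {
	var v uint64
	for _, b := range half {
		v = v<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 0; i < 8; i++ {
		key[i] = byte((v>>(49-7*uint(i)))&0x7f) << 1
	}
	return key
}

// lmHalf hashes one 7-byte half: DES_k(lmMagic) with k derived from the half.
func lmHalf(half []byte) []byte {
	block, err := des.NewCipher(desKeyFrom7(half))
	if err != nil {
		panic(err) // only possible if the key is not 8 bytes
	}
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return out
}

// LMHash returns the 16-byte LAN Manager hash as lowercase hex. The password
// is uppercased, truncated or NUL-padded to exactly 14 bytes, and the two
// 7-byte halves are hashed independently and concatenated.
func LMHash(password string) string {
	buf := make([]byte, 14)              // zero bytes supply the NUL padding
	copy(buf, strings.ToUpper(password)) // copy truncates at 14 bytes
	return hex.EncodeToString(lmHalf(buf[:7])) + hex.EncodeToString(lmHalf(buf[7:]))
}

// HalvesAreIndependent demonstrates the weakness: the hash of a 14-character
// password is exactly the hash of its first 7 characters glued to the hash of
// its last 7, so each side can be brute-forced separately.
func HalvesAreIndependent(password string) bool {
	p := strings.ToUpper(password)
	if len(p) > 14 {
		p = p[:14]
	}
	first, second := p, ""
	if len(p) > 7 {
		first, second = p[:7], p[7:]
	}
	full := LMHash(password)
	return full[:16] == LMHash(first)[:16] && full[16:] == LMHash(second)[:16]
}

func main() {
	for _, pw := range []string{"", "password", "ABCDEFGHIJKLMN"} {
		fmt.Printf("%-18q %s independent=%v\n", pw, LMHash(pw), HalvesAreIndependent(pw))
	}
}
```

Two practical consequences follow from the code: a password of 7 characters or fewer leaves the second half equal to the empty-half constant, which instantly tells an attacker how long the password is, and any password longer than 14 characters cannot be represented at all, which is why Windows stops storing an LM hash for such passwords and why the NoLMHash setting under HKLM\SYSTEM\CurrentControlSet\Control\Lsa turns the hash off for everyone.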
High Cognitive Cost == Low Compliance (Score:3, Interesting)
14 Character pwds for his kids, on his home network, that isn't connected to the outside (his VMware box is for internet). Yeah, that's useful.
He reminds me of the guy in town who advertises websites that are backwards compatible to Netscape 1.2 - very shrill, gets some attention, but is really clueless.
What a freaker (Score:3, Interesting)
Most of my internet traffic goes through at least three firewalls. Is that too paranoid?
Almost definitely, yes.
Sure, the threat might not be real. No one may ever actually want what you have on your PC. But does that really matter?
Yes, it does. Welcome to the real world, where you have finite resources and impatient users. If you only have X amount of resources, do you spend them on protecting things that are a target or on things that nobody cares about?
It's not that I think someone is trying to hack me, but I also don't think someone is not trying to hack me.
So, can anyone tell me exactly what he's thinking? It seems like he doesn't even know.
It takes five passwords to boot up my laptop and check my e-mail. One of those passwords is over 50 characters long.
50 characters long? Why stop there? Why not 128 characters long? Why not memorize your entire public and private keys?
I think that this fact alone -- that he has a 50-character password -- shows that he's not playing with a full deck of cards.
Re:Mark is Paranoid, but Trusting of Microsoft? (Score:3, Interesting)
FTFA: "I do my Internet browsing from a locked down VMWare box that has no rights on my network."
All that he needs to do is revert to a previously known-good vmware image.
Re:Read Dawkins, any studies on altruism... (Score:3, Interesting)
Bad patches are the least of your problems. (Score:2, Interesting)
The problem comes from bugs with exploits in the wild, but no patches yet.
Unpatched IE vulnerabilities [secunia.com]
Unpatched Windows XP Vulnerabilities [secunia.com]
Re:14 character password? (Score:3, Interesting)
Why this really is annoying to me is because I use a 4 tier password system. Tier 1 is for my bank accounts, when that is changed the password is reused for tier 2 applications--my passwords on my home computers. Tier 2 password becomes tier 3, my email, and those passwords become tier 4, i.e. all my passwords at work. That way I only have to remember 4 passwords at any one time (and 2 truncated ones) and no sticky note security.
Re:Microsoft is not the problem (Score:3, Interesting)
A six pack? You're thinking way too big. Wasn't there a study a few months ago where it was shown that like 60% or more of users would disclose their passwords in exchange for chocolate?
"Hey kid, want some candy?"
Re:oww (Score:3, Interesting)
He didn't state what type, but I can guess...
1) Software based firewall (possibly two if you don't trust the first).
2) Wireless AP to internal network Firewall.
3) Internet firewall.
I have two of these on my home network (for the windows client), ZoneAlarm + hardware. When I install a wireless access point I will then add another one to firewall that segment.
Enjoy.
Re:Convenience != 1/Security (Score:3, Interesting)
Good security should be relatively unintrusive. E.g., your security badge includes a java button, you need it and your password to log on. (I'm not sure if jbuttons are wireless, but if not substitute some smart device that is.) Once you're logged in a kerberos TGT is written to your badge. You can then access most secured functions because they quietly get the ticket from your badge. You could set up the system so your tickets (not TGT) only live for 10-15 seconds - you walk away from your desk to go to the bathroom or "coincidentally" run into that cutie at the water fountain and the ticket can't be renewed and the applications are disabled (and screen blanked?) until you return. Then you have to repeat your password (since somebody might have taken the badge off your still-warm body) and everything is as you left it.
If you need special rights you provide the password for another TGT, one with a short lifetime. Think 'sudo' as an analogy.
It's far more secure than having to maintain a separate username/password for multiple applications, yet simultaneously far more convenient. Nobody will complain, esp. if badges are required or they're already used to get through doors. Most people won't even understand how the badge around their neck gives them access to their workstation (and possibly others when working with others).
A slightly weaker version uses a USB dongle attached to your keys. Nobody walks away from their car keys for long.
Pet peeve: (Score:3, Interesting)
Paranoid admins who like to practice "information denial techniques" on their systems, making them essentially unfixable. The thinking is, "We don't want a hacker to have any information about our network. We don't want him to even know what kind of system he's on if he ever does get in. So we've got to hide as much system stuff as possible."
We've got quite a few of those here, most of whom have had "security at ANY COST" drilled into them by the higherups. Here are a few gems:
I'm sure there's another super-paranoid person on this topic who may flame me for this and say I'm a rotten admin for keeping any debugging tools on a system. But a lot of people forget that 50% of security is keeping the bad guys out, and the other 50% is allowing the good guys to do their job without a huge hassle. Sure, having people logging in via telnet, or allowing "password" as a password sucks. But timely patching, keeping an eye on your system services, EDUCATING YOUR USERS, and having a good firewall policy will keep far more trouble out than instituting the Fourth Reich on a production system.
Re:This guy is a moron (Score:3, Interesting)
Yeah, conspiracy and paranoia are oddly appealing. It's so much nicer to believe that the governments, corporations, and secret networks are out to get you than to believe that nobody really gives a shit whether you live or die, and that your failures are either the result of an unordered universe, or worse, your own damn fault.
B#llsh!t Paranoia is egotism (Score:3, Interesting)
More important is a credible threat, probability and loss analysis, compared with a list of countermeasures and their costs.
Otherwise, it's just the cops featherbedding, just like the CIA did over the strength of the USSR -- even just before the collapse and perestroika.
Don't give in to fear.
Re:what a pseudo-fool (in a nice way) (Score:3, Interesting)
One router, and one software firewall constitutes two firewalls. If he wanted his home office network to be separated from his family's computers, having a third firewall makes sense.
After all, if his kids inadvertently get a virus, why let it spread on the network? (depending on the virus, of course)
Sometimes I have a "Password Day" where I change every password I own on the same day, just in case someone might happen to have one of my passwords. I frequently change my passwords after traveling.
Fair enough. If you have something like keepass [sourceforge.net], going down the list of passwords isn't too hard. Then again, I wouldn't change the password of something stupid and insignificant (like a dating site account) very often, especially if it's a strong password that I don't use anywhere else.
I use very long passwords for everything, even with the lamest accounts I have.
If you have keepass, why not?
I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards. No one else, not even my wife, knows my network password.
Why the hell not? Shouldn't you be teaching your children good security practices anyway?
I don't just throw out shredded documents; I spread the shredded bits into my garden to use as mulch.
Oh yeah... Just what I want... my backyard to be flooded with little bits of paper. Lovely.
I used to tell my clients to set files in their web content directories to read only. Some thought this was too extreme and too much of a hassle, but then along came a worm named Code Red that failed on all the clients who followed my advice.
And linux people have known this for how long?
I use a unique, secret e-mail address for each sensitive online account I have. I have always done that. I guess this would look paranoid to most people, but when I get e-mails from my bank, I can check the e-mail address they used to see if they sent it to the secret address.
Does this matter? The only real concern here is phishing. If your bank sends you an email, you TYPE IN THE URL YOURSELF. That is good security.
Plus, he doesn't mention who his emails are with? A hotmail or yahoo account? Bad choice. If you're really serious about mail security (and not spam), why not have one email account on its own dedicated machine... running qmail... with iptables blocking all incoming ports but 25 and 22 (but limit port 22 to your private IP). Check your mail locally using pine, so that POP3 or IMAP isn't open.
I keep my PC's turned around so I can tell if anyone has installed a hardware keylogger.
If you're running keepass, you don't need to worry about that for sniffing of passwords. Just copy and paste your password in.
I never check in luggage when I fly.
Does this matter if your laptop is WITH you?
I do my Internet browsing from a locked down VMWare box that has no rights on my network.
If your office documents are important enough, why not? If you work from home, if you have the money and the space, why not do work on a separate machine with limited rights / access? Or the other way around?
I use terrafly.com to see what others might be able to see about my home.
Crackheaded. If someone knows your address, there's a lot more they can find out about your house than what's on an aerial map.
It takes five passwords to boot up my laptop and check my e-mail. One of those passwords is over 50 characters long.
BIOS, OS, Email Account? What are the other two? Also, passwords should be out of the range of brute force crackers. Not insanely unreachable. 20 characters should do it.
I also delete unused services on my server
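The secret-address check quoted in this thread, worked as an added Go example (mine, not code from the article or from any commenter). The alias table and the three messages are constructed for the example and use .test domains; nothing here is a real institution. The program takes the recipient from the Delivered-To header, which qmail and many other MTAs stamp on the message at delivery time, and only falls back to To, which the sender controls. A message from a known institution's domain to the wrong alias is flagged, and a lookalike domain is reported separately because no alias was ever issued to it.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed for this example: one secret alias per institution, keyed by the
// domain the institution sends from. Sub-domains (mail.examplebank.test) match.
var secretAliases = map[string]string{
	"examplebank.test": "acct-7f3a9c@example.test",
	"examplecard.test": "acct-b81d20@example.test",
}

// institutionFor maps a sender address to the institution it claims to be,
// if its domain is one we issued a secret alias to.
func institutionFor(addr string) (string, bool) {
	at := strings.LastIndex(addr, "@")
	if at < 0 {
		return "", false
	}
	domain := strings.ToLower(addr[at+1:])
	for inst := range secretAliases {
		if domain == inst || strings.HasSuffix(domain, "."+inst) {
			return inst, true
		}
	}
	return "", false
}

// Classify reads one RFC 5322 message and returns:
//   "ok"             claimed institution wrote to the alias it was given
//   "wrong-alias"    claimed institution, but delivered to some other address
//   "unknown-sender" sender domain has no alias on file (lookalikes land here)
//   "malformed"      the headers could not be parsed
func Classify(raw string) string {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return "malformed"
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return "malformed"
	}
	// Delivered-To is the envelope recipient the MTA records on delivery;
	// To is only a fallback because the sender writes it.
	rcpt := msg.Header.Get("Delivered-To")
	if rcpt == "" {
		rcpt = msg.Header.Get("To")
	}
	to, err := mail.ParseAddress(rcpt)
	if err != nil {
		return "malformed"
	}
	inst, known := institutionFor(from.Address)
	if !known {
		return "unknown-sender"
	}
	if !strings.EqualFold(to.Address, secretAliases[inst]) {
		return "wrong-alias"
	}
	return "ok"
}

// Three constructed messages: a genuine notice, a phish aimed at the public
// address, and a lookalike domain that somehow learned the alias.
var (
	GenuineMsg   = "From: Example Bank <alerts@examplebank.test>\nDelivered-To: acct-7f3a9c@example.test\nSubject: Your statement is ready\n\nLog in to view it.\n"
	PhishMsg     = "From: Example Bank <alerts@examplebank.test>\nDelivered-To: me@example.test\nSubject: Verify your account now\n\nClick here.\n"
	LookalikeMsg = "From: Example Bank Security <alerts@examplebank-secure.test>\nDelivered-To: acct-7f3a9c@example.test\nSubject: Verify your account now\n\nClick here.\n"
)

func main() {
	for _, m := range []struct{ name, body string }{
		{"genuine", GenuineMsg}, {"phish", PhishMsg}, {"lookalike", LookalikeMsg},
	} {
		fmt.Printf("%-10s %s\n", m.name, Classify(m.body))
	}
}
```

The check only catches mail that was aimed at the wrong address. A forged From header on a message delivered to the right alias passes it, so it complements rather than replaces the advice in the reply above to type the bank's URL yourself; what it does buy you is an early warning that an alias has leaked, since genuine mail to it from anyone other than the institution it was issued to should never happen.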
Re:I wouldn't want him as my ISO (Score:3, Interesting)
I actually wonder if the ironic point he's making is that security consultants demand stupidity from corporations that no one would tolerate on a personal level. Consider:
I try to run my own network the same way I tell my clients to.
Then he goes on to present a stupid laundry list of excessive security measures that are, by implication, what he's telling his clients to do. It's obvious that, personally, they're ridiculous, so why wouldn't they also be ridiculous in a corporate environment?
Re:what a pseudo-fool (in a nice way) (Score:3, Interesting)
If your partner wants to hurt you badly enough, your password isn't going to stop her/him. Most partners know enough about the other person that they could have them arrested. Good thing is it works both ways.