Community Comments To Security Absurdity Article 190
An anonymous reader writes, "Earlier this year Noam Eppel's Security Absurdity article generated much debate in the Information Security community (covered on Slashdot at the time). He claimed that we are currently witnessing a 'profound failure' in security. Now the author has posted a follow-up highlighting some of the community comments prompted by the article, titled 'Feedback to Security Absurdity Article — the Good, the Bad and the Ugly.'"
We wouldn't be having this problem if... (Score:3, Insightful)
people would use common sense.
Wrong approch (Score:4, Insightful)
Virus scanners, network behavior analyzers, "app armor", stack canaries, random load addresses, nothing. 'Search and destroy' the spybots? Please. The biggest problem is C and all the other non-typesafe languages. Safe languages simply trade a certain amount of performance for the impossibility of buffer overflows, underflows, stack 'smashing', heap corruption, double-free's, pointer arithmetic errors, and all of the other low-level attacks. Everything at that level is toast in Java or in "managed" C# for instance.
This entire class of low-level flaws can be solved completely. Then it's just the higher-level problems like impersonating web pages, xss, some trojans, that kind of thing. Still a problem, yeah, but without the entire class of automatic propagation it is so much less of one.
three solutions (Score:5, Insightful)
I assume the operating system was Windows? Solutions:
Re:We wouldn't be having this problem if... (Score:5, Insightful)
Even of the items that I know about - which is most of them - that doesn't mean that I follow them. As far as them being common "geek" sense, they might be, but:
So really, most, if not all, of that list isn't a "never do that", but a "use common sense before you do that", and that's most of what it amounts to in the first place. Security would be better if it wasn't for the hideous defaults that we put up with - which in an ideal environment without worms and viruses and such would make for better usability, but since most people don't use their computers in a hermetically sealed room with no connection to the outside world whatsoever...
I'll go out on a limb here... (Score:3, Insightful)
Right approach; at least for some. (Score:3, Insightful)
Where I come from, they call this "securing your revenue stream."
Seems like the security companies are doing A-OK there; they've got more business than they can shake a stick at, and it's not going anywhere soon. They have a vested interest in not 'solving' the problem, even if they knew how to do it.
Like all arms races, if you're in the arms business, you can laugh all the way to the bank. (Until someone decides to rob you, that is.)
Re:Seems a little Windows-centric ... (Score:5, Insightful)
Oh wait. That's right. Linux machines ARE visible targets, yet are not pwned in proportion to their use. "Ah," you cry, "but those are servers, not desktops." True. They are servers with purposefully exposed ports and running outside of firewalls; heck, many a Linux Box (PC or embedded) *IS* the firewall for Windows machines. They COULD in principle be compromised and used in botnets like any other computer out there.
The "bigger target, more problems" arguement is flawed. The underlying problem at the system level (ie, not coutnting phishing, physical security problems, etc) is WINDOWS, period. You can argue about whether it is simply the default security model or braindead design all you want, but until that basic reality is accepted, this point of Windows market share is a deflection from the issue.
Re:We wouldn't be having this problem if... (Score:4, Insightful)
Computer security is a state of mind. Maybe if the internet was more like a construction site, where not being safe = losing a finger... people might take the time to learn how to anticipate threats instead of just blindly applying a set of rules.
Re:We wouldn't be having this problem if... (Score:2, Insightful)
Response from Joe Luser (Score:5, Insightful)
Too much work. I bought this computer to make my life easier.
* Disable the preview pane in all your inboxes.
How do I do that? I'm not smart like you when it comes to computers.
* Read all email in plain text.
I wouldn't get to see the pictures my friends send me if I did that.
* Don't open email attachments.
What? And miss out on the lasest web games my friends are playing?
* Don't use Java, JavaScript, and ActiveX.
No problem. I don't even know what those are. I'm not smart enough to learn all that fancy software.
* Don't check your email with Microsoft Outlook or Outlook Express.
But Outlook is what my computer came with. I can't afford a new computer this month.
* Don't display your email address on your web site.
Unacceptable. My customers need to be able to contact me.
* Don't follow links in web pages, email messages, or newsgroup without knowing what they link to.
How do I know what it links to before I click?
* Don't let the computer save your passwords.
Sorry, I don't have a photographic memory like you techno-geniuses. And don't tell me to write it down either, I'll just lose the piece of paper.
* Don't trust the "From" line in email messages.
Then how do I know who sent me the mail?
* Never Use Internet Explorer and instead Switch to Firefox.
I've used Internet Explorer for years. I have a busy life, I don't have time to learn Firefox or else I would.
* Never run a program unless you know it to be authored by a person or company that you trust.
How do I know who wrote the software, it just shows up on my computer?
* Read the User Agreement thoroughly on all software you download to ensure it is not spyware.
Yeah right. Those are longer than the internal revenue code, even my computer nerd brother doesn't read those.
* Don't count on your email system to block all worms and viruses.
Then what do I count on? And why can't a big company like Microsoft figure out how to block viruses?
* Get a Mac
At home? I can barely keep up with gas prices let alone get a new computer. At work? The company makes us use Windows, we don't have a choice.
Re:Seems a little Windows-centric ... (Score:4, Insightful)
B.
Outlook not so good - and as for exchange (Score:4, Insightful)
There is a thing called email which is far more useful and has been around longer - you also can use mbox files readable even by a text editor instead of some weird database that requires shareware to fix when it gets corrupted. If Microsoft provided tools to support their own products properly I would recommend it - but no, conventional email servers available from a lot of different sources are superior in almost every way. Even the horrible sendmail configuration file is superior to weird registry hacks to change the behavior of exchange.
Disclaimer - I've only looked after 3 MS Exchange servers and one bare metal rebuild from backup to recover old mail (nightmare that would never be required with a sane mailbox format - the whole thing is just too fragile and finicky and required an install with the same service packs, identical company info strings in the install, same registry hacks etc). Open relay by default with one patch too aparently - or perhaps that just has to be fiction because they could not be that stupid could they?
Re:Response from Joe Luser (Score:3, Insightful)
JS/Java interpreters should not be able to enter a state where they can damage the user's computer. Maybe they'll crash the tab that they were loaded from, but that's it. This isn't quite how things work today, but software can be improved. Firefox and Java are open source, so that makes finding and fixing any insecurity easier.
The same goes for clicking links in e-mail. You should be able to click any link. The worse thing that can happen is you think the site is your banks (sorry, you're just dumb), or you get the goatse guy. Get over it and move on -- clicking a link should not cause any code execution on your computer.
Re:Wrong approch (Score:5, Insightful)
The problem is that the typesafe languages are not realistic for writing desktop software in. Both Java and .NET are plagued with serious technical problems - which is why so few desktop apps are written using them. Even trivial optimisations like stack allocation cannot be done by the programmer in these languages, they take advanced analyses running inside complex optimizing compilers .... running on the users desktop.
Basically, you are right that using these languages would eliminate whole classes of vulnerabilities. But they would not eliminate all of them, and the costs are huge in terms of writing efficient, pleasant-to-use software. Stuff written in Java today is just uncompetitive, secure or not.
you got it slightly wrong (Score:3, Insightful)
...if Sysadmins and Programmers did their jobs (Score:5, Insightful)
I'm not sure I agree with this notion of putting all the security onus on the end user at all. What if every time I got on the subway it was my job to check to see if the wheels were about to fall off? Or if every time I sent a letter through the regular mail it was up to me to make sure the envelope was unopenable by anyone but my intended recipient?
When you start having the list of "common-sense" security measures taking up more than a paragraph, that means there's something wrong somewhere up the food chain from the end user.
I know it can be done. I work at a small University and I haven't seen a single spam in my inbox in the last year. I get a list every so often of what the spam filter caught and it's amazingly accurate. And this from a system that's run by the usual half-bright academic computer services staff member.
And what about an operating system that's basically a leaky boat? Before it wastes another minute on giving me transparent windows, Microsoft needs to make Windows impenetrable to spyware without the help of half a dozen spyware catchers, firewalls and adware monitors. If an operating system can't provide basic security, then what good is it anyway?
A huge percentage of the traffic in the internet's tubes goes through a limited number of systems and providers. They might start doing their part too.
And before you lazy bastards who are making a living at "internet security" tell me "you don't know anything about internet security"... You are goddamn right I don't know anything about internet security, and I have no interest in learning. In fact, I own a house and I don't know anything about motion detectors or satellite surveillance (well, actually, I do, but I shouldn't NEED to) to be able to secure my house. I lock the front door and feed my mastiff and that takes care of it.
I am getting impatient with the ever-lengthening list of security measures regular end-users are supposed to take to use the internet. And I'm way past impatient with security measures that involve giving up utility, such as "don't click on hyperlinks, type in your URLs".
Now you there, with the bad skin and "/." t-shirt. Get to work and figure this security thing out and leave me alone with your "common sense".