Antivirus Inventor Says Security Pros Are Wasting Time
talkinsecurity writes "Earlier this week Peter Tippett, chief scientist at the ICSA and the inventor of the program that became Norton Antivirus, had some interesting things to say about the state of the security industry. In a nutshell, Tippett warned that about a third of the work that security departments do today is a waste of time. Tippett goes on to systematically blow holes in a lot of security's current best practices, including vulnerability research/patching, strong passwords, and the product evaluation process. 'If a hacker breaks into the password files of a corporation with 10,000 machines, he only needs to guess one password to penetrate the network,' Tippett notes. 'In that case, the long passwords might mean that he can only crack 2,000 of the passwords instead of 5,000,' he said. 'But what did you really gain by implementing them? He only needed one.' Some of his arguments are definitely debatable, but there is a lot of truth to what he's saying as well."
Re:chicken egg? (Score:3, Informative)
Valid points from article (Score:5, Informative)
2) You're only as secure as your weakest password. We knew that.
3) This guy shouldn't talk about seatbelts.
Re:chicken egg? (Score:2, Informative)
No. The /etc/passwd file does not actually contain passwords, despite the name. It used to (hence the name), but hasn't in a while, since letting people read the hashes lets people brute-force the passwords a lot more easily (basically, hash every word in the dictionary, save it in a file, and compare those hashes against the one in the password file --- though this is less effective if salting [wikipedia.org] is used).
From my password file:
That "x" after the first colon indicates that the password is stored elsewhere --- in /etc/shadow, which is not world-readable:
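The two points in this comment, the "x" placeholder in /etc/passwd and why per-user salting blunts a precomputed dictionary of hashes, shown as an added Python example (not from the commenter or the original page). The passwd lines and the word list are constructed, and SHA-256 stands in for the crypt-style hash a real /etc/shadow uses.

```python
import hashlib

# Constructed /etc/passwd entries in field order name:pw:uid:gid:gecos:home:shell.
# The first is the modern layout ("x" points to /etc/shadow); the second imitates the
# old layout with a hash left in the world-readable file (placeholder value, not a real hash).
PASSWD_LINES = [
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
    "legacy:$1$CONSTRUCTEDSALT$CONSTRUCTEDHASH:1001:1001::/home/legacy:/bin/sh",
]

def password_field_exposed(passwd_line):
    """True if the second field holds anything but the shadow placeholder / lock markers,
    i.e. a hash is sitting in a file every local user can read."""
    return passwd_line.split(":")[1] not in ("x", "*", "!")

def precomputed_table(wordlist):
    """The table the comment describes: hash each dictionary word once, index word by hash.
    This is the work an attacker wants to do once and reuse across every stolen file."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}

def hash_unsalted(password):
    """Unsalted storage: identical passwords give identical hashes across all users and systems."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password, salt):
    """Salted storage: a per-user random salt is mixed in and stored beside the digest
    (salt$digest), so a single precomputed table cannot cover every user at once."""
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()

def table_lookup(stored, table):
    """Look the stored digest up in the precomputed table; None means the table missed.
    For a salted entry only the digest part after '$' is looked up."""
    return table.get(stored.split("$")[-1])

def salts_differ(password, salts):
    """Same password under different salts must never collide in storage."""
    return len({hash_salted(password, s) for s in salts}) == len(salts)
```

Against a salted entry the table misses even when the password is in the word list; the attacker has to redo the hashing per salt, which is exactly the cost salting adds.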
Re:What did I gain? (Score:3, Informative)
The problem is management (Score:3, Informative)
"Attack trees" by Bruce Schneier (Score:5, Informative)
Bruce also wrote about "attack trees". Having long passwords ONLY helps if the attacker has unlimited access to crack them. A simple WordNumberWord combination can give you enough security as long as each login attempt is noted and tracked.
If there is a 15 minute delay between every 3 attempts to login, and a HUMAN reviews the logs every work day, your online security should be sufficient.
You only need the 1024-bit security when the attacker can download the file and crack it at his leisure. But then, the failure is that you did not prevent the attacker from downloading that file.
There will ALWAYS be some risk. What's to stop the attacker from kidnapping your CEO's daughter and demanding that he let the attackers use his laptop to access your databases? The key is REDUCING the threat. If 99.99% of the attackers out there are not skilled enough or motivated enough to get through your security, are you "secure"?
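The online-guessing policy this comment proposes (at most 3 attempts, then a 15-minute wait, plus a daily human look at the logs), as an added Python example that is not part of the original comment. It applies the throttle to a constructed stream of login events, produces the per-account summary a reviewer would read, and works out how many guesses per day the policy leaves an online attacker against a WordNumberWord space of an assumed size.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 15 * 60   # the comment's 15-minute delay
MAX_ATTEMPTS = 3           # ... after every 3 attempts

# Constructed login events: (timestamp in seconds, account, password_was_correct).
EVENTS = [
    (0, "alice", False), (10, "alice", False), (20, "alice", False),
    (30, "alice", True),     # correct, but 4th attempt inside the window: refused
    (920, "alice", True),    # window has expired: evaluated normally
    (5, "bob", True),
]

def apply_throttle(events, window=WINDOW_SECONDS, limit=MAX_ATTEMPTS):
    """Allow at most `limit` attempts per account per rolling `window` seconds.
    Attempts beyond that are logged as 'delayed' and never evaluated, so a correct
    guess inside a lockout gains the attacker nothing. Returns (ts, user, outcome)."""
    recent = defaultdict(deque)
    log = []
    for ts, user, correct in events:
        q = recent[user]
        while q and ts - q[0] >= window:
            q.popleft()                      # forget attempts older than the window
        if len(q) >= limit:
            log.append((ts, user, "delayed"))
            continue
        q.append(ts)
        log.append((ts, user, "ok" if correct else "fail"))
    return log

def daily_review(log):
    """Per-account counts for the human reviewer: repeated 'fail'/'delayed' entries
    are the signal that someone is guessing online."""
    summary = defaultdict(lambda: {"ok": 0, "fail": 0, "delayed": 0})
    for _, user, outcome in log:
        summary[user][outcome] += 1
    return dict(summary)

def guesses_per_day(window=WINDOW_SECONDS, limit=MAX_ATTEMPTS):
    """Upper bound on online guesses against one account per day under the policy."""
    return limit * (86400 // window)

def days_to_exhaust(dictionary_size, digits):
    """Days to try every Word+Number+Word combination online, given a word list of
    `dictionary_size` entries and a `digits`-digit number (sizes are assumptions)."""
    space = dictionary_size * (10 ** digits) * dictionary_size
    return space / guesses_per_day()
```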
Re:chicken egg? (Score:2, Informative)
By the time an attacker has the hashes, the game is essentially over! Do you think a 10 character password is really going to be that much weaker than a 14 character password in the situation where an attacker does *not* have hashes? (And simple controls such as account lockout features are enabled?)
I think Tippett would prefer passwords to be only complicated enough that they aren't susceptible to brute forcing when account lockout features are in place. His point is that anything past that is not netting you any practical security gain, and I think he's dead on.
I've heard the speech that this article is referring to and I have to tell you, it's pretty interesting. He talks a lot about trying to take a more practical approach to security, especially security research. Asking questions like "in a given environment, which controls result in an appreciable difference in security?" "Does updating virus signatures quarterly vs. monthly vs. weekly vs. daily make a difference?" Putting aside how you answer such questions (it's not an impossible task) I have to admit that the answers themselves are relevant!
One of Tippett's messages he stresses in this talk is that the security industry does things differently than other industries and it doesn't make sense. He draws a lot of comparisons to the medical industry because he is a medical doctor as well. In medicine, when we want to know how effective something is, we study it, we design trials, we examine the effects in the field. In security, we tend to go straight from the theoretical realm, debating ideals and their implications, straight to hard and fast rules, without the testing in between. We do ourselves a disservice by doing so. Straight from thinking "Antivirus updates are important and need to take place daily" to a general belief that "if you don't update daily, you are stupid, and insecure" without the in-between step of asking "Does updating virus signatures quarterly vs. monthly vs. weekly vs. daily make a difference?"
If you manage to crack that, try it at 127.249.17.156
Re:PBKAC (Score:2, Informative)