Security

Gartner Debunks Over-Hyped Security Threats 134

TPIRman writes "At Gartner's recent IT Security Summit, the research company's analysts identified five over-hyped security concerns. Among the supposed FUD are mobile malware, unsafe VoIP, and cracker-friendly wireless hotspots. Gartner, which has made a name for itself tracking hype, claims that irrational anxiety is holding back technologies that offer benefits greater than their security risks. A Techworld columnist argues, though, that Gartner is sending mixed messages."
  • by RobotRunAmok ( 595286 ) * on Friday June 10, 2005 @09:22AM (#12779595)
    And the hotspots less sympathetic to our racist neighbors south of the Mason-Dixon line? These are somehow more secure?

    I'm so confused...
    • by Anonymous Coward
      Actually, all of the cracker-NONfriendly wireless hotspots have relocated to the eastern perimeters of cities. Apparently, they can usually be found in luxury apartments that occupy the upper floors of various buildings.

      For some reason this causes them to be more secure.
    • Maybe they're referring to the alternative rock band. Or petroleum distillation.

      Why can't we drop the hacker/cracker nonsense and just use the word intruder?

    • The assumption that white southerners are all bigots is itself pretty bigoted.

      I've always thought it was dumb to call a malicious hacker a "cracker". It makes a hash of the whole concept of "hacking", and it just confuses non-techies. Besides, it sounds silly.

      Another word we need to get rid of: "FUD". Started out as Sun's way of saying that all criticism of Java was Microsoft propaganda. Then it became a way of dismissing anybody you disagreed with as being dishonest. Now this submitter is using it to

    • That would have been funny if you'd said "to our neighbors in Georgia". Instead you repeated and reinforced a racial and ethnic stereotype: That (all) white southerners are all racists. This ruined the joke for a lot of your readers.

      I'm inclined to assume - THIS time - that it was ignorance rather than hatred-driven intent that led to this faux pas. But please be aware of how such statements might affect others - and that the same pun is available in a non-painful form.

      By the way: If you're living in
      • Not to get into the whole "pick your entertaining, I-get-to-look-down-on-you-redneck-elite-cracker-eastern-hollywood-whitewine-beer-quiche redstate-bluestate" business, which seems sort of gratuitous and pointless in the current context (and I agree with your objections to it, BTW)

        but I was wondering what you meant by this:
        It was no accident that Darrow and Scopes were both hired by a mine manager to break the local religion, which supported the unions and provided a place where workers could meet to o

        • I assume you're talking about the Scopes trial, and this throws up heavy, heavy paranoid-misinformation alerts for me.

          Got it from a person with a history degree and labor union experience, who studied that period. This is apparently a quite well-known piece of union history - among academia, not just lore within unions.

          Check it out with your local history department if you don't believe me. (Be sure to ask someone who specializes in the history of unionization.)

          Scopes was a local High School teacher,
          • To get a few things out of the way first-
            I'm not a historian, my knowledge of the Scopes trial is limited to the movies and a few debunking articles ( I think Stephen J. Gould wrote one, can't remember the others). I've also read some of Mencken's original reporting.

            Your reply looked like it had a bit of research behind it, so I looked around a bit, not exhaustively of course.

            Here's 2 references that seem to dispute your statements:
            The first is an account by Scopes, quite interesting in that it give

      • I did not mean to imply that all southerners were bigots. (My experience has been just the opposite, actually.) I sincerely regret if the phrasing of my original post seemed as a slur.

        I am making a mental note to always go with my first instinct, which in this case was to make a "cheese" reference...

        The point of it all, for those who can't see past the allegations of bigotry, is that the continued use of the word "cracker" in an IT context when it already has so many other definitions (particularly some
    • Jimmy crack kernel and I don't care
      Jimmy crack kernel and I don't care,
      Jimmy crack kernel and I don't care,
      McAfee's gone away.
  • by Gothmolly ( 148874 ) on Friday June 10, 2005 @09:24AM (#12779611)
    From the department of wishful thinking:
    Gartner, please debunk yourself as anything other than a PHB-opinion-bolstering old boys club. I battle the Powers That Be here constantly - any proposal is met with "well what does Gartner say about it?". Take your magic quadrant, and... well, you know.
    If everyone waits for everyone else's opinion before they can make a decision, no wonder we have organizations with forms to change forms, where Dilbert stories are all true, and employees read Slashdot all day instead of working (because 50% of their projects won't go anywhere, and the other 50% of their projects are pending some approval process or another).

    Gartner is just a multiplicity of Dvoraks, all groupthinking what the Next Big Thing is.
    • It seems to me that Gartner gets paid to say stuff like this. Someone hands them a stack of studies and some cash, and tells them to "spin this and make us look good."

      The question here is whether in this case they were paid by the VoIP and mobile technology providers, to convince everyone that everything is alright and nobody needs to worry, or by the virus writers, to convince everyone that everything is alright and nobody needs to worry...
    • "If everyone waits for everyone else's opinion before they can make a decision, no wonder we have organizations with forms to change forms, where Dilbert stories are all true, and employees read Slashdot all day instead of working (because 50% of their projects won't go anywhere, and the other 50% of their projects are pending some approval process or another)."

      You work for the federal government too??


    • Yeah, I'm starting to believe that Gartner is a Microsoft funded alias for Dvorak. The shit that these guys come up with (and reverse their opinions) is absurd.

      However, Dvorak and Gartner are great flamebait stories for slashdot!
      • Please add to this list "Rob Enderle" -- of, the "Enderle Group". This one guy is a committee.

        You often see a press release with "The Enderle Group has determined that our new product is great." On the new product page, of course.

        It seems to be a lucrative job these days repeating crap.

        Overall, I do think there is an over paranoia about security on some of these wireless networks. With the poor security of major organizations that already have all your important data (like Wachovia), anyone who wanted to
    • Besides that, they're being way too optimistic.
      Often companies' setups are not as secure as they should be.
      Sometimes it's that people are too lazy. Or they're too occupied with things assigned by the powers above.
      Example:
      Company that I'm temporarily working in as a techie has approximately 80 machines, with a mix of Win2k and WinXP. I just found out yesterday that 3 of the XP machines were still running Service Pack 1a. I don't want to come across as a self-promoting bastard, but none of the IT guys here both
  • Overhype??? (Score:1, Funny)

    by jeepnut ( 887336 )
    Overhype in the computer world???? Paranoia??

    I didn't even know they existed in this world of secretarial computer experts and "computer enthusiasts".

  • Warhol (Score:4, Funny)

    by MECC ( 8478 ) * on Friday June 10, 2005 @09:25AM (#12779623)

    A "Warhol Worm" is a worm that infects all
    vulnerable machines on the Internet within 15 minutes.


    Warhol must be a new spelling for Windows...

    • Probably, they're both overhyped. Their aesthetics are similar. You take a good look at both of them and ask yourself, "Should I be enjoying this or something?".

      Bring it on Warhol fans.
  • by mattr ( 78516 )
    I didn't RTFM but no mobile malware? Just in time for the bluetooth crack mentioned the other day. Par for the course for Gartner..
    • Re:Mobile (Score:1, Insightful)

      by Anonymous Coward
      AFAIK, Verizon and other BREW carriers are immune from this. It's hard enough to intentionally get unsigned code to run:
      1. send phone to Qualcomm to be test enabled
      2. be an authenticated developer and get a test sig for that specific phone (not model, phone)
      3. connect to phone with cable and install code
      You might be able to break bluetooth enough to bypass that last step, but as shipped they don't support the object exchange profile. (at last a benefit of that)
    1. Windows
    2. Microsoft Windows
    3. MS Windows
    4. Windows(tm)
    5. Windows family products
  • by udderly ( 890305 ) on Friday June 10, 2005 @09:39AM (#12779746)
    I did not RTA, but it seems to me that your degree of paranoia should be relative to the importance of what you're protecting.

    For instance, I don't use wireless on my work network because I have a lot of confidential client information to protect. But at home I like the convenience of being able to roam the house and yard.
    • "I like the convenience of being able to roam the house and yard."...and other people like it too - especially when "you" use a VPN back into work or a laptop. They can roam your house and your yard straight into all that confidential information. :)
  • I've learned this over the last few years, the people running the show over at Gartner are nothing but world elitists that are more than happy to usher in the New World Order. They have a game plan and there's nothing we can do about it. Consider yourself nothing but cattle because that's what they consider you as. Gartner will be pushing for global RFID tagging programming for humans soon, they'll just say the benefits are similar to the global smallpox vaccine that the United Nations forced onto the w
  • So, if the developers of this new technology develop a system quickly, and with little regard for security, is it really paranoia? Yeah, new technologies are cool, but you HAVE to think about security during the design. It's fine to use things like TFTP for configs when you're doing a proof of concept, but before production release, maybe it would be good to take out the unsecured protocols?
  • by ThosLives ( 686517 ) on Friday June 10, 2005 @09:41AM (#12779761) Journal
    The summary and article talk about
    ...holding back technologies that offer benefits greater than their security risks...
    This leads to the question, "What do you mean by benefits of technology?"

    This is actually a good question, especially in light of the security risk question. I think the only way to evaluate benefits of technology is to look at how much a technology reduces the cost of living and/or how much it improves quality of living. For instance, a plow greatly reduced the cost of living for farmers - they now had to spend less time plowing for a given amount of production. The invention of air conditioning increased quality of living quite a bit. It's a little more difficult to measure just what having VOIP, for instance, gives us. VOIP doesn't really reduce the cost of living, and it really doesn't improve the quality of living compared to POTS. Perhaps it does slightly reduce the costs, if VOIP is less expensive than POTS, because that means VOIP users spend less of their "time" paying for communications.

    The risks need to be weighed against the benefit though. For instance, there's a greater risk of getting injured by a plow than by digging things by hand, but the benefit is huge. The way I think things should be examined is what is the added risk for added benefit?

    My personal assessment is that VOIP or wireless hotspots, or whatever, are not going to improve my life quality over what it is now, nor will they reduce my cost of living significantly. So, if there is *any* added security risk, it's not even in my consideration.

    • "It's a little more difficult to measure just what having VOIP, for instance, gives us. VOIP doesn't really reduce the cost of living, and it really doesn't improve the quality of living compared to POTS. Perhaps it does slightly reduce the costs, if VOIP is less expensive than POTS, because that means VOIP users spend less of their "time" paying for communications."

      Do you not see how you perfectly contradicted yourself? First you say that VOIP does not reduce cost of living, then you say it does. Make u
      • Ah, it only appears to be a contradiction, because I left out some information. Here's some clarification: Perhaps I shouldn't have said POTS, as I personally have a cell-phone only (which I got because it was cheaper, and has added benefit of no telemarketers. I pay $35 / month for cell phone.)

        I guess I should clarify that what constitutes 'quality of life change' or 'cost of living change' is different per person. My personal assessment was correct though. True, if I was paying $65 for phone and could go

    • by tgd ( 2822 ) on Friday June 10, 2005 @10:22AM (#12780086)
      Um, plows didn't reduce the time spent plowing, they created the time spent plowing. Without a plow, how are you plowing? You can't plow without a plow.

      They reduced the time spent planting, and allowed planting of fields with harder soil.
      • Used to be people would jab a little hole in the ground with a stick, put a seed in it, and move on.

        Then came plows, for cutting a giant trench to put seeds in, and then covering them over.

        Now the new thing is No till [usda.gov] farming. Basically a high tech stick poking a hole in the ground, and moving on. Cuts down on erosion, and reduces the need for fertilizer.

        Yay progress.
      • They also created all the time spent hoeing. No masses of pointlessly overturned earth, no weed problem. Not to mention that the plow creates its own need for plowing, since now you have to raise enough food for yourself and your plowhorse; and sell enough excess to cover the debt for the horse and plow.

        One seed. One hole. Works like a charm.

        Thoreau even questioned the necessity of the hole and one season simply scattered seeds on the ground. He raised enough peas to eat with enough left over to sell, le
        • In the short term, okay. But if the soil isn't turned under between seasons in production, how can it regenerate the nutrients that it needs to remain fertile?

          In fact, crop lands that are played out are typically planted in a 'soil food' crop and then plowed under during fallow seasons to rebuild the nutrients for later production seasons.

          "For every complex problem, there is a solution that is simple, neat, and wrong. "
          - H. L. Mencken
          • How did the plants ever manage to live before man came along to manage them?

            Naturally healthy soil does not get played out and gets turned under without the use of plows.

            Your Mencken quote is apropos. . .to the plow.

            KFG
            • "How did the plants ever manage to live before man came along to manage them?"

              The plants lived just fine. They lived, reproduced and died. What we need from them is more demanding. We need them to efficiently produce more and more food while taking up less and less farm land and consuming less and less human effort in the process.

              If you grow the same crops on the same ground repeatedly, by whatever farming methods, the nutrients are used up. Fertilizers can make up some of the difference, but elements not
              • How much human effort does it take to produce, maintain, finance and fuel a combine?

                Most of our modern agricultural methods exist only to solve a bigger problem created by our previous "solution" to a smaller one.

                Just because there is "motion" does not imply there is progress. Reasonable men do not prop up bad ideas with worse ideas.

                KFG
    • VoIP or, more specifically, packetized voice data, has allowed telcos to internally cut costs, since they don't have to have one physical wire/radio-channel or fixed-fraction-thereof to carry a voice channel. This has not only brought the costs of domestic long-distance down to the $2/hr range before taxes, but it's also allowed "clear as a bell" long distance.

      VoIP has allowed some customers to have free worldwide (where permitted by law) long distance between VoIP-equipped endpoints, and very low-cost (
  • by Old VMS Junkie ( 739626 ) on Friday June 10, 2005 @09:44AM (#12779771)
    Over-hyped? Gartner makes their living on hype generation. This is just another attempt at getting more people to subscribe to Gartner reports.
    • Well put. Gartner is often in the business of SELLING FUD as well as reporting it. Many many times Gartner has been wrong. They often re-report the hype Company X's Marketing Team tells them, without any validation. Too many managers put faith in Gartner versus doing the research before making a decision. Also, Gartner is just like Google in that you can pay to have your products "placed" in strategic locations or described with certain key words designed to attract attention. Take what they say with a LOT o
  • by GGardner ( 97375 ) on Friday June 10, 2005 @09:44AM (#12779775)
    I guess this is the definition of overhyped?
  • by Anonymous Coward on Friday June 10, 2005 @09:44AM (#12779776)
    to what Gartner is saying. I have worked in the IT security arena now for almost 5 years and I have noticed this very thing. Security companies, almost without exception, hype the threats to sell their wares. They sell wolf tickets at extremely high prices when 98% of all threats can be mitigated by using good processes and common sense. Remember what Bruce Schneier keeps harping on is true: SECURITY IS A PROCESS, NOT A PRODUCT. Until people get this mantra embedded in their thick skulls, they will continue to be duped by security vendors and their own fears.
    Common sense is, unfortunately, not that common. Defense in depth security measures can be achieved without spending a lot of money. BUT... your best security is useless if the people behind it are lacking in common sense.
    • SECURITY IS A PROCESS, NOT A PRODUCT

      Sorry, but I've seen that once too often.
      Patching insecurities is a process, patching with bandaids is a neverending process. If something actually is secure, it is secure and there is no process about it. OpenBSD is uber secure. However, note that they do not make the claim without some sort of qualifier. ("Out of the box" is a qualifier. Sorry.) Secure is the ability to run an unpatched vulnerable server being attacked by competents and watching the process with a tota
  • by jc2it ( 759457 ) on Friday June 10, 2005 @09:46AM (#12779795) Homepage
    The blog referenced in the slashdot post, by George Ou, was very insightful. I don't know how many times I have heard of people implementing the MAC address filtering scheme. I always thought it was a stupid method of securing a network, because it is so simple to copy the MAC address. What I had not realized is that I could so easily find out what a specific MAC address is. I had not thought of using a sniffer for this. I always assumed physical security would need to be breached to determine the MAC address of a preferred client. It makes sense though, for the wireless client to access a wireless AP they must broadcast the MAC address.
    • Of course, if you use access point hiding, WEP, MAC filtering, AND boot the Access Point at exactly 1 minute after midnight on Friday 13th on a leap year when the moon is full and in via combusta, the combined protective scheme makes the Access Point mysteriously unhackable.

      (before you mod this down, it's true. It's on Wikipedia!)
  • Summary (Score:2, Informative)

    by 823723423 ( 826403 )
    [1]
    Gartner analysts project that through 2007, the Internet will meet performance and security requirements for all business-to-consumer traffic, 70 percent of business-to-business traffic and more than half of corporate wide area network (WAN) traffic.

    [2]
    "Enterprises that diligently use security best practices to protect their IP telephony servers should not let these threats derail their plans," Mr. Orans said.
    • So, based on [1] we can expect that the Internet will NOT meet performance and/or security requirements for 30 percent of B-to-B traffic? If true that IS scary. Of course the network itself can be quite secure, just the bozo's servers on the other end are easily hacked and the data stolen there. You mean people PAY to get [2]? That is just common sense!
  • whaaaat? (Score:2, Interesting)

    by ohzero ( 525786 )
    Gartner debunked something? When did they become objective? This is the same Gartner that i've heard say "and for this consulting engagement price, i'm sure that our findings would favor your solution." Please. Any "research" they've done is obviously either just a mish mash of other people's findings, or it's sponsored by a vendor.
  • WTF!?!?!? (Score:2, Insightful)

    by Anonymous Coward
    This is one of the most irresponsible statements I have ever heard.

    1. VoIP is UNSAFE!
    While Gartner contends that VoIP is safe because it is protected like all other data on the LAN, they fail to realize or point out that public internet usage of VoIP has now exceeded that of corporate use thanks to the likes of Vonage, SpeakEasy, Time Warner and Verizon who all offer internet based VoIP to millions of subscribers. These subscribers ARE vulnerable to eavesdropping but, more importantly, they are vulnerabl
    • Regarding your VoIP hype: Go try and turn off my phone service... Regarding WiFi Hotspots: What is the point in encrypting the WiFi link, when the whole public internet is unencrypted? To work, encryption must be end to end and who needs general browsing to be encrypted anyway? It will just slow things down. Encryption on public hotspots is plain stupid.
      • Re: Re: WiFi Hotspots: The point in encrypting the WiFi link is that it's relatively easy to effect a man-in-the-middle type of attack in an unwired environment. While I don't think that most users require encryption for their bulk internet use, at least the logon procedure should be properly protected. The only reason that I mention this is that the grandparent specifically mentioned phishing attacks and encryption is necessary ( but not sufficient ) to mitigate them.
        • I'm not sure, but I think SSL protects against that concern and any important online activity should be via some form of VPN, be it as simple as HTTPS or as complex as IPSEC.
          • I think that we're saying the same thing. Properly implemented SSL can provide the authentication protection in the absence of critical client software flaws and provided the end user takes the time to verify that they're connected to the site that they think they're connected to.
      • A public hotspot needs some sort of encryption with a guest. You may not be doing anything important, but what most people do on the web is check email. A login, or an important bit of info can get grabbed.

        The only reason this is not an issue is that there aren't a lot of crooks taking advantage of it. But let this become a widespread utility of business by people thinking "the security issue is overhyped", and then you only have people reacting after they have been badly stung.

        I can easily see a lot of c
        • No, if you are a biz traveller and check your email, you should establish a VPN session to your corporation, or use a webmail service with https capability. The point is that if a crook really wants to get your data, then half-assed security measures are not going to help the least bit.
    • 1. VoIP is UNSAFE!

      How are you defining "unsafe"? There are security concerns, yes, but your tone is a bit shrill. Especially regarding eavesdropping, which is actually *harder* to accomplish in a VoIP environment, even when that environment includes the public internet.

      With POTS, tapping only requires a "buttset" (available at Home Depot) to clip onto your line anywhere between your home and the nearest pole or pedestal, for a third party to be able to listen freely. Or they could use a cheap RF scann
  • "Gartner, which has made a name for itself tracking hype"

    Shouldn't this really be, "Gartner, which has made a name for itself CREATING hype"?

  • by GodBlessTexas ( 737029 ) on Friday June 10, 2005 @10:22AM (#12780093) Journal
    Last year, the only security training my company's Infosec director and manager took was to Gartner's Security Conference, but only because they paid for everything including travel and hotel costs because attendance is always low. When my boss got back, and she's not exactly a security expert by any sense of the word, she said it was horrible. That says a lot coming from someone as ignorant of security as her. She said people would show up, the presentations would start, and over the next hour or so people would file out the doors and never return. She said the rooms ended up being less than 10% full by the end of the talks because no one wanted to hear them.

    This company, which I left recently, based all of their decisions on Gartner's Magic Quadrant. Of course, it was always funny doing the conference calls with their analysts to discuss technologies we were interested in, and they could never go beyond the script they had prepared for the call. When my boss wanted to buy some form of HIDS, they basically did a call on why we should purchase Symantec's new product over Symantec's older product. Never mind that there were better products from their own literature. The guy couldn't answer any question about the product that wasn't on the literature he'd sent or was reading from. It was depressing, because his opinion mattered more to my management than the opinions of those who would be using and monitoring the software and knew what our requirements were.
  • by Anonymous Coward
    The message is clear: Pay us and we will report anything you want.
  • Aren't They? (Score:3, Interesting)

    by Comatose51 ( 687974 ) on Friday June 10, 2005 @11:05AM (#12780544) Homepage
    Aren't they the same group of people who fired someone for suggesting that people switch to Firefox from IE because IE wasn't secure? This was before SP2 was out I believe. Maybe they thought that was hype too... A group that fires someone for speaking the truth makes me question their qualification as consultants.
  • We're often blamed for over-hyping things, and sometimes with justification. However, there is under-hype as well: there are issues out there which are much less secure than people think.

    One example is VPNs. Seen by most as improving security, and uncrackable due to strong encryption, but poor config and vendor flaws often make them the easiest way in.

    Some of the things I've seen, even with large financials, are downright scary. This link gives some examples of the problems: http://www.nta-monitor. [nta-monitor.com]

  • ...I'm sure they would have said that the need for lifeboats had been overhyped. By greedy lifeboat companies trying to spike sales.
  • If they've had valid opinions, I haven't heard them. So if Gardner pans something, I'll consider that it's plausibly something good.

    OTOH, I must admit that most of what they talk about is just of zero interest to me whether what they claim is right or wrong...so in those cases I just assume they are wrong. It hasn't hurt me yet. (N.B.: Presume does not mean that I believe something, merely that I consider it more probable than not.)
  • It is important to honestly state the risks of new technology.

    True, having an honest assessment may delay rollout of new technologies and may cause others to be abandoned because the vendors think the payoff won't be as great if they expect to have only 10 million customers instead of 20 million in the time before the tech is obsoleted, but in the long run this is better than the technological equivalent of thalidomide [nih.gov].

    The bottom line:
    If risks are properly understood, those who can afford to take the risks wi
    1. I could buy an Armani suit and an MBA from a second-rate school and my customers would think that I possessed the Wisdom of the Ages.
    2. No obligation to actually know what I was talking about or even be consistent. I could say anything I want, say something completely contradictory in six months, and they still would think I possessed the Wisdom of the Ages.
    3. No messy problems of actually making stuff work.
    4. Stock manipulation.
    5. I wouldn't even have to think of five real reasons.
  • The problem with all of these reports is that someone in senior management will read "wireless LAN insecurity overhyped" without understanding the context, go down the local PC store, buy some consumer wireless router, plug it into the network and when the security guys complain, they point to the Gartner article.

    We get this everyday at work. What (at least our) senior management guys don't understand is that it's possible to implement virtually anything, but there's a stupid way of doing it (with big secu
  • Anything Gartner (or any other analyst company) says is bought and paid for by someone.

    Ignore them the same way and for the same reasons that you don't watch the shopping channels: They are peddling over-priced garbage that you don't need.

  • What about Iraq? Oh, wait - we made sure that Iraq would be a threat, after creating its myth. Dreams really do come true, with a $2.5T budget!
  • Wireless access points are pretty easy to create a man in the middle attack. Want to know how? Create an access point that mimics a corporate wireless access point that will take a user log in and redirect them to the real access point they are trying to connect to and pass their MAC and login to the next access point. Most people won't check the authenticity of their access point so as long as they can log in and get to the network, they won't think a single thing is different.

    You now have their login,
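The two posts above (the consumer router plugged into the network, and a look-alike access point advertising the corporate network name) both describe access points that should not be there. Below is an added example, not from this thread, Gartner or George Ou's blog, of the defensive check a network team would run over wireless scan results: compare what is seen over the air against an inventory of authorised access points and flag impersonation of the corporate SSID, security downgrades on known APs, and unknown open or WEP APs that may be a consumer router. The inventory, SSID names and scan records are constructed for the example.

```python
"""Rogue access point check over constructed Wi-Fi scan records (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Finding = Tuple[str, str, str]  # (severity, bssid, message)


@dataclass(frozen=True)
class ScanRecord:
    bssid: str      # radio MAC address of the AP as seen over the air
    ssid: str       # advertised network name
    channel: int
    security: str   # "WPA2", "WEP" or "OPEN" in this example


# Constructed inventory: what the corporate wireless network is supposed to be.
CORP_SSID = "CORPNET"
AUTHORISED = {
    "00:11:22:aa:bb:01": ("CORPNET", "WPA2"),
    "00:11:22:aa:bb:02": ("CORPNET", "WPA2"),
}
WEAK = {"OPEN", "WEP"}


def normalise_mac(mac: str) -> str:
    """Scanners print MACs in mixed case and with ':' or '-' separators."""
    return mac.strip().lower().replace("-", ":")


def classify(rec: ScanRecord, authorised=AUTHORISED, corp_ssid=CORP_SSID) -> Optional[Finding]:
    """Return a finding for one scan record, or None if it looks expected."""
    bssid = normalise_mac(rec.bssid)
    if bssid in authorised:
        exp_ssid, exp_sec = authorised[bssid]
        if rec.ssid != exp_ssid:
            return ("medium", bssid, f"authorised AP advertising unexpected SSID {rec.ssid!r}")
        if rec.security != exp_sec:
            return ("medium", bssid, f"authorised AP security changed from {exp_sec} to {rec.security}")
        return None
    # Unknown BSSID using the corporate name: the look-alike AP from the post above.
    if rec.ssid == corp_ssid:
        return ("high", bssid, f"unknown AP impersonating {corp_ssid!r} ({rec.security}, channel {rec.channel})")
    # Unknown open/WEP AP nearby: a candidate for the consumer router plugged into the LAN.
    if rec.security in WEAK:
        return ("low", bssid, f"unknown weakly secured AP {rec.ssid!r} ({rec.security}); check for a wired uplink")
    # Anything else is most likely a neighbour's network and not actionable from the air.
    return None


def scan_findings(records: List[ScanRecord]) -> List[Finding]:
    """Classify every record and order findings by severity (stable within a level)."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in (classify(r) for r in records) if f is not None]
    return sorted(findings, key=lambda f: order[f[0]])


# Constructed scan results for the example run.
SAMPLE_SCAN = [
    ScanRecord("00:11:22:AA:BB:01", "CORPNET", 6, "WPA2"),     # expected
    ScanRecord("de:ad:be:ef:00:01", "CORPNET", 11, "OPEN"),    # look-alike AP
    ScanRecord("00:11:22:aa:bb:02", "CORPNET", 1, "WEP"),      # known AP downgraded
    ScanRecord("c0:ff:ee:00:00:07", "linksys", 6, "OPEN"),     # possible consumer router
    ScanRecord("12:34:56:78:9a:bc", "NEIGHBOUR", 1, "WPA2"),   # somebody else's network
]

if __name__ == "__main__":
    for sev, bssid, msg in scan_findings(SAMPLE_SCAN):
        print(f"[{sev.upper():6}] {bssid}  {msg}")
```

The check keys on the BSSID rather than the SSID because the SSID is whatever the rogue AP chooses to advertise; an over-the-air scan still cannot tell whether an unknown open AP is actually plugged into the corporate LAN, which is why the "low" findings need a wired-side check (switch port inventory or 802.1X) to confirm.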
  • our company produces a software product that is evaluated along with our competitors, by gartner ... the magic quadrant and all that. we paid over $10k for a gartner consultant to spend ONE DAY with us and tell us about the shape of the industry. from what i can gather, there was very little truly useful information exchanged.

    this consultant is the same fellow that will be reviewing our product later on in the year. it's not that our company is doing anything underhanded, that's just the way it works with
