The Myths of Security 216
brothke writes "The Myths of Security: What the Computer Security Industry Doesn't Want You to Know is an interesting and thought-provoking book. Ultimately, the state of information security can be summed up in the book's final three sentences, in which John Viega writes that 'real, timely improvement is possible, but it requires people to care a lot more [about security] than they do. I'm not sure that's going to happen anytime soon. But I hope it does.'" Read on for the rest of Ben's review.
The reality is that while security evangelists such as Viega write valuable books such as this, it is for the most part falling on deaf ears. Most people don't understand computer security and its risks, and therefore places themselves and the systems they are working in danger. Malware finds computers to load on, often in part to users who are oblivious to the many threats.
| The Myths of Security: What the Computer Security Industry Doesn't Want You to Know | |
| author | John Viega |
| pages | 260 |
| publisher | O'Reilly Media |
| rating | 8 |
| reviewer | Ben Rothke |
| ISBN | 978-0596523022 |
| summary | A contrarian provides an interesting look at the information security industry |
Much of the book is made up of Viega's often contrarian views of the security industry. With so much hype abound, many of the often skeptical views he writes about, show what many may perceive are information security truths, are indeed security myths.
From the title of the book, one might think that there is indeed a conspiracy in the computer security industry to keep users dumb and insecure. But as the author notes in chapter 45 — An Open Security Industry, the various players in the computer security industry all work in their own fiefdoms. This is especially true when it comes to anti-virus, with each vendor to a degree reinventing the anti-virus wheel. The chapter shows how sharing amongst these companies is heavily needed. With that, the book's title of What the Computer Security Industry Doesn't Want You to Know is clearly meant to be provocative, but not true-life.
The book is made up of 48 chapters, on various so called myths. Most of the chapter are 2-3 pages in length and tackle each of these myths. The range of topics covers the entire security industry, with topics spanning from various security technologies, issues, risks, and people.
While not every chapter is a myth per se, many are. Perhaps the most evocative of the security myth is chapters 10 — Four Minutes to Infection and chapter 22 — Do Antivirus Vendors Write their own Viruses?. But the bulk of the book is not about myths per se, rather an overview of the state of information security, and why it is in such a state.
In chapter 16, The Cult of Schneier [full disclosure — Bruce Schneier and I work for the same company], Viega takes Schneier to task for the fact that many people are using his book Applied Cryptography, even though it has not been updated in over a decade. It is not fair to blame him for that. While Viega admits that he holds Schneier in high esteem, the chapter reads like the author is somehow jealous of Schneier's security rock star status.
Chapter 18 is on the topic of security snake oil, ironically a topic Schneier has long been at the forefront of. The chapter gives the reader sage advice that it is important to do their homework on security products you buy and to make sure you have at least a high-level understanding of the technical merits and drawbacks of the security product at hand. The problem though is that the vast majority of end-users clearly don't have the technical wherewithal to do that. It is precisely that scenario that gives rise to far too many security snake-oil vendors.
Perhaps the best chapter in the book, and the one to likely get the most comments, is chapter 24 — Open Source Security: A Red Herring. Viega takes on Eric Raymond's theory of open source security that "given enough eyeballs, all bugs are shallow." Viega notes that a large challenge with security and open source is that a lot of the things that make for secure systems are not well defined. Viega closes with the argument that one can argue open versus closed source forever, but there isn't strong evidence to suggest that it is the right question to be asking in the first place.
Overall, The Myths of Security: What the Computer Security Industry Doesn't Want You to Know is good introduction to information security. While well-written and though provoking, the book may be too conceptual and unstructured for an average end-user, and too basic for many experienced information security professionals. But for those that are interested, the book covers the entire gamut of the information security, and the reader, either security pro or novice, comes out much better informed.
While the author makes it clear he works for McAfee, and at times takes the company to task; the book references McAfee far too many times. At times the book seems like it is an advertisement for the company.
Viega does give interesting and often entertaining overviews of what we often take for granted. Some of the books arguments are debatable, but many more are a refreshing look at the dynamic information security industry. Viega has sat down and written his observations of what it going on. They are worth perusing, and the book is definitely worth reading.
Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know .
You can purchase The Myths of Security: What the Computer Security Industry Doesn't Want You to Know from amazon.com. Slashdot welcomes readers' book reviews — to see your own review here, read the book review guidelines, then visit the submission page.
Myths of Security? (Score:3, Interesting)
Re:Myths of Security? (Score:5, Funny)
There are no myth's of security
Sorry, but I'm going to have to send you to Bob's office [angryflower.com].
Re: (Score:2)
What's with the Day of the Triffids escapee? That flower looks mean.
Re: (Score:2)
Also, "there are algorithms"
Re: (Score:2)
I feel both you, and Bob, could do with a little perspective [motivatedphoto.com].
Re: (Score:2)
I think the OP meant to say "There are no myth is of security" =)
Re: (Score:2)
Your comment isn't very intelligible. Are you confusing cryptography with computer security, perhaps?
Re: (Score:2)
Buffer overflows aren't about whether an algorithm can be "reversed," and there is a hell of a lot more to infosec than crypto and buffer overflows.
Re: (Score:2)
It is, at least in theory, possible to make a program with no buffer overruns at all. Now in practice, the probability of such a thing is too low to consider.
Also, see Quantum cryptography [wikipedia.org].
Re: (Score:3, Insightful)
Re:Myths of Security? (Score:4, Insightful)
There are no myth's of security, just the myth of security itself. Modern computer security is based on the fact that their are algorithms that no one knows how to reverse quickly. Doesn't mean that they can't be reversed however...
I disagree.
There are many security myths that have made it into company policy etc...
For-instance the idea that forcing all staff in a mid sized to large company to update their passwords every months or two is somehow more secure than allowing them to keep the same password indefinitely.
In practice, this causes them to use simpler passwords that just barely make whatever limits are imposed (I.e. a single number and one capital letter) and to rotate throgh slight modifications of this weak password.
Password#1
Password#2
Password#3
Etc...
Or worse yet. Some just write down the password in a place that's easy to find.
As for those Algorithms. Sure they can be broken. As long as you update them faster than the old ones are broken you should be fine. What bugs me though is when a single bug in an OS is exploited by a thousand different bits of malware and instead of fixing the bug we have a dozen antivirus vendors producing a detector for each of the thousand bits of malware.
Re: (Score:3, Insightful)
"What bugs me though is when a single bug in an OS is exploited by a thousand different bits of malware and instead of fixing the bug we have a dozen antivirus vendors producing a detector for each of the thousand bits of malware."
Which in turn makes my machine run like it's running malware and requires an additional core just to handle all the "security" software I have installed.
Re: (Score:2)
What computer is this on? I'd like to pen test it...
Re: (Score:2)
Re: (Score:2, Insightful)
Your statement, that's a myth, one of many. Sure, there is no ABSOLUTE security, but nobody claims that. There is no absolute physical security either- with enough resources anything can be stolen and anybody can be killed. It's the understanding of how secure you are in any given situation and how to improve your chances of staying safe (in virtual or real worlds) is what defines security and surely, that exists.
Re: (Score:2)
But with physical attacks, the attacker must make the effort to get physically close to you. Even in large crowds this means only a few potential attackers.
On the internet, by contrast, anybody can attack your system. That's several millions of potential attackers. The probability that you are under attack is close to 100%.
WTF? (Score:2)
Re: (Score:2)
First off, there are cryptographic protocols which don't involve one-way-functions. Consider one-time-pad, for example.
Secondly, the bigger mistake you're making here is presuming that a lack of absolute security is a lack of security. Security isn't a binary predicate: something that you have or don't have. You could just as easily argue that you don't have any security because there are human being who run the programs and control authorization and human beings are fallible. Really, the lack of crypto
The greatest myth of security... (Score:3, Interesting)
It can protect you (Score:5, Insightful)
If it raises the cost of hurting you to higher than the adversary is willing to spend, it protects you.
The trick is knowing how much security is worth paying for.
If the adversary is willing to spend $1000 to attack you, and you have to spend $100 a month to raise the cost of an attack to $1001, and if a successful attack will cost you $1 and the number of successful attacks will be 1 per decade because face it, you don't have much to offer, then it's not cost-effective. On the other hand, if an adversary is willing to spend the same $1000 and it will cost you the same $100 a month to make yourself too expensive to attack, but each breach will cost you $500 and there will be about 1 breach per month if you don't invest, then suddenly things look different.
Re: (Score:2)
In contrast, far too many people feel that better camouflage is the only solution.
(And far too many people think that reincarnation is the only solution... Have I taken this analogy a bit too far?)
Re: (Score:2)
Most people simply don't think about security (Score:5, Insightful)
Re: (Score:2, Insightful)
I try to educate people carefully and non-confrontationally every chance I get. It's an uphill battle, but one I think is worth fighting.
Re:Most people simply don't think about security (Score:5, Insightful)
Re: (Score:2, Interesting)
...You just can't preserve the user's freedom while doing so....
Apple has found out about this and has implemented their app store as the only legitimate place to download software for the iPhone that has been filtered and approved. This does limit the users freedom, but it's about the best security that can be had in any computer system. I hope that they will extend the system to the Mac sometime soon.
Re:Most people simply don't think about security (Score:4, Insightful)
Re: (Score:3, Insightful)
Now, getting people to cheer them for it is something that only one of the Steves can manage.
Re: (Score:2)
Re: (Score:2)
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
I think your sig is a more valid contribution to the discussion than your comment... You can toss as many security obstacles on a computer as you can, but if your end user is a knuckle-dragger who loves his FREE PR0N! and VI@GR4, then your attempt at security is wasted.
Re: (Score:2)
....then your attempt at security is wasted....
Well yeah, for those users who don't care about security. However, the majority of iPhone and iTouch users DON'T jailbreak their gadgets, because they do care about security or maybe they are just too lazy to care. The vast majority of users would be content to get guaranteed secure solutions on their Macs, just like they get on the iPhone. The small minority of the rest, especially /.ers, would of course figure out how to load lots of pron and other malware on
Re: (Score:2)
The idea that people buy stuff from spam is a myth rooted back when spammers were small time chumps. Modern spam operations are basically a component of organized crime funded by some mafia or big government. These people don't make money off Pr0n or V1@gr4, they make money off pump and dump schemes and fucking with government and private computer systems.
Re: (Score:2)
"Think about how careless the median person is. Now, realise that half of them are carelesser than that." - George Carlin amended
Strangely I had just finished reading a PDF by Allison Randall about tagmemics when I stumbled across the line
A security model that allows users to be their usual flaky selves and still work reasonably well is what's called for.
Now, finally, I understand etic and emic.
And yet, most linux distros are an app-store (Score:2)
You think a the mythical "normal joe" is ever going to go "outside the box" and install stuff that isn't in the Ubuntu repository? I doubt it. If Ubuntu suddenly had 50% market share, 49.5% of that market would be installing applications only from the repository.
Re: (Score:2)
I can't think of a single Windows user who wishes that Microsoft controlled access to every piece of hardware or software that would ever plug into a Windows machine, or who would be happy to pay Microsoft for that right. All I can say is, "Wow".
I can't think of many that would care. Most of them would probably consider it convenient. After all a fair number of those very same people manage to hose their machines with worrying regularity. And that's among both home and corporate users.
I know I'd love it if Microsoft set up a Linux distro style repository with some half-decent quality checking. I'd have much less work to do for people around me fixing their broken machines (even though I hardly know anything about Windows).
Re: (Score:2)
Re:Most people simply don't think about security (Score:5, Interesting)
Yeah, I think it's pretty well established that you can have good security with software that no one would buy or use by choice. A security model that allows users to be their usual flaky selves and still work reasonably well is what's called for. Hopefully people will focus on that, instead of the myth of the "educatable user".
Limiting what individual pieces software can do, rather than what the user can do, is key. Admin/root acount vs normal account is a first step, but no where near a last one, as it still requires too much user smarts. SE Linux's per-process finely-detailed jails is a great further step, but fails because it depends on a known good source of software, and only installing from there. Taking a few more steps in this direction would be real research, and profoundly improve computer security.
Thinking that the answer is to improve the user instead of the system only makes sense from a religious perspective (and even them, half the religions would disagree that this is possible).
Re: (Score:2)
SE Linux's per-process finely-detailed jails is a great further step, but fails because it depends on a known good source of software, and only installing from there.
In the broader sense, SE Linux fails because it is a fucking bear to configure and use, even for a relatively adept technical user. I can't imagine unleashing that thing on an "average" person.
Re: (Score:2)
It can't work if the user has to configure the per-process jails. The jail should come with the software, both from an authoritative source. Typical malware can only change the prcess, not the jail, so can do only limited damage (i.e., you can prove the malware could not install a rootkit). However, this ultimately fails because the malware will social-engineer the user into jailbreaking the malware. Still, that approach is better than the "root or not" model, because the finer-grained process permissio
How about this model? (Score:2)
A security model that allows users to be their usual flaky selves and still work reasonably well is what's called for.
How about this security model:
Hunt down the people who deploy malware and take them out of circulation.
Re: (Score:2)
You make some valid points, but I don't think the myth of the "educatable user" is a myth at all. There's a reason why most security experts, and AV-software vendors, emphasize the need for educating users. It's not to deflect responsibility from the software. It's not to undermine their own business model. It's because you need, both, reasonably secure software and reasonably educated users. Sure, you can't expect users to be perfect; even the security experts themselves are fallible. But without basic use
Re: (Score:2)
Yeah, I think it's pretty well established that you can have good security with software that no one would buy or use by choice.
Somehow that makes me think of the name "Theo". I don't know why. Must be some coincidence. ;-)
Re: (Score:2, Insightful)
Re: (Score:2)
Most SHOULD NOT think about security... (Score:5, Interesting)
It is a great failing in our industry that its viewed as a problem that "most don't think about security".
Rather, the problem is that we haven't constructed systems such that people don't have to think about security. The best security systems are so unobtrusive and unnoticable that people should not think about them.
EG, a good succes story is the modern car key. 10-20 years ago, it was trivial to steal a car. You break the steering lock, put two wires together, and drive off. We had horrible cludges like "the Club", and people had to think all the time about it, in theory.
Now our carkeys have RFID transponders which are cryptographically keyed to the car's computer. It is vastly harder to steal a modern car (either bring a tow truck or swap the computer), but the actual cognitive load for most people is vastly less. You do the same thing you did before, but now your new car is far more secure.
Re:Most SHOULD NOT think about security... (Score:4, Insightful)
Re: (Score:3, Interesting)
Re: (Score:2)
If you are smart enough, organized enough and motivated enough to clone RFIs, you probably won't steal cars though. Instead you might use your skill to, say, gain physical access to somebody's point-of-sale system and steal a few thousand credit card numbers.
Re: (Score:3, Insightful)
Many of the run-of-the-mill infections are based as much on misplaced trust ("I wanna see dancing bunnies") as they are on weaknesses in the system itself. And trust isn't something a compu
Re: (Score:2)
Re: (Score:2)
As in, when I give my keys to the valet, I have to trust that he actually works for the hotel and isn't just going to go for a joyride when I step in the door.
Or that he does work for the hotel but still won't just go for a joyride.
Re: (Score:2)
"It is a great failing in our industry that its viewed as a problem that "most don't think about security".
Rather, the problem is that we haven't constructed systems such that people don't have to think about security. The best security systems are so unobtrusive and unnoticable that people should not think about them."
Strictly speaking about IT security systems, I agree, security systems should be much more "automagic" then they are today. But if you're relying on an IT system for security you're already
Re: (Score:2, Funny)
Fixed that for you.
Re: (Score:2)
Another problem is that security often comes with a trade-off to accessibility.
Another problem is that security comes at the expense of "free shit." People just love to load up their computers with screensavers, smilies, banzai buddies, cracked software ... doesn't matter that they'll never actually use 90% of it.
"What do you mean I don't know where that software came from? It came from the website where I downloaded it ..."
Re: (Score:2)
You cannot make hundreds of millions of users care about computer security. Until there is a direct, provable correlation between their actions and a loss they feel, people won't care. Until there is an exploit where they click on WebObjectX and money disappears from their bank account, people will not care.
But such exploits do exist! (Keyloggers)
Common Problem (Score:3, Insightful)
Re: (Score:2)
Yes. And this raises the question of what issues can't. What are the issues we should postpone, because they only require some polish? I'd love to see a prioritized list of all the issues.
Re: (Score:2)
Security is only one of many issues that could be vastly improved if people cared more than they currently do.
I think you have identified the major problem with security: people do not care. They do not want to spend time setting up a firewall, evaluating sites, or patching a system. They want a computer to be like a toaster: you take it out of the box and it works right away. And it keeps working with no intervention. Until computers get to that point it will be a continual problem.
Re: (Score:3, Insightful)
The problem is that when computers get to that point, they won't do what you want, they'll do what *they* (and the people who made them) want.
Re: (Score:3, Insightful)
The problem is that when computers get to that point, they won't do what you want, they'll do what *they* (and the people who made them) want.
I think that is one of the big hurdles for Linux adaption in mainstream society. People don't want an O(1) scheduler. They don't want nifty commands. They don't to fiddle with things. They just want it to work with the least effort on their part.
Re: (Score:2)
The problem is that when computers get to that point, they won't do what you want, they'll do what *they* (and the people who made them) want.
I think that is one of the big hurdles for Linux adaption in mainstream society. People don't want an O(1) scheduler. They don't want nifty commands. They don't to fiddle with things. They just want it to work with the least effort on their part.
I know everyone here hates it, but that's what Ubuntu is for.
Re: (Score:2)
The problem is that when computers get to that point, they won't do what you want, they'll do what *they* (and the people who made them) want.
I think that is one of the big hurdles for Linux adaption in mainstream society. People don't want an O(1) scheduler. They don't want nifty commands. They don't to fiddle with things. They just want it to work with the least effort on their part.
Ironically, most major Linux distributions provide exactly that - the least effort to system maintenance, hiding the things users' really don't care about and providing what they do. uBuntu is very good about it; and I'd imaging RHEL and SLES are too.
P.S. I always wondered why Novell choose to go with SLES - it's just so easy to say as "sleaze" and doesn't make a good pnuemonic impression.
Re: (Score:2)
"They don't want nifty commands. They don't to fiddle with things. They just want it to work with the least effort on their part."
And that's not a bug in the user, it's a feature. If we're not using computers to *decrease* our cognitive load, but to increase it, then both we and the software designers are doing it wrong.
A nifty command that doesn't do what you want is not actually as nifty as it thinks it is.
Or they care, but the policy sucks (Score:2)
Perhaps the policy sucks and the people implementing the policy dont understand "security". Places that like to have you change your password once a month. Worse, websites that have you create a password with punctuation and a huge length. These things aren't secure. All they do is force people into writing the password down or saving it as a text file.
"Blame it on the user" is always a cop out. Blame it on the idiot paranoid sysadmin. Blame it on the idiot programmer who can't be assed to design a us
Re:Common Problem (Score:4, Insightful)
And yet... I'm often considered paranoid by my peers (IT and otherwise) with respect to my personal information.
Re: (Score:3, Insightful)
Part of the problem is building it in from the beginning. There is much more fun and/or marketing appeal to build in eye candy, support the latest games, multi-media capabilities, mobile devices support etc. than to design in security.
A vendor or kernel programmer group should design it in from the ground up. But there isn't really any money in it for vendors and few programmers think of it as fun. With the exception of these guys maybe http://www.openbsd.org/security.html [openbsd.org]
So in other words, many people are
Re: (Score:2)
http://en.wikipedia.org/wiki/Barings_Bank [wikipedia.org]
Barings Bank (1762 to 1995) was the oldest merchant bank in London[1] until its collapse in 1995 after one of the bank's employees, Nick Leeson, lost £827 million ($1.3 billion) speculatingâ"primarily on futures contracts.
After that, many banks implemented rules to prevent that. Some were cheap, "Make sure every employee takes at least 2 weeks vacation at a time". Some were expensive like making dozen of people sign off on every decision.
There are cheap ways to achieve the most benefit from your security dollars. There's also a lot of expensive security theater.
My Cheap and fullproof method (Score:5, Funny)
See, I have no security. Anyone can access my data. Folks come across the data and think, "There's no security. This can't be real!" I throw in some names like "Dick Hertz, Harry P. Ness, Mike Hunt, Haywood Jablowme, etc..." and the data thieves think it's bogus.
I call it "Security through rudenss."
Re: (Score:2)
# pages, including Harry V. Ness [whitepages.com]
Mike Hunt is all over Nebraska.
And of course [whitepages.com]
Do we really need to read it..? (Score:3, Insightful)
Re: (Score:3, Funny)
I think the solution is clear - we need biometrically protected stickies!
Re: (Score:2)
What I suspect many /.ers do not adequately consider is that the most ridiculously complex security systems are especially likely to be thwarted by user behavior.
The folks who design security systems need to realize that human beings are part of the system (i.e., pay attention to usability and to the peculiarities of human cognition, motiva
Evolution will produce security (Score:2, Interesting)
While I'm a big fan of security research, I think that the reason we see security lacking in most products is because there just isn't a business case for it. Most of the time, the added hassle of security development or deployment seems larger than the cost of poor or no security. As the consequences of security failures escalate, I'm sure that the market will evolve to include better security focus.
Hopefully, we'll get to that point without a wide-spread catastrophe... for example, the current "Smart Po
Thanks! (Score:5, Interesting)
Re: (Score:2)
So this book was written to educate fanboys about their bad habits? I don't need another book on security that assumes I'm an irresponsible, apathetic, zealot. Your apparent attitude has just unsold this book for me.
Re:Thanks! (Score:4, Insightful)
But, the Schneier chapter isn't meant to piss him off, I have no beef with him whatsoever. I just think the fanboys do the world a disservice by not thinking for themselves, especially when they draw from material that's a decade old.
The thing is, you're not convincing me that the book is out of date. There is plenty of material in the Internet that is over a decade old and is still relatively current. I read the Cathedral and the Bazaar [catb.org] for the first time last month, and drew a good amount of benefit from its words, even if I'm not ready to swallow it whole. The Mythical Man Month [wikipedia.org] shed quite a bit of perspective on project management in a field that our industry has fifty or so years of experience in, and yet we still do terribly at.
The principles of cryptography are still the same today as they were in the days of the Roman Empire and the Caesar Cipher, with all the bits about Alice and Bob with Mallory in the middle. Our toys are much more advanced today, and their rate of advance continues to increase, but just what is it that makes our pulling of information from a 10+-year-old book harmful?
I'm no Schneier "fanboy", and haven't actually read the book; I just genuinely want to know.
Re: (Score:2)
The field moves very fast because it is an "arms race." On that alone, i think it warrants having someone go back and re-evaluate the underlying assumptions that were in play during the last edition.
Re: (Score:2)
"On that alone, i think it warrants having someone go back and re-evaluate the underlying assumptions that were in play during the last edition."
I'm not convinced either. If the fundamental underlying assumptions of a field change completely in ten years, then surely they weren't fully understood to begin with and we shouldn't listen to what the new trendy ideas are either. Come back when you've got something to say which won't be invalidated in the next patch release.
Trends and fashions and demographics ch
Re: (Score:2)
If you even have to think like it's an arms race, you're doing it wrong to begin with.
Tell that to antibiotics, MRSA, and such...The "wrong" way is sometimes better than no way.
Trends and fashions and demographics change. Mathematical principles don't.
But that is the problem. Mathematics won't solve the security problem. Security is a people problem.
The math might not have changed. But the engineering principles are based on what is feasible on today's (+10 years) hardware. So the math behind public-key
No Need (Score:3, Interesting)
Re: (Score:2)
Re: (Score:2, Interesting)
I met John Viega at defcon and he seemed put off that people didnt know him. Hes got a chip on his shoulder - especially about Schneier - Viega doesnt have anything but derivative works to his name and knows it.
This books is basically a manifestation of his personal self esteem issues, hes making up a windmill to tilt at. If theres any myth about security - its him. Hes a hack repeating other peoples ideas to create a place for himself.
Re: (Score:2, Insightful)
This book would have been better off as a series of blog posts. At least then people wouldn't expect things like internal consistency.
Seriously, was publicly disclosing what you consider to be a harmful vulnerability two chapters after your rant about how bad full disclosure is intentional irony? Or did you just not proof read your own book?
Don't care or plain lazy? (Score:2)
I would argue that in many cases its simply laziness on the part of developers rather than not caring. Obviously people care whether their credit card number and personal information are acquired by someone with devious intentions, but when its not your data in the system and going the extra mile to implement what are sometimes even the most basic security measures in an application requires a few more hours or days of coding, many developers will just dismiss the extra work.
Case in point, SQL injection att
Re: (Score:2)
I would argue that in many cases its simply laziness on the part of developers rather than not caring. Obviously people care whether their credit card number and personal information are acquired by someone with devious intentions, but when its not your data in the system and going the extra mile to implement what are sometimes even the most basic security measures in an application requires a few more hours or days of coding, many developers will just dismiss the extra work.
Don't blame the developers, at l
Re: (Score:2)
"many developers will just dismiss the extra work."
Or it will be their managers?
What about physical security? (Score:2)
The problem is not computer security but security, period. Most physical security (locks, alarm systems) is based on obscurity, barriers to entry that are easy to leap, and overall bad design. Why would it be different for computer security?
Re: (Score:2)
Physical security and securing your Internetworked computer are actually qualitatively different issues.
Sure, your network security can be circumvented if physical access is easy.
However, ANY criminal ANYWHERE in the world can get at your insecure Internetworked computer. Furthermore, they can often do it in automated fashion with minimal risk!
Physical access, on the other hand, requires that the criminal show up in person. That vastly limits his scope for criminal behavior and vastly increases his risk.
Just stole the book (Score:2)
From the book: "Even though I recently retired from McAfee, I still believe it is doing far better than the rest of the security industry for a few core reasons."
Google "Who is John Viega" I get this: John Viega is CTO of the SaaS Business Unit at McAfee and the author of many security books, including Building Secure Software
Sorry folks, but I don't believe that McAfee is the end-all and be-all authority on security. I'll read the book, and see what I can learn, but McAfee and I go back a long way. It's
Re: (Score:2)
> McAfee and I go back a long way. It's been one crummy relationship.
I dunno, man. Back in the early 90s, their e-mail tech support was top-notch.
Re: (Score:2)
You should see your therapist. I'm reading a PDF. If you are hearing voices from a PDF, you MAY just have a problem. Or not, as the case may be. Jean D'Arc did well with hearing voices, until the very end.....
These are not the tech specs you're looking for... (Score:2)
Chapter 18 is on the topic of security snake oil, ironically a topic Schneier has long been at the forefront of. The chapter gives the reader sage advice that it is important to do their homework on security products you buy and to make sure you have at least a high-level understanding of the technical merits and drawbacks of the security product at hand. The problem though is that the vast majority of end-users clearly don't have the technical wherewithal to do that. It is precisely that scenario that give
Re: (Score:2)
From my point of view, I just want to know how security product Y is doing what it's doing, but to tell me that is to reveal details about the implementation, so they re-cast using something like a firewall as "anti-packet technology"
If the vendor can't explain how their security works without compromising it, then it's not security, it's obscurity and it's also probably snake-oil.
What *they* don't want you to know! (Score:3, Interesting)
It must work...
Self-perpetuating BS (Score:2)
Now reviewers of books on Slashdot shill their own books as proof of their own credibility as a reviewer? Awesome.
Re:I have a full-proof security code (Score:4, Interesting)
Actually, during the last Access-all-areas held in London I brought along a Samsonite briefcase with a digital lock.
Someone spent the ENTIRE weekend trying to open the lock and didn't manage, which was due to a bit of evil from my side. The lock has 4 digits, so I entered a code and opened/closed it - he tried everything from 0000 to 9999 and didn't manage.
The reason was me pretending to press keys. That case had a cute feature: you didn't have to use all 4 digits, so the actual combination was just "9" with me pretending to hit other buttons :-)
Ah, those where the days..
PS: that lock had a major weakness anyway so I didn't use it long - it was just amusing..
Re: (Score:3, Funny)
Someone spent the ENTIRE weekend trying to open the lock and didn't manage
I knew security geeks were people with high boredom thresholds but this takes the biscuit.
Re: (Score:2)
Re: (Score:2)
The only way to truly achieve security is to remove the power cord of the systems involved. That will prevent anyone from breaking into them, or anything else...
Reminds me of the story about the consultant that was hired to audit a company's security. He walked out of the building with their server not five minutes later.
Re: (Score:2)
Chapter 31: People like to believe in absolutes. Some people will believe their computers are completely safe and others think security is a complete joke. In between those two sets of people are a large number of reasonable people.