What Non-Experts Can Learn From Experts About Real Online Security 112
An anonymous reader writes: Google researchers have asked 231 security experts and 294 web-users who aren't security experts about their security best practices, and the list of top ones for each group differs considerably. Experts recognize the benefits of updates, while non-experts are concerned about the potential risks of software updates. Non-experts are less likely to use password managers: some find them difficult to use, some don't realize how helpful they can be, and others are simply reluctant to (as they see it) "write" passwords down. Another interesting thing to point out is that non-experts love and use antivirus software.
Re: (Score:2)
Security experts care about confidentiality and integrity. Normal users care about availability. Film at 11.
Except it didn't work out that way. Non-experts:
1) Use AV -- grinding your system to a halt doesn't help availability
3) Change passwords frequently - Not being able to forget the password you just reset for the 3rd time in as many weeks to doesn't help availability
4) Visit only websites they know - Can't get content because I don't trust that website != availability
5) Don't share personal info - Can't use this feature because I won't give them my info != availability
Experts who use a password manager, rare
As a former expert (Score:3, Insightful)
I've been out of the field for 10 years, but what I've learned since then is that "experts" don't care if the clients can actually use the system. AV? Take it or leave it, but for software updates, well, the cost of breaking corporate software with an update (they just took out our scheduling program for 4 days) is very measurable and affects everyone in the company, while the cost of a security incident is not nearly as measurable and doesn't affect everyone.
If you want to win these fights, you have to present defensible numbers in units that the PHB's understand: Dollars or Euro. The cost of breaking the scheduling program is easy about 6 hours of salary for the entire fucking company due to lost productivity. The cost of cleaning up a security incident needs to be measured and presented. How much lost productivity did this cost, how much tech time did it cost, what's the cost of the stolen data, etc... IT, and security in particular, will always be a cost unless you show, in dollars, that it's worth keeping.
Re:As a former expert (Score:5, Interesting)
Re: (Score:2)
while the cost of a security incident is not nearly as measurable and doesn't affect everyone.
Depends on the security incident. Not every security incident will necessarily effect everyone in the company, but many can. It's just matter of which one hits the company first.
And honestly, the security incidents that do effect the whole company only greater for knowledge oriented companies.
In the end, Security Experts have to look at everything as necessarily effecting the whole company because any little security issue could potentially become a bigger security issue - a cascading effect. For inst
Re: (Score:2)
You missed the point. Not affecting everybody means you don't know how many people will be affected, and can't calculate costs accurately. It raises the cost of information. How much does a disruption cost that affects everybody? Easy to calculate. What if it can affect any number of people, and you have no idea in advance which ones? Very difficult to calculate, and worse, it costs real money unrelated to solving the problem in order to increase your level of information and be able to make claims about th
Re: (Score:2)
This is why estimates are used. Because these costs do need to be calculated. This is the job of a security architect. Everything can be calculated to a reasonable proximity and accurateness. You aren't going to calculate everything to the last dime. You want to give the management team an idea of what they are going to lose if they decide on a certain course in relation to security. Then the management ultimately makes the decision.
Re: (Score:3)
Where are your test systems and test cases?
And the core problem with estimating losses is that you are now trying to play in the realm of the PHB. You will always lose. That is because while you are spending time o
Re: (Score:1)
If you don't play the game, you will have already lost. You're fighting for budget. If you don't present why you need the budget in a clear argument, you will have lost. That's why we have so fucking many incidents in compliant organizations. The value of compliance is clearly stated, generally by someone outside of IT, but the value of security is never communicated in dollars.
The point of the numbers is not to bullshit and lie to the PHB, the point is to communicate in his language. Yes, as the IT guru,
Re: (Score:2)
Where are your test systems and test cases?
Seriously?
Re: (Score:2)
Hopefully your organization is going to have a list of apps that people use that need to work in order to get shit done. That stuff gets tested. If your software isn't on the list, then you are SOL. That is why companies try to control what gets installed on user systems.
Also, as far as the finance department, they are behind another very strictly control network policy to limit which data gets in and out of that network. In most cases, this upgrade happens separately from the upgrade for the normal use
Re: (Score:2)
Where are your test systems and test cases?
This is probably a big part of the problem. People at home don't have a test system to screw around with. Even if they did, who wants to waste time doing crap like that. If the system is working now and updating it gives a chance of things breaking, don't update it. One woman they interview mentioned how she lost all her contacts in her smart phone when she updated the software. Yeah, I sure as hell would not update that any more. I don't do Microsoft updates either as safe computing gets me all the safety
Re: (Score:2)
Re: (Score:2)
I've been out of the field for 10 years, but what I've learned since then is that "experts" don't care if the clients can actually use the system. AV? Take it or leave it, but for software updates, well, the cost of breaking corporate software with an update (they just took out our scheduling program for 4 days) is very measurable and affects everyone in the company,
If routine operations (and updates should absolutely be part of a routine) break production you're doing it wrong. The answer is to test changes before committing them to production. The answer is not to forgo needed security updates.
Re: As a former expert (Score:1)
Most of the "security experts" I've met in the course of various security audits have been people that have no understanding whatsoever of how the systems they are examining work. Can they recite requirements of PCI 3.0 certification? Sure. So they have any idea how those are applied in a specific environment? Usually no.
We have had auditors make requests that would significantly reduce our security so they could tick a box, due to lack of understanding of how things work.
I've also bet my employer that afte
Re: (Score:2)
I've been out of the field for 10 years, but what I've learned since then is that "experts" don't care if the clients can actually use the system.
I'm not sure that this is strictly true but I think "experts" run up against the problem that "ordinary" people don't believe they will be the target of random attacks so end up having to take a belt and braces approach. "Nobody is going to bother to attack MY account so I can use 'password' as my password."
At the weekend my ssh server came under sustained distrib
Re: (Score:1)
Not true. If your production environment is set up correctly, you have a development, test and production setup. Dev and test guys don't get to touch the production stuff. I've been doing that for around 30 years. No problem. Those that don't, problems.
Let's be real here. Most companies don't care about security. For windows most of them will do the updates. For Linux, Solaris, (your favorite brand Unix) - often never. They forgetaboutit. Even then, almost all the time it's the windows box that gets hac
How, not what... (Score:5, Insightful)
.
For example --- software updates:
- do the experts use "custom" installs to avoid the installation of unwanted browser toolbars and adware, and that is why they are more likely to install updates?
- do the non-experts use the "default" installs, which pull in toolbars and crap adware, leading the non-experts to avoid updates?
I think the article is a good one, but there should be some more depth to it.
What Security Experts Can Learn From Non Experts (Score:5, Insightful)
Any system that depends on users doing the right thing has ALREADY failed.
1) If it's difficult or complicated, users won't do it.
2) If your security organization's working strategy is, "break stuff, walk away and tell the user it's their problem," your strategies will be subverted from within so users can get actual productive work done, for which *they* get *their* bonuses.
In short, users need productivity to get their extra money. Security people need a lower number of intrusions to get theirs. These two goals are always at odds, mostly because current security strategies burden nontechnical, uninterested users.
The solution, which security people hate to hear, is to get better at installing and maintaining multiple levels of firewall, application sandboxing and/or streaming applications for all office applications, improving intrusion detection and dynamic virus removal in real time. NOT training users not to download suspicious executables or engage in fantastic feats of memory regarding passwords.
Re:What Security Experts Can Learn From Non Expert (Score:4, Interesting)
Don't depend upon a user's memory. Tell them that it is GOOD to write down their passwords AS LONG AS THEY STORE THEM WITH THEIR CREDIT CARDS.
The REAL problem with security is that the VENDORS do not place a priority on it.
It isn't that we hate to hear that.
We're already DOING that. But it doesn't help much when a CxO installs some infected software on his laptop (which he can because he is so important that he NEEDS admin-level access) and then brings it into the most firewalled section of the network.
Right now I'm focusing on knowing when a site is compromised rather than trying to get EVERYONE to follow the best practices EVERY TIME on EVERY SYSTEM.
Re: (Score:1)
The solution, which security people hate to hear, is to get better at installing and maintaining multiple levels of firewall, application sandboxing and/or streaming applications for all office applications, improving intrusion detection and dynamic virus removal in real time.
All of those things are worthless with a user base that does not respect and actively subverts security. It is like being a doctor of a morbidly obese patient that gets angry and screams when you tell them they need to lose weight. There is only so much doctors can do with patients insistent on killing themselves.
There is only so much security people can do without the users taking responsibility too.
Re: (Score:1)
> All of those things are worthless with a user base that does not respect and actively subverts security.
Framing the situation that way is a mindset that guarantees catastrophic security failure.
Good security helps users to do their job securely. Bad security makes it harder for users to do their job securely.
Recognize that getting the job done is the end goal and make the secure path the easiest path for the user to take and they will stop trying to subvert security.
Re: (Score:1)
That is a mantra that is repeated by everyone except those that actually are trained in security practices. Without trust there is no security. Security is not a product you can buy. You can't just hire a security expert, give them an office and suddenly you are secure. No. It takes work. It takes everyone.
Re: (Score:2)
> All of those things are worthless with a user base that does not respect and actively subverts security.
Framing the situation that way is a mindset that guarantees catastrophic security failure.
Hear hear! The user base doesn't actively subvert security unless security is obtrusive and overbearing. Subverting security is too much effort.
Re: (Score:2)
You pretty much nailed it. The good thing is that we have plenty of tools to help with compartmentalizing info, to the point where it is almost surprising to see them not used.
If it comes to a pissing contest of users versus IT security, the users will eventually win, either by cunning, or just telling PHBs they can't do their jobs... and if it is a guy out of sales who is making the numbers, the PHBs will listen to that guy almost certainly, since they view security has having no ROI, but the "quarterback
Re:What Security Experts Can Learn From Non Expert (Score:5, Insightful)
The solution, which security people hate to hear, is to get better at installing and maintaining multiple levels of firewall
Firewalls are not a solution. They're a small piece of a solution, but that's all. Firewalls segment networks, which is good because it reduces the scope of the attacks that have to be considered, but any good security design should assume that attackers will be able to get onto any network that has users.
application sandboxing and/or streaming applications for all office applications
Even better, move all applications to the web, so everything runs on central servers which are much easier to manage and secure than a fleet of personal computers. Give users Chromebooks or another thin client configuration and don't let them install software.
improving intrusion detection
IDS is good, but primarily for reducing the duration of an intrusion and trying to estimate the scope of the damage. IDS almost never reacts quickly enough to stop an intrusion.
dynamic virus removal in real time
Preventing the installation of viruses is far better than removing them.
NOT training users not to download suspicious executables
If the users can't install and run what they download, then it doesn't matter what they download.
or engage in fantastic feats of memory regarding passwords.
Totally. Most enterprise password policies are ridiculous. High-entropy passwords are neither necessary nor sufficient for securing systems. Multi-factor auth is more secure, and makes it possible to set reasonable password policies. Say, eight characters, alphanumeric, maybe require one non-alphanumeric symbol. Annual rotation is good, unless there is some reason to believe the password may have been compromised. Users can deal with that.
Three-factor authentication is great, and not actually all that difficult. One factor is the password. Another is some sort of one-time password generator or, even better, a USB dongle that requires user activation (OTPs can be phished -- a user you can social engineer into giving you their password will also give you an OTP, in fact it's even easier to phish an OTP than a normal password). The third is a client-side digital certificate installed on the machine after verification that it complies with corporate security policies. Use Puppet or similar to not only keep the machine up to date, but identify if it gets out of date and if it does, revoke the certificate.
Another crucial key to successful security is single sign-on. I can remember one moderately good password easily. Require me to know several and I'll have to write them down or reuse the same one everywhere. If I reuse the password we have none of the security benefits of multiple passwords and all of the password management headaches. So users should have one, strongly-secured, account that crosses all company systems. This is another benefit of web apps over local applications: You can secure all of your web apps behind a single set of authentication credentials by deploying them behind a reverse proxy server. That server handles authentication and provides a signed, time-limited user ID token to the systems it fronts.
Re: (Score:2)
Even better, move all applications to the web, so everything runs on central servers which are much easier to manage and secure than a fleet of personal computers. Give users Chromebooks or another thin client configuration and don't let them install software.
This is presumptuous. You're a security guy. You don't know enough about the myriad and varied work the company's employees do to make birght-line rules about how they must do it. Nor will you with any amount of training.
Re: (Score:2)
Even better, move all applications to the web, so everything runs on central servers which are much easier to manage and secure than a fleet of personal computers. Give users Chromebooks or another thin client configuration and don't let them install software.
This is presumptuous. You're a security guy. You don't know enough about the myriad and varied work the company's employees do to make birght-line rules about how they must do it. Nor will you with any amount of training.
You're presumptuously assuming that I don't understand that there are exceptions.
The approach I recommend will, however, work for the vast majority of employees, assuming the necessary apps exist or can be built (or front-ended... ick, but it sometimes is the best option). Then, with the majority use cases out of they way, the security team can turn their attention to dealing with the special cases -- isolating them, locking them down to the degree possible and monitoring what can't be locked down. Or, in
Re: (Score:2)
agreed.
I think the goal is really to limit the impact of a user being stupid and being compromised.
A good security policy with very tightly monitored separation of duties and least privilege is a good starting point.
Non-experts are concerned about the update's costs (Score:2, Informative)
As much as people want to believe, in the age of unattended Windows updates and package managers, that updating is painless and causes no problems, there are many [bloomberg.com] famous [arstechnica.com] examples [forbes.com] of times people installed updates [state.gov] that proceeded to destroy or seriously disrupt [techcrunch.com] operation of production environments.
Re: (Score:2)
I didn't see anywhere in the article that the security experts suggested blindly installing updates without testing them first.
Re: (Score:2)
Sounds like the people testing software in your company suck at your job. It also sounds like the people writing that particular software suck at their jobs too if it happens monthly. I realize you can't test for every use case but testing 90% of what a user is going to do should limit support calls quite a bit and will be less of a financial risk overall than being exploited by whatever zero day the security update is patching.
Re:Non-experts are concerned about the update's co (Score:4, Insightful)
Sure they do. They tell non-experts to install updates. When's the last time you heard about someone's grandmother testing a patch?
Re: (Score:2)
Were any of the patches linked above installed by someone's grandmother?
The table in the article does not match the paper (Score:1)
In the paper, the authors reported that experts recommended using anti-virus software more frequently than using a password manager.
If I were to make recommendations to a novice user, the first would be to use anti-virus software followed by anti-malware and I would guide them to Major Geeks.
Learning is fun (Score:4, Funny)
Here's what you can learn from this security expert. If you click on those attachments we told you not to click on it will take me 2 days with your laptop to "analyze the threat" if you get infected. If it's not the first time then we were unable to recover your files and it will take 3 days.
Key detail: Security experts have IT skills (Score:5, Insightful)
People don't shun (non-OS) updates because they "might" install malware - They shun them because they do install unwanted tag-alongs (if not outright malware). Flash tries to install its partner-of-the-week every time you update it. Chrome just added push notifications. Java... Let's not even go there. And let's not overlook the fact that most users can't tell a legit update prompt from a drive-by installer.
Security experts have a bias here because they:
1) can usually tell the legit updates from the bogus ones (and know enough to get the bloat-free version of the update); and
2) can themselves remove or repair the occasional spyware that slips through, without needing to pay BestBuy $150 for five minutes' work on a machine only worth $300 in the first place.
What Experts can learn about reality (Score:5, Interesting)
Experts recognize the benefits of updates, while non-experts are concerned about the potential risks of software updates.
"Experts" are much better equipped to work around an update that makes a mess, and "Experts" are better able to pick up UI changes than "Non-Experts". Security is a good reason to update/upgrade, but every non-expert I know whose phone got the Lollipop update described it with obscenities, and would have been perfectly fine with a 'security patch only' update. The problem is that there's no consistent way for non-experts to know whether this will be a "transparent security fix" kind of update, or a "this will f'k up my s't and rearrange everything for no good reason" update. Even updates that don't make a mess of the UI cause other problems. Windows XP, circa 2001, needed 256MB of RAM to run acceptably. by the end of its run, the UI hadn't changed, but somehow, it required at least 1GB of RAM when it was (supposedly) the same OS. Admittedly an obscure example (but the only one I can think of at the moment), an Intel wireless NIC driver update I did once removed the ability to specify my own MAC address. A router firmware update I did once notably decreased the throughput of the network traffic it was processing. We all remember the Slashdot outcry when Sony removed OtherOS from the PS3. "Update" has a long history of having mixed impact on end users, so any "Expert" who both unilaterally applies updates and doesn't understand why "Non-Experts" don't share this practice may well have a thorough understanding of computers, but a piss poor understanding of humans.
Non-experts are less likely to use password managers: some find them difficult to use, some don't realize how helpful they can be, and others are simply reluctant to (as they see it) "write" passwords down.
Many password managers use Teh Cloud (tm). There's a damn good reason to be reluctant to store all of your passwords on somebody else's hard disk. Local password managers solve that problem, and now we're back to the classical problem of 'backing data up' and 'single point of failure'. Even at that, who do you trust? Heartbleed was a particular mess from a PR perspective because Open Source ("More secure than Microsoft!!11") had a spectacular failure that was used by "Experts" - people who were supposed to be putting security at the forefront. If such a widely circulated OSS project could have such a problematic bug, what possible hope does a regular user have with respect to betting on the right horse? Even if they do, there's nothing that they can do for the far end doing stupid things - all the password managers in the world won't change a blessed thing if the password was for Sony or Ashley Madison. It's all risky at some level, and ultimately, password managers overcome a shortcoming of computers themselves. Non-Experts have things to do. Writing passwords down in a nondescript password book, kept in a room separate from the computer itself, with each of the passwords changed annually, is probably the simplest and cheapest way a non-expert can put themselves comfortably in the third standard deviation.
Another Iteresting thing to point out is that non-experts love and use antivirus software.
As well they should. Antivirus software is a layer of security, and one that non-experts tend to use more consistently than any other form of threat mitigation. It's not a cure-all (more likely the problem that exists with non-experts using AV software; they throw caution to the wind under the assumption that the antivirus will protect them), but it will be very difficult to convince me that properly updated AV software does more overall harm than good.
Re: (Score:3)
Antivirus software is a layer of security
AV software may be a layer of security; but it often adds more security holes than it closes. Overall, AV software generally is more of a placebo than anything else. You can actually solve the issue better by being more security aware and careful to start with.
Re: (Score:1)
Re: (Score:1)
I actually installed McAfee AntiVirus Plus 2015 on a computer for someone last week as per usual it could not detect anything...also would not install until i removed the adware inserting web proxy that was installed on the computer i don't know why they don't offer a offline installer
i think its a awfully expensive placebo...and the computer runs slower now without the ads than it did before with them..thats always a plus
Re: (Score:2)
Well, McAfee is definitely more placebo than others; even Norton detects stuff here and there. Kaspersky and ESET are my go-to pair, though Security Essentials isn't the worst scanner in existence, either. Typically, I find that Norton DNS + NOD32 + AdGuard tends to keep the computers of my friends and family clean with a solid amount of consistency.
Re: (Score:2)
Well, McAfee is definitely more placebo than others; even Norton detects stuff here and there. Kaspersky and ESET are my go-to pair, though Security Essentials isn't the worst scanner in existence, either. Typically, I find that Norton DNS + NOD32 + AdGuard tends to keep the computers of my friends and family clean with a solid amount of consistency.
So aside from the performance hit you take by adding all those applications, you've also increased the footprint of security issues as each of those have issues regarding security that you must now also monitor, not to mention the backdoors that can be taken advantage of.
The open source ClamAV is listed among the best products for detecting viruses last I checked it was one of the top three; McAfee hasn't been on that list in ages. That said, the APIs and drivers they insert into the kernel to work (and
Re: (Score:2)
"Experts" are much better equipped to work around an update that makes a mess, and "Experts" are better able to pick up UI changes than "Non-Experts". Security is a good reason to update/upgrade, but every non-expert I know whose phone got the Lollipop update described it with obscenities, and would have been perfectly fine with a 'security patch only' update. The problem is that there's no consistent way for non-experts to know whether this will be a "transparent security fix" kind of update, or a "this will f'k up my s't and rearrange everything for no good reason" update. Even updates that don't make a mess of the UI cause other problems. Windows XP, circa 2001, needed 256MB of RAM to run acceptably. by the end of its run, the UI hadn't changed, but somehow, it required at least 1GB of RAM when it was (supposedly) the same OS. Admittedly an obscure example (but the only one I can think of at the moment), an Intel wireless NIC driver update I did once removed the ability to specify my own MAC address. A router firmware update I did once notably decreased the throughput of the network traffic it was processing. We all remember the Slashdot outcry when Sony removed OtherOS from the PS3. "Update" has a long history of having mixed impact on end users, so any "Expert" who both unilaterally applies updates and doesn't understand why "Non-Experts" don't share this practice may well have a thorough understanding of computers, but a piss poor understanding of humans.
I didn't see any experts in the article suggesting blindly installing updates without testing (if possible, like in a corporate environment for instance) or reading the release notes. Anyone with the technical skill to be upgrading a NIC driver or a router firmware should also have the technical skill to A) Test the update, B) Read and understand the release notes, and C) roll back the update if it has unintended side affects
Many password managers use Teh Cloud (tm). There's a damn good reason to be reluctant to store all of your passwords on somebody else's hard disk. Local password managers solve that problem, and now we're back to the classical problem of 'backing data up' and 'single point of failure'. Even at that, who do you trust? Heartbleed was a particular mess from a PR perspective because Open Source ("More secure than Microsoft!!11") had a spectacular failure that was used by "Experts" - people who were supposed to be putting security at the forefront. If such a widely circulated OSS project could have such a problematic bug, what possible hope does a regular user have with respect to betting on the right horse? Even if they do, there's nothing that they can do for the far end doing stupid things - all the password managers in the world won't change a blessed thing if the password was for Sony or Ashley Madison. It's all risky at some level, and ultimately, password managers overcome a shortcoming of computers themselves. Non-Experts have things to do. Writing passwords down in a nondescript password book, kept in a room separate from the computer itself, with each of the passwords changed annually, is probably the simplest and cheapest way a non-expert can put themselves comfortably in the third standard deviation.
All software has bugs. Security is always a trade-off between convenience and usa
Re: (Score:3)
"Experts" are much better equipped to work around an update that makes a mess, and "Experts" are better able to pick up UI changes than "Non-Experts". Security is a good reason to update/upgrade, but every non-expert I know whose phone got the Lollipop update described it with obscenities, and would have been perfectly fine with a 'security patch only' update. The problem is that there's no consistent way for non-experts to know whether this will be a "transparent security fix" kind of update, or a "this will f'k up my s't and rearrange everything for no good reason" update. Even updates that don't make a mess of the UI cause other problems. Windows XP, circa 2001, needed 256MB of RAM to run acceptably. by the end of its run, the UI hadn't changed, but somehow, it required at least 1GB of RAM when it was (supposedly) the same OS. Admittedly an obscure example (but the only one I can think of at the moment), an Intel wireless NIC driver update I did once removed the ability to specify my own MAC address. A router firmware update I did once notably decreased the throughput of the network traffic it was processing. We all remember the Slashdot outcry when Sony removed OtherOS from the PS3. "Update" has a long history of having mixed impact on end users, so any "Expert" who both unilaterally applies updates and doesn't understand why "Non-Experts" don't share this practice may well have a thorough understanding of computers, but a piss poor understanding of humans.
I didn't see any experts in the article suggesting blindly installing updates without testing (if possible, like in a corporate environment for instance) or reading the release notes. Anyone with the technical skill to be upgrading a NIC driver or a router firmware should also have the technical skill to A) Test the update, B) Read and understand the release notes, and C) roll back the update if it has unintended side affects
I don't dispute that. The point I was making was that updates are not universally better than their predecessors. Yes, I rolled that firmware back, but the fact that I needed to do so was more where my objection was focused.
Many password managers use Teh Cloud (tm). There's a damn good reason to be reluctant to store all of your passwords on somebody else's hard disk. Local password managers solve that problem, and now we're back to the classical problem of 'backing data up' and 'single point of failure'. Even at that, who do you trust? Heartbleed was a particular mess from a PR perspective because Open Source ("More secure than Microsoft!!11") had a spectacular failure that was used by "Experts" - people who were supposed to be putting security at the forefront. If such a widely circulated OSS project could have such a problematic bug, what possible hope does a regular user have with respect to betting on the right horse? Even if they do, there's nothing that they can do for the far end doing stupid things - all the password managers in the world won't change a blessed thing if the password was for Sony or Ashley Madison. It's all risky at some level, and ultimately, password managers overcome a shortcoming of computers themselves. Non-Experts have things to do. Writing passwords down in a nondescript password book, kept in a room separate from the computer itself, with each of the passwords changed annually, is probably the simplest and cheapest way a non-expert can put themselves comfortably in the third standard deviation.
All software has bugs. Security is always a trade-off between convenience and usability.
Agreed. Where each lies, however, is not always cut and dry. PM's make it more convenient to have 20-character, random generated strings in active rotation, but less convenient than simply using "Hunter2!" everywhere.
A properly written "Cloud" password manager *CAN* do both by only storing the encrypted information in the cloud. It also encourages (and can generate) unique and random passwords for each site. That way when Sony or Ashley Madison get hacked, the perpetrator gets a unique random password that won't give them access to anything else. A properly-written cloud based (all encryption is handled locally, plaintext is *NEVER* in the "Cloud") password manager has the added benefit of working on mobile platforms where the physical book in the other room can't help you if you are on your laptop in the coffee shop or on your phone waiting in line at the grocery store.
The problem with your "properly written" qualifier is that it presents
Re: (Score:2)
The problem with your "properly written" qualifier is that it presents an inherently problematic challenge. LastPass says that it operates the correct way, but how can I verify that? Because their website says so? I have no meaningful way to acquire proof that it does what it's supposed to do. Additionally, if I do may unique, gibberish-string passwords, I officially become dependent on LastPass; that dependency has its own points of concern. It may not convenient to have passwords written in a book that's left at home, but its tradeoff between "not being available in a grocery store" and "not being susceptible to LastPass hacking / ending service / software vulnerabilities / NSL" has definite advantages on both sides.
First of all, while the physical book of unique passwords for every site is the best solution as far as security goes, the average user isn't going to be able to deal with not having access to xyz.com in the grocery store. It's much easier to be lazy and use the same password everywhere and store that in the browser's crappy, unencrypted password manager so they don't even have to put in the effort to remember it.
You are right in that Lastpass does provide an auditing challenge. As you noted earlier, even
Re: (Score:2)
The point I was making was that updates are not universally better than their predecessors.
Most of the software I rely on is years old. I almost agree with the "expert" advice, except I follow it in a different direction. Software that frequently has updates available is not to be trusted. I agree that in order to safely run software, you need to install updates, because security bugfixes almost never have a separate channel than other changes.
However, another way to maintain updated systems is not to install updates, but to uninstall anything that updates frequently. You still have only updated
Re: (Score:2)
I didn't see any experts in the article suggesting blindly installing updates without testing (if possible, like in a corporate environment for instance) or reading the release notes.
If they don't know that is the result their advice will achieve, they're not very expert.
The biggest challenge to security is user actions, so if they don't understand how users use, they aren't very expert. Speaking or writing words will not cause users to read other, larger numbers of words. That is just not a technical result that is achieved by giving advice.
Or, what smug assholes can learn from real users (Score:2, Insightful)
A) Anyone using the term 'best practice' has already lost half their audience. Being the 'best' is a hard claim to make.
B) Real world usability trumps ivory tower douchebaggery. Stop making people have eleventy digit passwords with special characters that they rotate weekly. You aren't helping.
C) The world is mostly people who just want to get shit done - as an IT guy, your stuff is an appliance. People don't care about nuance.
Re: (Score:2)
A) "Best practices" are a set. The entire set, which is known to be incomplete, includes all the practices that are candidates for being best in different situations. That is why it is "best practices" and not "best practice." I do admire your dedication to rejecting absurd absolutes, but you missed the mark on this one. That pluralization changes the entire character of the statement.
B) While in general this is a "pet peeve" of mine, you state it way too broadly. There are times and places for various diff
"Security Experts" are mostly fraudsters (Score:2, Interesting)
"Security Experts" are mostly fraudsters working for the anti-virus industry. You don't get security from anti-virus software. You compromise it by running additional proprietary applications which can't be inspected. This is not to say the sources being available make it secure, but it is a critical found for which any failure to do so is the equivalent of building a house on sand. It might work, until the earthquake hits. The lack of security is the result of holes (bugs) and user-related design issues. I
to much security BS out there (Score:1)
I've known too many self proclaimed security experts out there to buy what they're selling.
Too often the self-proclaimed expert just reads a few blog articles that sound good, claiming "Best Practices", without actually knowing what they're talking about.
Then there are the ones writing the blog articles who pull crap out of their ass, and call them "Best Practices", just because it sounds good.
Lastly there are ones like Jason McNew, who doesn't seem to actually know anything about security. Mr. " I watched
Re: (Score:2)
These are people who explicitly sought out this employment. And it's a reasonable restriction. This isn't someone speeding down the highway. This is someone who asked for special privileges (in terms of seeing data, etc.)
If that happens as an accident, I guess you tell them to go p
Re: (Score:2)
I totally agree. The first thing I teach security trainees is that if it is your own security, you have to know and care about thousands of technical details. If you're being hired to deal with somebody else's security, then you have to follow the standard Best Practices because the goal is to provide a measured level of security precautions, not to promise end results. It isn't art, it isn't creative writing, it is a matter of providing the correct type of service.
Just like, the job of a security alarm com
the credit card playbook (Score:2)
The credit card system works pretty well - so easy to use that family members usually don't have any trouble using each other's cards. Behind the scenes however, there are comprehensive fraud detection systems, as well as clear responsibilities of fraud liability (usually card issuer).
I agree with another poster who mentioned that the onus of security should be mainly on the system - much more than the end user. What this means is that if you're going to setup any kind of password or multi-factor authentica
Tricky sell to "the suits" (Score:2)
Updates are often expensive and disruptive to an organization. The security expert may not care because it's "somebody else's problem". (I suppose this works both ways.)
Software often depends on multiple layers. Updating one layer often breaks another. Typical steps involve:
1. Keep an eye out for updates
2. Read up on any changes
3. Create a test stack or station to test an update in your org's environment and/or with the other layers.
4. Fix or devise work-arounds for any problems caused by the update found
non-experts? (Score:2)
>"Non-experts are less likely to use password managers: some find them difficult to use, some don't realize how helpful they can be, and others are simply reluctant to (as they see it) "write" passwords down."
Yeah, because only non-experts would worry about a closed-source, unknown, third party having access to all their extremely sensitive passwords, stored on a server outside their control, stored with unknown methodology, connected to the Internet, with who-knows what access to the data.
Yeah, only non
Re:Experts know more than non-experts (Score:4, Insightful)
That's missing the point. Identifying 1 or 2 differences in approach between experts and non-experts shows 1 or 2 things you can tell the non-experts to do to greatly improve security overall.
In this case, the take away action would seem to be to make sure you keep all the software updated.
Re:Experts know more than non-experts (Score:4, Informative)
That's missing the point. Identifying 1 or 2 differences in approach between experts and non-experts shows 1 or 2 things you can tell the non-experts to do to greatly improve security overall.
In this case, the take away action would seem to be to make sure you keep all the software updated.
The other take away is to figure out why the non-experts don't use the expert approach already. Are the password managers poorly advertised or otherwise unwieldy? For instance I know a lot of sites have login windows that the Firefox password manager doesn't recognize.
Re: (Score:2)
I suspect the "Password Managers" referred to in the article are third-party utilities like KeePass or LastPass and not the insecure-by-default and feature-lacking password managers provided by the browser.
Re:Experts know more than non-experts (Score:4, Interesting)
This is the key problem. Only experts are able to assess the risk of a password manager and use it appropriately. How can a normal user know whether a password manager is trust worthy? Do any of the big web sites recommend a trust worthy password manager?
The only viable solution for a normal user is SSO. Login in Facebook, Google, Microsoft Live, that is the way forward. 3 accounts are easy to remember, and it would also be faster to detect suspicious activity. But does any bank offer SSO?
No, of course not. In fact my bank requires me to remember 4 PINs, 3 passwords and one user ID. How idiotic is that?
Re: (Score:2, Insightful)
You want to trust your financial log-ins to Facebook, Google or Microsoft? Hope you keep most of your money stuffed in your mattress, it would certainly be safer there.
Re: (Score:2)
You want to trust your financial log-ins to Facebook, Google or Microsoft? Hope you keep most of your money stuffed in your mattress, it would certainly be safer there.
Whilst I dont expect that Facebook, Google or Microsoft will deliberately steal money, they certainly wont make it as hard as the banks currently have to.
Beyond this, the possibilities for datamining and targeted advertising is just scary. Roseanne Barr and Margaret Thatcher erotic fan fic scary.
That being said, I'd still not keep money stuffed in a mattress, I'd buy some precious metals and keep them buried in the back yard as metals have the chance to appreciate.
Re: (Score:2)
SSO.. eeew no.
Single point of failure. If your one password is compromised, then every single service you use with SSO is them compromised.
Its great if you are in a corporate environment with plenty of corporate protection.
Also, from the sounds of it, these "experts" may be well versed in a specific domain but not really expert in everything related to online security.
With websites being hacked daily, you pick the websites you want to deal with based on some set of trust relationship. You wouldn't go to a
Re: (Score:1)
For your bank.
That holds your money (or at least your debt). That you will hold responsible for anything that goes wrong.
Not stupid in the slightest.
Having a different PIN/Password for your card, telephone banking and internet banking as well as a second factor of authentication for internet banking transfers compartmentalises different attack vectors so that someone who overhears you
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Jesus Christ. What it is it? The news or a fucking film? How am I to plan my life with this kind of vacillation going on? Huh?
Film. The phrase came about in the days before mobile trucks with microwave links or even video tape. "On-scene" news was shot on film, which had to processed and edited (yes, manually, as in cut-and-splice), and then readied for broadcast later in the evening.
Re: (Score:1)
Re: (Score:3)
Discuss.
Considering systemd is developed by non-experts...
Out of the loop on cow/moo thing. (Score:1)
Does anyone know what's up with the cows/moo thing? Is this just a new Golden Girls theme song thing or is there something more to it?
Re: (Score:2)
No one knows for sure why sexconker is doing it, but he is apparently doing it to all threads
Re: (Score:1)
Did he ever actually have one?
Mooo!
Re: (Score:2)
You misunderstand. Security isn't cow sh** it's bullsh**.