Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Government Privacy

We Live In The Dark Ages of Internet Security, Says Kaspersky Labs CEO 83

An anonymous reader cites a report on TheMerkle: It is never a positive sign when one of the world's leading security firms mentions how the world is currently in the "Dark Ages" of computer security. That particular statement was made by Kaspersky Labs CEO Eugene Kaspersky during the NCSC One conference in The Hague. Enterprises and consumers need to step up their protection sooner rather than later, as the number of security threats keeps increasing. Update: 04/05 18:41 GMT by M :Reader Rob MacDonald has posted the following insightful comment (slightly edited for clarity and length): We're in the dark ages by design. We've allowed the alphabet agencies to compromise our security, at every level, including hardware. The one that doesn't have an exploit at shipping, gets intercepted and modified in transit. The encryption algorithms we've been using were compromised at such a level it took this long to see it.
This discussion has been archived. No new comments can be posted.

We Live In The Dark Ages of Internet Security, Says Kaspersky Labs CEO

Comments Filter:
  • by Anonymous Coward on Tuesday April 05, 2016 @01:07PM (#51847339)

    That's only true if you force yourself to live in the dark.

    If you don't want to, you can always use OpenBSD. If security is what you care about, then OpenBSD is your best choice. Its developers have proven time and time again that they put security first and foremost, and this has resulted in one of the most trustworthy operating systems to have ever have existed. Best of all, it's free and open source! There's really no reason not to use it, especially if you want and need security.

    The one thing that I think really sets OpenBSD apart from its peers is that the OpenBSD team will go out of their way to secure software they didn't even write. They'll fork, fix, maintain and improve third-party software that doesn't meet their standards. LibreSSL is a superb example of this, but they've done it with other software in the past, too.

    Nobody claims that OpenBSD is perfect, but it's as close as anyone is going to get today. As we become more and more aware of the risks that we face, it becomes clearer that OpenBSD is the operating system that's best poised to stand strong against these threats.

    OpenBSD is where it's at. If you want to live in the dark, then by all means ignore OpenBSD. But if security is what matters to you, then OpenBSD is the light.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      BULLSHIT

      An operating system is as secure as its administrator makes it. OpenBSD with it's inferior performance due to lack of tuning (stop blaming it on "being more secure" because that's a straight up lie,) lack of a reliable modern filesystem (good grief, port ZFS already...oh wait, you can't because it's almost literally impossible...THANKS THEO,) and a project "leader" who is actually an impossible to work with asshole who thinks he knows everything and knows better than everybody else what his little o

    • OpenBSD (or any other OS) can't workaround backdoors in Intel/AMD hardware or firmwware.
      http://mail.fsfeurope.org/pipe... [fsfeurope.org]

    • Sure, as long as you only care about the security of devices you personally control, and you can install any software you want on them. For most people, the world is a little broader than that. Practically every week we hear about another website that got hacked, and they were storing user information in plaintext. Or a router that has a hardcoded administrative password. Or a "smart" TV that opens up an unsecured gateway into your home network. Running OpenBSD on your laptop might protect the laptop i

    • by zixxt ( 1547061 )

      OpenBSD and it's security is vastly overrated. FreeBSD and Linux are more Secure than OpenBSD has ever been.

  • by Rob MacDonald ( 3394145 ) on Tuesday April 05, 2016 @01:09PM (#51847369)
    Yes, they are Russian. Yes it's a fucking solid, quality, AV solution for enterprise. In fact, there's a shit load of functionality there that most people wouldn't expect from an AV solution. So yeah, when one of the world leaders in the industry says that, he's not talking out of his ass. The point not stated, at least in the summary, is the fact that we're in the dark ages BY DESIGN. We've allowed the alphabet agencies (not google you dolt) to compromise our security, at every level, including hardware. That which doesn't have an exploit at shipping, gets intercepted and modified in transit. The encryption algorithms we've been using were compromised at such a level it took this long to see it. TLS, SSL, sha. all compromised at the core. Jesus we can't even trust random number generators. We can't trust encryption based on primes as it's proven these can be broken if you have the hardware (they do) and the time (they do). Nothing short of a do over can fix this. The infrastructure is compromised, the undersea trunks are tapped, they can even decipher passwords and information from an AIR GAPPED COMPUTER. Seriously. I can't see a way out of this. Encryption for all!!!!! FBI much? Encryption is a joke when they've helped build the encryption system. We hae been pwnd from day 1.
    • Then we just have to turn it around and spy on them and air their dirty laundry. As long as they don't have the advantage, it's all good.

    • Uh bullshit. I wouldn't trust Kapersky Labs with anything. I am astonished anyone actutally runs it in an Enterprise.
      • I don't recall saying I trust them. I trust our ability to monitor and control our network traffic. But again, to each their own, Trend Micro is installed by many idiots. There's always forefront too, but good luck actually maintaining a large base of machines running that.
    • by mlts ( 1038732 ) on Tuesday April 05, 2016 @02:09PM (#51847919)

      I wouldn't say it was alphabet agencies.

      The real culprit, in my experience, is the "security has no ROI" philosophy which has been part of many companies since 2000. When told by a previous manager that "a lock brings no money except to the lock maker", with the implications that security is, at best, an afterthought in product design.

      Now combine that with the fact that so far, there have been no real consequences for security breaches. All a company has to do is tell the Windows admin to do a "dsquery user | dsmod user -mustchpwd yes", pay for the victims to have a year of LifeLock, toss some PR ads, and stock prices will be back to normal in 90 days or less, even for the most egregious breaches. Even regulations have no teeth. HIPAA is rarely used. The only person who went to jail by Sarbanes-Oxley law was someone fishing who went over their bag limit with grouper, and that use of the law got tossed overboard by SCOTUS. The only "regulation" that has any respect whatsoever is PCI-DSS3.x, and that is because Visa will pull merchant status.

      It is common to criticize blaming the victim... but with security being an afterthought at best in many places, it is actually astounding that far more attacks have not happened.

      How can this be fixed? Well, right now, there still isn't any interest or caring for the most part in general. It is going to take an event like GM's OnStar being compromised and disabling all vehicles during a hurricane evacuation, causing astounding casualties, before something actually will get done.

      The ironic thing is that, of all places, security is where the TLAs are actually on the ball. NIST has a lot of security guidelines on their website, from basic stuff like killing the guest user, but there are a lot more useful and esoteric things as well (for example, using trustchk on AIX to keep unauthorized libraries from being loaded.)

      • by Tom ( 822 )

        with the implications that security is, at best, an afterthought in product design.

        And that, exactly, is the reason everything is going to shit (and has been doing so for 30+ years).

        If you would design security into your product, not afterwards as a fix, but from the very beginning, from the first stroke on the drawing board, the whole thing would be twice as good and five times less expensive and you could integrate it into your normal design and implementation workflows.

        As it is, you pay a shitload of money to people like me so we tell you afterwards where and how much you've fucked up

      • by Agripa ( 139780 )

        I wouldn't say it was alphabet agencies.

        I would.

        The NSA in cooperation with NIST undermined various internet security protocols like IPSEC to either weaken them or prevent them from being deployed. Neither agency can ever be trusted as far as security related issues again. I now believe they were never trustworthy to start with.

    • intel yellow books on their processors.

      never heard of them? again, by design. dell, asus and those guys are rumored to have them, in order to truly design motherboards.

      you and I could not design a motherboard that actually WORKS using only public info from intel or amd. you NEED that yellow book. the one that no one has any photos of or can even prove exist.

      yeah, we are fucked down to the logic gate level. no way out, either.

  • >> one of the world's leading security firms mentions how the world is currently in the "Dark Ages" of computer security

    What leading firm? All I saw here was "Kaspersky." (Ducks.)

    (And of course, they're going to say that. What else would they say: "you guys can pull back a bit on IT security spending - things are getting better?")
  • by gstoddart ( 321705 ) on Tuesday April 05, 2016 @01:11PM (#51847393) Homepage

    We're getting this stuff from three directions:

    1) The manufacturers of products are lazy and incompetent, and carry no liability for that;
    2) Organizations take short cuts from within, and don't realize just how vital security is;
    3) Entities like the FBI want to undermine our security so they can be assured access to our stuff, while stupidly refusing to accept they're causing security to suck even more;

    As long as these things keep happening, we basically live in a world where security is an afterthought, or too complicated, or something to be actively undermined to allow idiots to bypass it.

    And all three of those combine to more or less ensure that having real security is almost impossible. Because no matter what the assholes who want to spy on us say, leaving it open for them also leaves it open for everyone else.

    The people who claim to be protecting are as much fault for this as anybody else. Only they're too stupid to accept that the world doesn't recognize that only the good guys will bypass security when it's been built to have holes in it.

    This is why we can't have nice things.

    • The manufacturers of products are lazy and incompetent, and carry no liability for that;

      It's worse than that.

      The manufacturers are in a race to get new products and features to market. First through the window collects the customer base and market share. First three or so through the window slam it and everyone behind them crashes and burns. (For a startup that's IT. Go find more money and do another one - and have the same pathology.)

      So doing things securely (which is hard and time consuming) means you

      • by Tom ( 822 )

        So doing things securely (which is hard and time consuming) means you miss the window.

        Only because you're doing it wrong. Security is like plumbing: Easy to do when you think about it from the start, a shitty mess if you need to add it in later when you've already moved in and only then realize you forgot something important.

        Maybe they fix it later, once they're established.

        At which stage it will cost 5 times as much and be half as good as if they had thought about it from the start. I'm not complaining, it's why I earn good money. But sometimes you go home shaking your head and saying "really?" to yourself for an hour or so.

  • by JMZero ( 449047 ) on Tuesday April 05, 2016 @01:13PM (#51847421) Homepage

    Does he remember the dance you had to do to install Windows 2000 on an unfiltered connection (if you didn't want it to be instantly owned)? You had to install completely disconnected, disable a bunch of services, and then try to connect and download patches as quickly as you could in order to get to a viable state. And everyone else's Windows computer you used had 9 layers of browser toolbars and adware and anti-anti-anti-adware that made their system effectively unusable?

    I'm sure there's lots of security battles to come - maybe even a World War or two - but the real dark ages of security are in the past.

    • Yes but that's a half assed battle against kids with slingshots. We're in a battle against state sponsored agents, and indeed, governments and intelligence agencies actively circumventing our protections.... to protect us. It's not the same battle, and I'd go as far as to say this one is a hell of a lot worse than what we dealt with back then. But yeah, I recall having to pull some shenanigans to grab all of the updates for offline installation. This was before WSUS existed, or at least I never heard of
      • by JMZero ( 449047 )

        Well, that's the point - there's bigger stakes now, and the actors are more significant using more sophisticated tools.

        It used to be more like the Dark Ages, with nobody really knowing what was going on, and lots of petty squabbles and dangerous streets and what not.

        • by Tom ( 822 )

          Well, that's the point - there's bigger stakes now, and the actors are more significant using more sophisticated tools.

          No, you missed the entire point.

          When we were up against script kiddies, we would start with a system in a secured and defined state. Our task as security people was to keep it in that state.

          Now that we're up against our own governments fucking us over, the system you freshly unpacked from its box is already compromised. You don't know how and by whom (plural, you also don't know how many), and you need to bring it into a secured and defined state that you do not know how to verify because you don't have a d

          • by JMZero ( 449047 )

            Yeah, but it's more like 1984 than the bloody Dark Ages. I'm not saying things were worse then, I'm saying they were more like the Dark Ages. This is really, really a simple point.

    • I see the single biggest threat to security is that decision makers in companies feel they should be able to do whatever the fuck they want and should never have to ask for anything. I work in security. Security is only made difficult by the fact that security people are forced to make security utterly transparent to the "entitled ones". Whitelist based security in layers is exceedingly easy to keep secure. When you configure layered systems so that only truly needed things work and everything else fails by

      • by JMZero ( 449047 )

        I remember having these conversations with corporate IT departments in the mid 90s. We had services we wanted to run between companies, and we wanted them to open up corresponding firewall rules, so both parties could manage the traffic. They wouldn't. They said, "if we open up holes for everyone who wants one, our firewall will be Swiss cheese [actual quote]". So we made all our services run over the web, and so did everyone else in a similar place. By trying to stay in tight control of security, corp

        • Ridiculous. I'm talking even whitelist the sites that people should be going to as part of their work day and nothing else. Not opening 80 and 443 wide open to everything. That is part and parcel of the problem. I am saying whitelist EVERYTHING. Apps, ports, sites, everything. It works. It works for work, but it is not politically sensitive to the executive level because they are too good for that.

      • by Tom ( 822 )

        I see the single biggest threat to security is that decision makers in companies feel they should be able to do whatever the fuck they want and should never have to ask for anything.

        Go to a better company, yours is going to go under.

        Good management understands that it needs to lead by example, and if management needs special rules, that is fine as long as they are special rules, i.e. properly documented parts of the official policy.

    • You had to install completely disconnected, disable a bunch of services, and then try to connect and download patches as quickly as you could...

      Or you could perform the installation from behind a firewall that blocks inbound connections like a sane person.

      • by JMZero ( 449047 )

        Well sure. Most home users have a hardware firewall by default now, configured by their ISP - it's the norm.

        Many/most home users didn't have any such thing in 1999, and many still wanted to have a Windows PC connected to the Internet. That's why it was the dark ages of Internet security. That's my point.

    • by Tom ( 822 )

      He remembers, but he's talking about something else. Not script kiddies attacking you, but government agencies breaking into your system before it even reaches the shop that you'll eventually buy it from.

      That's a little bit of a different threat.

      • by JMZero ( 449047 )

        Yes there's scary stuff, but "The Dark Ages" is a terrible, terrible metaphor to express the current state of affairs. Dark Ages doesn't imply "lots of things look nice and peaceful on the surface, but there are threats from sophisticated players that is likely soon to result in serious large scale conflict".

        The Dark Ages implies that there isn't a bunch of big established powers, there's lots of disorganization, nobody has any idea what's going on, few people are recording a detailed state of affairs, and

  • Wasn't it Kapersky who stated something to the effect that people don't need privacy?

  • by Anonymous Coward

    I've had a PC on the internet since the early-mid 1990's, and so far have had precisely zero security problems with this.

    But then, I don't do a bunch of stupid shit, either. I don't let random web sites run javascript. I don't run "HotBabe.jpg.exe". In fact, I've never even run Windows on an internet connected computer, due to the security clusterfuck of that ecosystem. If I ever want to do something that could potentially be risky, I'll use a VM jail. And to more modern issues, I won't let IoT devices

    • I've had a PC on the internet since the early-mid 1990's, and so far have had precisely zero security problems with this... But then, I don't do a bunch of stupid shit, either.

      Sure. But do you have credit cards and/or bank accounts? Medical records? Employment records? A social security number? It's great that your own personal hardware and software are housed in a citadel of common sense and best practices bolstered by specialized knowledge probably not attainable by Joe and Jane Average; but what about your personal data, out there in the hands of people who don't know and/or don't care about security?

      The people I see with weekly or monthly malware infestations are the ones absolutely refusing to learn. Even after the 20th time they do Stupid Thing X and get infected yet again, that doesn't seem to stop them from doing the very same thing again next week. Yet they act bewildered about what could have happened.

      Too true. And in the physical world we have pressure, and sometimes laws, to

    • I don't do a bunch of stupid shit, either. I don't let random web sites run javascript. I don't run "HotBabe.jpg.exe". In fact, I've never even run Windows on an internet connected computer...

      When you're done patting yourself on the back, take a moment to consider that none of the things you mention address the issues of backdoors in hardware or weaknesses in prevalent encryption protocols.

      have had precisely zero security problems...

      That you're aware of.

  • And Kaspersky's use of an adware site (softonic.com) to download their software is not helping any.

  • There's nothing defective about Internet security, it does exactly what it was designed to do, that is connect computers using an ubiquitous networking protocol. The problem lies with the defective computers that are at either end of the connection.
  • "It is never a positive sign when one of the world's leading security firms mentions how the world is currently in the "Dark Ages" of computer security. " Well what to do you expect a security firm to say? "There is no need for our products."?
    • by Tom ( 822 )

      I expected about that, but it turns out the guy said something smarter then I had thought.

      Yes, the problem very much is that when you buy a device today, you don't know anymore who has backdoors to it already, before it's even in your hands.

      That is a very real and very serious problem, and it makes pretty much everything you do afterwards, including buying his products, completely pointless.

      • "it makes pretty much everything you do afterwards, including buying his products, completely pointless" LOL well said!
  • The Dark Ages had nothing to do with ignorance, naivety or any other way he's using the phrase. It's called the Dark Ages because it's dark, ie, we have very little recorded information about that period in history.
    • by gweihir ( 88907 )

      Fascinatingly stupid and insightless comment. We do actually have a lot of recorded information from that time, and it basically says all the same: Suppression of most science and advancement of society by the church. This makes mots of the recorded information (recorded by the church) tedious and exceptionally boring, but it is there. It is just that nothing much did happen.

  • . . . . a RUSSIAN firm complaining about computers being pwned by "Alphabet Agencies". . .

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...