Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Electronic Frontier Foundation Encryption Privacy Linux

How Security Experts Are Protecting Their Own Data (siliconvalley.com) 217

Today the San Jose Mercury News asked several prominent security experts which security products they were actually using for their own data. An anonymous Slashdot reader writes: The EFF's chief technologist revealed that he doesn't run an anti-virus program, partly because he's using Linux, and partly because he feels anti-virus software creates a false sense of security. ("I don't like to get complacent and rely on it in any way...") He does regularly encrypt his e-mail, "but he doesn't recommend that average users scramble their email, because he thinks the encryption software is just too difficult to use."

The newspaper also interviewed security expert Eugene Spafford, who rarely updates the operating system on one of his computers -- because it's not connected to the internet -- and sometimes even accesses his files with a virtual machine, which he then deletes when he's done. His home router is equipped with a firewall device, and "he's developed some tools in his research center that he uses to try to detect security problems," according to the article. "There are some additional things I do," Spafford added, telling the reporter that "I'm not going to give details of all of them, because that doesn't help me."

Bruce Schneier had a similar answer. When the reporter asked how he protected his data, Schneier wouldn't tell them, adding "I'm kind of a target..."
This discussion has been archived. No new comments can be posted.

How Security Experts Are Protecting Their Own Data

Comments Filter:
  • by Anonymous Coward

    Hey, we were just wondering how you secure your data?

    I don't have any data.... What is this "data"

  • by AK Marc ( 707885 ) on Sunday August 28, 2016 @10:50PM (#52787575)
    The only times I've ever gotten a virus were when I had AV running. Without AV, I don't run anything that's untrusted. Worked out well so far.
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      You don't run AV therefore you've never had a virus? The force is strong with this one.

      • by AK Marc ( 707885 )
        If you can't tell whether you have a virus without an AV, then you are dumber than you look. I've cleaned many friend and family computer where they got a virus without an AV, then asked for help. Turns out it's quite easy to get a virus without an AV, and from my experience, not to hard to get one with.
        • by mwvdlee ( 775178 ) on Monday August 29, 2016 @05:44AM (#52788461) Homepage

          Profit in a visible virus; very little.
          Profit in a virus that acts as a slave in a botnet and monitors your computer usage; a lot more.

        • by Rakarra ( 112805 )

          If you can't tell whether you have a virus without an AV, then you are dumber than you look. I've cleaned many friend and family computer where they got a virus without an AV, then asked for help. Turns out it's quite easy to get a virus without an AV, and from my experience, not to hard to get one with.

          I've had a lot of Windows machines that act "funny" without any virus involvement at all. Sometimes it's a failing piece of hardware that neither windows nor the hardware driver detects as being a problem. Sometimes Windows just f's itself up in weird ways, whether it's the registry, a bad windows update, both, or something else.

    • by tsa ( 15680 ) on Sunday August 28, 2016 @11:45PM (#52787715) Homepage

      Same here. I hate AV software with a passion bcause it slows your computer to a crawl, gives a false sense of security and once it's on your computer it takes a complete reinstall of the OS to get it off again. The best AV practices are:
      Never use MS software to browse the internet and read email
      Use an ad blocker
      Never even read email from unknown sources, let alone open attachments from there.
      MAKE BACKUPS of your files.

      • by Anonymous Coward

        I dont know. I think AV is a great deterrent against skiddies. I woul much rather get owned by new undetected malware than a decade old one.

      • by mwvdlee ( 775178 )

        Same here. I hate AV software with a passion bcause it slows your computer to a crawl, gives a false sense of security and once it's on your computer it takes a complete reinstall of the OS to get it off again.

        Good AV software would have prevented you installing Symantec.

      • ...The best AV practices are...Never use MS software to browse the internet and read email...

        ...which of course is great technical advice to act upon right away, and so easily accomplished for the average US corporation addicted to Microsoft products...

      • by Rakarra ( 112805 )

        Never even read email from unknown sources, let alone open attachments from there.

        Or if you do, make sure all attachments are turned off. No auto-loading flash or linked images. There's nothing wrong with text-only email.

    • I don't run anything that's untrusted. Worked out well so far.

      Or you could run an OS that doesn't vehiculate viruses.

      • by cfalcon ( 779563 )

        >> I don't run anything that's untrusted. Worked out well so far.
        > Or you could run an OS that doesn't vehiculate viruses.

        He said he doesn't run anything that's untrusted, so obviously he's not on Windows, geesh!

    • by cfalcon ( 779563 )

      Many of the comments miss your very valid point- that without a false sense of security granted by an AV, you are likely to NEVER run anything untrusted, because you know it could absolutely ruin you, and you have no reliable out. That's referenced in the story. And it's a fact that people adjust risk to match their perceived security- seat belts save lives, but not as many as they should, because people drive with less care when seatbelted (statistically- though probably everyone reading this does too).

  • by mark-t ( 151149 ) <marktNO@SPAMnerdflat.com> on Sunday August 28, 2016 @10:53PM (#52787581) Journal

    The EFF's chief technologist revealed that he doesn't run an anti-virus program, partly because he's using Linux, and partly because he feels anti-virus software creates a false sense of security.

    By virtue of the fact that he has even mentioned that using Linux is part of his reason to not run antivirus software, wouldn't the fact that he is using Linux be considered to be lulling him into exactly the same sort of false sense of security that he is accusing antivirus software of creating?

    • by Black Parrot ( 19622 ) on Sunday August 28, 2016 @10:59PM (#52787593)

      Yes.

      I think my Linux is more secure than my Windows, but honestly it only takes one exploit.

      If the spooks or large organized crime want in, they're in. Small fry *may* be kept out by best practices, but I wouldn't bet on it.

      Anything secret shouldn't be on a computer, let alone a computer on the internet. But then there's the eternal trade-off between security and convenience.

    • by raymorris ( 2726007 ) on Sunday August 28, 2016 @11:24PM (#52787679) Journal

      If he did -nothing- about security, that would be true. That's not likely the case. More likely, he's using protective strategies that are appropriate for his environment and the threats most prevalent in that environment. The most common threats for Linux machines aren't viruses. Viruses specifically are more of a Windows thing. Not that there are no threats that affect Linux, they are -different- threats.

      On Linux, he may use the firewall, Tripwire or another IDS, some form of IPS if only fail2ban, SELinux, etc. Also of course browser-specific things like an adblocker and NoScript. Linux has long had good support for good partition and file encryption, so he might use that, and scheduled offsite pull backups protect against ransomware.

      ClamAV runs -on- Linux, but normally -for- Windows - you install on on your Linux mail server to remove viruses before your Windows clients download their mail, etc.

      • by tlhIngan ( 30335 ) <slashdot&worf,net> on Monday August 29, 2016 @12:29AM (#52787805)

        If he did -nothing- about security, that would be true. That's not likely the case. More likely, he's using protective strategies that are appropriate for his environment and the threats most prevalent in that environment. The most common threats for Linux machines aren't viruses. Viruses specifically are more of a Windows thing. Not that there are no threats that affect Linux, they are -different- threats.

        Just because Linux doesn't have as many viruses for it, doesn't mean it's immune to viruses. In fact, Linux probably a very popular carrier for viruses - Linux host gets broken in (usually via a PHP exploit) and some files are dropped onto it and files modified so whenever a Windows host accesses it, it obtains the payload and gets infected.

        Linux may not be harmed by it, but it certainly is an active participant in the propagation of viruses. Mostly because the malware authors want to target users, and 90% of them run Windows. But they can't target Windows servers, because 75% of the servers out there run Linux. So they will exploit those Linux-running servers to plant some WIndows malware on there so the Linux host distributes the Windows malware to everyone.

        Linux is a carrier, and perhaps having an anti-virus may be handy if nothing more than to ensure that you're not being part of the problem and serving up stuff that infects other users. The best part is, these scanners need not be intrusive since the host can be assumed to be free of malware, so you're really just looking for bad files.

        Same thing on MacOS - there's no reason to have a antivirus scanner other than to make sure you're not serving up infected files, or to alert you in case you get an email that won't infect you, but may infect someone else if you forward it on or something.

        Google, for example, scans emails and documents for viruses and other malware, not because they can infect Google, but to prevent spread.

        • Which means that for a normal user of Linux. Running anti-virus is useless.

          You only run anti-virus on Linux mail servers.

      • by mark-t ( 151149 )

        That's not my point.... the simple fact that he would even mention it as a contributing factor to not bother with AV software *IS* evidence that it is lulling him into the exact same sense of security that might happen with AV software.

        I run Linux, and I don't bother with AV software either, but it's not because I run Linux, it's because AV software is shit.

        • That's not my point.... the simple fact that he would even mention it as a contributing factor to not bother with AV software *IS* evidence that it is lulling him into the exact same sense of security that might happen with AV software.

          I run Linux, and I don't bother with AV software either, but it's not because I run Linux, it's because AV software is shit.

          No I think he mentions it because there ARE no anti-virus software FOR Linux, there AV software running on Linux but they are all against viruses targetting other platforms, primarily because while Linux get targetted by many different types of exploits, so far there haven't been any traditionally viruses.

          • by mark-t ( 151149 )
            Yes, there is... the place where I used to work had a Linux antivirus program on their email server that would check any atttachments for Windows viruses (most of the computers on the network ran windows).
          • so far there haven't been any traditionally viruses

            What are these? [wikipedia.org]

            • > What are these?

              The first one is an Intel processor instruction. Nothing really to do with either Linux or viruses.

              The second points out that executables contain unused bytes. In theory,there is space for someone to add code without making the file bigger.

              The third never existed in the wild, as far as I can tell.

              The fourth is a legit virus.

              The fifth is another research curiousity - it allows root to break files. It's supposed to demonstrate a concept for a trojan, but instead if makes them not run at al

    • by tchdab1 ( 164848 ) on Monday August 29, 2016 @01:50AM (#52787983) Homepage

      These security experts wouldn't recommend it, but they're relying on security through obscurity.
      Think about it, but don't actually think about *it* because that might endanger the security experts.

      • by TheRaven64 ( 641858 ) on Monday August 29, 2016 @04:58AM (#52788373) Journal

        In terms of Linux, it's not classical security through obscurity, it's security through diversity. One of the reasons Slammer was so painful a decade ago was that most institutions had a Windows monoculture. The time between one machine being infected on your network and every machine on your network being infected was about 10 minutes (a fresh Windows install on the network was compromised before it finished running Windows Update for the first time). If you'd had a network that was 50% Windows and 50% something else, then it would only have infected half of your infrastructure and you'd have been able to pull the plug on the Windows machines and start recovery. It's possible to write cross-platform malware, but it's a lot harder (though there's some fun stuff out of one of the recent DARPA programs writing exploit code that is valid x86 and ARM code, relying on encodings that are nops in one and valid in the other, interspersed with the converse). Writing malware that can attack half a dozen combinations of OS and application software is difficult.

        This is why Verisign's root DNS runs 50% Linux, 50% FreeBSD and of those they run two or three userland DNS servers, so an attack on a particular OS or particular DNS server will only take out (at most) half of the machines. Even an attack on an OS combined with an independent attack on the DNS server will still leave them with about a quarter functional, which will result in a bit more latency for Internet users, but leave them functioning.

      • Re: (Score:3, Interesting)

        by tburkhol ( 121842 )

        These security experts wouldn't recommend it, but they're relying on security through obscurity.

        The wouldn't recommend that obscurity be your only security, but I think they would all agree that obscurity can be a useful component of a comprehensive security plan.

        For example, if you run a web server, everyone knows it. Controlling the server signature to not obscure the specific version or modules that server runs means an attacker can not target known version-specific vulnerabilities, but has to try a bunch of them. This gives the server the opportunity to detect multiple exploit attempts and ban t

      • They aren't relying on the secrecy of their implementations as their main method of providing security, therefore they are not using security through obscurity.

        I'd recommend you read up on what security through obscurity really is.

      • by Rakarra ( 112805 )

        These security experts wouldn't recommend it, but they're relying on security through obscurity.

        Yes, it's an acknowledgement that obscurity IS an additional layer to security. It's not the means to security, it's just an additional roadblock to throw up. When discouraging hacking, if your target is hard or obscure, most people will look elsewhere. Sure, it won't dissuade the truly dedicated who are looking to take you in particular down, but some obscurity is better than no obscurity.

      • There is a difference by making a targeted attack (slightly) harder and using obscure means to hope for security.

    • Yes. No. Have you seen the success rates of current Anti-virus? It's a bit like preventing STDs by asking potential mates to submit to a screen after sex and keeping a set of drugs in the fridge to treat a few of the diseases we share.

      Anti-virus despite coming pre-installed on every out of the box machine and being present on every corporate network has really done little to actually stem the spread of viruses on computers.

    • by jeffmeden ( 135043 ) on Monday August 29, 2016 @07:59AM (#52788941) Homepage Journal

      The icing on the cake is that several of them (notably Bruce) basically saying security by obscurity really is a thing (well at least if you're famous)

  • It's common knowledge that if you knock out Chuck Norris with a roundhouse kick you become the new Chuck Norris.

    Similarly, if you manage to steal Bruce Schneier's identity, you become the new Bruce Schneier. [schneierfacts.com]

    No wonder he's a target. Everybody wants to be him.

    My personal favorite Bruce Schneier Fact [schneierfacts.com]: "Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes."

  • by fahrbot-bot ( 874524 ) on Monday August 29, 2016 @02:18AM (#52788033)

    ... inside a locked box that requires a 10-digit code + retinal scan + penis imprint, stored at the bottom of a lake, filled with sharks, wearing lasers.

    Someone once made it to the lock-box, but... I just didn't have to feed the sharks that day.

    I even have a sign posted: Do not look at sharks with remaining good eye.

    • by mysidia ( 191772 )

      ... inside a locked box that requires a 10-digit code + retinal scan + penis imprint, stored at the bottom of a lake, filled with sharks, wearing lasers.

      One of these days team A is going to dive down there with anti-shark enclosure and anti-shark weaponry wearing diving suits with laser-proof Googles,
      and haul the box away to be dissected.

    • ... inside a locked box that requires a 10-digit code + retinal scan + penis imprint, ...

      One look at the crusty penis scanner should scare most people away.

    • Grammar nazi strikes: your use of the comma indicates the box is wearing lasers. Or maybe that is what you meant. It might be smart to have both the box and the sharks wearing lasers, as long as they could not be fooled into lasing each other.
    • Was going to ask...how do you make use of it, but then I figured out it was connected to your open wireless router.

  • by Anonymous Coward on Monday August 29, 2016 @02:34AM (#52788051)

    ...but I still install AV on every single system which I set up for other people, and I recommend that they keep using AV. Why? Because it would be considered negligent to omit it. If they get infected, which they inevitably do, then not installing AV would put me in an indefensible position. Asking a professional how they protect their data is a useless endeavor. It doesn't teach you how to keep your data secure, because you don't know all the other things they know which stop them from doing stupid things.

  • Moron Monday (Score:2, Insightful)

    "I don't take precautions because they make me complacent." I'm glad that the idiots in that article aren't the ones making any decisions in the computer security industry. Note how the CEO of MalwareBytes is the exception in that article - that's the person who's worked with exploits and viruses. Kudos for not having your head in the sand.
    • Putting quote marks around something that wasn't said is dishonest.

      Nobody said they didn't take precautions.

      What one person said, referring to anti-malware software on his Linux computer:
      "I don't like to get complacent and rely on it in any way,"

  • by Opportunist ( 166417 ) on Monday August 29, 2016 @03:51AM (#52788191)

    And if so, do you drive more reckless now that you know that you're more likely to survive a crash because of seatbelt and airbag? Most likely not. Your car is still a wreck if you crash.

    The same applies to malware. I do have an AV kit running. But I also know that it ain't no silver bullet. It's not my first but my last line of defense, another layer of security that is there in case everything else failed. Treating it any different is dumb (and yes, I know, there are people out there who go by the logic that they can turn their brains off now that they turned their AV kit on), but simply saying that you don't need it because it gives you a false sense of security isn't too smart either.

    • And if so, do you drive more reckless now that you know that you're more likely to survive a crash because of seatbelt and airbag? Most likely not. Your car is still a wreck if you crash.

      Actually, several studies have shown that the number of accidents and fatalities tend to drop when new safety equipment is made mandatory, but starts to rise again a while later, when people get complacent.

      For instance, when ABS brakes were introduced on a significant number of new cars sold, the accident rate dropped because people were still driving as if they didn't have ABS. Some years later, everyone had gotten used to the shorter stopping distances and started driving much close to the cars in front,

      • ABS brakes are a different kind of beast because they do make drivers actually get more reckless due to them noticing they can get away with it. It's different with equipment that only engages once you already wrecked your car.

    • "And if so, do you drive more reckless now that you know that you're more likely to survive a crash because of seatbelt and airbag?"

      I've been a skydiver for many years, and this is absolutely true in the sport. The gear is much safer than it used to be and is continually improving, but the fatality and injury rate remains fairly steady. People absolutely take bigger risks knowing their gear is safer, which cancels it improvements in safety. It's called Booth's law.
  • And replicating what they do like monkey-see-monkey-do is not an advised way to protect yourself, even if you learned what they aren't telling you.

    You can do things differently and recognize/avoid risks other people would not be
    able to avoid, when you're the security guy.

    Protecting an organization's endpoints and servers, OR someone else's computers against themself... is very different than protecting your own computer that nobody else is allowed to touch (although you might put it on a hostile network).

  • The EFF's chief technologist revealed that he doesn't run an anti-virus program, partly because he's using Linux, and partly because he feels anti-virus software creates a false sense of security. ("I don't like to get complacent and rely on it in any way...")

    He's quite right. We lull ourselves into a false sense of security all the time. I try to avoid it, complacency is a killer.

    I drive at night without any lights on, because then if I'm in an accident it will probably be my fault. This keeps me wide awake and aware of all possible hazards.

    During the day this doesn't work of course. Hence I have to drive in bare feet, so if there is an accident I'm not going to get very far trying to run away.

  • Security isn't hard (Score:4, Interesting)

    by LichtSpektren ( 4201985 ) on Monday August 29, 2016 @07:40AM (#52788843)
    For your average workstation, the easy way to lock it down is by examining all of the vectors that malware can take. From there it's usually simple.

    Probably about 95% of malware comes through malicious websites. Solution: use tools like NoScript and an adblocker. Also use SELinux/AppArmor/grsecurity etc. to make sure that whatever slips by cannot do anything that your browser doesn't have permission to do. If you want to be really safe, only run your browser in a virtual machine (this is the premise of Qubes OS, by the way).

    Also apply SELinux (or whatever you're using) to any programs that have listening Internet ports, like SSH and CUPS.

    If you use a local email client instead of webmail, don't be dumb and allow your client to auto-execute JavaScript or attachments in emails. Also, don't be dumb and mount random peoples' portable drives without some precautions.
    • You can also use something like firejail (https://firejail.wordpress.com/) for this. I'm not involved in the project but, it's very simple to use compared to something like SELinux. It comes with a number of pre-configured profiles for major pieces of software and, by default, things like Firefox can only see a limited view of the filesystem. For example, by default, Firefox can see ~/Downloads but not ~/Documents. I haven't noticed any performance or stability issues with it so, it has been a welcome e

  • "the San Jose Mercury News asked several prominent security experts which security products they were actually using for their own data."

    And while you're at it, tell us where you hide your cash and other valuables...

  • by myowntrueself ( 607117 ) on Monday August 29, 2016 @09:57AM (#52789453)

    Do everything Internet-related in a guest VM.

    I learned this from Joanna Rutkowska; you have at least 3 virtual machines.

    One is 'green' and you only ever use it for very sensitive things like online banking.
    One is 'yellow' and you only ever use it for semi-sensitive things like social media.
    One is 'red' and you do this for random web browsing, searching etc. This one gets re-imaged or reverted to snapshot regularly.

    If you like (and have the system resources for it) you can have multiple 'yellow' VMs for multiple social network sites or email accounts.

    You can set these VMs up on separate networks with routers/firewalls between them. You can use egress filtering on the green VM so that literally the only sites it can possibly reach are your online banking sites.

    You NEVER EVER read email in your green VM or on your host. You NEVER use a web browser in your host.

    The basic red,yellow,green VM setup is very very easy to build, doesn't take a lot of skills. Modern PC's and laptops are quite capable of running these 3 VMs.

    • by Qzukk ( 229616 )

      I did exactly this, using Qubes at home. It took a little getting used to, but once you get the hang of it, it makes sense. It greatly reduces the risk of things like XSS and browser exploits leaking banking or other important information. I don't particularly consider myself the enemy of any state, but the increasing number of drive-by exploits targeting Joe Nobody for the purpose of extracting money (whether ransomware, stealing card numbers, whatever) makes this a reasonable course of action even for p

  • I only surf fully sandboxed. Twice in the past four years zero-days told me I was infected. A reboot said otherwise as the sandbox was deleted. There is no reason to surf the web other then virtualized.
  • There is exactly one reason to run Anti Virus software: To be able to say you did, if something bad happens. E.g. your bank account gets hacked. Your bank will ask whether you were running AV software. Even it the software is crap, you have to run it otherwise they will try to put the blame on you. Same with your work computer: Somebody in the intranet (not necessarily you) catches a virus. The admin will check whether everybody runs AV. If you don't, you will be blamed. Even if the admin knows that AV is m

  • It won't stop malware from being installed but it will sure show you where it's at (root-kits iffy).
    https://technet.microsoft.com/... [microsoft.com]

    If you use a Mail reader like Forte Agent: Options unhide Microsoft entries, and save resources by disabling all of MS's email sub systems (and there are many).

    It will also show any files missing (mostly Codec's),

    But well worth running (as admin) often.

    I haven't run an AV in ages, I put a lot of trust in my HOSTS file, and autoruns just to keep check.

  • He does regularly encrypt his e-mail, "but he doesn't recommend that average users scramble their email, because he thinks the encryption software is just too difficult to use."

    How on earth do you use encrypted mail unless all your recipients also do the same, i.e. have public/private keys of their own that are configured in their email clients? He probably does communicate with other security minded folk who also use encryption, but the vast majority of ordinary people neither know nor care about these th

To be is to program.

Working...