Monday, October 08, 2007

'Meta' or 'Metta' security....

Basically I'll let Mr. Bejtlich summarise, from his 'Three Wise Men' of security, practically all that currently needs to be known about the state of play in and around the IT Security industry and IT Security Risk areas. On the shoulders of giants and all that!

http://taosecurity.blogspot.com/search?q=three+wise+men

Dan and Marcus are definitely on my list, though I haven't really read this Ross Anderson guy. Richard himself is on my list, however, along with Rob Thomas from Team Cymru.

On another note, to save you signing (or reading about signing up) for tonnes of bullshit, please find below a great 'Point:CounterPoint' from Bruce Schneier and Marcus Ranum. DRM/Copyright.. nah...

Erm, hopefully without getting in trouble and making others spend 5 minutes signing up to read the below, here it is in all its glory.

Bruce Schneier

Point: To the average home user, security is an intractable problem. Microsoft has made great strides improving the security of its operating system out of the box, but there is still a dizzying array of rules, options and choices users have to make. How should they configure their antivirus program? What sort of backup regime should they employ? What are the best settings for their wireless network? And so on.

How is it possible that we in the computer industry have foisted on people a product that is so difficult to use securely, it requires so many add-ons? It's even worse than that. We have sold the average computer user a bill of goods. In our race for an ever-increasing market, we have convinced every person that he needs a computer. We have provided application after application--IM, peer-to-peer file sharing, eBay, Facebook--to make computers useful and enjoyable to the home user. At the same time, we've made them so difficult to maintain that only a trained sysadmin can.

And we wonder why home users have such problems with their buggy systems, why they can't seem to do the simplest administrative tasks, and why their computers aren't secure. They're not secure because home users don't know how to secure them.

At work, I have an IT department I can call if I have a problem. They filter my Net connection so I don't see spam, and most attacks are blocked before they get to my computer. They tell me which updates to install. And they're available to help me recover if something happens to my system. Home users have none of this support.

This problem isn't going to go away as computers get smarter and users get savvier. Next-generation computers will be vulnerable to different attacks, and next-generation attack tools will fool users in different ways.

This isn't simply an academic problem; it's a public health problem. In the hyperconnected world of the Internet, everyone's security depends in part on everyone else's. As long as there are insecure computers out there, hackers will use them to eavesdrop on network traffic, send spam and attack other computers. We are more secure if those home computers attached to the Internet via DSL or cable modems are protected against attack. The only question is, what's the best way to get there?

I wonder about those who say "educate the users." Have they tried? It's unrealistic to expect home users to be responsible for their security. They don't have the expertise, and aren't going to learn. And it's not just user actions we need to watch; computers are insecure out of the box.

The only way to solve this problem is to force the ISPs to become IT departments. There's no reason they can't provide home users with the same level of support my IT department provides me, or a "clean pipe" service to the home. Yes, it will cost more, and require changes in the law to make this mandatory. But what's the alternative?

In 1991, Walter S. Mossberg debuted his Personal Technology column in The Wall Street Journal with the words, "Personal computers are just too hard to use, and it isn't your fault." Sixteen years later, it's doubly true when it comes to computer security.

If we want home users to be secure, we need to design computers and networks that are secure out of the box, without any work by the end users. There isn't any other way.



Marcus Ranum


CounterPoint: I'm sure that many of the things Bruce points out about computers at some point or another applied to automobiles or any other technologically interesting and complex device. There was a time, in the early days of the automobile, when any idiot could go 75 miles per hour with no requirement for training, safety equipment or sobriety. As Bruce says, eventually that kind of thing becomes a public health issue and then society begins to enforce constraints. Question is, do society's constraints make a difference, or does time cure these ills?

When I was growing up, there was just one kid in my entire high school who had a computer. Today, it seems every kid 8 and older is a Windows sysadmin. And some of them are better at it than you might expect. That's because they grew up doing it, and the human brain appears to be able to integrate amazingly complex tasks as "normal" as long as we're introduced to them early enough. Bruce, I think the problem is not with all the home users--I think it's with the adult home users.

I see the generational distinction most clearly with my parents. My father still writes using an old Underwood typewriter. My mom has adopted a computer, but she's exactly the kind of user you're worried about--she clicks "OK" on anything, and seems to be trying to collect spyware. Thinking about it, most of the generation before mine is pretty uncomfortable with computers, and I was one of the early experimental kids who grew up networking on the ARPANET and BITNET. Does that have something to do with the fact that I have always had a good grasp of the concepts of transitive trust and distributed systems? I think it does; I think the analytic parts of our brains, if given a task early on, are able to make sense out of all kinds of insanely complicated things.

"Educate the user" is an old mantra in security, and its uselessness is one place where Bruce and I agree. I think, though, that building simpler systems is not the answer. The answer is to let the current user population die off! It's going to happen, anyhow.

Forcing ISPs to support home users, or re-engineering computers to be simple enough for us old coots to understand, completely misses the point. At the point where enough customers want simple-to-use Internet terminals, a market will develop. Arguably, it already has--witness the evolution of handheld PDAs and centralized "no spam" managed free email services. The complexity of the Internet and software administration is getting absorbed into the IT infrastructure of Google, Yahoo and MySpace.

I'm not demanding that Detroit make cars that are simple enough for me to repair; I choose to buy vehicles that are usually reliable, and I outsource the repair work to the mechanic up the street. Perhaps what we're doing is shifting complexity around in our lives: I never learned how to fix a transmission, but I can still scratch-bake a firewall with a custom filtering reverse Web proxy in a weekend. I've seen home users who can't manage a Windows XP upgrade, but who can successfully instrument-land a jet fighter.

Bruce, when you and I are old coots sitting on the porch, you'll be amazed to see the current generation of kids nimbly navigating their way through software and system configurations that completely blow our minds. Relax; it's just what progress looks like from our side of the hill. Will the future be more secure? It'll be just as insecure as it possibly can, while still continuing to function. Just like it is today.

2 comments:

Anonymous said...

This is the sort of stuff that worries me. If enough users opt to be dumb terminals the rest of us will be priced out of the market as niche geeks.

I'll have to resurrect my old Sinclair 128K this side of the pearly Gates.

Anonymous said...

So it's all our fault, hm? Tsk tsk ... we'll die off and all will be well.

Have a look at this. Forget about the poor newbie at Monster who got all the stick from Irish bloggers. See what the "IT professionals" in Cork did, and they got no flak at all.

here

[Follow-up all over the Irish blogosphere. Made a mess of the guy in Monster.]

I've been blogging since 2003 but you won't find my email addy posted on any blog I've worked on. :)