Community Comments & Feedback to Security Absurdity Article

November 22nd, 2006

Six months ago I wrote Part One of my Security Absurdity article. The article was written to spark off dialogue, discussion and debate on the significant security challenges we face. Thankfully the article received quite a bit of attention and generated discussion on various sites, blogs and forums.

I want to highlight some of the comments that the article generated.

Read it here: Community Comments & Feedback to Security Absurdity Article - the Good, the Bad and the Ugly.

19 Responses to “Community Comments & Feedback to Security Absurdity Article”

  1. Jeremy McMillan Says:

    Trust: I would argue that the Internet is just one facet of the world, and that it is, thankfully, a “canary” demonstrating just how horrible the world could be aside from the Internet, and sadly is in albeit limited scope. “Eternal vigilance is the price of freedom.” - Wendell Phillips (1811-1884), http://www.freedomkeys.com/vigil.htm. I think this is a very old and much bigger problem than the online world.

    The question I would like to raise is whether it is sane to expect the Internet to work the way Security Absurdity implies. When I see the problems of Internet security within the context of all of the problems facing people on Earth, I have to wonder if the ugly state of the Internet shouldn’t be a wake-up call for politics in general? Are we lucky to have the canary, the warning, the Internet in such a state? What is the source of civilization? Does the answer to the declining civilization of the Internet not apply also to the world of local interaction?

    Abstractly, the Internet allows cause and effect to play out between humans and machines over great distances spanning those natural barriers that shield people on the streets of Chicago from the violent street crime people on the street in Mexico City endure as normal. It might be nobler to expect a secure Internet, but is it foolish for Chicago to expect an Internet more secure than Mexico City expects? Could there be other cultural disparities (besides tolerance for violent street crime) that affect security when comparing participants in the transcontinental Internet? Should we, as a matter of protocol, be insular to those? Do we deserve security on the Internet?

    Trust: I venture the claim that Security Absurdity sets a higher bar for civilization than the mode of peoples’ trust for each other has yet been able to realize anywhere in the history of humankind. Let’s not underestimate the gravity of progress on this issue.

  2. Mike Arthur Says:

    I’m interested why you make no mention of Linux, either on the server side or client side, as a way to stop these sorts of problems.

    The vast majority of Linux distributions come with no open ports on installation, and the latest version of a secure, open-source browser.

    The problem with the current security climate is that, due to Microsoft’s vice-like grip on the market, people look to them for solutions, when in reality, they are a source of a lot of problems. It’s quite frankly ridiculous that operating systems like XP can allow RPC to allow arbitrary code execution across a network by any user. It’s ridiculous that PHP is used so frequently, yet is so easy to write insecure code in. It’s ridiculous that most users are Administrators on their boxes.

    The problem isn’t finding some better type of firewall or scanner or whatever, but for security experts to ACTUALLY CHALLENGE the status quo in software.

    Ultimately, it’s this software that makes most non-social engineering attacks possible, and until you, the experts, advise your clients to simply not use PHP, XP, etc., we’re just going to see these problems getting worse.

  3. Joseph W Shaw II Says:

    On the blame game issue, ultimately security professionals aren’t the ones in an organization who make business and IT decisions. When I suggest using OpenBSD instead of Windows for an application, various members of staff and management push back because security is not their primary concern; productivity, usability, and supportability are. Is the warehouse management software supported on OpenBSD? No, it only works on Windows, and even then only when Windows is set up in a way that is patently insecure. Management will choose to deploy the software in an insecure manner in order to have a working solution. It happens far too often.

    I’ve heard repeatedly that security must be driven from the top of the company down, but have yet to experience many companies that operate in that manner. Hell, most companies still put information security under the IT umbrella of the organization when it has no business being there.

    Usually, companies that operate under regulatory compliance are better, especially financial institutions, but ultimately we must also understand that regulatory compliance doesn’t equal being secure and it never will.

    And finally, you present some very real problems but no solutions. The sad fact is that there are so many broken areas that fixing it completely is virtually impossible. It is why we have failed and will continue to fail. Software companies will still make insecure products, engineers and IT people will still bow to management pressure to implement insecure solutions, and various nations and territories will continue to operate in blissful lack of concern for being good neighbors on the Internet. Fix any one of those or the other problems you mention, and the problem gets better, but it is still broken.

  4. Bithead Says:

    The assertion that Vista will have some kind of noticeable or observable positive ripple effect on the security landscape is rather naive. While it incorporates some promising features, each of those features is implemented by code, and the codebase for all of Vista, if indeed it is a ‘ground up’ effort, is very young. Any seasoned coder will tell you that it takes time to vet out the problems in any codebase. The larger the codebase, the more eyes and longer time it takes. To be certain there are tools to catch many problems, but nothing substitutes for peer review of code to catch weaknesses. This is why various security products sold are only partially effective at their best. The underlying code has problems (as all code does).

    My point here is that new bells and whistles notwithstanding, Vista is immature code, including the code that implements the new safeguards. Anyone who has coded anything of any appreciable size can attest to this as a fundamental principle of software development and deployment.

    Vista may improve things in time, but nobody should bet on it as a solution. In terms of design it makes strides to bring Microsoft up to date, but it remains to be seen if its architecture provides the kind of basic structure to foster a more secure computing environment.

  5. Chris Travers Says:

    A note on best practices:

    You have a valid point about the mindless mantra of “just follow best practices.” Security-by-numbers offers no more security than paint-by-numbers offers fine art.

    However, I think you don’t give enough credit to the best practices. Best practices if properly understood very often have the effect of reducing exposure to network attacks and exploits. In particular, I think your comments about changing passwords indicate a certain arrogance towards the problem. The basic reason why changing passwords is still recommended is that many professionals assume that there may be a state of limited compromise at any time and this is a way of reducing temporal exposure. Maybe you disagree on the balance of harm, but disregarding the point out of hand is a possible issue.

    I have been in cases where out of a balance of harm, I had to disclose my network password to an individual whom I needed to fix a problem on a remote network when the WAN interface was down. In this case the downtime was a bigger immediate issue than the possibility of compromise. However, proper password management helps to ensure that there is less exposure if one forgets to change the password and down the road the consultant decides to do something untoward. Again it is just one more layer to protection but not one to be mindlessly followed.

    In the end, security professionals should see their work as much as an art as a battle. Security is about risk management. And this is something that cannot be done without consciousness, and a process of reviewing and understanding what the exposure is. So despite my sharp criticism, I think your articles are important here.

  6. Security Professional Says:

    One of the main reasons the “swiss cheese software” exists is because the software companies have successfully removed their liability. The problem has to be fixed at the software/hardware level first. There is absolutely no way you can teach the community of users, where many can’t even handle the oil light on their car, to deal with security issues.

    If you have followed the manufacturer’s recommendations and in the event of an accident your car fails to protect you due to a manufacturing design flaw or failure, you can successfully seek reparations from that car manufacturer. That same ability to recover damages from software manufacturers doesn’t exist. It’s been wiped out by willing legislatures, judges, and the rights-removing EULAs perpetrated by almost every software package on the market. This is why Microsoft can take months or Oracle can take years to patch a known vulnerability - they have little to no incentive to do so.

    I can personally guarantee that any attempt to make commercial software systems more secure will ALWAYS fail without the primary liability put back where it belongs - on the software manufacturer.

    Trusted computing isn’t the answer. TC is computer totalitarianism, not a security solution. It’s DRM on a worldwide scale where your data is jailed and the keys are held by the software manufacturers (who can then do what they want with your data or the keys). As we’ve seen with Microsoft’s and Apple’s failures with music, DRM holds up about as well as gun laws - the law abiding citizens become prisoners in their own homes and only the criminals have guns. In this case, law abiding citizens have paid for data that either is useless (can’t be transferred to another music player), or becomes useless (Microsoft changes the standard so consumers have the privilege of re-buying every track for the new Microsoft standard - the Zune). Meanwhile, the same music tracks are available for download for free without any of these restrictions from pirate systems worldwide.

  7. Chris Travers Says:

    In reply to Mike Arthur:

    I agree that Microsoft software is generally over-engineered, overly complex, and often insecure. I do not believe that Vista will solve these problems because there are dependencies in Windows that make for braindead security issues.

    However, I also think that people make the mistake of looking to products for security, and security professionals are a big part of this problem! Linux by itself will not make an organization much more secure, nor will firewalls, nor will any other product on the market or open source project, any more than firearms and armed bodyguards might make one safe in Baghdad.

    The primary tools in the search for security of any type (not just information security) are awareness, consciousness, and thought. Everything else is secondary. There are techniques, best practices and some products that, when wisely used, can help. But if you don’t start with the awareness factor, you can never have security.

    Security can never be obtained at the cost of being able to continue to do business easily and efficiently. The challenge (and a rewarding challenge at that) is almost always to help people implement something that does what they want it to do in a secure manner. This often takes creativity, but it always takes awareness.

    I have a customer that is struggling right now with the need to access some high value target applications (i.e. applications that do credit card processing) over a public wireless network. Creating compensating controls that meet the rigors of the PCI-DSS requirements in this case is not an easy task. But it is both possible and, by going the route we are going, the customer will be more secure than they would have been even before we started this project.

  8. Chris Travers Says:

    And a note on Microsoft (my former employer):

    It is certainly true that Microsoft products have a bad security track record. However, I think that Noam misses the point when he states that this is not Microsoft’s fault. Microsoft is an organization that, due to its market power, has the cash necessary to throw a lot of engineers at computing problems without sufficient design review. Also, since the industry is “innovation-driven,” new features take center stage while security is at best an afterthought.

    Please don’t misunderstand me. Microsoft has had every intention of producing reasonably securable operating systems yet it has failed. I do not expect Vista to be any different.

    The reason is that Microsoft software in general is very (I would say overly) complex, and this is always undesirable from a security perspective. Again, the issue is Microsoft’s success at leveraging economy of scale for their own financial benefit. Many of their products seem polished on the surface until you run into corner cases and then the software has a very unfinished feel about it. Worse from a securability perspective, Windows has a large number of built-in dependencies which are truly braindead from a securability perspective (how many things depend on RPC?) and so one has a much harder job on Windows balancing security and usability.

    Don’t get me wrong: mindlessly migrating away from Windows isn’t going to bring security. In fact, I have serious architectural security concerns over Firefox (in that the user interface is not inherently separate from content, which means that the boundary between user interface and content is a major point of attack).

    But the goal of software developers (including myself) needs to be to develop software which will withstand as much in the way of attacks as possible and then, when it fails, fail gradually and gracefully, exposing as little as possible in the process to outside attack. But then isn’t that the goal of network security too?

  9. Timothy J. Miller Says:

    I certainly agree that security procedures are failing across the board. When penetration tests have near 100% success rates, even against some of the best defenders, something is clearly wrong.

    I’m reminded of something science fiction author Larry Niven once wrote, which I’ll paraphrase: Writing sci-fi is a game, but I have to make all my moves first. What he meant was that as the author, he gets only one shot to get it right; but the fans get forever to take it apart and show how he got it wrong.

    I think information assurance is in a similar situation; we have to design secure systems, but we only get a limited amount of time to do so. The attacker has all the time in the world to discover the things that we miss.

    Since the threat is so dynamic, so rapidly changing, so too must our defenses become dynamic. What this means to me is that systems need to become more like biological immune systems, capable of sensing and adapting to threats all on their own. But we don’t know how to do this yet.

    Another problem that I think stacks the deck against us is that we have yet to find a good way for humans to interact with security relevant information. But we don’t know how to do this yet either. Part of this problem is we don’t even know what the security relevant information would even be! There’s a lot of good work going on in this area, however; there have been some interesting collaborations lately between the Human-Computer Interface research community and the information assurance communities. I’m confident that we’ll see some progress there soon; the hard part will be getting the software authors on board.

  10. Kim Holburn Says:

    After reading about what happened to Blue Security I realised that basically organised crime had control over the internet and no-one is doing anything about it.

    I agree with one of your respondents that you can’t just be defensive. Offense must be a major part of defense.

    Recently, after a fairly serious attack on one of my servers, I scanned the attacker. One of the other IT security people said to me I shouldn’t do that because it might invite a DDOS attack. Have we been reduced to this? We are actually scared of even scanning attackers. Not only that, but a lot of the laws in place to “stop” hacking mean that serious scanning of attackers is against the law!!!

    I think we have to start clearing the internet of organised crime. I don’t know how, but I don’t think the laws of any single national state will help here; it will have to be done by people on the internet, and will have to be fought not only on the internet but legally, as the actions lately initiated by spammers, like the one against Spamhaus, are only going to increase.

    (Why do I think of David Brin’s Earth here?)

  11. fatcop Says:

    Certainly agree, Kim; I was nodding when I read “offense is the best defense.” It doesn’t have to be an eye for an eye, but to live in fear or back down is defeat.

    Noam, agree with most things in your first article. Your productive approach is to be commended.

    Here are some other thoughts:

    A) Some aids to fighting spam (e.g. SPF, SenderID, DomainKeys) seem to require immense ISP/infrastructure cooperation or regulation across the global Internet. Is this level of unity ever realistically attainable in the foreseeable future?

    B) Though you may exonerate Microsoft of major fault in our security crisis, and casting blame doesn’t necessarily propel us forward, I think they have something to answer for still holding us back.

    As you stated in your article, people have tended to lose sight of how bad or unacceptable things (bad malware detection, mass botnet farms) really are. Well I also think you can add the actions of Microsoft to that blindness.

    I think it is outrageous and unethical for the monopoly OS provider of the world to even ponder getting into the anti-virus racket. I don’t care how they slice it. Sure, they can also hype Vista all they want from a security-improved point of view, but ultimately, whichever avenue they create, it’s about us giving them more money for some expected intrinsic functionality we already paid for. Since when is basic security an add-on feature?

    I keep hearing MS never absolutely positively guaranteed us a bullet proof secure system, but average users had a level of expectation that wasn’t met. Like that your new car won’t spring a fuel leak when running over a bump and blow up.

    A monopoly like Microsoft sold a deficient product that they patch constantly, which in itself isn’t the major issue in the software business. It’s next to impossible to make software perfect within a deliverable time frame. It’s a general trend that MS has also adopted to download fixes and enhancements, often automatically. It’s a realistic approach to a complex industry.

    But, whatever it takes of that juicy profit should go into a 100% effort to fix their product. That includes their Office and other bread-and-butter suites that the majority of people around the world paid for and use every day. If they were doing a sterling job and there were no critical security bugs or flawed designs in their products and they wanted to start their own anti-virus project, then it’s hard to argue with that. But things aren’t rosy. If their OS and MS-IE were fully secure, because they were fixed by auto patching, there would never have been a need to switch to other browsers, except perhaps for other functionality.

    It’s not acceptable for MS to go, “um, this is proving a bit difficult to nail all the bugs, even though we have limitless resources. Instead we’ll just create another time- and resource-consuming project with huge potential for flaws, and tout it as a necessary piece to the puzzle to keep our beloved customers safe.” Even if it’s just their name whacked on some work done by another company they bought, it’s still a distraction from what they owe us paying customers.

    So Noam, while it’s a bit of an MS bash, do they not have a lot to answer for and to fix with more conviction? Because they didn’t just virtually lead us to this position, but aren’t actively taking enough steps to lead us out of it. They should, pure and simple, be banned from being affiliated with any anti-virus software as a conflict of interest.

    C) I noticed you didn’t mention any other OSes (Linux, BSD, OS X) at all. I can understand you didn’t want to bring geek holy wars into this, but at the same time, omitting mention of them seems like excluding their viability as part of the security solution. For example, a huge percent of the public only have basic computer needs (email, chat etc.) and other OSes like Linux offer a highly secure, out-of-the-box, virus-free environment. But due to corporate agreements, your average person has barely even heard of it, nor are they offered this in normal PC shops. These days hardware support is good and the application range is huge also. Macs fall into the same argument, but cost rather than brand awareness may be the setback here.

    Also, on Linux OSes most application installations are offered via a centralized, controlled repository (with a nice GUI selection mechanism). So there is inherent enhanced security there, as all programs there may be vouched for by their distribution maintainers, or at least they choose wisely. Of course, if the selection is not adequate, you may have to resort to the Windows approach of finding a website and trusting the binary you install from there. Not to mention the whole build-it-from-source angle.

    So while an alternate (more secure) OS offers some real benefits, perhaps it won’t be seen as helping problems like spam or DDOS attacks. But in a way it can. If more PCs were secure, especially out of the box, and more impervious to vulnerabilities, then there is less chance they will end up being part of a botnet used for those purposes. In a way that is the only way to solve large scale problems. Start right with the new generation.

    Anti-ad/spyware/virus detection software makes sense on any platform, as a 3rd party (installation) binary/script you run on your machine could do damage.

    -fatcop

  12. Stewart Stremler Says:

    Part of the problem is that we’re looking at a monoculture. The lack of variety means that a parasite — a virus, trojan, spyware, etc. — can flourish quite successfully despite any localized concerns. The failing of security professionals is that they’re not, in general, actively discouraging this monoculture. The fault lies with the customers, who keep buying stock PCs with Microsoft Operating Systems, and the security professionals, who don’t point out that this is a short-sighted and stupid thing to do. The best practice of “Get a Mac” sorta-kinda touches on this, but I don’t think even that would bring enough variety into the mix.

    We need the variety in the marketplace so that customers can make decisions on something other than “what is everyone else using?” — given a choice between a secure-by-default system and an insecure-by-default system, with all other functionality being equivalent, wise customers (yeah, yeah, most purchases are emotional, but we’ve got to assume that most people aren’t actually self-destructive idiots) will choose the more secure system. Competition will drive the insecure-by-default vendor to improve, and overall security ought to increase.

    Without competition, there’s no real incentive to put security before glitz, and quite a lot of incentive to put glitz before security. Economics trump security every time.

    Another problem area is trust, which, again, is nothing new. People trust certificate authorities — darn few people have actually gone through the default list of certificate authorities to deselect the ones they know nothing about. Further, it’s actually quite tedious and annoying to do this in the average browser, although not quite so tedious as /adding/ a new certificate authority. Security professionals should pressure software developers to ship their products without any trusted authorities (that they aren’t willing to guarantee themselves), and then to make it easier for the user to select which authorities they wish to choose to trust.

    Likewise with live data. Best practices recommends turning off Javascript, ActiveX, Flash, and so forth… but darn few professionals actually follow this advice, and those who do are often stared at with frank astonishment, and asked “how do you find the web at all useful?”

    And the fact is, it’s often hard. It takes a strong sense of perversity and/or significant discipline to not do business with companies that require that you enable JavaScript / trust ActiveX / install Flash plugins. Again, this problem comes down to economics — customers need to simply refuse to do business with companies that make such demands on them. Security professionals need to drive this lesson home: if you let a business get away with forcing you to relax your security settings, you deserve any grief you get.

    Likewise with sending around data formats that contain programs, like MS Word or MS Excel. Sending around supposed data that contains programs is amazingly stupid, from a security standpoint. And yet, it’s still done, again and again; even some security professionals do it on a frequent basis.

    In short, the real problem is that people do unsafe and rather stupid things on a routine basis; you can’t protect people who refuse to be protected. If I were to go to my doctor and ask why he can’t keep me from getting sick, despite my refusal to follow his advice about not abusing drugs, sharing needles, getting drunk and having unprotected sex with strangers, eating poorly, getting too little rest, and refusing to wash my hands, the doctor is entitled to give me a dope-slap and possibly have me committed for being incompetent.

    Granted, there are tools that can help us, and there could be better tools. But if the users won’t use ‘em and the developers bypass ‘em, what good are those tools?

    Consider Java. The Java Virtual Machine has quite a lot of code just to deal with security. You can run a Java program in a pretty locked down sandbox, and only open up what you need — perhaps you want to run a server program, so you give it read access to its configuration file, write access to a directory it has all to itself, and access to the network — five minutes is all it takes to create the appropriate configuration to do this — but will it run?

    Chances are, it won’t, at least, if it’s open-source. An awful lot of (open-source, even) Java programs include their own classloaders, which means that in order for these programs to run, you have to also enable the use of custom classloaders. But that cracks open the VM, and you can no longer have any trust that your program won’t access whatever it wishes.

    Whoops.

    And those who point out such things are called paranoid.

    We need better tools to isolate programs (why don’t all operating systems offer Java-style resource control and management for any arbitrary program?), but we also need to break this cycle of developers providing features that bypass security, vendors who expect users to Just Trust Them, and users who happily go along, trusting the vendors and ooh-ing and aah-ing over security-compromising features.

    But where to start?

    Start with giving people a choice. Those who choose poorly can pay the price for their poor choices — because it was a choice — and economic incentives ought to bring about change. Without a choice, there’s no way the average user can do anything other than follow the herd…. off the cliff.

    Merely building better tools won’t work.

    Passing more laws won’t work.

    Ranting at software developers won’t work.

    What else might work?

    The only other way that puts pressure in a systemic way would be to pass laws absolving anyone who breaks into a computer system of any wrongdoing for that action. (Add in a reward if they report the flaw, and fine the owner of the [IP of the] compromisable system.)

    Again, the economic incentive would change people’s priorities. Botnets would, by necessity, vanish, as the owners of compromised systems would take those systems offline to protect their own self interests. They’d demand, rather than just whine, for secure software; they’d follow best practices, and get upset with anyone who asked them to “lower their security setting”.

    The transition would be rough.

    It all comes down to incentive. People *talk* about wanting security, but they don’t *act* like they want security — so they don’t have security.

    And this is a lot more incoherent and rantish than I expected. Oh, well.
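    The locked-down sandbox described in the comment above (read access to one configuration file, write access to one private directory, network access, and nothing else), written out as a Java 2 security policy file. This is an added example, not from the original post; the code base path, file paths and port are assumed placeholders.

    ```java
    // Added example: java.policy for a sandboxed server, as described in the comment.
    // All paths and the port are assumed placeholders.
    // Run with the policy REPLACING (not extending) the JDK's default policy, note the "==":
    //   java -Djava.security.manager \
    //        -Djava.security.policy==/etc/myserver/java.policy \
    //        -jar /opt/myserver/server.jar
    // Any access outside these grants throws java.security.AccessControlException.
    // (The SecurityManager this relies on was deprecated for removal in JDK 17, JEP 411.)

    grant codeBase "file:/opt/myserver/-" {
        // Read-only access to the server's own configuration file.
        permission java.io.FilePermission "/etc/myserver/server.conf", "read";

        // A private working directory; "/-" means the directory and everything below it.
        permission java.io.FilePermission "/var/lib/myserver/-", "read,write,delete";

        // Network: listen/accept on one local port, and make outbound connections.
        // "listen" is only meaningful for localhost, so it is granted separately.
        permission java.net.SocketPermission "localhost:8443", "listen,accept";
        permission java.net.SocketPermission "*", "connect,resolve";

        // Deliberately NOT granted: the permission a program that ships its own
        // classloader needs. With it, the code can define classes in whatever
        // protection domain it likes, so the grants above no longer confine it.
        // permission java.lang.RuntimePermission "createClassLoader";
    };
    ```

    If the program fails under this policy, adding -Djava.security.debug=access,failure prints which permission check was denied, which is how to tell a genuinely missing grant from a request for createClassLoader that should stay refused.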

  13. John Judy Says:

    While I agree with most of what you have said in this article, I do have a couple of issues. First is your, as others have phrased it, naive hope in Vista. Microsoft has yet to put out a piece of software that is secure, or even reasonably securable. The blame for this doesn’t sit on MS alone; one of the biggest holes in Windows security is the reliance of software on privileged access. This is a flaw in both Windows itself (for giving the access by default), and the third party software manufacturers (for using it even when it isn’t actually necessary).

    The only real path to securing software is to start by removing the spreading vectors. It is not reasonable to expect users to be the first line of defense, just as you wouldn’t expect a random citizen to be the first line of defense against an invading army. Software needs to be created in a way that prevents automated spreading of these bugs/exploits/etc.

    Once it is reasonably safe to go to a website without thinking an image on the page would blow up your OS, you can move on to the next level, which would be creating effective tools that anyone could use without a CS degree. As long as securing your computer requires manually running multiple anti-virus/spyware programs daily, users will not secure their computers. Firewalls are even worse when it comes to complexity. Even when the firewalls are designed to a yes/no interface for the consumer, it becomes a mindless click through process.

    Once we have given users control back, and tools they can effectively use, we can focus all of our efforts on education. The reason this wouldn’t be a first step is that there is too much out there to be educated about. Virus, trojans, worms, phishing, spam, open ports, and more are all too much for most users out there to comprehend. This isn’t a dig at computer users; I, a software developer, can’t keep up with all of the new exploits, etc. I’m not sure, if it were my full time job to keep up with this stuff, that I could keep up.

    And a specific comment about your Vista comments - the required driver signing isn’t a way for MS to secure their OS, it is an implementation of DRM and mostly just a way to make MS more money. Hardware drivers, to my knowledge, are an uncommon attack vector. Requiring MS to digitally sign the drivers before they can be installed is just a way for MS to limit innovation and further their monopoly. Manufacturers have to go through MS before their product can be used in 90% of computers. It was bad enough when MS had near total control of the software on a computer, but now they will have control of the hardware.

  14. Chris Travers Says:

    Re: organized crime and the internet:

    The real problem with offensive security measures is that you almost never really know who your attacker is. A network scan may be OK (I personally don’t think it crosses the line when this is part of the investigation of an attack), and certainly even more passive means are always OK. However, if one actually retaliates with hostile force against a computer attack, it opens up a major problem: you don’t usually really know who your attacker is with any certainty.

    For example, if I thought you were going to take serious offensive measures against me if I attacked your system, maybe I would find some other system that I wanted you to attack instead. Even simulating an attack as if it came from, say, a US DOD installation might have interesting effects.

    Unfortunately, organized crime has a strong hold over the internet and there are no easy solutions. Because the internet is a global phenomenon, it allows people, say, in Iraq, Nigeria, Russia, or Indonesia an ability to attack with near perfect legal impunity (the previous countries were selected due to a lack of rule of law). What is worse, these organized crime cartels are increasingly profit-centered with ties to everything from spam to human trafficking. I personally am very concerned that this has reached a critical mass and hence we may be in a conflict without resolution.

    In the end, the only way we are going to be able to get real information security is if we focus very clearly on building security into every application we create, and in managing the risk carefully in every network we manage. I fear dark days are ahead. But in the end, I think as long as we focus on things both from the engineering and human factor (I know, Noam, you don’t like security training, but I think that such training, done right, can have a very positive impact; it has to focus on awareness building rather than best practices though).

  15. Chris Travers Says:

    Re: Stewart Stremler

    I think that the monoculture is dangerous and that Windows is a problem, but I think that the real issue is simply a lack of awareness. Note that my business offers PC repair to end users, business security assessments, software development, and nearly every other service available.

    When I tell people that I frequently see at least 100 automated hits against my firewall every day (and this is filtering out virus outbreaks), most people are astounded. They have *no idea* the situation is as bad as it is.

    But these issues aren’t that complicated. I have taught classes where I teach retired consumers (who are often feeling lost with computers anyway) how to not only understand computers but understand security advisories. The concepts and principles aren’t that hard.

    At the same time, there are a *lot* of software developers, as you mention, that have no idea how to build secure software. At least with open source software, the projects can be forked if necessary, open discourse is possible, etc. In fact I have forked projects due to security concerns and one of those projects (LedgerSMB) is now moving quite a bit faster than the original despite the fact that we frequently have to freeze development and pull out stupid security issues (before we forked, the parent process was using timestamps as authentication tokens and “validating” them simply meant checking to see whether they referred to a recent time, a method that even if it works like it is supposed to offers absolutely no security at all).

    As a software developer, the answer is to demand better software, engage in discourse where appropriate, and actually work to rectify the problems. Open source itself may not be a panacea, but it offers an avenue for engagement and a way we can be a part of the solution.

    But the hardest issue is to get over the notion that we will ever have “secure” software. We ought to design software with the idea that we will always make mistakes, that the software can always be attacked, and that some attacks we never thought could be used may turn out to be exploitable. Therefore, we must learn not to trust our own code. We must assume that applications will always become at least partially compromised and we must create South-Korea-like defences to slow down and ultimately limit the scale of attacks. Total compromise ought to require a large number of difficult but minor compromises which need to be made independently.

    As security professionals, we need to select software which follows these principles. IMO, this means avoiding MSHTML-based browsers (like Internet Explorer), XUL-based browsers (like Firefox), ActiveX (but not necessarily Java or Javascript), .Net web browser plugins if they ever become available, software that requires unnecessary permissions, and so forth. And we need to advocate secure alternatives (I use Galeon as my browser, for example). In our purchasing decisions and product recommendations, we can no longer afford to be exploit-driven; we must be architecture-driven.
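    The timestamp-as-token scheme described in the LedgerSMB comment above, beside a server-side random session token, as an added example that is neither the commenter’s nor the project’s code; the window, user names and timestamps are constructed.

```python
import hashlib
import secrets

# Constructed illustration, not LedgerSMB code: the "timestamp as token"
# scheme the comment describes, next to a random server-side session token.
WINDOW_SECONDS = 15 * 60  # assumed "recent" window used by the weak scheme

def weak_validate(token: str, now: float) -> bool:
    """Flawed: the token IS a timestamp, accepted whenever it is recent."""
    # Nothing ties it to a login, so a token the server never issued passes.
    try:
        issued = int(token)
    except ValueError:
        return False
    return 0 <= now - issued <= WINDOW_SECONDS

def _key(token: str) -> str:  # store only a hash: a leaked table yields no sessions
    return hashlib.sha256(token.encode()).hexdigest()

class SessionStore:
    """Hardened: random tokens bound server-side to a user and an expiry."""

    def __init__(self) -> None:
        self._sessions = {}  # sha256(token) -> (user, expires_at)

    def issue(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[_key(token)] = (user, now + WINDOW_SECONDS)
        return token

    def validate(self, token: str, now: float):
        # Returns the bound user, or None if the token is unknown or expired.
        entry = self._sessions.get(_key(token))
        if entry is None:
            return None
        user, expires_at = entry
        if now > expires_at:
            self._sessions.pop(_key(token))  # expired: drop it
            return None
        return user

def demo(now: float = 1_700_000_000.0) -> dict:
    # Both schemes against a plain current timestamp that nobody issued.
    store = SessionStore()
    unissued, issued = str(int(now)), store.issue("alice", now)
    return {
        "weak_accepts_unissued": weak_validate(unissued, now),
        "strong_rejects_unissued": store.validate(unissued, now),
        "strong_accepts_issued": store.validate(issued, now + 60),
        "strong_rejects_expired": store.validate(issued, now + WINDOW_SECONDS + 1),
    }
```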

  16. monroe-kc.com Says:

    While not the first to say it, the article does do a good job of laying out what is wrong and some ideas on how to make a change. We have lost the balance and there are a lot of incentives on both sides of the coin. From a security perspective, how many stupid clients do I need to have loaded on my already bloated desktop to “feel safe”? I don’t subscribe to the idea that if hackers didn’t find holes and then say please fix them we would be OK. If that is true why do we need vaults or PIN numbers to protect our bank?

    There is a need for the traditional hacker to explore, understand and then educate everyone about these issues and the problems with a bit of software, a piece of hardware or anything else that may have some flaw that is known or unknown.

    As a side note someone who breaks the law and is able to make money from cracking into something is way different from someone exploring and trying to understand how something works.

    Back to security, too many clients, too many ways for someone who wants to get in to get in and exploit your machine.

    This is all good if we decide one day to change how we compute and how we will access our information. The one thing that must be made clear is that it is “Our information” and if I decided to lend that information to a company or to sign up for a service that information, either expressed or unexpressed, is still my information. If companies were to treat it that way and were held liable I imagine their perspective would change.

    So we have an opportunity here to change how we do security. Here are some of the things that need to change.
    - Client Education
    - Less clients: No spam, virus, malware, host based intrusion detection
    - HoneyPot Land (some place where companies can place their gear out in the wild to learn how to harden it)
    - Tighter coding
    - Focused attention on the criminal side and not the education piece
    - Foreign threats
    - Evil insider education
    - Less laws, more accountability

  17. Rich Kulawiec Says:

    Two points.

    First, in re Vista: I expect it to make the situation considerably worse. Part of that expectation is based on Microsoft’s track record; part of it is based on the enormous amount of new code that’s been added; and part of it is based on the inclusion of DRM measures which constitute a designed-in backdoor. (They have to: they won’t achieve their intended purpose otherwise.) I highly recommend this excellent analysis:

    A Cost Analysis of Windows Vista Content Protection
    http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.txt

    by Peter Gutmann.

    Second, I’ve become convinced that despite all the advances we’ve made in coding practice, we’re still a long, long way from the point where we actually know how to write secure programs and combine them together into secure systems. I think the algorithm we have to approach that goal is:

    1. Write code.
    2. Put code in front of many clueful eyeballs.
    3. Wait.

    Yeah. I’m arguing that open source is a requirement. (Note: it’s not necessary, not sufficient. It’s not a magic bullet.)

    To put it another way: it’s not secure until everyone knows exactly how it works and it’s still secure. (And maybe not even then.)

    Cryptographers learned this some time ago: security must always rest on the key and never the algorithm. We need to apply that lesson and stop pretending that unpublished source code enhances the security of the final product.

    (Besides, as we’ve seen multiple times — Cisco, Oracle, Microsoft, etc. — “unpublished” source code is unlikely to stay that way.)

  18. Chris Kaye Says:

    Thank you for confirming my suspicions in that indeed, internet security is not working. I run a small business and use the internet heavily for both concerns, purchasing and managing bills, etc., and I ponder the hours and hours of my life lost to managing the multiple security features that I juggle, which often don’t work well with each other, and for which I pay an inordinate amount of money. I think of Microsoft, whose security is awful, but who yet manage to have access to the entirety of the hard drive and doings of every one of their customers and collaborate with the government in monitoring it. This to me is an interesting disparity that if it were examined to the depth it deserved, would yield some pretty disconcerting answers. Why, in general, are the snooping softwares and systems so developed and efficient, but yet there is such a lag in security? Is this a matter of priority, and for whom?

    My latest security problem is with PayPal. Can you tell me why a company so prone to security problems doesn’t seem to have the outlay to deal with it? Emails go sometimes months unanswered, account corrections the same. I regret having had anything to do with them and have attempted to close the account, key word attempted - it is still in existence, still my main vulnerability, though I ordered it closed months ago.

  19. Peter da Silva Says:

    Re: the blame game.

    This isn’t a matter of “a large crime increase”, this is a complete collapse of civil order. The city has fallen, every citizen is expected to be armed and living in an armed compound behind defensive razor wire. And the police aren’t allowed anything better than billy clubs.

    If a city is under military attack, and the police are unable to stop looters, then do you blame the police or the people who are responsible for the attack? If there is no military to defend the city, then who is responsible? The police, or the government?

    If a city is suffering a national disaster, and the police are unable to stop the looters, then do you blame the police? If there is no national guard, then who is responsible? The police, or the government?

    If a city is suffering an epidemic, and the police are not allowed to arrest the guy handing out smallpox-infected blankets because the government doesn’t believe in smallpox, what do they do?

    Who is responsible if today’s best practices are hard to follow? The police, forced to stand by as trucks stock the stores with dangerous goods and the people selling safer products are forced to make do with stalls in the flea market?

    You write “Cooper actually advocates that people no longer use PHP to allow visitors to post comments - and he sees nothing wrong with that suggestion?! (PHP is only the most popular server-side scripting language that powers some of the most popular web sites.) What other technologies should we throw out and avoid due to security risks? Email? Blogs? Web Sites?”

    No, that’s an obvious straw man. Throwing out PHP is not the equivalent of throwing out blogs. Throwing out PHP is the equivalent of throwing out the smallpox-infected blankets, not the equivalent of throwing out bedclothes completely. If you, a security professional, don’t see that getting rid of software that has a horrible track record for safety is necessary, then how are we supposed to get ANY real changes to happen?

    You write “Today’s security Best Practices are counterintuitive, difficult to implement, quickly outdated by new threats, and are constantly changing.”

    We call these things “best practices” because we can’t make them laws. What do you think we ought to do about software that’s got no fundamental security design?

    If Microsoft cared about security they wouldn’t be messing around with user access controls and limited privilege sandboxes, they would be eliminating the software that makes these guidelines necessary. The HTML control wouldn’t provide the tools to let people hide the destination of links, in email messages or on the web. The HTML control wouldn’t provide a path out of the sandbox at all. Mail and web software wouldn’t use desktop applications to display untrusted content. Real helper applications would need to be registered explicitly as capable of dealing with untrusted content, and parameters passed to them would be passed through secure APIs that don’t need an ad-hoc agreement on quoting. Active content would be strictly sandboxed, even if that made it harder to do “cool stuff” in web pages. These are all REALLY BASIC design rules that should have been in place by 1998, at the latest, but it’s 2008 and not only Internet Explorer and Outlook, but also Firefox, Safari, Opera, Thunderbird, Apple Mail, and virtually every other program that I have ever examined violates some or all of these simple “best practices”.

    You write: “Security professions need to work with Microsoft, not against it.”

    I’ve been trying. When I had the opportunity to visit Microsoft in 2000, I made a point of letting them know that I approved of the fact that Pocket Internet Explorer was designed more securely than the desktop version: in fact, Pocket IE in 2000 was a better program, from the point of view of security, than any of the leading browsers today… because of what it didn’t do.

    Working with Microsoft means giving them the thumbs up when they do things right, not when they do things that may be slightly less wrong.

    Working with Microsoft means not just concentrating on Microsoft. Firefox and Safari have been getting a free ride for a long time, and even now criticism directed at them is rarely directed at the systematic faults that they share with Internet Explorer.
