Rant about computer (in)security


It seems that the more important something is to computer security, the more byzantine and patchy the documentation will be at explaining how to make sure your computers actually are secure.

The problem is security is difficult. You only have to mess up once and all bets are off.

Invariably, getting stuff up and running involves a lot of hacking around. Eventually, you get the thing working, but by then it is probably too late, even if you go back and plug all the holes. And that assumes you can remember what you did along the way.

In the open source world, products are generally configured in a secure way out of the box. You have to explicitly switch off things that are there for your protection.

That is all well and good, but without excellent documentation non-expert users (which in fact is every user a project will have: we are all novices when we start using a new product) are going to have problems getting the thing working.

The result is insecurity everywhere. And that is before we get into all the backdoors that various organisations have been more than happy to leave in products for their own purposes.

I don't have a good solution to this problem; the subject is complex. What is clear is that the current situation just is not working.

Following industry standards

To all those companies who are following industry standards: you are a huge part of the problem. Those industry standards are horribly broken, possibly by design.

There is no substitute for hiring someone who actually understands the subject and listening to their recommendations. Blindly following standards that were introduced 30 years ago, for reasons nobody can remember, is lame.

It might get you off the hook with your boss: we are just doing what everyone else does, nobody got fired for choosing IBM, etc, etc. But the fact is that your security is really dependent on the fact that there are more attractive targets, such as companies that actually call themselves Target ;)

http://dailyangst.files.wordpress.com/2012/02/birthmark.jpg

As an example, every place I have ever worked has a "you must change your password every 90 days" rule. Really? This rule was introduced based on the time it would take a good sized computer to crack a password given the hashed value that gets stored in password files... in the 1980s.

The idea being that if you change every 90 days it will be unlikely the crackers will crack your password before you change it.

NEWSFLASH: to all CIOs out there, computers have got faster since 1980. If you really want to protect against crackers that have your hashed passwords then you probably need all your employees to change their passwords about every five minutes.

Perhaps the one good thing that will come out of all the high profile breaches we are hearing about at the moment is that some of this archaic nonsense will be replaced by measures that genuinely increase security.

However, given the technologies that most companies are dependent on, and the difficulty (or indeed near impossibility) of introducing genuine security without making it impossible for everyone to do their jobs, I think we are in for many more breaches in the coming years.

Indeed, I would wager that there have been lots more very significant security breaches; we just have not heard about them (yet).
