This week is the RSA Conference 2005, and today I’m doing one of the opening talks at a Trusted Computing Group lunch. I’m trying to find a nice way to say that I think the most common approach to security problems these days is completely whacked, but I have struggled with the “nice” part. Here are some of the things that are bothering me.
Much of the grief we are currently experiencing comes from e-mail that that appears legitimate but isn’t. Users open a hostile application or go to a hostile Web site that captures their personal information, and some criminal uses the information to access their bank accounts or open credit lines. Anyone who has been victimized in this way knows it can take months or years to recover from the damage to credit ratings.
The elderly seem to be the biggest target for such attacks. But there are attacks targeting children that are even worse. Children are tricked into believing they are talking to other kids and are introduced to pedophiles or kidnappers.
We resist the idea of solid user identification because of privacy concerns. Yet many of the sites we don’t want people to know we go to contain advanced spyware that broadcasts to unknown others our activities, eliminating this privacy benefit.
I think that we the users should have the ability to blanket-reject communications from anyone who does not have an identity that can be traced. We should be able to decide whether we are willing to take the risks associated with receiving mail from strangers, and we should be better protected from receiving mail from impostors pretending to be friends.
We seem to ignore that incautious users are the biggest problem. They are the ones opening questionable attachments, using trivial passwords, and exposing otherwise secure systems. Until we make users part of the overall solution, I don’t see how we can get to where we need to be. This not only requires some level of training, it also requires that we formally abandon passwords as a security method and move to something more robust. Whether that is a smart-card approach, biometrics or a combination of the two, we desperately need a secure way for people to log into their systems.
We spend an incredible amount of time coming up with creative ways to secure systems and almost no time ensuring that the people accessing them are legitimate. It doesn’t matter how strong you make the vault if anyone can open it.
Granted, companies like IBM and MPC are aggressively putting extended security on laptop computers, but these machines are largely targeted at corporate users, leaving the vast majority of consumers unprotected.
Security starts with the user. If you aren’t willing to ensure that only authorized users have access to sensitive systems, then you deserve what you get if your systems are penetrated. If you refuse to put locks on your door and someone steals your stuff, isn’t that your fault?
It isn’t just people we need to be sure of. We are constantly patching our systems, and we are now required by our internal audit departments to show that we have extensive automated patching processes in place in order to avoid a dreaded non-compliance report to our board of directors. But we don’t yet have in place, particularly for open-source platforms, a trusted computing environment that ensures our patches come from legitimate sources.
How long will it be until the links put in place to manage systems remotely are compromised in a way that it will cripple a national defense system, a major bank or the network backbone we can’t live without? The concern about Microsoft using such a system to take over the world is silly on two fronts: First, Microsoft already is dominant, and, second, IBM is currently an even more active driver of this initiative than Microsoft. IBM is trying desperately to secure Linux, where the greatest exposure currently exists.
Wouldn’t it be nice if, before raising these silly red flags, people spent some time looking at who really is creating these problems? The hardware vendors are being killed by the proliferation of malware, and they are trying to find ways to protect their users. Dell, HP and IBM aren’t trying to lock in users; they are trying to ensure a safer user experience to contain support costs. Why would any sane user want to stop this? I understand paranoia, but Valium has been on the market for a while. If you have this problem, please take some and let the rest of us sleep at night.
Grass Is Greener Security
The belief that open source is more secure is largely unfounded. Take Firefox — a 1.0 product with two active support folks and a key designer who just left to work for Google. Yes, it works on a lot of sites just as Opera did when it was the hot browser; yes, it isn’t (or wasn’t) targeted by as many exploits; yes, it does seem faster (so did Opera). But if it used to be obscure, it certainly isn’t today, and that means it will increasingly be targeted.
It is hard to figure out how many security vulnerabilities the product actually has. You can go to Security Focus and search on Mozilla as the vendor and then Firefox as the title and come up with 39. On Secunia, you’ll see not only that the number of reported vulnerabilities is increasing, but also that 88 percent remain unpatched or only partially fixed. Internet Security Systems documents 62 security exposures, but I can’t tell easily how many of those 62 have been corrected in the 1.0 product.
In the world I thought I lived in, if you ran around telling people to migrate to a 1.0 product over a 6+ product from a branded vendor, particularly when the 1.0 product only had two full-time support people, you’d be taken to a quiet padded cell. Firefox is getting a ton of press, and people will attack it. How will two people and a handful of volunteers be able to protect you? If you are in a company and are audited for this choice, the word “oops” doesn’t protect you.
Security: Think for Yourself
In the end it is your privacy, or your company’s privacy, you are protecting. Stay focused on the bad guys, the people who want to steal your stuff, your identity and your piece of mind. Do your own research and think through the process. Don’t think just of the exposures that exist today — think ahead to the exposures you will need to address next week, next month and next year. You may make the same choices, but at least you’ll be vastly better at defending those choices. Given the career implications, this approach will do a lot to cover your assets.
Rob Enderle, a TechNewsWorld columnist, is the Principal Analyst for the Enderle Group, a consultancy that focuses on personal technology products and trends.
Actually, using the default repositories for your linux distribution of choice can ensure that you do not get any malicious versions of the program/patch/update you are installing. Package management systems on linux also allow you to double check exactly what addresses you are updating yourself from (so that you know you havn’t been hijacked) and checksums are easy to verify. Unless the actual repositories are compromised (which would also be a problem with microsofts update site) you’re pretty much safe.
I think the whole firefox misinformation has been dealt with in the above comments…
if you are truly concerned about email abuse – then you should be working to jail and fine the top SPAM 200. CAN-SPAM is a big failure, because $ drove the legislation and because $ is the only consideration – not security. Then you need to look at Spyware, another big hole being created by major Wall Street backers. Then you need to look at MSFT without the Rose-colored glasses and start opening your eyes to the fact that the world is a dangerous place, and that MSFT isn’t the greatest thing since sliced bread. It is a corporation, whose track record leaves a lot to be desired.
I AM not saying MSFT cannot fix their problems, but only a fundamental redesign of the OS could do that, and I seriously doubt that will happen anytime soon. Shorthorn might help, but then Windows 95/98/NT/XP/2003 going to fix everything before it. This is just the hype cycle all over again. You need to come off your high horse about Linux and start being honest about it. Your singular lack of examination of facts simply ruins your credibility, and your focus on the negative makes your articles a real bore.
Have a nice day.
I was only able to find ten vulnerabilities for Firefox 1.0 on Security Focus. I would guess the other 29 are from earlier versions of the program? You seem to be playing a numbers game. You should at least state the correct facts if you’re going to bring it up.
To conclude IE is more secure (than Firefox) because it is backed by a larger staff is ludicrous. This is Microsoft we are talking about here– a company with no credibility with regards to either security or general progamming expertise. Look at Windows– the only legacy, non-UNIX OS left in any significant numbers in the market place. A dinosaur.
No, I’ll bet on Firefox security, any time. And aside from that concern, Firefox renders more accurately and has better features (tabs, etc) for the user. Security isn’t everything.