Thread: Best security Article I've read in a long time.

  1. #1
    Administrator Moby-Dick's Avatar

    Best security Article I've read in a long time.

    http://www.ranum.com/security/comput...itorials/dumb/

    The Six Dumbest Ideas in Computer Security

    What a great read - it's not an OS-specific rant, but a set of ideas I found to be well presented and equally well thought out.

    I shall certainly be doing my best NOT to implement any of them
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  2. #2
    Seething Cauldron of Hatred TheAnimus's Avatar
    An interesting project I made a while back was a block on loading, before any process could be created, any library loaded, it had to be in the allow list, if it changed, it would scream at you. I wonder if I should dig that out and see if I can satisfy myself that I could make it work for administrator users with debug privileges.... would be quite useful, no?

    (Anyone who's interested in making lists of allowed software, or GUIs, email me; I just like the device driver parts of such projects, I've got the code lying about somewhere).
    throw new ArgumentException (String, String, Exception)
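
    An added illustration of the allow-list idea described in post #2 (not TheAnimus's code, and not part of the thread): a user-space sketch of the decision logic only, where a load is refused unless the file is on the list and its SHA-256 still matches the value recorded at approval. The names `build_allowlist` and `check_load` and the sample files are assumptions made for this example.

```python
import hashlib
import os
import tempfile

ALLOW, DENY_UNKNOWN, DENY_CHANGED = "allow", "deny-unknown", "deny-changed"


def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(paths):
    """Record the approved state: canonical path -> SHA-256 at approval time."""
    return {os.path.realpath(p): sha256_file(p) for p in paths}


def check_load(allowlist, path):
    """Default deny: anything not listed, or listed but modified, is refused."""
    real = os.path.realpath(path)  # resolve symlinks so an alias cannot dodge the list
    expected = allowlist.get(real)
    if expected is None:
        return DENY_UNKNOWN
    if sha256_file(real) != expected:
        return DENY_CHANGED  # the "scream at you" case: an approved file was altered
    return ALLOW


def demo():
    """Constructed sample files standing in for an executable and a library."""
    with tempfile.TemporaryDirectory() as d:
        app, lib, other = (os.path.join(d, n) for n in ("app.exe", "lib.dll", "new.exe"))
        for p, data in ((app, b"app v1"), (lib, b"lib v1"), (other, b"unlisted")):
            with open(p, "wb") as fh:
                fh.write(data)
        allowlist = build_allowlist([app, lib])
        with open(lib, "wb") as fh:  # simulate the library changing after approval
            fh.write(b"lib v1 (modified)")
        return [check_load(allowlist, p) for p in (app, lib, other)]


if __name__ == "__main__":
    print(demo())
```

    User-space code like this only shows the decision; an enforcement point has to hash the bytes that are actually loaded, or the file can be swapped between the check and its use.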

  3. #3
    Senior Member badass
    Quote Originally Posted by Moby-Dick
    http://www.ranum.com/security/comput...itorials/dumb/

    The Six Dumbest Ideas in Computer Security

    What a great read - it's not an OS-specific rant, but a set of ideas I found to be well presented and equally well thought out.

    I shall certainly be doing my best NOT to implement any of them
    Oddly enough the default deny approach is exactly the approach I shall be taking to lock down works computers and protect them from web based malware in general. I have warned the boss that it will take a *lot* of testing however.
    "In a perfect world... spammers would get caught, go to jail, and share a cell with many men who have enlarged their penises, taken Viagra and are looking for a new relationship."

  4. #4
    The late but legendary peterb - Onward and Upward peterb's Avatar
    Basic premise should be deny all except those services that MUST be enabled. And the second is defence in depth - don't rely on just one product/technique. Third is don't be complacent - make sure all your software has the latest patches, and review your security policy frequently to ensure it still meets your needs - and of course, follow it!

  5. #5
    Ex-MSFT Paul Adams's Avatar
    Interesting, but more aimed at corporate environments than home users I feel.
    A few personal observations of the "top 6" points raised:

    1. Can you imagine an OS with a "default deny" approach that a regular home user would try to use? I would guess that right now even with secure environments being possible, most users run with administrative privileges.
    This would definitely be appropriate for the workplace though - I have encouraged the practice of disabling USB ports & floppy drives and removing the ability for users to install software wherever possible (really annoys developers though!).

    2. "Enumerating Badness" is, as the author says, a specific case of "default permit", so I believe this has the same caveats as the above.

    3. "Penetrate and Patch" is often the only way to analyse legacy applications, but I fully agree with the concept that code being developed today should have security as part of the design process, not testing.
    Totally agree with the nonsense which is public disclosure of vulnerabilities and "proof of concept" code.

    4. I'm not sure the "hackers" are particularly concerned about whether it appears cool to the general public or not, as they often do it for a challenge to impress their peers (who naturally consider it "cool") or anonymously (possibly for gain).
    I don't share the optimism that reducing the public image of "hacking" would be that significant a deal.

    5. "Educating Users" - yes, yes and YES. Educate the users as to how to use their systems and the risk and significance of other issues is reduced. I would place this higher in the list of importance, however.
    Again, educating users in a corporate environment is much easier than expecting to achieve global awareness.

    6. "Action better than inaction" - I too have seen the wounds of people trying to use cutting edge technology (but then if no one adopted the technology it will never take off or mature, so it's a catch 22).


    The author seems to have some idea of what he is talking about, but I disagree with his prioritization of the points.
    In the real world, having a static environment with a nice sandbox of "good" applications that never even have version updates is a rarity.

    I would have rejigged his list to make a top 10, as some of the minor points are more common and merit public awareness, but it was a good read and nice to see the views of those with concepts of security.
    ~ I have CDO. It's like OCD except the letters are in alphabetical order, as they should be. ~
    PC: Win10 x64 | Asus Maximus VIII | Core i7-6700K | 16GB DDR3 | 2x250GB SSD | 500GB SSD | 2TB SATA-300 | GeForce GTX1080
    Camera: Canon 60D | Sigma 10-20/4.0-5.6 | Canon 100/2.8 | Tamron 18-270/3.5-6.3

  6. #6
    Ex-MSFT Paul Adams's Avatar
    And at the other end of the scale we have this kind of thing as reported by The Register.

    Seems to be a combination of cutting edge, lack of security in the design and a complete lack of awareness of security (both the people hosting the system and those using it).
    Think twice before using public computers (especially if you have a mistress it seems).

  7. #7
    The late but legendary peterb - Onward and Upward peterb's Avatar
    Which comes back to the top three security measures.. "User education, user education and user education"

  8. #8
    One skin, two skin......
    Quote Originally Posted by Paul Adams
    Interesting, but more aimed at corporate environments than home users I feel.
    A few personal observations of the "top 6" points raised:

    1. Can you imagine an OS with a "default deny" approach that a regular home user would try to use? I would guess that right now even with secure environments being possible, most users run with administrative privileges.
    I agree to an extent, but shouldn't the option be available to everyone, including home users, in order to allow them, if they so wish, to use 'default deny'? Just because there will be several users in the market who can't understand, let alone make use of, a 'default deny' system, it doesn't mean that the option shouldn't be available for those users who would wish to make use of such a system at home.

  9. #9
    Ex-MSFT Paul Adams's Avatar
    Quote Originally Posted by Big RICHARD
    I agree to an extent, but shouldn't the option be available to everyone, including home users, in order to allow them, if they so wish, to use 'default deny'? Just because there will be several users in the market who can't understand, let alone make use of, a 'default deny' system, it doesn't mean that the option shouldn't be available for those users who would wish to make use of such a system at home.
    It's a double-edged sword.

    Corporate environments can have test labs and processes to ensure the integrity of the builds and impact of applying any changes, one of the major benefits is provided by having more than one box to work with and it not being a big issue if it is broken and has to be flattened.

    When it comes to IT literacy for home users there is a vast range of knowledge levels from "it frightens me" to "I know everything" - the ones in the middle ground are the dangerous ones that might find such a feature and play with it, managing to lock themselves out of their own machine (and of course complain that "it just broke itself").
    The same kind of principle that has people following the instructions of a guy who says "these are the services you absolutely must disable, and delete these registry keys and modify these files"... without a clue of the real impact of what they are doing or any kind of regression plan.

    Ironically, the people that might like such a feature for a home system are possibly those that are aware of hardening processes and don't need it.

    Also, I am sure that many people when presented with an "application X is trying to apply a dooberry firkin to the wotsit" message will click the "OK, whatever, just stop hassling me" button as a knee-jerk reaction anyway (and there are a lot of people that actually complain when their personal firewall product does exactly this).

  10. #10
    One skin, two skin......
    Quote Originally Posted by Paul Adams
    It's a double-edged sword.

    Corporate environments can have test labs and processes to ensure the integrity of the builds and impact of applying any changes, one of the major benefits is provided by having more than one box to work with and it not being a big issue if it is broken and has to be flattened.

    When it comes to IT literacy for home users there is a vast range of knowledge levels from "it frightens me" to "I know everything" - the ones in the middle ground are the dangerous ones that might find such a feature and play with it, managing to lock themselves out of their own machine (and of course complain that "it just broke itself").
    The same kind of principle that has people following the instructions of a guy who says "these are the services you absolutely must disable, and delete these registry keys and modify these files"... without a clue of the real impact of what they are doing or any kind of regression plan.

    Ironically, the people that might like such a feature for a home system are possibly those that are aware of hardening processes and don't need it.

    Also, I am sure that many people when presented with an "application X is trying to apply a dooberry firkin to the wotsit" message will click the "OK, whatever, just stop hassling me" button as a knee-jerk reaction anyway (and there are a lot of people that actually complain when their personal firewall product does exactly this).
    True, but the option should still be there, otherwise we REALLY should stop home users from utilising 'start -> run -> regedit', by the same token!

  11. #11
    Gentoo Ricer
    I think more importantly Microsoft and application developers need to encourage users to stop using with administrative privileges, so when a user clicks "yea yea, whatever/OK", any kind of trash has much more of a problem getting on the system. In fact, half of the current 'home' programs I've installed and tried out on Windows this year required Administrative rights to run certain software properly, and I really couldn't be bothered having to 'run as' administrator for everything. It really is ridiculous that at a time where pure multi-user systems exist application developers are still going about writing single-user apps, games are especially criminal at this point for no reason at all other than lazy/sloppy work.

    regedit isn't much of a problem providing its use is restricted, thus the Default Deny policy should be applied to mainstream operating systems. Disabling services not essential to the system booting will mean the user will learn the consequences of enabling whatever service they're after in course of figuring out 'how' to install/enable it. This kind of approach is what makes OpenBSD so secure.
    Last edited by aidanjt; 23-09-2005 at 05:47 AM.
    Quote Originally Posted by Agent View Post
    ...every time Creative bring out a new card range their advertising makes it sound like they have discovered a way to insert a thousand Chuck Norris super dwarfs in your ears...
