Security?!

2006-05-17 02:05 am
[personal profile] mdlbear
Security Absurdity.com > Security Absurdity; The Complete, Unquestionable, And Total Failure of Information Security.

They say if you drop a frog in a pot of boiling water, it will, of course, frantically try to scramble out. But if you place it gently in a pot of tepid water and turn the heat on low, it will float there quite complacently. As you turn up the heat, the frog will sink into a tranquil stupor and before long, with a smile on its face, it will unresistingly allow itself to be boiled to death. The security industry is much like that frog; completely and uncontrollably in disarray - yet we tolerate it since we are used to it.

It is time to admit what many security professionals already know: We, as security professionals, are drastically failing ourselves, our community and the people we are meant to protect. Too many of our security layers of defense are broken. Security professionals are enjoying a surge in business and growing salaries and that is why we tolerate the dismal situation we are facing. Yet it is our mandate, first and foremost, to protect.

(from [livejournal.com profile] spaf_cerias)

This article falls a little short of the mark, I think. You can avoid almost all security problems by following three simple rules: 1. Don't run Windows. 2. Don't read email in HTML, or any other format than plain text. 3. Don't trust any medium that can be easily tapped, which includes wireless and the Internet.

Much of what's called the "security industry" these days consists of people and companies making money off the fact that people don't follow these rules, rather than fixing the problem. At this point, merely educating the public will probably not be sufficient.

Date: 2006-05-18 04:01 pm (UTC)
From: [identity profile] technoshaman.livejournal.com
I wouldn't mind if they did what Linksys has taken to doing... there's a WRT54G v.4, which runs VxWorks, and there's a WRT54GL, which costs like $10 more and runs Linux. (Basically the wireless community beat on their doors until they said, "OK, OK, please don't destroy our doors, the building managers will kill us, here's your penguins!") As long as they continued that line, those of us who wanted to mess with things could, and those who wanted point and drool could as well. I do not mind paying a nominal fee for that. Freedom ain't free, I don't expect it to be, and I'm willing to vote with my wallet. And the fact that the mutiny worked once means it will be that much easier to keep it going.

As far as unreliability... I think Steve Jobs is poised to take over the world here by usurping Microsoft and allowing Windows apps to run native on OS X. When that happens, folks will unlearn PDQ... (we hope)

Gripping hand, I hear tell the Intel source to OS X has just gone proprietary. I hope this doesn't bode ill for future versions' security...

Date: 2006-05-19 05:46 am (UTC)
From: [identity profile] technoshaman.livejournal.com
Saw that. Think Apple's being a dumbshit.
