Kevin Schofield's Weblog
Musings on life, kids, work, the Internet, Microsoft, politics, orcas, etc.

 






 

 

  Monday, September 12, 2005


I also picked up from Slashdot yesterday a pointer to this opinion piece on computer security. OK, it's more like a rant, and it's a rant that I don't entirely agree with. The author is naming his six pet peeves about the way that people implement computer security.

Let's take this point by point.

1. Default Permit. This is absolutely spot-on. This has its roots in academic UNIX, and has held on for far too long to everyone's detriment. It wasn't a big deal until the mid-90's when the Internet boomed and all the machines got linked up together. Then everything went kablooey.

2. Enumerating badness. This is an interesting point, but I think the point is much more general about software engineering. Good designers think about simplicity -- whether it's a user interface, or in the case that the author brings up, things that might connect to a computer. Focusing on the design with the smallest number of cases, and thinking to the future about how many cases there might be then, is critical. But the case he gives isn't as much "enumerating badness" as "enumerating attackers." Badness can take lots of forms. In one sense, it's "enumerating vulnerabilities" vs. "enumerating exploiters" and while there's an upper bound on vulnerabilities, there's no upper bound on exploiters -- thus a signature-based approach to detecting exploiters is less than optimal.

3. Penetrate and Patch. OK, I was thinking about making this point on #2, but I'll make it here. There is nothing inherently wrong with Penetrate and Patch. What's wrong is if this is your only method for eliminating vulnerabilities. The author is falling prey to what I call "The Tyranny of the One Thing." My grandmother referred to it as "putting all your eggs in one basket." Anyone who relies on just one thing for their security is doomed to failure. Smart people take advantage of every practical method they can to enhance their security, and in fact aim for a diversity of methods. Microsoft uses Penetrate and Patch techniques; they also build world-class source-code analysis tools, they do threat models, and they do extensive code reviews. They do other things too.

4. Hacking is Cool. Agree in part and disagree in part. I agree that lionizing hackers is counter-productive. I disagree on whether professional developers should study hacking techniques. If it helps one to get insights on how to design hack-proof systems, it can only be a good thing. I think the author is confusing concepts with specific vulnerabilities.

5. Educating Users. See "Tyranny of the One Thing" above. We should absolutely educate users. In fact, the author contradicts himself: that next generation of users who come in with a healthy skepticism about phishing, etc. will have it because they were educated about it. But the bad guys will continue to adjust too. We need many weapons, and education is absolutely one of them.

6. Action is Better than Inaction. What he's really saying is that security-conscious people are naturally in the Early Majority (in Moore's terms) -- they are not early adopters; they let others work out the bugs. Sometimes there's a good business reason to be an early adopter -- like crushing competition guaranteed to put you out of business unless you take a business risk and find a sustainable advantage. But it is a risk, including security risk, that must be calculated and managed. I do like his comment that "it's easier not to do something dumb than it is to do something smart."

As for his "minor dumbs" most of them are once again applications of the Tyranny of the One Thing. Never pass up a chance to do something to enhance your security, particularly if it increases the diversity of your efforts -- the only caveat being that you need to manage the complexity down, otherwise you will not be able to administer your own system. It's a hard tradeoff to make well.

"Let's go production with it now and secure it later" -- this is probably the biggest dumb thing on his entire list. This one drives me crazy.

And finally: "we can't stop the occasional problem." The author says "Yes you can."

No, you can't. All software has bugs. You can work very, very hard to reduce the bugs, to stay patched, to configure correctly, etc. etc. and you will STILL have problems with bugs, with DDOS attacks, with a rogue employee, and myriad other problems. But part of having a good and thorough security system is having the procedures in place to mitigate and recover from those situations as well.

Security is hard, and it requires you to be smart -- especially if you intend to live on the bleeding edge. Redundancy and diversity are your friends. Overreaction isn't.


9:47:03 PM

Last weekend I finished reading God Bless You, Mr. Rosewater by Kurt Vonnegut.

Eliot Rosewater is the heir to a large fortune -- or to be more specific, a large Foundation. He can't touch the capital, but he can do whatever he wants with the earnings. That is his life, and it makes him... well, a little nuts. Which in turn makes a rabid corporate attorney see an opportunity to get him declared insane and grab control of the Foundation.

Eliot has other ideas, much to the concern of his wife and his rich, ultraconservative father the Senator.

This book is classic Vonnegut. It's parody without resorting to silliness. It's sharp social commentary on the ills of the United States that rings as true now as it did in 1963 when he wrote it. It's definitely worth reading.


8:57:21 PM

An artist named Marc Broussard gets a lot of play on the radio station I listen to here in Seattle. Actually, they only play one song of his, entitled "Home" (ironically, it's about New Orleans).

Last weekend I picked up his CD, Carencro. I can't stop listening to it. It's amazing. This guy is going to be the Bob Seger of his generation. But it makes me wonder why they never play any of the other songs on the radio...


8:49:25 PM

Here's an interesting article (got Slashdotted yesterday) asking the question "What classes should be in a Computer Science curriculum?" with much commentary about classes that seem useless for a programming job (i.e. Bayesian Networks).

So here's the deal: there are "research universities" and "teaching universities" (throw community colleges and voc-tech schools in with teaching universities, for the purposes of this argument). Teaching universities teach you to be a mainstream programmer, such as would work in an IT department. Research universities don't do that: they teach you to be a grad student. Because that's in their own best interest: they want their undergraduates to go on to become grad students.

Now, it turns out that the skills that would make you a good graduate student, also make you an excellent developer at a technology company that is on the bleeding edge of innovation. For one, you need to be able to deal with incorporating new technologies all of the time. Second, you need to be able to solve problems that no one has ever solved before. Now that doesn't imply that someone who goes to a community college can't do that, or wouldn't ever be required to do so, but let's face it: 99% of the software created in this world is a duplicate of something that someone else already built.

The moral: all computer science degrees are not alike. And you should find one that matches what you want to do with it.


8:43:41 PM


© Copyright 2005 Kevin Schofield.
Last update: 10/4/2005; 3:19:19 PM.
