I have often thought about the mindset required to be good at the security game. I hang out with Duane Laflotte a lot and he has the whole hacker mindset which lends itself nicely to security even when you aren’t trolling on the dark side.
But it was an article that got picked up on Slashdot today about Bruce Schneier’s thoughts on this subject that revived the thread for me.
I have what I think is an interesting twist on this perspective in that I believe that the only way to teach what Bruce is holding out as unteachable is what I believe taught me to think this way. When I grew up I didn’t think the way Bruce Schneier thinks. But I do now. The reason I believe is the military. When the Army trains infantry leaders it teaches them how to defend while looking always for ways to attack. The mild mannered programmer is taught to build, but if part of that training put in their mind that to be successful they had to tear down the abilities and infrastructure of the hackers then we might get a different result.
There is nothing to make you think more like a hacker than to stand on a hill and realize that you are defending it at dawn and if you fail you and all your soldiers die. It also makes you want to get that unfair advantage and lay traps for the enemy. During a major training exercise in Germany I put soldiers in foxholes with signal mirrors and had them flash the enemy armor to draw fire while our vehicles flanked and destroyed them.
So I think if you want to be a hacker and you don’t think like one I think the Army recruiter would be happy to help get you trained…
Most companies pay lip service to security, but the emphasis is just not there. There is bluster and maybe even a few conversions soon after an embarrassing security breach, but all too often a scapegoat is found, fired and then it is back to business as usual.
The missing element is real financial cost. Looks like Massachusetts and hopefully the feds will change that with new laws that make companies that get hacked pay for the cleanup.
I really like this kind of accountability. While I don’t think it will be a panacea solving all our problems it will put those to blame for these problems clearly on the hook for paying to clean them up.
Hopefully other states and Congress follow the lead of Massachusetts.
If you bought a combination-based high security lock system for a new car would you change the default code? What if the code was 0000? Would that be enough for you to realize that anyone who ever took a test drive or just made an effort to think about it could guess your code? Read the article and just think about how ridiculous this would be in any arena other than computers. If we could just get people thinking about this stuff I think we would go a long way to reducing the security problems we see. The spam storm that is clogging the Internet lately and other incidents might be much less common if this one little change could occur…
Forbes.com has a story about the use of typing patterns to identify whether a user is the actual user or a hacker.
I like the idea, though I fear it won’t catch on. Defense in depth, adding another edge, is important, but the key element from this article comes at the very end where they say that if they suspect the user is not legit they will ask additional questions. This is the key to preventing (for the most part) denials of service to valid customers while still having a chance to catch the bad guys.
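As an added illustration of the step-up idea in that article (example code, not anything from Forbes or a vendor product): a typing-rhythm profile is scored against a login attempt, and a poor match escalates to extra questions instead of a hard deny. The enrolled timings and thresholds below are constructed and assumed.

```python
"""Keystroke-dynamics scoring with step-up authentication (added example).

Assumes an enrolled profile of 'flight times' (milliseconds between
adjacent keys) for the user's secret; all sample values are constructed.
"""
from statistics import mean, stdev

# Constructed enrollment data: several observed flight times per key pair.
ENROLLED_SAMPLES = {
    ("p", "a"): [120, 130, 125, 118, 127],
    ("a", "s"): [95, 100, 98, 102, 96],
    ("s", "s"): [140, 150, 145, 138, 147],
}


def build_profile(samples):
    """Mean and std-dev per key pair. The std-dev is floored at 5 ms so a
    very consistent typist is not rejected for tiny natural variation."""
    return {pair: (mean(v), max(stdev(v), 5.0)) for pair, v in samples.items()}


def anomaly_score(profile, attempt):
    """Average absolute z-score of the attempt against the profile.
    A key pair the attempt never produced counts as highly suspicious."""
    scores = []
    for pair, (mu, sigma) in profile.items():
        if pair not in attempt:
            scores.append(4.0)  # assumed penalty for a missing pair
        else:
            scores.append(abs(attempt[pair] - mu) / sigma)
    return sum(scores) / len(scores)


def decide(profile, attempt, step_up_threshold=2.0):
    """Return 'allow' or 'step_up'.

    Rhythm alone never hard-denies: a bad match triggers additional
    questions, so a legitimate user on an unfamiliar keyboard is not
    locked out, while a stolen password still meets a second hurdle.
    """
    if anomaly_score(profile, attempt) < step_up_threshold:
        return "allow"
    return "step_up"


if __name__ == "__main__":
    prof = build_profile(ENROLLED_SAMPLES)
    print(decide(prof, {("p", "a"): 122, ("a", "s"): 99, ("s", "s"): 146}))
    print(decide(prof, {("p", "a"): 200, ("a", "s"): 60, ("s", "s"): 90}))
```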
My good friend, Eileen Rumwell, has started blogging. Her blog is something I plan to keep watching especially since in the short time it has been up she has already thrown out some great insights. The really cool thing is that having come from a marketing background, Eileen has been thrust among developers for quite a few years now. Working at Microsoft she has great insight and maybe more importantly she also has insight into how we developers outside MS work and think about our role.
Eileen’s latest post starts off talking about her dogs and quickly points out that developers seem to think that security is not their problem. I have seen this attitude quite a bit, but typically I get to beat it out of those who exhibit it to me since I am often cleaning up after a problem or onsite to beat it out of them.
Ignorance and apathy are both alive and well in the development community. It isn’t the people who are motivated and willing to drag themselves to the user group meetings that are the problem; it is those that are likely too lazy to even read a blog about their chosen profession, let alone one about something tangential to it. If we hold our breath long enough the world will evolve and security will be baked into everything that matters, but that is still a long way off if a majority of those building the future think that this whole security thing is a fad. Let’s vote them off the island.
Time magazine’s cover story is about how people are scared of very, very unlikely things such as bird flu which hasn’t killed anyone in the US while the regular flu kills tens of thousands each year.
Security is the same way. I often see organizations worrying about “Carlos the mad hacker” when their own IT staff might be the real threat.
Microsoft has just released their new Anti-XSS library which helps developers do the right thing more often without as much effort as before.
If you are interested in this (and trust me, you are) your first stop is to go to the tutorial and see how it is done. As you will see it isn’t stupid simple, but an improvement.
Once you get comfortable then go to the official page and download the library and make it part of all your web projects.
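To show the kind of thing the library does, here is an added Python example (not the Anti-XSS library’s own code, which is .NET) of allow-list output encoding: rather than escaping a short deny-list of dangerous characters, every character not on a known-safe list is encoded for the context it lands in. The allow-lists below are my own assumptions for illustration.

```python
"""Allow-list output encoding by context (added example in Python).

The deny-list encoder at the bottom is the conventional approach kept for
contrast; the allow-list sets are assumed, not taken from any library.
"""
import html

_ALNUM = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
SAFE_HTML_TEXT = _ALNUM | set(" .,-_")   # text nodes: a space is harmless
SAFE_HTML_ATTR = _ALNUM | set(".,-_")    # attributes: a space ends an unquoted value


def _numeric_refs(text, safe):
    """Everything outside the allow-list becomes a numeric character reference."""
    return "".join(ch if ch in safe else f"&#{ord(ch)};" for ch in text)


def html_text_encode(text):
    """Safe for an HTML text node."""
    return _numeric_refs(text, SAFE_HTML_TEXT)


def html_attribute_encode(text):
    """Safe inside an attribute value, quoted or not."""
    return _numeric_refs(text, SAFE_HTML_ATTR)


def js_string_encode(text):
    """Safe inside a JavaScript string literal: quotes, backslashes, line
    terminators and angle brackets all become \\xHH or \\uHHHH escapes."""
    out = []
    for ch in text:
        if ch in _ALNUM or ch in " .,-_":
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(f"\\u{ord(ch):04x}")
    return "".join(out)


def denylist_html_encode(text):
    """Classic deny-list encoding: only & < > \" ' are touched, so a value
    like 'red width=400' passes through and, in an unquoted attribute,
    would add a second attribute. The allow-list encoder closes that gap."""
    return html.escape(text, quote=True)
```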
Chad Hower is a smart guy and I came across his post on protecting the software you write from pirates right at a time that we were revisiting the question ourselves.
On the whole I agree with Chad: while he comes off as against anti-piracy in the beginning of the post, in the end you realize that he is just advocating for a measured response. I couldn’t agree more.
This is very much the whole “In order to save the village we had to destroy it” lesson, where you get very diminishing returns if you go too far off the deep end in trying to make your code pirate proof.
I have commented before on this issue and a recent blog post forwarded to me has dredged up the topic again.
If you want to get rid of a drive after retiring a server or getting indicted then most of the things you can think to do to that drive will not remove the data. You can rewrite the drive over and over, you can shatter the platters with a hammer and as we see in the link above you can even roast the drive and it is still possible to get at some of the data if not all of it.
For my money the only way to go is acid bath. If you don’t remove the surfaces of the platters then someone will figure out how to get the data.
Sometimes the Fear, Uncertainty and Doubt (FUD) argument is very well disguised. In an article the Chief Scientist at McAfee is decrying some of the new features that MS is putting into Vista to try and stop virus infection and the spread of spyware. This is terribly self-serving, as in my opinion his argument is that you can’t sell people better doors for their house because then they not only won’t need my security system, but the doors will keep the police out when a criminal arrives.
Everyone is entitled to their opinion and the comments under the article show that a lot of people who read this opinion share mine.