I have often thought about the mindset required to be good at the security game. I hang out with Duane Laflotte alot and he has the whole hacker mindset which lends itself nicely to security even when you aren’t trolling on the dark side.
But it was an article that got picked up on Slashdot today about Bruce Schneier’s thoughts on this subject that revived the thread for me.
I have what I think is an interesting twist on this perspective in that I believe that the only way to teach what Bruce is holding out as unteachable is what I believe taught me to think this way. When I grew up I didn’t think the way Bruce Schneier thinks. But I do now. The reason I believe is the military. When the Army trains infantry leaders it teaches them how to defend while looking always for ways to attack. The mild mannered programmer is taught to build, but if part of that training put in their mind that to be successful they had to tear down the abilities and infrastructure of the hackers then we might get a different result.
There is nothing to make you think like a hacker than to stand on a hill and realize that you are defending it at dawn and if you fail you and all your soldiers die. It also makes you want to get that unfair advantage and lay traps for the enemy. During a major training exercise in Germany I put soldiers in foxholes with signal mirrors and had them flash the enemy armor to draw fire while our vehicles flanked and destroyed them.
So I think if you want to be a hacker and you don’t think like one I think the Army recruiter would be happy to help get you trained…

Most companies pay lip service to security, but the emphasis is just not there.  There is bluster and maybe even a few conversions soon after an embarrassing security breach, but all too often a scapegoat is found, fired and then it is back to business as usual.

The missing element is real financial cost.  Looks like Massachusetts and hopefully the feds will change that with new laws that make companies that get hacked pay for the cleanup. 

I really like this kind of accountability.  While I don’t think it will be a panacea solving all our problems it will put those to blame for these problems clearly on the hook for paying to clean them up.

Hopefully other states and Congress follow the lead of Massachusetts.

ZDNet recently had an article about new attacks that allow systems to be exposed to the worst kind of attacks just by visiting a web page with a bit of Javascript.  The root of the problem is actually not changing the default passwords on those ubiquitous home routers from linksys and netgear (among others).  As Duane Laflotte and I work on our book (I know it is about 2 years overdue), we are struck by the fact that there really aren’t many new kinds of attacks, just more ways to exploit the same old stupid mistakes people seem intent on ignoring forever.

If you bought a combination based high security lock system for a new car would you change the default code?  What if the code was 0000?  Would that be enough for you to realize that anyone who ever took a test drive or just made an effort to think about it could guess your code?  Read the article and just think about how ridiculous this would be in any other arena other than computers.  If we could just get people thinking about this stuff I think we would go a long way to reducing the security problems we see.  The Spam storm that is clogging the Internet lately and other incidents might be much less common if this one little change could occur…

Forbes.com has a story about the use of typing patterns to identify whether a user is the actual user or a hacker.

I like the idea, though I fear it won’t catch on.  Defense in depth, adding an edge is important, but the key element from this article comes at the very end where they say that if they suspect the user is not legit they will ask additional questions.  This is the key to preventing (for the most part) denials of service to valid customers while still having a chance to catch the bad guys.

Time magazine’s cover story is about how people are scared of very, very unlikely things such as bird flu which hasn’t killed anyone in the US while the regular flu kills tens of thousands each year.

Security is the same way.  I often see organizations worrying about “Carlos the mad hacker” when their own IT staff might be the real threat.

I have commented before on this issue and a recent blog post forwarded to me has dredged up the topic again.

If you want to get rid of a drive after retiring a server or getting indicted then most of the things you can think to do to that drive will not remove the data.  You can rewrite the drive over and over, you can shatter the platters with a hammer and as we see in the link above you can even roast the drive and it is still possible to get at some of the data if not all of it.

For my money the only way to go is acid bath. If you don’t remove the surfaces of the platters then someone will figure out how to get the data.

Sometimes the Fear, Uncertainty and Doubt (FUD) argument is very well disguised.  In an article the Chief Scientist at McAfee is decrying some of the new features that MS is putting into Vista to try and stop virus infection and the spread of spyware.  This is terribly self serving as in my opinion his argument is that you can’t sell people better doors for their house because then they not only won’t need my security system, but the doors will keep the police out when a criminal arrives.

Everyone is entitled to their opinion and the comments under the article show that alot of people who read this opinion, share mine.