Solid Block of Ise

A Kevlar-Burrito Full Of Meat

Response To “Biggest Online Threats”

Posted by isecore on December 9th, 2007

Thanks to my generous parents I fairly regularly receive gift-subscriptions to Time. Those subscriptions combined with my daily dosage of skeptically scanning the big media help keep me somewhat afloat as to the situation around the world.

Now, I personally feel that Time is one of the better rags out there. Admittedly I do feel they have a very slight bias to the more conservative end of the spectrum, but it’s a very slight one and I feel that overall the articles are fairly objective and of very high quality. The most refreshing thing about them is that they’re not very sensationalist, and rather tend to report on things as they unfold.

Nevertheless, I do occasionally find things about this publication that rub me the wrong way. Almost always these things are about technology, and I feel that Time is way too quick to accept the corporate view of technology as some kind of fact.

Last night I was perusing the latest issue and in the “briefing”-section there was a little blurb entitled “The Biggest Online Threats” where they briefly (and probably extremely compressed) reported what the SANS Institute recommended in order to avoid the majority of threats on the ‘net today. The SANS Institute is one of the oldest computer-security groups around, and I respect most of what they publish. Hence, I should point out that I think that the problem here is Time’s extreme over-simplification of complex subjects as well as their aforementioned tendency to go on the corporate line when they talk about things they don’t understand themselves.

But, here’s my response to these four “threats” listed in the blurb. I’ve copied them straight from the magazine in order for fair use, but they’re also available at Time’s website.

Vulnerable Websites
Sites can be “poisoned” if holes exist in the applications they host. SANS recommends using only apps written by experienced programmers.

I might be slightly paranoid about this one, but I got the distinct impression that by “experienced programmers” they mean “proprietary developers”. There’s an extreme bias against free/open source software in the corporate world, and this is of course cultivated by proprietary developers who stand to benefit from just such a prejudiced opinion. It would be wise to remember that the world of proprietary software is rife with uncertainties - you don’t know what the software does, and the developer doesn’t need to enlighten you as to its functions either. When you invest in proprietary software, you also invest in not knowing full well what the software does, and you have no possibility to extend or control such software. From a security standpoint Free/Open Source-software is vastly superior, since it’s constantly being improved upon and since security issues are constantly being fixed.

One should also keep in mind that the proprietary IIS (Internet Information Server) from Microsoft has a long history of being insecure, and every day I find hundreds of attempts to use exploits for that server. Of course, I’m running Apache (which is open-source, and has a long history of being very secure) and thus none of those exploits work. Security is also a state of mind just as much as it is a choice of software.

Of course, there doesn’t exist such a thing as a 100% secure application, and even the mighty Apache has had its share of holes. The turnaround-rate is however much faster in the world of Free/Open Source Software, and anyone in the world can download Apache’s source to peruse at their own leisure and make sure that it’s verifiable. This is impossible with proprietary software; you can only hope that issues get discovered quickly and patches are produced by the developer. Microsoft is known to have a policy of not releasing patches to security issues that aren’t actively being exploited in the wild. That’s reassuring, isn’t it?

Gullible Users
Computer users are sometimes too busy or ill educated to recognize spam e-mail that can drain away personal information. Security-awareness training is only the first step, but it’s a good start.

Now, this I mostly agree with. No chain is stronger than its weakest link, and as far as computer security goes it’s always the Average Joe that’s the biggest hole in the fence. I personally blame Microsoft for this - Microsoft exploded Windows upon the world, and while it’s good that computers became a commodity item thanks to that, I deeply dislike how Microsoft always handles security issues. See, Windows users aren’t security conscious. They’ve been conditioned to click every button they see and never read any warnings since those are “annoying”. This is why phishing is so popular - phishers know that 95% of Windows users will happily click anything that pops up. This is even worse in Vista, where you essentially have to click “Allow” regardless of what you’re doing.

Zombie Computers
Internet-connected computers that are hacked can be turned into “zombies,” which are used to launch further attacks. Tight firewalls and up-to-date antivirus programs will help keep you safe.

I find it very annoying how antivirus software and firewalls are constantly made out to be some kind of “magic bullet” when it comes to computer security. Surprisingly often the firewalls and antivirus programs that most users have are the ones that came with the computer, and those are glorified demo-versions that have long since expired. This gives a false sense of security, and users tend to think “I can click anything since this impenetrable shield of software will protect me”, and before you can say “botnet” they belong to just such a thing. This again shows that security is a difficult thing to arbitrarily construct, since the weakest point is still the user.

Add to this that operating systems designed with security in mind don’t really need either antivirus or firewalling software. I’m running Ubuntu and I have neither. I don’t need either, since Ubuntu is a Linux-distribution, and Linux has its roots in good old UNIX, a system designed from the bottom up for security. And if you’re going to hit me with the “security through obscurity”-argument, feel free to shut up. Windows is inherently insecure, and needs to be reinforced with third-party additions. Pretty much any Linux-distribution as well as MacOS X (which has its roots in BSD, a variation of UNIX) will be vastly more secure out of the box than anything Windows can produce, while at the same time not hindering the user in his/her daily routine.

Unprotected Chatting
Instant-messaging applications and peer-to-peer file-sharing programs can leave a system open to compromise. SANS suggests using “tightly secured versions” or even prohibiting them entirely.

Fairly surprisingly, it seems that Time/SANS and I agree on this point. If I was the sysadmin for a corporation or school I would completely ban IM-applications. P2P applications would also be blocked of course. This is simply since both of these types of applications open up a wide range of attack-vectors as well as invite abuse of systems. That’s not to say that people should start running through the streets screaming, it’s simply that neither of these types of applications belong in a workplace or school. Admittedly though, IM is very handy for people communicating over projects rather than doing endless conferences or running around the office - and if such a situation was required then the ban would be lifted.

To round things off, I again repeat something that I was told many years ago: the only truly secure computer is one that’s turned off, unplugged and locked inside a vault deep below the surface of the earth guarded by vicious dogs and armed guards - and even then I wouldn’t be completely sure about it.

License

This work is published under a Creative Commons Attribution-NoDerivs 2.5 Sweden License.
