Discussion between Bruce Schneier and Marcus Ranum

loughtog

New Member
I read the whole article here: http://www.schneier.com/blog/archives/2007/12/security_in_ten.html. What interested me the most was this part:

What's shocking and disappointing to me is that our responses to those problems also remain the same, in spite of the obvious fact that they aren't effective. It's 2007 and we haven't seemed to accept that:

  • You can't turn shovelware into reliable software by patching it a whole lot.
  • You shouldn't mix production systems with non-production systems.
  • You actually have to know what's going on in your networks.
  • If you run your computers with an open execution runtime model you'll always get viruses, spyware and Trojan horses.
  • You can pass laws about locking barn doors after horses have left, but it won't put the horses back in the barn.
  • Security has to be designed in, as part of a system plan for reliability, rather than bolted on afterward.
The list could go on for several pages, but it would be too depressing. It would be "Marcus' list of obvious stuff that everybody knows but nobody accepts."
I'm not too computer-savvy, so I looked up a lot of the terms in the list. I found some of them, but I was wondering if anyone could shed some more light on the last 4 items on the list.

I highly recommend reading the article. Very interesting.
 
You need to know what goes on around the network; if you don't keep track of it all, something could be introduced that causes a problem such as a crash. The third to last I have no idea about. The second to last is about prevention of problems, so you can sort out holes before they cause a problem, and the last one says security needs to be thought about when designing the network, not something that you think about after everything else is done.
 
I think you mean Java and ActiveX, but I understood what you meant. I have to agree with a lot of what he says in his blog, and a lot of it is common sense. If you are going to deploy thousands of desktops in your network, it is best practice to use business class models, and typically all the same model. Don't mix or match; keep it simple. It drives me to near insanity when IT people overcomplicate things. Keeping it simple is really the best method.

Security comes in layers. You have your hardware level firewalls, your high end routers running NAT, gateway servers and proxy servers communicating to systems between subnets. Next comes software, your anti-virus and the other security suites that go with it, software level firewalls, and it goes on. You have network and group policies in place so that users can't do harm to systems, and to protect the most important thing on the computers, which is the data.

I am on the fence about some of his other thoughts; I don't really agree or disagree. I do however agree that there are a plethora of IT people that are getting more lazy and sloppy as time goes on. I mean Microsoft obviously has the means (the capital) to hire some of the best software coders in the world, yet they can't even make a secure OS. They can't realize that simply requiring admin authentication to install software would kill half of those script kiddy exploits that are out in the wild on the world wide web.

I am not going to go off on a diatribe about everything I hate about OSes and security, because that will just start a large debate where the uneducated will come out of the woodwork and make claims they can't back up, which is another huge problem with computer security. I think a lot of times people get the concept that if they can maintain a couple of computers at home they can do the same thing securely over a large network. Try maintaining 1,000 clients, 500, or heck 200 client machines on a network. The 50th time you clear spyware off a computer in one day will make you go out and beg for the management to OK a purchase of Deep Freeze for the network.

Here go some good starting points to learn how to secure an OS.

http://www.nsa.gov/snac/

http://www.nsa.gov/snac/downloads_macX.cfm

However, I have to disagree about using encrypted home directories or file systems on user computers, or heck even servers. If you get a crash, and your file system is encrypted, good luck getting that data back. If you have a hiccup in your file system, good luck getting your encrypted data back. Encryption is best used when sending data over a network IMO.

Oh and I almost forgot, no OS or network is safe from social networking, or the human factor. This is something no one trains anyone on. I always share things between my co-workers in my department but I make it clear when I share access to something, that no one outside our department is allowed access. You can't have tons of people configuring the same things, it just causes confusion and chaos, and the inevitable over complication of a configuration.

*EDIT*

Here is a better link to the NSA security docs:

http://www.nsa.gov/snac/downloads_all.cfm?MenuID=scg10.3.1
 