Marcus Ranum, inventor of the proxy firewall and author of a short paper on network security called “Low-Carb Security” which is near to my heart, has recently written a document called “The Six Dumbest Ideas In Computer Security”. They are:
- Default Permit
- Enumerating Badness
- Penetrate And Patch
- Hacking Is Cool
- Educating Users, and
- Action Is Better Than Inaction
I would like to work where Marcus Ranum works, where technology is designed with security in mind and chosen purely on technical merit, and your employer never insists on being able to install whatever they like, whenever they like, because it’s their computer.
I note, under these conditions, that when you are trying to delicately explain to your boss’s boss why you don’t think they should be permitted to install Gator or Bonzi Buddy or god knows what else, you are not only educating a user but really, really hoping that it takes.
I also note that all the designing-for-security in the world doesn’t absolve you from testing. It might, though, affect that “time to market” metric which I have on good authority is important. And I’ve got to say, even though you’ve basically chosen to strap a bomb to your chest, choosing default-permit does get a whole lot of niggling short-term problems off your desk, and if it’s All About The Short Term where you’re working, that’s not a flaw that good security can fix.
“When I was CEO of a small computer security start-up we didn’t have a Windows system administrator. All of the employees who wanted to run Windows had to know how to install it and manage it themselves, or they didn’t get hired in the first place.”
and all I can think to say is “it must be nice.” It must be nice to never have to send or read a .doc file. It must be nice to be able to find secretarial staff, at secretarial-staff salaries, who know how to lock down Windows boxes. It must be nice to have staff who all know not to execute the passworded, zipped file that makes it past your mail filters. It must be super-nice to not have any naively-written legacy code lying around, that can’t be removed or replaced without time or cost that you can’t, at this moment, afford.
It’s nice to be one of those people who know how the technology works, how to secure it, what’s good tech and what’s bad tech and so on. But you know what? The people in that category aren’t just outnumbered by people who don’t understand the tech; they’re outnumbered by the people who think they understand it, and don’t.
And just because the People Who Know are so badly outnumbered, you often find that those other people got to wherever you are first, and the reason that you got hired is because now it’s go time, and your employer needs things that go. Which means, at least in my experience, that you’re going to have to take action, and graft a bunch of ugly, hackish crap overtop of their existing systems to Make Them Work Now, because that’s what they’re paying you to do.
On the second day of one of my first admin jobs, the terminal server went crazy and started refusing connections at a time when my new boss and co-workers were nowhere to be found. The business I was working for was basically dead in the water until this problem got fixed, and I didn’t even know where the server room was. Once I’d found the room and, lacking passwords and keeping my fingers crossed, hard-reset the offending box, the problem was temporarily solved. Some difficult phone calls, some log-chart watching and some tooth-gnashing later, I figured out that the server was holding onto dead sessions, and our users were chewing through our 50-user-max licenses every morning when they restarted their thin clients.
So what do I do at that point? If I knew enough, and had enough time, and NT Terminal Server was open source, I could fix the code. Or, if I had more say in the purchasing decisions and the company wasn’t just barely in the red, I could advocate a switch to something else. And, if I had a pony, I could ride to work on it! But I don’t have any of those things, so the answer is: deal. So once I got an admin password to the offending server, I scheduled a reboot every morning at 3:00 A.M. Pretty, no! But that problem never came back, and I’m told that business’s terminal server still works like that today, long after I’ve moved on.
If you’re in my line of work, the reason you’re in it is probably because making things work is cool. I think Ranum is right, insofar as yes, the world should indeed be like that. That’s entirely correct, and doesn’t change the sad fact that the world is not like that at all, and the number of times you will get to start projects with a blank slate, an arbitrary budget and exclusively brilliant colleagues is vanishingly small. For most of us, never.