blarg?

Must Be Nice

Marcus Ranum, inventor of the proxy firewall and author of a short paper on network security called “Low-Carb Security” which is near to my heart, has recently written a document called “The Six Dumbest Ideas In Computer Security”. They are:

  1. Default Permit

  2. Enumerating Badness
  3. Penetrate And Patch
  4. Hacking Is Cool
  5. Educating Users, and
  6. Action Is Better Than Inaction

I would like to work where Marcus Ranum works, where technology is designed with security in mind and chosen purely on technical merit, and your employer never insists on being able to install whatever they like, whenever they like, because it’s their computer.

I note, under these conditions, that when you are trying to delicately explain to your boss’s boss why you don’t think they should be permitted to install Gator or Bonzi Buddy or god knows what else then you are not only educating a user, but really really hoping that it takes.

I also note that all the designing-for-security in the world doesn’t absolve you from testing. It might, though, affect that “time to market” metric which I have on good authority is important. And I’ve got to say, even though you’ve basically chosen to strap a bomb to your chest, choosing default-permit does get a whole lot of niggling short-term problems off your desk, and if it’s All About The Short Term where you’re working, that’s not a flaw that good security can fix.

Marcus writes:

“When I was CEO of a small computer security start-up we didn’t have a Windows system administrator. All of the employees who wanted to run Windows had to know how to install it and manage it themselves, or they didn’t get hired in the first place.”

and all I can think to say is “it must be nice.” It must be nice to never have to send or read a .doc file. It must be nice to be able to find secretarial staff, at secretarial-staff salaries, who know how to lock down Windows boxes. It must be nice to have staff who all know not to execute the passworded, zipped file that makes it past your mail filters. It must be super-nice to not have any naively-written legacy code lying around, that can’t be removed or replaced without time or cost that you can’t, at this moment, afford.

It’s nice to be one of those people who know how the technology works, how to secure it, what’s good tech and what’s bad tech and so on. But you know what? The people in that category aren’t just outnumbered by people who don’t understand the tech; they’re outnumbered by the people who think they understand it, and don’t.

And just because the People Who Know are so badly outnumbered, you often find that those other people got to whereever you are first, and the reason that you got hired is because now it’s go time, and your employer needs things that go. Which means, at least in my experience, that you’re going have to take action, and graft a bunch of ugly, hackish crap overtop of their existing systems to Make Them Work Now, because that’s what they’re paying you to do.

On the second day of one of my first admin jobs, the terminal server went crazy and started refusing connections at a time when my new boss and co-workers were nowhere to be found. The business I was working for was basically dead in the water until this problem got fixed, and I didn’t even know where the server room was. Once I’d found the room and, lacking passwords and keeping my fingers crossed, hard-reset the offending box, the problem was temporarily solved. Some difficult phone calls some log-chart watching and tooth-gnashing later, I figured out that that the server was holding onto dead sessions, and our users were chewing through our 50-user-max licenses every morning when they restarted their thin clients.

So what do I do at that point? If I knew enough, and had enough time, and NT Terminal Server was open source, I could fix the code. Or, if I had more say in the purchasing decisions and the company wasn’t just barely in the red, I could advocate a switch to something else. And, if I had a pony, I could ride to work on it! But I don’t have any of those things, so the answer is: deal. So once I got an admin password to the offending server, I scheduled a reboot every morning at 3:00 A.M. Pretty, no! But that problem never came back, and I’m told that business’ terminal servers still works like that today long after I’ve moved on.

If you’re in my line of work, the reason you’re in it is probably because making things work is cool. I think Ranum is right, insofar as yes, the world should indeed be like that. That’s entirely correct, and doesn’t change the sad fact that the world is not like that at all, and the number of times you will get to start projects with a blank slate, an arbitrary budget and exclusively brilliant colleagues is vanishingly small. For most of us, never.

5 Comments | Skip to comment form

  1. Mike Kozlowski

    I find that a great way to be incredibly annoying is to strongly advocate things that are a) essentially correct, but b) horrifically impractical.

  2. Mike Hoye

    Preach it, brother. Without a way to get from here, this muddy, complicated mess we’re all swimming in, to there, this set of near-ideal conditions, you do not have a “plan”. You have a “dream”.

  3. Melanie

    And then there are the people like my husband who works for a company (name witheld) on a form of “security” that he objects to philosophically, because it pays the mortgage and for other nice things. That’s the other end of your problem, Mike.

  4. Anonymous

    “A better idea might be to simply quarantine all attachments as they come into the enterprise, delete all the executables outright, and store the few file types you decide are acceptable on a staging server where users can log in with an SSL-enabled browser (requiring a password will quash a lot of worm propagation mechanisms right away) and pull them down.” Sounds great to me — a security policy like this means I can’t do any work. I CANNOT ask sysadmin permission to run something new, or install something new on my PC. They aren’t there at 10pm when I really need it.

  5. Guillaume

    I remember reading that article a week ago or so. I pretty much came to the same conclusion. Sure, it would be great if things worked like that, however reality is quite different. I like the part about not educating users, it brings about a sort of “stupid loop”. If you don’t educate users, then they won’t ever have the skills to replace you when you leave that job, then they won’t teach anything to others and so on. I can see where he’s coming from though, I taught my parents to use the Digital Cable and VCR together, but whenever something goes wrong, they press the buttons they think will fix it essentially making things worse. If I hadn’t taught them to use it, they wouldn’t try and fix things themselves, however I’d have to go set up new recordings constantly.