

Internet Security is a Failure - pquerna
http://journal.paul.querna.org/articles/2010/04/11/internet-security-is-a-failure/

======
AngryParsley
I agree with pretty much everything you said. Current OSes, protocols, and
practices all conspire to destroy any guarantee of complete security.

But 99% of the time for 99% of people, a complete guarantee of security is
overkill. With a few exceptions, as long as breaches are quickly discovered
and fixed, the damage is relatively minor. Stolen credit card? Report it to
your card company. Charges are blocked and you get a new card. Website
vandalized? Shut it down, clone the disks on any compromised machines (for
postmortem examination), restore from backups, blah blah blah standard panic
procedures.

In areas where security and reliability _really_ matter (basically: medical
devices and avionics software on planes that carry people), software is
_expensive_. Certain software development processes are required by law (See
<http://en.wikipedia.org/wiki/MIL-STD-2167> and
<http://en.wikipedia.org/wiki/DO-178B> ). Greatly increasing the costs to
create and use software kills new ideas in the womb. It becomes impractical
for startups or small groups to build stuff.

So is Internet security a failure? Yes. But really, I'm glad we're not so
risk-averse as to paralyze ourselves with more draconian measures.

~~~
thwarted
"Complete guarantee of security" is not just overkill, it's impossible.
Security is about risk management -- and your examples illustrate that.

------
ax0n
It's all about defense in depth. Local root exploits are part of why I run my
stuff chrooted on an OpenBSD system. It's not perfect, but it's pretty much
the best you're going to do. Still, you can't just stop there.

Having a one-time-password setup (SecurID, for example) to a central "admin"
system that can access the remote servers directly is one layer of defense
against certain workstation compromises. Using properly-configured RBAC (or
better, Mandatory Access Control) with separation of duties and remote logging
gives security staff tools to enforce and analyze policies and incidents.

I'm not saying it's possible to be 99% secure. To that end, I suppose Security
is a "failure" ( _rolleyes_ ) and as was mentioned before: you don't need 99%
security, but you certainly should be able to go back and look at that other
1% after the fact.

The truth is that you really don't see security's boundaries when it's working
properly. You can tell when it's getting in the way, but security is truly the
most visible when it fails.

------
CulturalNgineer
Internet security, like any kind of security, can never be absolute (as is
pointed out in a couple of comments).

So it's really a question of achieving whatever level of security is
practicable in relation to its costs in time, money and energy and as for the
rest...

Well read David Brin's novel "Earth" as well as his work on transparency.

The war against an Orwellian world may be better won by making EVERYBODY a
potential 'big brother'... which gives no oppressor an edge.

Not sure how it'll work out, but I'd rather have everyone on a level playing
field.

Should put quite a crimp in hypocrisy though... which is already happening.

------
redcap
I think the only way that computer software is going to get radically more
secure is if software creators can be sued for negligence if they create
secure software.

This would mean a fairly big change in the process by which software is
created, but if OpenBSD can do it, why do commercial companies still have
problems?

Do I think this will happen? No. Will security improve much without it?
Google Chrome has some decent mechanisms and Windows 7 appears to be better,
but without some kind of government legislation or regulation designed to
protect John Q. Citizen, I doubt much of substance will actually happen.

~~~
bruceboughton
I'm not at all convinced regulation is the answer. We have financial
regulators but did they prevent the sub-prime crisis? No. Bad stuff will
always happen, especially if people stand to profit from it (cf. botnets).

------
swolchok
Two complaints with the linked "local root kernel exploit":

1) The linked page says that it's a local DoS bug. Being subject to
denial-of-service from local users is hardly critical.

2) Even if it were, as the link text seems to imply, a local privilege
escalation vulnerability, it is my understanding that that sort of
vulnerability is generally not considered critical, because an attacker needs
to have compromised a local account to use them. Of course, if you're a shared
hosting service, I suppose you might beg to differ, depending on how you're
set up.

~~~
pquerna
I'm sorry if you didn't like that specific link -- I am happy to provide
others:

    http://www.securityfocus.com/bid/36901
    http://www.securityfocus.com/bid/33412
    http://www.securityfocus.com/bid/33412
    http://www.securityfocus.com/bid/37806
    http://www.securityfocus.com/bid/34405
    http://www.securityfocus.com/bid/37036
    http://www.securityfocus.com/bid/37806

Those were just from 2 minutes of googling, and only ones for 2009.

Regarding your second point, security is all about having multiple layers, but
the truth is the effectiveness of having code run in non-root users is a
useless precaution in this day and age.

My point is that people always talk about their great uptime on their servers,
without realizing how insanely insecure modern kernels and operating systems
are -- unless you are upgrading every month, there is most likely a well known
local privilege escalation vulnerability on your machine.

Once they have root, hackers can do all kinds of fun things, like replacing
your SSH binary and logging all your passwords. As Luke mentions above, if a
sysadmin's workstation is ever hacked into, the implications can quickly
become immense.
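The comment above ends on the tampered-SSH-binary scenario. The following is an added example, not code from the thread or from pquerna, showing the defensive counterpart: a minimal file-integrity baseline that records a SHA-256 digest, size and permission bits for a set of files and later reports which of them were modified, had their mode changed, or disappeared. All paths are constructed in a temporary directory; the "binaries" are placeholder files and nothing here touches real system files.

```python
"""
Added example (not part of the original thread): a minimal file-integrity
baseline check of the kind that would catch a replaced binary. Paths and the
baseline are constructed in a temporary directory for demonstration.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths) -> dict:
    """Record digest, size and permission bits for each path.

    The baseline is only useful if it is stored where a root-level attacker
    on this host cannot rewrite it (read-only media, a separate logging host);
    a baseline kept on the same disk can be edited along with the binaries.
    """
    baseline = {}
    for p in map(Path, paths):
        st = p.stat()
        baseline[str(p)] = {
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def verify_baseline(baseline: dict) -> dict:
    """Compare the current filesystem state against a baseline.

    Returns {path: status} with status one of 'ok', 'modified',
    'mode_changed' or 'missing'. Content is checked before mode so that a
    replaced file is reported as 'modified' even if its mode also changed.
    """
    report = {}
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            report[path] = "missing"
            continue
        st = p.stat()
        if st.st_size != expected["size"] or sha256_file(p) != expected["sha256"]:
            report[path] = "modified"
        elif oct(st.st_mode & 0o7777) != expected["mode"]:
            report[path] = "mode_changed"
        else:
            report[path] = "ok"
    return report


def demo() -> dict:
    """Constructed scenario: baseline three placeholder 'binaries', then
    replace one, delete one and change the mode of the third; return the
    verification report keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {name: Path(tmp) / name for name in ("ssh", "ls", "cp")}
        for p in files.values():
            p.write_bytes(b"#!/bin/sh\nexec /usr/bin/true\n")  # placeholder content
            os.chmod(p, 0o755)

        baseline = build_baseline(files.values())
        # Round-trip through JSON as you would when shipping it off-host.
        baseline = json.loads(json.dumps(baseline))

        # Simulated tampering after the baseline was taken.
        files["ssh"].write_bytes(b"#!/bin/sh\n# replaced placeholder\n")
        files["ls"].unlink()
        os.chmod(files["cp"], 0o4755)  # same bytes, setuid bit added

        return {Path(k).name: v for k, v in verify_baseline(baseline).items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The design point is in `build_baseline`'s docstring: the check is only as trustworthy as the place the baseline lives, which is the same reason the comment above treats root compromise as decisive. Run periodically and shipped to a separate log host, this gives exactly the "go back and look at that other 1% after the fact" capability mentioned earlier in the thread.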

------
ErrantX
Two key points here:

Firstly, there is pretty much nothing you can do to stop a determined attacker.
All the trust based security in the world will break down at some point
because, ultimately, computers are complex things.

Secondly, the rant about law enforcement is partially bull. The major problem
is that catching and prosecuting hackers is involved, expensive, usually
cross-border and difficult to convict. How do we solve those problems? I really
don't know.

