[Security] The 0th Law of Security

[Reply] [View by Thread] [Help]
[Back To Article Discussion Forum]

View and vote on the article here: The 0th Law of Security

The 0th Law of Security

Category

Security

Summary

Body

There are supposedly 10 laws of security, laws that are a firm basis for understanding computer security. They're obviously not the be all and end all of computing security, but for beginners and those that aren't going to focus on security they're an important start.

The Ten Immutable Laws of Security
Microsoft's Security Response Center Manager, Scott Culp, as a part of his job, produced a list he calls "The Ten Immutable Laws of Security."

They are:
1. If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
2. If a bad guy can alter the operating system on your computer, it's not your computer anymore.
3. If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
4. If you allow a bad guy to upload programs to your Web site, it's not your Web site any more.
5. Weak passwords trump strong security.
6. A machine is only as secure as the administrator is trustworthy.
7. Encrypted data is only as secure as the decryption key.
8. An out-of-date virus scanner is only marginally better than no virus scanner at all.
9. Absolute anonymity isn't practical, in real life or on the Web
10. Technology is not a panacea.

Even without further explanation (which is available from http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx) it is a fairly straight forward and common sense list of laws.

Law 0
The fact is that these laws don't go far enough towards describing the problems that are faced by everyday users on the Internet. Security people often forget that it's not just big companies that are the target of attacks; they may indeed be the target of more personalized attacks.

0. If you can't read the source code for your operating system (and applications) then it's not your computer anymore.

I hate being the open source advocate, but the fact remains that if you and the community can't get into the source code for auditing and patching purposes then it's not your computer; it's Microsoft's. You are essentially relying on their good will and the competency of their programmers to protect you against any flaws in the operating system that may let attackers in.

Microsoft has in the recent past finally hopped on the security band wagon. They're better than they used to be, but it's still them against the world, and in practical terms this makes for an impossible situation. The odds are that one of the millions of hackers is going to find it before Microsoft does. Even with their ability to look at the source code, they're still vastly outnumbered.

Open Source
Open Source is not a complete solution to this problem, but it's better. The millions of security researchers out there, the developer community, and the general public all get the chance to look for flaws in the code. When a flaw is discovered, a patch is immediately written for it. Unlike a situation where you have to wait for a company to release a patch, you have the ability to patch the problem yourself. It's not you against the world, though. It's you and every other technically competent person that uses that particular software against the world.

Yes, hackers have the same opportunity of finding the flaws. But the playing field is more level. Even if they do find a flaw, chances are that it'll be patched much more quickly than if millions of eyes weren't looking at the source code.

Open Source vs. the Other Ten
When you look at open source as a solution to the problems above, it puts them in a whole new light. Let's start with No. 7, not because of the fact that it's a good number, but more the fact that it has long been the belief of the scientific community that closed encryption algorithms are useless.

"7. Encrypted data is only as secure as the decryption key."

While this deals with the key that is used to encrypt the data I would go further and say that encrypted data is only as secure as the algorithm and key that is used to encrypt the data. It doesn't take genius to work out that even if I encrypt my information using my own proprietary method that doesn't mean that it's safe. Unless someone else can test my encryption method, and try and break it, I have no way of knowing whether my information is protected by the encryption, because I have no way of knowing whether my encryption algorithm is sound, or whether there are fatal flaws in my design.

History is littered with examples of this, and if you look closely at companies like RSA you will notice that they post challenges, trying to get people to break their encryption.

More importantly if you can't look at the encryption algorithm and analyze it for yourself, how are you to know that the creator hasn't put in a backdoor for themselves, or governments, to use?

Watching the Watchers

"8. An out-of-date virus scanner is only marginally better than no virus scanner at all."

Nearly everyone that I know knows to use a virus scanner now. It's slightly harder to get them to workout Spyware and AntiSpyware programs, but here's the twist: if you can't look at the internals of the antivirus, how do you know that it's doing an adequate job of protecting you?

I'm not trying to say you should be using Linux because of the fact that it is less prone to viruses. The fact is that most viruses are written for Windows, and if everyone switched to Linux, then those same people would target Linux. It remains to be seen how well Linux would respond to this kind of problem.

What I am saying is that you pay good money for applications, you subscribe to a service by Symantec or McAfee, and you really have no idea how well you are being protected. The same goes for firewalls, and any other piece of security software that you use to protect your computer. If you can't look at the internals then you have no idea what the application is really doing.

You can apply this same principal to at least some of the other laws, and in truth it serves to cement the 0th law in place.

Regarding Patches
It is not often that I have the chance to talk about security, but one of the things that occurred to me in my day to day work is the fact that Microsoft's move to allow only 'Genuine' users to download patches and applications, most notably SP2 and Microsoft AntiSpyware, was a foolish one.

Regardless of the fact that most, if not all, of my clients have legal copies of Windows, it is rare that they keep them patched and up to date. (I tend to fix this.) It leads me to believe that there is a large number of legal Windows users out there who don't properly patch their computers.

Now it's not overly smart of them, but the fact of the matter is that denying patches and other downloads to 'non-genuine' users ends up negatively affecting even those with legal copies in a round about way. Look at it like this:

"The greater the number of un-patched computers on a given network, the more chance that a bad guy/worm will get in."

This is easy to apply, but what is more important is that it takes into account not only small local networks, but also the Internet. The more un-patched computers that remain on the Internet, the more chance that the bad guy will get control of them. The more computers that are either part of botnets or infected by viruses, the easier it is for such infections to spread, or for the attacker to use the given host as a base for another attack.

A Note on Piracy
I'm not in anyway condoning and supporting piracy, but there comes a point when you need to make smart moves and accept that a problem isn't going to be solved. Becoming tight and vindictive about piracy only makes the given company (Sony) look bad.

Locking your legitimate users out is bad methodology, and putting so many 'copy protection' methods into a given technology that it negatively affects the technology is not healthy either. Security is important, but it needs to protect the interests of the user, not the interests of the greedy Mega Corporation.

This article was imported from zZine. (original author: nirus)

There are no replies to this post yet.

Guest:
Subject:
Message:	On 2007-04-29 10:02:22, nirus wrote >View and vote on the article here: [url=/library/article?id=1421]The 0th Law of Security[/url]<br/><br/><hr width="90%"/><center><h3>The 0th Law of Security</h3></center><table width="100%"><tr><td valign="top">[b]Category[/b]</td><td width="100%"><center><table border="1" cellpadding="3" cellspacing="0" style="border-collapse: collapse" bordercolor="#000000" width="95%" bgcolor="#364C7D"><tr><td width="100%">Security</td></tr></table></center></td></tr><tr><td valign="top">[b]Summary[/b]</td><td width="100%"><center><table border="1" cellpadding="3" cellspacing="0" style="border-collapse: collapse" bordercolor="#000000" width="95%" bgcolor="#364C7D"><tr><td width="100%">There are supposedly 10 laws of security, laws that are a firm basis for understanding computer security. They're obviously not the be all and end all of computing security, but for beginners and those that aren't going to focus on security they're an imp</td></tr></table></center></td></tr><tr><td valign="top">[b]Body[/b]</td><td width="100%"><center><table border="1" cellpadding="3" cellspacing="0" style="border-collapse: collapse" bordercolor="#000000" width="95%" bgcolor="#364C7D"><tr><td width="100%">There are supposedly 10 laws of security, laws that are a firm basis for understanding computer security. They're obviously not the be all and end all of computing security, but for beginners and those that aren't going to focus on security they're an important start. > >[b]The Ten Immutable Laws of Security[/b] >Microsoft's Security Response Center Manager, Scott Culp, as a part of his job, produced a list he calls "The Ten Immutable Laws of Security." > >They are: >1. If a bad guy can persuade you to run his program on your computer, it's not your computer anymore. >2. If a bad guy can alter the operating system on your computer, it's not your computer anymore. >3. If a bad guy has unrestricted physical access to your computer, it's not your computer anymore. >4. If you allow a bad guy to upload programs to your Web site, it's not your Web site any more. >5. Weak passwords trump strong security. >6. A machine is only as secure as the administrator is trustworthy. >7. Encrypted data is only as secure as the decryption key. >8. An out-of-date virus scanner is only marginally better than no virus scanner at all. >9. Absolute anonymity isn't practical, in real life or on the Web >10. Technology is not a panacea. > >Even without further explanation (which is available from [url]http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx[/url]) it is a fairly straight forward and common sense list of laws. > >[b]Law 0[/b] >The fact is that these laws don't go far enough towards describing the problems that are faced by everyday users on the Internet. Security people often forget that it's not just big companies that are the target of attacks; they may indeed be the target of more personalized attacks. > >0. If you can't read the source code for your operating system (and applications) then it's not your computer anymore. > >I hate being the open source advocate, but the fact remains that if you and the community can't get into the source code for auditing and patching purposes then it's not your computer; it's Microsoft's. You are essentially relying on their good will and the competency of their programmers to protect you against any flaws in the operating system that may let attackers in. > >Microsoft has in the recent past finally hopped on the security band wagon. They're better than they used to be, but it's still them against the world, and in practical terms this makes for an impossible situation. The odds are that one of the millions of hackers is going to find it before Microsoft does. Even with their ability to look at the source code, they're still vastly outnumbered. > >[b]Open Source[/b] >Open Source is not a complete solution to this problem, but it's better. The millions of security researchers out there, the developer community, and the general public all get the chance to look for flaws in the code. When a flaw is discovered, a patch is immediately written for it. Unlike a situation where you have to wait for a company to release a patch, you have the ability to patch the problem yourself. It's not you against the world, though. It's you and every other technically competent person that uses that particular software against the world. > >Yes, hackers have the same opportunity of finding the flaws. But the playing field is more level. Even if they do find a flaw, chances are that it'll be patched much more quickly than if millions of eyes weren't looking at the source code. > >[b]Open Source vs. the Other Ten[/b] >When you look at open source as a solution to the problems above, it puts them in a whole new light. Let's start with No. 7, not because of the fact that it's a good number, but more the fact that it has long been the belief of the scientific community that closed encryption algorithms are useless. > >"7. Encrypted data is only as secure as the decryption key." > >While this deals with the key that is used to encrypt the data I would go further and say that encrypted data is only as secure as the algorithm and key that is used to encrypt the data. It doesn't take genius to work out that even if I encrypt my information using my own proprietary method that doesn't mean that it's safe. Unless someone else can test my encryption method, and try and break it, I have no way of knowing whether my information is protected by the encryption, because I have no way of knowing whether my encryption algorithm is sound, or whether there are fatal flaws in my design. > >History is littered with examples of this, and if you look closely at companies like RSA you will notice that they post challenges, trying to get people to break their encryption. > >More importantly if you can't look at the encryption algorithm and analyze it for yourself, how are you to know that the creator hasn't put in a backdoor for themselves, or governments, to use? > >[b]Watching the Watchers[/b] > >"8. An out-of-date virus scanner is only marginally better than no virus scanner at all." > >Nearly everyone that I know knows to use a virus scanner now. It's slightly harder to get them to workout Spyware and AntiSpyware programs, but here's the twist: if you can't look at the internals of the antivirus, how do you know that it's doing an adequate job of protecting you? > >I'm not trying to say you should be using Linux because of the fact that it is less prone to viruses. The fact is that most viruses are written for Windows, and if everyone switched to Linux, then those same people would target Linux. It remains to be seen how well Linux would respond to this kind of problem. > >What I am saying is that you pay good money for applications, you subscribe to a service by Symantec or McAfee, and you really have no idea how well you are being protected. The same goes for firewalls, and any other piece of security software that you use to protect your computer. If you can't look at the internals then you have no idea what the application is really doing. > >You can apply this same principal to at least some of the other laws, and in truth it serves to cement the 0th law in place. > >[b]Regarding Patches[/b] >It is not often that I have the chance to talk about security, but one of the things that occurred to me in my day to day work is the fact that Microsoft's move to allow only 'Genuine' users to download patches and applications, most notably SP2 and Microsoft AntiSpyware, was a foolish one. > >Regardless of the fact that most, if not all, of my clients have legal copies of Windows, it is rare that they keep them patched and up to date. (I tend to fix this.) It leads me to believe that there is a large number of legal Windows users out there who don't properly patch their computers. > >Now it's not overly smart of them, but the fact of the matter is that denying patches and other downloads to 'non-genuine' users ends up negatively affecting even those with legal copies in a round about way. Look at it like this: > >"The greater the number of un-patched computers on a given network, the more chance that a bad guy/worm will get in." > >This is easy to apply, but what is more important is that it takes into account not only small local networks, but also the Internet. The more un-patched computers that remain on the Internet, the more chance that the bad guy will get control of them. The more computers that are either part of botnets or infected by viruses, the easier it is for such infections to spread, or for the attacker to use the given host as a base for another attack. > >[b]A Note on Piracy[/b] >I'm not in anyway condoning and supporting piracy, but there comes a point when you need to make smart moves and accept that a problem isn't going to be solved. Becoming tight and vindictive about piracy only makes the given company (Sony) look bad. > >Locking your legitimate users out is bad methodology, and putting so many 'copy protection' methods into a given technology that it negatively affects the technology is not healthy either. Security is important, but it needs to protect the interests of the user, not the interests of the greedy Mega Corporation. ></td></tr></table></center></td></tr></table><br/><br/>This article was imported from [url=http://www.zzine.org]zZine[/url]. <small>(original author: nirus)</small>
Signature:
Optional Image Link:
http://

CyberArmy::Forum v0.6
Generated In 0.04441 seconds