How Fear and Force Undermine Each Other

The physical universe is based on force. There’s gravity pulling you down with force. There’s matter telling you that you had better get out of its way or get hurt. There’s wind trying to push you over, earthquakes tossing you around. There’s the stronger guy in school not getting beaten up because he’s the strongest. Guns and batons are all saying: use me and win! Over and over we are reminded how force rules the day.

Or does it?

The physical universe has no intelligence. It does not care about, nor is it aware of, who is affected; it is merely held together by a design based on the attraction matter has towards itself.

Man has actually conquered the physical universe to a very large extent. The bully is conquered by a combination of intelligence and force. Earthquakes by the same: our buildings are designed to bend a bit and hold together. We have a group of people that keep an eye out for strong winds and issue warnings. We have planes that fly into the eye of the storm to see how it is made up, to keep us abreast of what might be coming our way. We walk upright and do the most amazing motions in spite of gravity. The bully is simply insecure and is trying to shift attention away from himself and onto the impression that he should not be messed with, or questioned, which might reveal his insecurity.

Smart use of force between people is to use it only to the extent needed to get someone’s attention; beyond that it serves no further positive value.

A child who has eaten a lot of sugar may not respond when you try to stop him from running on the walls and breaking everything in his way, and may need to be physically stopped before you can get his attention. But once you have it you had better back off, or you are simply telling him that you are bigger and stronger, which will not earn his respect, as you would just have become a bully in his eyes. That would teach him that force wins the day, and the cycle starts over.

To get out of the vicious circle we need to set a good example. Society is constantly showing itself by example how it needs to live in order to survive.

Fear is usually based on not being able to face the unknown, and will usually result in being afraid of something that does not exist. The fear itself will help create the condition of that which one is afraid of. Fear results in no inspection and less communication. And when man goes out of communication with man fear comes in to warn you of the threat of the unknown. If you were looking for a vicious circle look no further!

One of the simplest ways of solving problems, by the way, is to look. For example, I had an air conditioner that stopped cooling. My immediate thought was that it had run out of coolant. Now I was facing calling an a/c guy to come out and fix it. But before I got to the phone I thought I should look and see if there was anything obvious I could see. I opened the outside box and looked inside. It had a couple of relays and other components. Triggering the a/c to start, I noticed that one relay did not appear to fully close. Using a voltmeter I could see that it was indeed not closing. A quick visit to a store and $10 later I had a new relay and the a/c was working again. It took maybe 15 minutes of my time to discover what was wrong. OK, so I understand electricity, but that just tells me that what you don’t know, you can be the effect of. In other words, education is quite valuable as a general tool. And if you live life willing to look and learn you can handle more of life.

All I had to do was to be willing to look and see what I might see. In my mind I had drawn up a wait for a technician to come out and certainly a bigger cost to get it operational. You see how easily it resolved once I looked?

This is not a unique example, simply a live example of the value of looking. Take the child afraid of what may be lurking under the bed! Once you gather enough courage to look, and maybe a flashlight or two, you can establish that there’s nothing there and you can rest.

Here’s another example of force. Have you ever held a child on your lap? When you do, he or she will squirm and try to get down, while the child will be perfectly content simply sitting there if it can leave on its own self-determinism.

That tells you something else of value. In dealing with humans, things work easier if they can have their own self determinism. Your only issue is getting compliance in some situations where some control of the environment is needed.

Most people, then, will respond well if allowed to exercise self-determinism, are not controlled by force any more than is needed, and get a bit of good positive communication.

Good communication depends on the ability to communicate, which in turn requires you to be there and be able to look at and observe others and how things change. If you act with certainty and respect you can get almost anything you need from others. Most people are very willing to help. It is a basic trait of man, his willingness to help.

If you bypass his willingness then you are probably using force and not so much respect. A real authority is a person who can control the environment or the subject at hand. An apparent authority is someone who is taken at face value without inspection. Looking was missing, which would have allowed observation of the person’s ability and knowledge of the subject or situation.

Man is actually a simple animal who is sometimes trying to be complex, to appear more valuable than what he or she thinks of themselves.

OK, so we learn that treating others how we ourselves wish to be treated is a way to happiness. This is indeed needed by society at large to function well.

In a military situation the use of overwhelming force is a good practice which saves lives. However it is not a good tool to build a society for mankind.

When protecting people it becomes vital to have an understanding of man based on observation of the proper application of force and respect, which needs with it a healthy dose of compassion. It also requires a bit of courage to look at and deal with what is going on.

A man held down by overwhelming debt, perhaps with an equally upset wife whose goals have been squashed, neither of them able to look and discover what is behind their problems, might get disillusioned enough that he momentarily gives up. That could manifest itself in loud and disturbing actions, possibly with a show of force to counter the pressure he feels.

Calming down such a person and stopping the destruction he may demonstrate does not require more use of force, as is so commonly done. A proper acknowledgment usually does the job.

So what is a proper acknowledgment?

It is that which shows the person that he or she has been heard and has been duplicated. In other words, the person feels he or she is understood. Once understood, the person feels there is someone else who shares the burden. That can be a very big relief and should not be underestimated. In fact you can entirely disarm someone with a proper acknowledgment. I’ve single-handedly, purely with a few words, handled a really large man that a number of bouncers could not handle. All I had to say was that he’s really large and the others are acting the way they are because they are afraid of him. He instantly stopped and got into good verbal (vs. physical) communication with me.

Force is not simply physical action. Your voice can also demonstrate, or at least threaten, physical force. It depends on your ability to demonstrate intention in any one direction. You can enter a room full of violent action and simply give a simple command with a strong intention and stop everyone in their tracks.

In fact your merely showing up with a calm presence, being there and able to look at and duplicate what is going on, can stop violence. It looks like magic of some sort. But it is simply being a larger presence than the confusion: being the stable datum that everything else can align itself with. You cannot be sucked into the confusion and have to be able to hold your position.

You hold a position with certainty and competence. Your competence will come from, you guessed it, being able to be there looking and observing, knowing what you are doing, and having demonstrated enough competence in the past. In turn that will give you certainty, which comes right back, giving you more ability to hold that position stably in spite of the tumbling confusion.

A confusion is only a confusion until a position, or viewpoint, can be held and be used to sort out the random particles in it.

That position is your certainty of self and of the situation. If good enough, it would cover any situation.

The subject here is how fear and force undermine each other.

Fear undermines you and your ability to handle force. You will not look at and observe what is going on. For example, a fighter depends on being able to be there and look at the motion of others’ bodies and any particles involved, and take split-second steps to handle them when they become a threat, or even before they can become a threat if you are good.

Fear depends on uncertainty and on not looking at or understanding the present situation. It will feed on itself and, if not handled, ruin your day.

Force also depends on uncertainty and on not looking at or understanding the present situation. It too will feed on itself.

Compassion and love of your fellow man is actually your foundation that will make life a lot easier and return a lot of value to your life, and others in your environment. It too feeds on itself. Compassion breeds compassion. Care is part of that.

Indeed it looks like you will get what you put your attention on.

If all you look for is motion and your general attention is on finding and stopping motion before it moves too fast you will end up a miserable problem yourself.

Police and security people are at risk of falling into that trap. The way to stay well is to look at everything going on. Society has far more positive things going on than negative. When you see an upset or disorderly person don’t insist on immediately stopping him or her. Be willing to let the person be upset. Be willing to understand that person so that you can properly acknowledge them.

If you have enough care for your fellow man it will show. It will allow you to approach each person as a person with respect, which will make a positive impact, even if it is not immediately obvious. There might be more upset that you need to discharge. Simply be a safe terminal for the person to share his or her upset with. Presenting force does not make you a safe person. It simply adds more force, or promise of force which will simply escalate things.

True, you can scare people with enough force that they cave in and are subdued. But it is not a good general way of operating, again only use force until you get their attention.

So what do you do if you cannot get their attention?

You may need to have a good balanced use of enough force that you can control the person until such time that you can reach them. I’m thinking of drugs and maybe earlier show of force that made them hide so deep that you cannot easily reach them.

When a person is armed with deadly force it easily becomes a huge liability to society, unless that person is balanced enough and able to be there, communicate verbally, and use only enough force to handle the situation. The first action cannot be an automatic draw and fire. If a person is afraid of other people and cannot be in their shoes and have care and compassion for them, they are not suitable to keep us secure. They will end up being a bigger threat and undermine the people they are supposed to support and help.

If someone is upset they usually have a reason. Caring enough to hear and trying to understand them will make them hold you high long after you have left.

Let’s talk about criminals.

A child will, as soon as they can, try to contribute to the family. By not allowing them to contribute you will end up fostering criminal behavior. I believe man needs to be able to contribute to feel good and be happy. When a man cannot contribute he thinks himself not very valuable. If you are not valuable and cannot make a positive impact, then it does not matter what you do.

Add some experiences where some of those impacts will be actions against the common good of society. Robbing someone, for example. If they succeed then they have learned they can be good at something. It may be the only option they feel they have since they cannot or are not allowed to hold a job and have some common decent respect of self and others.

A child who is not allowed to help with the dishes is being taught that their contributions are not wanted. They are completely the effect of the much bigger bodies around them and can only try to upset you to get even. Bed wetting, breaking things, and screaming are all indicators of having disagreements. You could ask yourself whether some broken dishes are more valuable than the child.

For that matter give them some plastic ones to clean. Maybe their own plates.

A gang member is a person who does not believe themselves able to contribute to society. A criminal is a person who has lost their self-respect.

The way to turn both around is to allow them to get some respect back, to learn that they can contribute to our society, and they will happily do so.

But it will require care and compassion to get there as the road may not be an easy one to walk down. It will also require a healthy dose of courage and belief in your fellow man. But it will ultimately be more rewarding than the other option.

I for one think a society based on care and compassion would be more pleasant than one based on fear and force. What do you think?

Networking 101

I’ll share some basics here:

All computers and devices on a network are each called a host. Each must
have a unique IP address just like each house has a unique address.

IP addresses come in two versions. The older IP version 4 (IPv4) has
four numbers separated by a period ‘.’, like this: 8.8.8.8.

Each number must be in the range of 0 to 255, but no host can have an IP
that ends in 0 or 255.

There are three main ranges of IP addresses which will not be routed
(forwarded) across the internet. These ranges are intended to be used in
local networks, which in practice means you can have a number of
computers with their own IP address on your network without it being
open to the world.

In other words these ranges will not work across the internet and are a
direct solution to not wanting to give up a “routeable” address for each
internal device. Otherwise the available IP addresses would be used up
very rapidly by large corporations. Plus, this way we have a layer of
security. There is a technology called Network Address Translation (NAT)
which ensures that communication traveling from the inside of a
network to the outside is properly tracked.

The three ranges are:

10.0.0.0 – 10.255.255.255 with 16,777,216 IPs
172.16.0.0 – 172.32.255.255 with 1,048,576 IPs
192.168.0.0 – 195.168.255.255 with 65,536 IPs

There is an address for all computers to test networking without needing a
network card which is 127.0.0.1. It is called the loopback device.

The new IP version is called IPv6 and in theory allows for 2 to the
power of 128 addresses (128 bits), versus IPv4 which only has about 4.3
billion addresses. I’m not going into the details of it here.

A network that is under another one or is internal is generally referred
to as a subnet.

Each network reserves a few IPs for its own use:

For a subnet able to use all 256 addresses, for example, 192.168.1.0 is called the network address, which is the beginning of the subnet.

Usable addresses would then be 1 through 254, except that the first
usable one is usually the gateway to the network “above” it. So .1 is
usually reserved as the gateway IP.

Then the last IP is usually the broadcast address. The purpose of that
is that when a device needs to reach another computer and does not know
who has the IP, it sends out a broadcast asking “who has (IP)?”, which
is sent to the .255 address. The gateway will then answer.

192.168.1.0 is the network IP
192.168.1.1 is the gateway
192.168.1.255 is the broadcast IP

We humans have a hard time tracking IP addresses, so a system was
designed to allow us to use names instead. A server function called
Domain Name Server (DNS) translates the name to an IP address, which is
needed to actually reach another computer.

Now, for a computer to save time and not bother the DNS with questions
it could answer itself, a network mask was created which by its design
can tell whether the computer you are trying to reach is on the local
network or needs to be sent to the gateway server to figure out. (And
if the gateway does not know, it sends it up to its own gateway, and so
on.)

It is called the subnet mask and for the above example it would look
like this: 255.255.255.0. Thereby the host knows that anything on
192.168.1.0-192.168.1.255 can be sent directly, and anything else needs
to be sent to the gateway, 192.168.1.1, for it to forward up the line.

Due to criminal elements online it is crucial that you have layers of
security. The first one is called a border firewall and is the first
layer of security. Other layers can be local firewalls on each computer,
educated users on what to do and not, log files that are monitored,
security patches applied in a timely fashion (immediately) and so on.

You do NOT need a separate subnet for VMs unless you WANT to have it. I
rarely do it. But if you do then simply assign IPs for the VMs that are
on the same subnet. If they need to go outside that subnet then make
sure you have a gateway assigned which sits across both subnets. That
will have port forwarding turned on which allows traffic to flow between
the network cards. (Google linux router.)

When you use virtual machines they too will each need an IP to talk to
any other host.

(You could create a subnet which does not have the ability to talk
outside that specific network, which could be handy when testing
something that could be interrupting other hosts on the main network.
Being totally isolated means it cannot be hacked nor leak something
outside that network.)

When you sit inside your subnet, random external (internet) traffic
cannot reach your internal computers unless there is a hole in the
firewall to allow some traffic in. For example, you might have a web
server which is reachable from the outside, which in turn uses a
database. Access to the database must be guarded to ensure it’s not
reachable directly, or via a flaw in the code.

You have to make the call if you can or should allow the VMs access to other networks.

First Amendment Rights?

Intended to those in charge.

As someone who has visited Auschwitz as a young man while traveling through Europe, who met people who were deformed from being concentration camp guinea pigs and saw the horrors that came because nobody would do anything about it before it became too late, I was utterly stunned to see how my all time favorite service appears to actually be taking a stance supporting extreme violence hate sites.

I’m guessing it has something to do with the 1st amendment which is generally a great thing to support, though one has to be aware that it only refers to what the government is not being allowed to violate:

“Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.”

Clearly free speech is a crucial part of society, but common sense can step in and say if, for example, you want to insult my wife in my own house, you must leave. If you want to proclaim death to my neighbors, you can’t stand on my stoop to do it from. If you try to promote violent rhetoric using my company – it will be removed.

Doing anything less is supporting what ultimately becomes criminal activities which at the very least is bad for business in the long run.

I also find it shameful. Certainly ignorance and stupidity alike can be very dangerous given the right situation. When I look myself in the mirror I much prefer to feel strength from doing the right thing, and not having acted from ignorance or misinformation.

There is a very real situation where people don’t bother to investigate what they are being told. They are commonly not very well versed with the world outside their own, nor do they have a solid education. Thus, being at a disadvantage, they frequently find themselves not finding any road to success but reasons to be unhappy. Some take advantage of that to misdirect their unhappiness towards people and activities that actually seek to help society. These “some” are stuck wanting to take the world down with them. Meanwhile the lesser educated and informed, but not automatically less valuable, fall prey to the lies and propaganda and, with little to lose, stand up ready to fight the false evil. Others even less educated about life become willing to meet the vestigial virgins supposedly waiting for them once they click the detonator. The price for freedom is constant alertness and willingness to fight back, not blindly supporting any activity or “right”.

Thus, I frequently assess who I associate myself with, and as someone who has so far been a staunch supporter for a decade I am now wondering what your intention is vis-à-vis Nazi hate propaganda and similar sites.

Google Suggests Reporting Their Charges as Fraud

In short, I tried to cancel a commercial app service for my business but they claimed to be unable to do so.

We had an account with Google which provided a few apps for us. Then that same functionality was moved in house and the use dropped to zero. The account sat there for about two years collecting the monthly charge with no use.

At one point I decided to cancel the service, which is when it got interesting. First I screwed up on how I canceled the service and in effect only killed the admin account. Then forgot about the whole thing while busy with some new and exciting things. After a while I did notice that the charge was still coming through from Google so I attempted to have them close it.

However they told me that the only way I could stop them from taking my money each month would be to login as that admin. Problem is I have a lot of different accounts and that one was cleaned up and deleted, a long time ago. There’s no way for me to recover that information.

However Google obviously has records of transactions and should be able to ask questions that would verify my identity and then stop taking my money for the service I don’t use. Not so; even after escalation to a supervisor, they still said they could not cancel the service.

Google does have a pretty good security record and maybe they only allow a very select few access to data that could authenticate me. But the idea that a company could not stop putting through a charge for a service I’m not using is, let’s be nice and call it odd.

In the end I was told to go to my bank and tell them the charges are fraudulent so the bank would no longer pay Google. That is supposed to lead to the account being suspended and stop the charges. Of course once I told the bank they simply don’t accept the charge anymore, solving my problem. I found the whole thing is pretty unusual. There must be a ton of people that made the same mistake and could not get out of it in a simpler way.

How To Give Away Your Bank Accounts To Criminals

Sherri Davidoff, author of “Network Forensics: Tracking Hackers Through Cyberspace”, has documented a real-life example of someone giving away all their credentials, which means someone else now has the same access to your identity, and subsequently your money, that you have.

It is a very effective demonstration of what not to do, share it with others!

And it is not necessarily very hard to protect yourself from. The best is of course to never accept and use links in emails, IM, etc. That can be hard when you think it is from your friend or family member, or in the above case, your bank.

A safer method would be to use a LiveCD (a CD which you boot and run programs from) which does not have the ability to be altered. Which means each time you boot it – it is completely untouched by any virus. But it means booting into it each time you want to visit your bank, or other sensitive websites.

Joanna Rutkowska is a Polish security researcher who released a modified operating system called Qubes OS, which I think is a great compromise, and the best I have seen. It accomplishes that by setting up virtual environments in a particularly nifty way. First the whole O/S has been modified to be hard to break into, then it uses dedicated virtual computers for each sensitive website (all according to your preference).

I created one environment for each bank, Paypal etc. Then I ONLY visited that one website using that virtual environment. In other words if you have Paypal you would use the Paypal virtual environment to only visit Paypal. And so on.

Now it requires that the bank’s website gets infected with the malware needed to infect my virtual computer, and only for that bank. Not for any other. It is also particularly easy to fix: remove it and add a new one.

Another virtual environment is used for casual browsing. Another for business, email etc.

This means an infected email cannot corrupt your other environments and you have a very effective tool against online malware.

Security is about balancing security and work-ability. Too secure and nothing can get done. Too easy and you’ve given easy access for criminals. You need to strike a balance. It took very little to get used to and is about the safest and best balance I’ve seen anywhere.

As you can see at the bottom of the above article LMG Security offers workshops and her book is a very good read.

Make the extra effort to be security aware and avoid being a victim while at the same time not being the tool used to wreck someone else’s life.

Abandon IT Dept for the Cloud?

People have some interesting affinity for the latest and greatest solution, which gets applied to any and all problems. The grass is apparently so readily seen to be greener on the other side, that even common sense is left behind. I’m guessing there’s frustration afoot, which might be because of a slow or inept IT dept. But could also be because not enough funds are allocated to properly run the IT dept. Just saying.

This urge to always jump on the latest new technology is often done as if there’s a great emergency. The idea behind the Cloud is certainly interesting. But is moving your IT into the Cloud the right move, or are you asking for even more trouble?

Your IT dept has physical control and is motivated by how you run your business. In other words you can hire, fire and make demands to ensure they are aligned with supporting your business plan.

The Cloud however, is ENTIRELY out of your control.

In-house you can observe and handle security issues. On the Cloud you are hoping that they don’t have a staff failure, upsets, or whatever, which results in them not caring properly for your data/information.

In the Cloud you are one of many others, which certainly makes the Cloud a bigger target, since in the eyes of the criminal hacker it has a higher potential payoff to hack. It’s more worthwhile to break into the Cloud.

When that happens, how do you act to protect your data?

There are many ways to “hack” into something. For example, in social engineering, by pretending to be someone else you talk people into giving you knowledge that opens the doors you want “unlocked”. A simple phone call, or email, and someone might hand out the “keys”. It is very popular and easy to succeed with. It could also very well be that the people working the Cloud know better than your average staff than to fall prey to it.

Ultimately you need to look at your budget, evaluate the business impact of not having much of an internal IT dept, versus handing it out to someone else, and hope for the best.

True, you might already be hoping for the best: that your computers don’t get broken into, that IT knows what they are doing, etc. Data loss, for example, is more often caused by an upset employee than by some outside body. That makes an argument for the Cloud. In theory it looks like the Cloud can be a viable alternative.

I just don’t trust my business information, to be kept completely safe where things such as motivation, competence, reliability, etc. is not only unknown, but mostly unknowable. Where you can’t take advance action to ensure that the person being fired will not be able to cause you harm in a vengeful moment. Where, if the internet is down, you can’t do anything because all your data lives elsewhere.

Simply jumping on the Cloud because it is the hot thing that “everybody” is talking about, is not a very well evaluated reason. Most of the time common sense is the most reliable tool you have. Use it!

Physical Security Maxims

Security, whether physical, computer or any other area, is seldom understood. Arbitrary ideas that save someone from doing something are usually chosen. It is next to impossible to overstate the amount of ignorance and stupidity demonstrated whenever security is considered. This list brings home the balance of secure vs. insecure. Of course security is about balancing security vs. usable and practical.

Here are excerpts from a list of maxims produced and assembled by Roger G. Johnston, Ph.D., CPP in the Vulnerability Assessment Team at Argonne National Laboratory.

(You can see the whole list at www.schneier.com)

Physical Security Maxims
Roger G. Johnston, Ph.D., CPP

Security Maxims
The following maxims, based on our experience with physical
security, nuclear safeguards, & vulnerability assessments, are
not absolute laws or theorems, but they will be essentially
correct 80-90% of the time.

Infinity Maxim: There are an unlimited number of security
vulnerabilities for a given security device, system, or program,
most of which will never be discovered (by the good guys or
bad guys).

Arrogance Maxim: The ease of defeating a security device
or system is proportional to how confident/arrogant the designer,
manufacturer, or user is about it, and to how often they use
words like “impossible” or “tamper-proof”.

Ignorance is Bliss Maxim: The confidence that people have in
security is inversely proportional to how much they know about it.

Be Afraid, Be Very Afraid Maxim: If you’re not running
scared, you have bad security or a bad security product.

High-Tech Maxim: The amount of careful thinking that has
gone into a given security device, system, or program is
inversely proportional to the amount of high-technology it uses.

Schneier’s Maxim #1: The more excited people are about a given
security technology, the less they understand (1) that technology
and (2) their own security problems.

The threat from email

TRACE (Threat Research and Content Engineering) is a group of Marshal security analysts who constantly monitor and respond to Internet security threats. TRACE provides a service to Marshal customers as part of standard product maintenance. The service includes updates to Marshal’s unique, proprietary anti-spam technology, SpamCensor. TRACE analyzes spam, phishing and Internet security trends and provides frequent automated updates to Marshal customers. TRACE also provides “Zero Day” security protection to secure Marshal customers against new email and virus exploits the day they emerge.

There are several terms that are typical in this area:

Phishing, is a play on the word fishing, and does pretty much the same but for information instead of fish. By gathering information from computers and or people they gain enough of an edge to gain access and control over others computers.

Malware is software which is written to basically help cyber-criminals gain information and access to other people’s computers and networks. It might be hiding in web code (HTML) or in some attachment such as an MP3 or PDF file.

A Botnet is a network of “contaminated” computers that are under the control of the cyber-criminals. It is used to send bulk emails and to conduct mass attacks.

“It would be incomplete to discuss spam without commenting on the
malware and criminal activity that sustains it. Distributing spam and
malware is firmly in the domain of professional criminals looking for
financial gain. In the last six months, cyber-criminals have, unfortunately,
reached new heights of sophistication and capability.

“Not only have the large botnets taken over in terms of spam volume, they
have also evolved to reach new levels of sophistication. During the middle
of 2007, the Storm botnet grew rapidly following mass spamming of emails
containing links to websites hosting malicious code. The websites not
only hosted executable files that could be downloaded by users, but they
also hosted malicious code that attempted to exploit a number of different
known browser vulnerabilities.”

The above are quotes from www.marshal.com. The link points to a page where you can read the whole report, and others.

In the report Marshal talks about cyber-criminals, “They operate in a thriving underworld marketplace where services, software tools, and software development are freely bought and sold. Computer skills are no longer necessary to execute cybercrime.”

They point out that in a recent case a botnet was rented out for $200/week, which a spammer can use to send 100 million spam messages. With the considerable income from naive Internet shoppers, a lot of money can be and is made, which is of course what attracts people who feel unable to earn an honest income.

Big sites are also hacked to help distribute the malware. MySpace and monster.com are but two examples. By generating a large number of accounts with Gmail, Hotmail and the like, they are able to spam from these accounts in bulk.

I strongly recommend that, if nothing else, you read the conclusion and recommendations on the last two pages. (marshal.com)

Why not to give admin or root access by default

[This is a reply to why setting your OS to give admin (root) access without a password on your computer is not a good idea. It appeared on a Pardus review.]

Your argument is very understandable and is shared by most people. Not to be flippant about your knowledge, but it comes from a very limited understanding of security, or shall we say of how computers are hacked.

For example, needing to enter a password means that a remote hole in an application running as non root will not have root access automatically.

Thinking you are secure when you really don’t know what makes something insecure is folly.

Breaking into a computer is not done by “playing by the rules”, but by doing things “wrong”. As an example, back when IP firewalls came out they had rules about who was allowed access simply by IP.

The firewall has to allow replies to requests back in or it is useless. So it looked to see if the inbound packets followed the TCP rules of a reply, and if so allowed them access. That was broken by not following the standard TCP rules; they in effect gained access by saying “here’s your reply”. The firewall allowed the new connection, thinking it was a reply.

After that we got stateful inspection, which tracks outbound requests and can therefore tell whether a reply originated from an internal request or not. This is a very old example but the principle still holds true. Holes are found by doing the unusual and often wrong thing.
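The two firewall designs described above, as an added toy model that is not part of the original post: a stateless filter that accepts anything that merely looks like a reply, beside a stateful filter that only accepts replies to outbound requests it has recorded. Packet fields, addresses and the three sample packets are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str         # source IP
    sport: int       # source port
    dst: str         # destination IP
    dport: int       # destination port
    syn: bool
    ack: bool
    outbound: bool   # True if the packet leaves the internal network


INTERNAL = "10.0.0.5"  # constructed internal host address


def stateless_allow(pkt: Packet) -> bool:
    """Old-style packet filter: an inbound packet is accepted if it merely
    *looks* like a reply (ACK bit set). Nothing remembers whether an
    internal host actually made a request."""
    return True if pkt.outbound else pkt.ack


class StatefulFilter:
    """Stateful inspection: record each outbound connection attempt and
    accept inbound packets only when they match a recorded flow."""
    def __init__(self):
        self.flows = set()  # (internal ip, internal port, remote ip, remote port)

    def allow(self, pkt: Packet) -> bool:
        if pkt.outbound:
            if pkt.syn and not pkt.ack:  # a new outbound connection request
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound: accepted only as the reply to a flow we recorded
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


# Constructed traffic: an outbound web request, its genuine reply, and an
# unsolicited inbound packet dressed up as a reply (ACK set, no SYN).
REQUEST = Packet(INTERNAL, 40000, "203.0.113.10", 80, syn=True, ack=False, outbound=True)
REAL_REPLY = Packet("203.0.113.10", 80, INTERNAL, 40000, syn=True, ack=True, outbound=False)
FAKE_REPLY = Packet("198.51.100.7", 4444, INTERNAL, 139, syn=False, ack=True, outbound=False)


def compare():
    """Run the same three packets through both designs."""
    sf = StatefulFilter()
    pkts = (REQUEST, REAL_REPLY, FAKE_REPLY)
    return {"stateless": [stateless_allow(p) for p in pkts],
            "stateful": [sf.allow(p) for p in pkts]}


if __name__ == "__main__":
    print(compare())  # {'stateless': [True, True, True], 'stateful': [True, True, False]}
```

The stateless filter waves the fake reply through because it only checks the packet’s flags; the stateful one rejects it because no internal host ever opened that connection.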

Take buffer overflows; they have been the most commonly used method. It consists of writing a lot more information into a field than is expected. The poorly written program cannot process the extra information, and it ends up someplace in memory where it is executed, resulting in illegal access. This is a simplified view but it still holds true.

When you think security, unless you have actually seen not one but many of the ways illicit accesses are gained, don’t make the mistake of thinking that you even have a clue of what is or is not secure. It takes a LOT more than that. What’s even worse is that new holes are discovered all the time. Thus, you need to think in concepts of secure methods. Security becomes not whether they can get in, but finding the balance of secure vs productive methods of operating: adding multiple levels of secure behavior, with the final level being users who follow the established rules and have some respect for it all.

Look up some challenge where someone said we’ll pay you X dollars if you can break in. Then see how they did it. There was, for example, a challenge on a shopping cart which had some 600,000 attempts with a few successful entries. They were so ingenious that nobody not experienced in real hands-on hacking would have figured them out.

A bad but typical poor security example is from the early days of NT. Microslop claimed NT had received a government security rating. What they did not tell us was that it required that the floppy and network card were disabled.

This false sense of security was then promoted by others, like those who wanted to defend their poor choice of OS or who had an inflated self-importance, by promoting how secure it was. Subsequently, others who knew they themselves did not understand security listened to those who knew even less and believed they actually had a secure OS.

Security is a pain in the butt, which simply has to be balanced with the pain of losing confidential info or loss of operation, and must not be done by coffee shop security wannabes.

At the very best you end up shooting yourself and others in the foot with your ignorance. There are plenty of places where you can find discussions by pros discussing holes in various programs and whatnot. Spend some time with them and get a feel for things. (See Full Disclosure and Bugtraq. Crypto-Gram by Bruce Schneier is a very informative list for a layman. You’ll find good links and info on insecure.org.)
Good luck!

Why Windows is less secure than Linux

It’s one thing to know by your own experience, another to be told by others.
Sometimes you run into something that communicates very well. Like images. Here’s an article that does just that. It communicates graphically in a way that is hard to put in words.

Why Windows is less secure than Linux by ZDNet’s Richard Stiennon
— Windows is inherently harder to secure than Linux. There I said it. The simple truth.

Many millions of words have been written and said on this topic. I have a couple of pictures. The basic argument goes like this. In its long evolution, Windows has grown so complicated that it is harder to secure. Well, these images make the point very well. Both images are a complete map of the system calls that occur when a web server serves up a single page of HTML with a single picture. The same page and picture.

A system call is an opportunity to address memory. A hacker investigates each memory access to see if it is vulnerable to a buffer overflow attack. The developer must do QA on each of these entry points. The more system calls, the greater potential for vulnerability, the more effort needed to create secure applications.

This is a comparison between Linux and its web server and Windows and its web server. The first picture is of the system calls that occur on a Linux server running Apache.

[Image: system call map for Apache on Linux (syscallapachesmall)]

This second image is of a Windows Server running IIS.

[Image: system call map for IIS on Windows Server (syscalliissmall)]

The difference is clear. Thanks to Sana Security for generating and providing these images.

Please note that 1. I am not a journalist. 2. I do not work for ZDNet. 3. I am an independent blogger. 4. This is a blog entry, not a news article.