Educause Security Discussion mailing list archives

Re: Phishing E-mail Procedures


From: Tim Doty <tdoty () MST EDU>
Date: Thu, 26 Jan 2012 16:13:32 -0600

On Thu, 2012-01-26 at 14:45 -0500, Valdis Kletnieks wrote:
> On Thu, 26 Jan 2012 12:24:10 CST, Tim Doty said:
> > "Default Permit"....  In short, it isn't something that security folks go preaching.
>
> Marcus's point is that it's a *dumb* idea - any security folks preaching it should
> probably be taken out back and shot.  Or maybe shot out front and made an
> example of. ;)

A good debater changes topics instead of giving in. What I originally
said was that he is "off target on every count" due to "personal bias or
an application development issue". I didn't say he was wrong, just off
base. My follow up was successfully distracted, but back to the point.

He says that "default permit" is one of the six dumbest security ideas,
that is so bad he equates it with brain damage. To back up his
contention he talks about firewall rules and code execution.

The immediate issue is he sets up a strawman. The premise is that people
are actively supporting and pushing 'default permit' which is not
something I've seen. The rest of it is just hamming for the crowd
because it is well known and doesn't need repeating to security folks.
They know it.

Where there is substance is in the broader application of the principle.
And this is where the logic completely falls apart. The premise, stated
at the top, is that these are security ideas. He then applies it outside
of that context. The application developer isn't thinking "wow, default
permit is such a wonderful idea" -- he most likely doesn't have a clue
that what he is doing is in fact that, much less the security
implications of it. It isn't a "dumb idea", it's a "problem from
ignorance".

The second case you mentioned was "enumerating badness". Antivirus is of
course the obvious and easy target for this. But enumerating badness is
not necessarily a dumb idea, much less a bad one.

> > Guess what I do with Snort? I enumerate badness (detection rules are an
> > example of enumeration and with Snort we don't try to detect what is
> > good, but what is undesired). Sorry, but I'm not giving up on Snort.
>
> And you know to add an "undesired" rule, how? ;)

Let's stay topical.

> Might be illustrative to turn that around for a little while

Right... because you know so much about me and what I know and you will
teach me a little lesson. And in the mean time try and forget the point
that was made. Thanks, but no.

Enumerating badness is doomed to failure, at least in a theoretical
sense. Fortunately, the real world is a little more complex than that.
Maybe you honestly didn't get the point with Snort, so let's try another
one.

In a similar vein to the rant originally linked (for those who feel
masochistic it is
http://www.ranum.com/security/computer_security/editorials/dumb/) you
can find other enumerations of badness. Like the linked page. At least,
it *claims* to enumerate badness: it is giving the top six dumbest, most
brain damaged security ideas ever that are still being floated around.
If you don't think that is an enumeration of badness... I can't help
you. But the recursive nature of that should be informative.

All in all I'm beginning to understand why you place such a low value on
user education. I'm no expert on that subject, but there are some basic
principles. Easy to say, harder to apply.

1. Users don't care about security, they care about getting the job
done. Lecturing them on how bad they are for violating security
principles doesn't help. Instead, address how they can effectively,
efficiently and reasonably get the job done while doing so in a more
secure fashion.

2. Don't stick to your guns with absolutes. Be flexible. Don't forget
that security is not a state, but a process. And, yes, this *does* apply
to user education. Be careful about what you are educating them on: that
security is pointless and useless, or how they can be productive and at
least more secure than before.

3. Give them a solution. And that means a real solution, something that
they can actually use in practice in the real world.

It's easy to create a page and slam people for solving real problems in
the real world, but it is much more difficult to provide better
solutions when smart, educated people have already raised the bar.

Finally, that is seriously a page of the 6 dumbest, most dangerous
security ideas. Seriously? And he doesn't even mention passwords. (Not
that I'm offering a real world solution for that one...)

Tim Doty
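Added example for readers of this thread (not part of the message above, and not code from Ranum's page or from either poster): a short Python sketch of the two ideas being argued over. Part one applies a default-permit blocklist and a default-deny allowlist to the same constructed connections; part two runs two Snort-style "badness" rules over constructed HTTP request lines beside a default-deny check on path shape. The port sets, rule patterns, path grammar and sample inputs are all assumptions made up for illustration.

```python
import re
from dataclasses import dataclass

# ---- Part 1: "default permit" vs "default deny" as a packet-filter policy ----

@dataclass(frozen=True)
class Conn:
    src: str
    dport: int

# Constructed sample connections (illustrative, not taken from the thread).
SAMPLE_CONNS = [
    Conn("10.0.0.5", 443),      # HTTPS to the web tier
    Conn("10.0.0.5", 23),       # telnet, on the blocklist
    Conn("203.0.113.9", 3389),  # RDP from outside, on the blocklist
    Conn("10.0.0.7", 8443),     # a new service nobody has written a rule for yet
]

BLOCKED_PORTS = {23, 3389}  # enumerated badness (assumed list)
ALLOWED_PORTS = {443}       # enumerated goodness (assumed list)


def default_permit(conn: Conn) -> bool:
    """Allow unless the destination port is on the blocklist."""
    return conn.dport not in BLOCKED_PORTS


def default_deny(conn: Conn) -> bool:
    """Deny unless the destination port is on the allowlist."""
    return conn.dport in ALLOWED_PORTS


def permitted_ports(policy, conns) -> list:
    """Destination ports a policy lets through, in input order."""
    return [c.dport for c in conns if policy(c)]


# ---- Part 2: enumerating badness as detection, Snort-style ----

# Constructed request lines standing in for what a sensor sees on the wire.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /../../etc/passwd HTTP/1.1",          # plain traversal: both rules fire
    "GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.1",  # encoded variant: no rule fires
    "GET /images/logo.png HTTP/1.1",
]

# Each entry plays the role of a Snort 'content' match: one named piece of badness.
BAD_PATTERNS = {
    "traversal-dotdot": re.compile(r"\.\./"),
    "etc-passwd": re.compile(r"/etc/passwd"),
}

# Default-deny counterpart: a path passes only if it has a known-good shape
# (slash-separated segments of safe characters, optional extension). Assumed policy.
SAFE_PATH = re.compile(r"/(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+(?:\.[A-Za-z0-9]+)?")


def detect(request: str) -> list:
    """Names of the badness rules a request line matches (may be empty)."""
    return [name for name, rx in BAD_PATTERNS.items() if rx.search(request)]


def allowed_by_shape(request: str) -> bool:
    """True only for a GET whose path matches the allowlisted shape."""
    method, path, _version = request.split(" ", 2)
    return method == "GET" and SAFE_PATH.fullmatch(path) is not None


def compare(requests=SAMPLE_REQUESTS) -> dict:
    """Per request: which rules flagged it, and whether the allowlist would pass it."""
    return {
        req: {"flagged": detect(req), "allowed": allowed_by_shape(req)}
        for req in requests
    }


if __name__ == "__main__":
    print("default permit lets through:", permitted_ports(default_permit, SAMPLE_CONNS))
    print("default deny lets through:  ", permitted_ports(default_deny, SAMPLE_CONNS))
    for req, verdict in compare().items():
        print(f"{req!r:45} flagged={verdict['flagged']} allowed={verdict['allowed']}")
```

Run as a script, it shows both sides of the argument on the same data: default deny also blocks the unlisted 8443 service until someone adds it (the "users want to get the job done" cost), while the URL-encoded traversal slips past both badness rules but not the shape check (the "how do you know to add a rule" cost).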

