Experts: Network security deteriorating, privacy a lost cause

Internet and network security is bad, and it's going to get worse before it gets better. To make it better, CIOs and IT admins need to rethink the way that they approach protecting their networks from hackers and other miscreants. "We've got North Korea with ICBMs and we've got Iran developing an atomic bomb, but that's not …

COMMENTS

  1. Anonymous Coward

    More protection - more risk taking?

    "[...] if you have a user who wants to run down the hallway with scissors, a security professional's job is to help them do that as safely as possible, because they're still going to run with scissors."

    That doesn't fit with the perception that the more you protect people, the more risks they take.

    1. Charles 9

      Re: More protection - more risk taking?

      The problem is when protection gets in the way of productivity. If the guy wants to run down the hallway with scissors because the boss is tangled up in his/her chair wheels, then you better just get out of the way because safety comes second when the boss is involved, otherwise the risk of stabbing will be the least of your worries.

      As for hunting the wolves, that's also a lost cause because the wolves have already established havens for themselves in countries antagonistic to the sheep: some of them complete with world-ending weapons if push comes to shove. In fact, some of the wolves are in the employ of those self-same countries. How do you hunt a wolf when he's got an ICBM backing him up?

    2. Mikel
      FAIL

      these are different schools

      They should have an air gap.

      1. Fatman

        Re: They should have an air gap.

        And (L)users will find a way around it!!!

        Remember Stuxnet??? IIRC the infection vector was a flash drive.

  2. Michael Hoffmann
    WTF?

    Tallyho?

    Lots of talking about dealing with the threats the way we always have, which is of course by using the products these companies are pushing.

    Only near the end does it come to "oh and yeah, hunt the wolves". With not one sentence on how they propose to do that. Under the assumption that Symantec, Imperva, Sourcefire and the lot won't now add missile-armed drones to their network perimeter security arsenal, just what do they propose the average organisation should do to stop the attackers operating out of Russia, China, Romania, Syria, on and on?

    1. Yes Me
      Megaphone

      Re: Tallyho?

      "by using the products these companies are pushing"

      Indeed. Here are security companies saying it's all getting worse so you need more of our products. Actually, that's the wrong conclusion. The correct conclusion is that the current approach isn't working so we need something different. Putting gates across exits from the M25 doesn't prevent bank robberies in Central London. Perimeter defence doesn't work. Better designed banks prevent bank robberies. Better designed operating systems and applications prevent cyber attacks and privacy invasions.

      People blame the network for, say, SQL injection attacks. Silliness.

      1. Anonymous Coward

        Re: Tallyho?

        Here are security companies saying it's all getting worse so you need more of our products

        Logically, what they are really saying is "buy more stuff from us, because it didn't work last time either". That's a bit like the current, equally flawed fix to the financial system: "because they ignored our laws, we need more laws".

        I recognised that the current approach wasn't working almost 10 years ago and changed tack. The trick is not to restrict your thinking to technology.

    2. Mikel

      Re: Tallyho?

      All of the security companies have in their license agreement something like: "You accept that we have no chance in Hell of delivering actual security."

    3. JLV
      Black Helicopters

      >add missile-armed drones to their network perimeter

      Nah, unleash the black ice of hell.

  3. Anonymous Coward
    Megaphone

    "To make it better, CIOs and IT admins need to rethink the way that they approach protecting their networks from hackers and other miscreants."

    I think companies should hire better qualified personnel and, if they actually have those on the payroll, also start listening to them.

    The main problem in many big companies ("Enterprises") is the sometimes endless layers of managers. In certain cases the management layer has actually grown into an entity of its own. With that I'm referring to Enterprise environments that would hire managers solely based on management skills even though the person in question either completely lacks any in-depth understanding of his department or simply doesn't have enough understanding to fully understand what his team is telling him.

    Such a person will, more often than not, make decisions which make him look good. Or put differently: decisions which are most likely not to cause any members of the layer above him to become displeased (or worse) with him (put differently: his department). Even though, especially when talking ICT, sometimes such decisions have to be taken.

    "We need to upgrade the firewall today, there have been some flaws found in the operating system so we need to upgrade the kernel. It will require a reboot, so the website(s) will be down for a short moment".

    "Ok, but we have a big project coming up this week. Can you guarantee that the website won't be down for more than 5 minutes? No? Then I think we should postpone the upgrade to next week, then it's a much better time. Especially because we won't get as many visitors to the website as we will have this week".

    And what do you know; the admin who suggested the upgrade simply couldn't explain well enough that we were talking about a zero-day exploit which could allow 3rd parties to gain access to the server. The manager didn't understand enough from his department to inform about the risks involved, so that he could weigh the risk of a longer downtime to the risk of not upgrading the OS then and there.

    The result? Well; you'll be the judge of that. Depending on the flaw and the increase in traffic they could obviously also attract people who might try to exploit said flaw. Or not...

    Even so; in my opinion it's issues like these which are the real culprit. The reason I'm pointing to enterprise (-like) environments should be obvious: in many cases when we're talking about break ins and such these are usually involved.

    Heck; this could even go as far as an enterprise(-like) environment which provides (hosting) services for smaller companies. In my case there are some very strict rules to follow, which was one of the reasons I started hosting with my current provider: if they detect that you run your own DNS server and it can do recursive lookups for everyone they reserve the right to block said server. If they detect that you run your own MTA and it provides an open proxy then the same rules apply.

    How many hosting companies (once again: talking about Enterprise (-like) environments) will simply let it go because they don't consider it their problem ("the customer is responsible for his own server")? Even though enforcing such rules could prevent a lot of Internet "casualties"...

    1. oolor

      I agree with the idea of hiring better people, but perhaps the problem is we simply do not have enough people who can think about the things required in an appropriate manner (speaking about managers). Corollary to that is the fact that many IT-types who have the abilities technically lack adequate communication skills as noted in the article.

      As for your assessment of the true nature of the problem, I think you are dead-on. The people mentioned in the article obviously have a vested interest in selling their services to 'solve' the fear they bestow upon their target audience.

      I learned about security only after I got hacked on a small personal site with no info on it; oddly enough, that is what started me on the road to programming, since I had to understand the underlying software. Though, I like the idea of designing data security and as part of this I focused on minimizing data collected to start, before I even sat down to lay out the database or connections to it.

      Small data, if I don't need it now, I don't need it.

      1. Charles 9

        "Small data, if I don't need it now, I don't need it."

        The BIG problem with that is the fear that you drop the big one, someone else gets it, and leapfrogs you. And in a cutthroat environment such as this, NO ONE wants to drop the big one and get relegated into obscurity or (worse) liquidation.

    2. deadlockvictim

      My response to this question

      Bossman» "Ok, but we have a big project coming up this week. Can you guarantee that the website won't be down for more than 5 minutes? No? Then I think we should postpone the upgrade to next week, then it's a much better time. Especially because we won't get as many visitors to the website as we will have this week".

      Me» No. But we have a hole in the firewall. Do you agree to take responsibility in the meantime for any penetration by intruders, data-loss or data-alteration and the resulting resources required to undo the damage caused? While we have a hole there, I cannot guarantee it. I will need the answer in writing.

  4. preppy

    What about the LEGAL data aggregators?

    As usual, no one is worried about the privacy threat from perfectly legal data aggregators. Look up ChoicePoint or Acxiom. These people know more about you even than Google or Facebook.

    ...and then there's the worry that someone has hacked THEM!

  5. heenow

    Bull

    Try hacking an iMessage. Even the U.S. Feds are on their knees begging Apple to help them.

    The IT types are years behind. Why? They want everything to go through their servers, which they are not smart enough to secure properly. And they want to be able to put their grubby paws into your email at their leisure, just like a hacker.

    It's time to wipe the slate clean, send IT packing, and start over. Servers shouldn't exist at corporate locations.

    1. Don Jefe
      FAIL

      Re: Bull

      Jesus man, WTF are you talking about: "Servers shouldn't exist at corporate locations"? It's obvious you have no idea what many servers are used for so we'll just move past that.

      In your scenario who the hell would own the servers? Where would they be located?

    2. Fatman

      Re: Bull....Servers shouldn't exist at corporate locations.

      Servers shouldn't exist at corporate locations.

      What's that smell???

      BULLSHIT!!!

      Do we have a cloud salesman here!!!!

      1. heenow
        FAIL

        Re: Bull....Servers shouldn't exist at corporate locations.

        They would be located away from you fools who don't have a clue about security.

        Why can Apple do it with something as public and seemingly vulnerable as iMessage (feds can't crack it), yet you lot can't do it with a closed (convinced the CEO you could, you lying sacks o'...) network.

        That's the BS, sport.

        1. Anonymous Coward

          Re: Bull....Servers shouldn't exist at corporate locations.

          @heenow, take the knife in your kitchen and cut out your left testicle/mammary and those of your offspring, and offer a burnt sacrifice to Apple. But don't send it to them. They might not understand your well intended actions. Just let the smoke fill the air. I'm sure your gods will appreciate your rituals.

          Here, however, we do not worship corporations or anything for that matter. So your praises and bent logic are not welcome here.

  6. Anonymous Coward

    "It's the hacker you need to worry about, not Google itself."

    Amen!

    1. Anonymous Coward

      Re: "It's the hacker you need to worry about, not Google itself."

      If you're in the US maybe, otherwise I *would* worry. At the moment, if you're an EU company and use Gmail for corporate email you're simply breaking EU Data Protection laws and taking the rap for Google.

      1. Tomato42
        Boffin

        Re: "It's the hacker you need to worry about, not Google itself."

        there's a corporate version of Google Apps that's hosted in Ireland for exactly such purpose

        but with generic account, yes, you're right

  7. Anonymous Coward

    There's a better way

    "I think that for the last 20 years or so we've taken the approach as an industry of trying to armor the sheep. I think we need to start hunting the wolves,"

    Or even better, follow the money and start hunting the wolves' bankers.

    1. Charles 9

      Re: There's a better way

      You'll just find that the bankers are in cahoots and in the same black side of the industry (IOW, the hackers simply turned to financial groups who know how to run shadow accounts and the like). Also, there's a very real possibility of the backers (already antagonistic to the sheep) also being the bankers. Does the phrase "state-sponsored cyberwarfare" ring a bell?

      1. Anonymous Coward

        Re: There's a better way

        I think the economic embargo on Wikileaks showed that this can be applied effectively.

        As for state-sponsored hacking, that is targeted at espionage not fraud. Countries can print their own money (well, except for those in the EU but that's another story) so they hardly need to skim your bank account.

        1. Charles 9

          Re: There's a better way

          You can't use Wikileaks as an example because it was striving to stay on the "legal" side of the coin. All their proceeds had to come from legitimate sources or they'd lose their legitimacy. Black hats have no such moral/legal restraint and can use any and all means to obtain money, including but not limited to money laundering, mules, shadow accounts, and investments in other illicit businesses.

          1. Anonymous Coward

            Re: There's a better way

            Banks, even foreign ones, also try to maintain an air of legitimacy. They also depend on an interconnected financial network for viability. Threaten a bank with a complete financial embargo and I pretty much guarantee they'll start questioning the value of their 'shadow' accounts. You may think this is difficult but here's where the Wikileaks embargo is exemplary. It showed that the US is prepared to flex its global economic muscle when it is pissed, and that global financial organizations are quite happy to help.

            Wikileaks is also germane because it and hackers share another common trait. They piss people off all over the world. That makes it easier for govts and organizations that would normally block a US-led embargo to stand aside and allow it to happen.

          2. Anonymous Coward

            @ Charles

            "including but not limited to money laundering, mules, shadow accounts, and investments in other illicit businesses"

            None of those things you mention are methods of obtaining money.

            1. Charles 9

              Re: @ Charles

              Mules are a way. They're not under the eye of the law, so they start the chain in a way that the law can't see. Laundering, shuffling the money multiple times, muddies the trail, and the shadow account helps to hide the money from people like taxmen. Another way is to extort/blackmail/glean financial details, which are then used to withdraw money, take a cash advance, or something else that's hard or impossible for a bank to fully reverse. If the transactions are done a little at a time (smurfing) it will be harder for the banks and law to spot before the point of no return.

              The trick is to employ routes that avoid banks and other financial institutions as much as possible. Firms that want to maintain legitimacy keep within their purview as a show of security. The black market wants the opposite: to avoid them.

  8. Anonymous Coward

    political will

    .. is not just not there.

    I don't want to sound like a bleeding-heart hippy but security eats into profits for a lot of companies and "the man" is only after profit.

    Using more rational phraseology, the current smart meters in the UK are a good example. They are as secure as a paper bag, and would have proceeded with an "it's good for you" push from government... but now it seems "national security" may be at risk, it gets a little more of the security attention it deserves.

    While there is a divide in what is considered worth protecting, security will continue to be an issue.

    1. oolor
      Facepalm

      Re: political will

      Wow, so a clever teenager living in his mom's basement (<- insert English equivalent of North American stereotype here) can figure out how much 'leccy' you use and when. If they are really clever, they can hack your payments history and find out what appliances you purchased, but they have to be practical to deduce what is being used and when - and what do you care - or perhaps you are worried they will notice an 18/6 or 12/12 cycle and rip your grow?

      1. Richard 12

        Re: political will

        Smart meters do more than that.

        They allow different billing rates at different times.

        - So a miscreant can raise (or lower) your bill, by moving those times around. Perhaps make the Economy period from 1:00am to 1:05am?

        Many allow customers to be remotely disconnected.

        - Cutting a significant proportion of a single substation's load instantaneously could easily destroy the remaining customers' equipment due to overvoltage, and may even damage the substation. This has occasionally happened when a JCB has an accident, covered by the excavation insurance. Who pays for your new TV if it's killed by smart meter hacking?

        - Imagine what would happen if 10% of a region's demand were suddenly cut off without warning? What if it was more than that?

        Given that all potential miscreants will be provided with their very own example of the equipment to play with...

        1. Anonymous Coward

          Re: "billing rates" - Understanding fail

          The meter does not decide how much money you are charged. The meter measures how much energy you use.

          The billing system then works out how much you should pay based on the times and numbers given by the meter.

          The clues are in the names really.

          me·ter (noun): 1. an instrument for measuring, especially one that automatically measures and records the quantity of something, as of gas, water, miles, or time, when it is activated.

  9. Anonymous Coward

    Privacy

    "Give it up," he said, "it's over – everybody's going to know everything".

    Well, he may be right about that, but that lack of privacy is a major factor in the ease with which the miscreants are able to get into systems and hack around. So if he's advocating hunting wolves, I'm sure it wouldn't be too hard to locate Google and the like.

    Until that lack of privacy is rolled back somewhat, any other actions are likely to prove futile.

  10. Joe Montana
    FAIL

    Sheep

    These days no one bothers armouring the sheep, they just armour the pen they're kept in... If a wolf gets into the pen, he can have his pick of any of the sheep who will have become fat and lazy due to the false sense of security provided by the fences.

  11. jubtastic1

    The problem is that our devices are too easily subverted by unexpected inputs.

    No one would accept a washing machine that could be reprogrammed simply by a malformed laundry load (unmatched sock), computers need to get to the same place.

    We shouldn't be in a situation where every web facing app has to recreate the wheel, some degree of validation needs to happen by the underlying system before anything gets to see the bits.

    1. Charles 9

      Re: The problem is that our devices are too easily subverted by unexpected inputs.

      Actually, that can happen in real life. Imagine a sock of just the right material able to slip in through the gap between the tub and the frame, fall into the motor mechanism, and fry it. Congratulations, you just did the mechanical version of a Denial of Service attack: better known as good ol' Sabotage. As for reprogramming it, think of lockpicking or developing a tool to undo one of Apple's screws (or any other "one-way" screw you can imagine).

    2. Ben Tasker
      Stop

      Re: The problem is that our devices are too easily subverted by unexpected inputs.

      But that should already be happening at a basic level. If I'm expecting an integer I should be checking it, certainly before passing it to a database.

      The thing is, implementing any system-wide set of validation rules is sort of tricky without knowing what your software is supposed to be doing and expecting. It's down to devs to write safe code (and mistakes will always happen) and it's down to sysadmins to understand their own servers and secure them adequately. Additional software gives some extra protection but if either of those first two fail you're on a hiding to nothing anyway.
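Both this post and the earlier remark about blaming the network for SQL injection come down to checking input at the trust boundary. The following is an added example (not code from any poster) that shows, in Python with sqlite3 and a constructed in-memory table, the vulnerable pattern of pasting a request parameter into SQL text beside a hardened version that validates the integer first and then binds it as a parameter; the table, column names and sample values are made up.

```python
"""Validate an integer before it reaches the database: vulnerable vs. hardened.

Added example, not from the thread. Uses sqlite3 with a constructed in-memory
'orders' table; account ids and amounts are invented sample data.
"""
import re
import sqlite3

# Constructed sample data: (order_id, account_id, amount_pence)
SAMPLE_ORDERS = [
    (1, 1001, 1999),
    (2, 1002, 4500),
    (3, 1001, 250),
]


def make_db():
    """Build the constructed in-memory table the two lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (order_id INTEGER PRIMARY KEY, "
        "account_id INTEGER, amount_pence INTEGER)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    return conn


def orders_for_account_vulnerable(conn, account_id_param):
    """The request value is pasted straight into the SQL text.

    Anything that is not a bare integer changes the meaning of the query
    instead of being rejected, which is exactly the SQL injection case.
    """
    sql = ("SELECT order_id, amount_pence FROM orders WHERE account_id = "
           + account_id_param + " ORDER BY order_id")
    return conn.execute(sql).fetchall()


class InvalidParameter(ValueError):
    """Raised when a request parameter fails validation; the caller fails closed."""


# Shape check: 1 to 10 decimal digits, nothing else (no sign, space, or separators).
_INT_RE = re.compile(r"[0-9]{1,10}")


def parse_account_id(raw):
    """Accept only a bounded, non-negative decimal integer; reject everything else.

    int() alone is too lenient (it accepts ' 7 ', '+7' and '7_000'), so the
    text's shape is checked first and the numeric range afterwards.
    """
    if not isinstance(raw, str) or not _INT_RE.fullmatch(raw):
        raise InvalidParameter("account_id must be a decimal integer")
    value = int(raw)
    if not 1 <= value <= 2**31 - 1:
        raise InvalidParameter("account_id out of range")
    return value


def is_valid_account_id(raw):
    """Boolean form of parse_account_id, handy for tests and request filters."""
    try:
        parse_account_id(raw)
        return True
    except InvalidParameter:
        return False


def orders_for_account_hardened(conn, account_id_param):
    """Validate at the boundary, then bind the value so it is sent as data, not SQL."""
    account_id = parse_account_id(account_id_param)
    sql = ("SELECT order_id, amount_pence FROM orders WHERE account_id = ? "
           "ORDER BY order_id")
    return conn.execute(sql, (account_id,)).fetchall()


def demo():
    """Run both lookups on a benign and on a constructed non-integer input."""
    conn = make_db()
    benign = "1001"
    hostile = "1001 OR 1=1"  # constructed bad input: not an integer at all
    results = {
        "vulnerable_benign": orders_for_account_vulnerable(conn, benign),
        "vulnerable_hostile": orders_for_account_vulnerable(conn, hostile),
        "hardened_benign": orders_for_account_hardened(conn, benign),
    }
    try:
        orders_for_account_hardened(conn, hostile)
        results["hardened_hostile"] = "accepted"
    except InvalidParameter as exc:
        results["hardened_hostile"] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The vulnerable lookup returns every order for the non-integer input, while the hardened one refuses it before any SQL is built.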

      1. Charles 9

        Re: The problem is that our devices are too easily subverted by unexpected inputs.

        Plus sometimes there are constraints to consider. There's a reason C and other less-sophisticated languages are still around. More sophisticated languages that build in garbage collecting and type checking inevitably introduce overhead which can cost you in speed, space, or both. If one or both are at a premium, then you're between Scylla and Charybdis. You can be lean or you can be safe but you likely won't have the capacity to be both unless you bodge it yourself. It's like trying to cram a bigger machine into a smaller frame: physics dictates some things won't make it into the finished product unless you customize.

        1. Anonymous Coward
          Stop

          NOT correct

          You don't really need the inefficiency of Java or C# to have a memory-safe Programming Language. Most of the useful C++ efficiency can be retained in a memory-safe language. See this creation of mine:

          http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/trunk/doc/SAPPEUR.pdf?force=True

          http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/trunk/

          It has

          + C++ style Destructors

          + object arrays (as opposed to reference arrays)

          + almost all objects and arrays can be stack-allocated

          + efficient object aggregation (as opposed to aggregation by reference)

          + pointers which are automatically reference-counted and call synchronous destructors when required (as opposed to asynchronous GC)

          + is soft-realtime capable (as opposed to GC)

          + type support for memory-safe multithreading

          + efficient generic types

          Essentially, Sappeur is a safe subset of C++ and retains almost all performance features while getting rid of things like "pointing inside an array" and "funny casts out of laziness".

          1. Charles 9

            Re: NOT correct

            Memory-SAFE...but what about memory-EFFICIENT? Can you compile a Sappeur program to run in a limited memory profile, say an embedded device? IOW, can you be BOTH memory-safe AND memory-efficient? What safeguards bounds and other things as such at runtime if there's no extra memory to manage it? That's the tradeoff I'm talking about. It's not always about performance efficiency.

  12. Destroy All Monsters
    Thumb Down

    Start off with a turd? Expect me to read this?

    "We've got North Korea with ICBMs and we've got Iran developing an atomic bomb, but that's not our biggest problem," Brocade Communications chairman David House said.

    Iran is developing an atomic bomb? Says AIPAC and various sycophants of BushCo, which includes the sorry editorials of WaPo (yes, you Hyatt, you prick) and the War Street Journal.

    Instant disqualification as mouthpieces of the War Lobby.

    You, Mr. House, are just another useful idiot.

  13. Nate Amsden

    lost my ass

    I just checked -- I have 7,253 hosts/domains in Firefox that are blocked from storing cookies in my browser. Only 378 are allowed to store cookies forever (most of those appear to be work related). Another 2,832 hosts I trust enough to allow cookies for the browser session only. This list is built up over the past probably six years now that I have had Firefox prompt me for each and every cookie that comes in. The number of cookies on some sites is astonishing. Sometimes I just turn off cookies entirely when I am browsing around gaming sites (which is quite rare); the sheer number of prompts is just insane.

    I checked the numbers by looking at the Firefox permissions sqlite database.

    There are times when I have to click through 50 cookie dialog prompts to get to the website in question, because all of these objects are loaded at the same time and they all want to try to set a cookie. But that's the price I pay. Once the preference is stored in firefox I don't get further prompts from that host.

    Sometimes I have to go in and undo a cookie preference if it breaks a site I need to use. That can be annoying, though often times I just use another browser temporarily (it's pretty rare).

    Most of those tracking places (I worked for one of them for a couple years; they have a good privacy rating) don't track you by any other means than cookies; if you block the cookie you're invisible. There are other ways I am exposed of course, through LinkedIn (been wonderful for my career over the years), or my blog (similar -- though it took me many years to cave in to that; the blog is hosted on my personal colo server) or something. But those I have more control over. I am willingly surrendering that information to the public. Cookies are a different category. I don't use other social media sites. I do my own web site and email hosting (again on my personal colo), etc.

    Though I admit for the more typical user the privacy war is lost -- but for most of those average users they didn't care to begin with. I go back to that survey a while back which placed the value of privacy for folks at about the price of a candy bar (that is, they would give up their privacy for the candy bar).
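As an added example (not the poster's own script), this Python snippet reads the per-host cookie decisions out of a Firefox permissions.sqlite and tallies them the way the numbers above were gathered. It assumes the moz_perms table layout of current Firefox profiles (origin, type, permission columns) and the cookie permission codes 1 = allow, 2 = block, 8 = allow for the session only; the sample rows are constructed so the script runs without a real profile.

```python
"""Tally Firefox per-host cookie decisions from permissions.sqlite.

Added example, not from the thread. Assumes the moz_perms table layout used
by current Firefox profiles and the cookie permission codes below; run it
with a path argument against a copy of a real permissions.sqlite, or with no
argument to use the constructed sample rows.
"""
import sqlite3
import sys

# nsICookiePermission codes (assumed): allow, block, allow for this session only.
COOKIE_PERMISSION_NAMES = {1: "allow", 2: "block", 8: "session-only"}

# Constructed sample rows in the shape of moz_perms: (origin, type, permission)
SAMPLE_ROWS = [
    ("https://intranet.example", "cookie", 1),
    ("https://mail.example", "cookie", 1),
    ("https://ads.example", "cookie", 2),
    ("https://tracker.example", "cookie", 2),
    ("https://cdn-stats.example", "cookie", 2),
    ("https://news.example", "cookie", 8),
    ("https://shop.example", "geo", 2),       # not a cookie decision; ignored
    ("https://weird.example", "cookie", 3),   # unexpected code; counted as "other"
]


def open_sample_db():
    """Build an in-memory database with the assumed moz_perms schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE moz_perms (id INTEGER PRIMARY KEY, origin TEXT, type TEXT, "
        "permission INTEGER, expireType INTEGER, expireTime INTEGER, "
        "modificationTime INTEGER)"
    )
    conn.executemany(
        "INSERT INTO moz_perms (origin, type, permission, expireType, expireTime, "
        "modificationTime) VALUES (?, ?, ?, 0, 0, 0)",
        SAMPLE_ROWS,
    )
    return conn


def open_profile_db(path):
    """Open a real permissions.sqlite read-only so the profile cannot be altered.

    Firefox holds a lock on the live file, so copy it out of the profile first.
    """
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def cookie_decisions(conn):
    """Return counts of allow / block / session-only / other for type='cookie' rows."""
    counts = {name: 0 for name in COOKIE_PERMISSION_NAMES.values()}
    counts["other"] = 0
    rows = conn.execute(
        "SELECT permission, COUNT(*) FROM moz_perms "
        "WHERE type = 'cookie' GROUP BY permission"
    )
    for permission, n in rows:
        counts[COOKIE_PERMISSION_NAMES.get(permission, "other")] += n
    return counts


def blocked_origins(conn):
    """List the origins whose cookies are blocked outright, for review."""
    rows = conn.execute(
        "SELECT origin FROM moz_perms WHERE type = 'cookie' AND permission = 2 "
        "ORDER BY origin"
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = open_profile_db(sys.argv[1]) if len(sys.argv) > 1 else open_sample_db()
    for name, n in cookie_decisions(db).items():
        print("%-13s %d" % (name, n))
```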

    1. Anonymous Coward

      Re: lost my ass

      I work the other way around, let the cookies in but delete them pretty quickly.

      After I've been to my bank or a gaming site I just Ctrl+Shift+Delete and all cookies, history, cache is gone.

      Try this experiment. Install NoScript and Ghostery in Firefox.

      Go to Sky News or the Daily Telegraph, nothing will work.

      In NoScript "Temporarily allow all this page".

      Watch as Ghostery starts to block all the trackers and notice that NoScript has detected yet another script!

      It is almost never ending and whatever you try the videos won't play. If I really want to see the video I search for it on YouTube.

    2. Anonymous Coward
      Flame

      Re: lost my ass

      You assume they only track via Cookie. Sure as hell the "expert" collectors such as Google and Facebook will collect based on IP address. Flushing the cache and maybe even complete blocking of Cookies won't help much, as they still have your IP address, which is typically good for an entire day. It's sufficient to log into webmail once to nail that IP to your account. For the rest of the day, they don't need any cookie to associate all your browsing quite effectively to your person. And of course, they can go back in time if you log into your email after having done other web-based traffic. That works for many scenarios of DSL routers.

      And, sure as hell the webmail companies will sell the Clearname/day/IP address tuple to whoever pays most. Except if it is Google, they want it for themselves and the powers that be.

      Use a proper anonymizer if you want privacy!

      1. Michael Wojcik

        Re: lost my ass

        You assume they only track via Cookie. Sure as hell the "expert" collectors such as Google and Facebook will collect based on IP address.

        The IP address is hardly reliable, assuming we're talking IPv4, which we very likely are; they're almost always assigned by DHCP and sitting behind NATting routers, so they don't uniquely identify users. Trackers are likely to start with more reliable techniques, such as so-called "web bugs" and ETag-based "respawning cookies" (which are not cookies at all), before falling back on something as low-signal as an IPv4 peer address.

        For some of the big data collectors it's questionable how soon they hit the point of diminishing returns on tracking mechanisms, though. With cookies and Javascript analytics, Google gets the vast majority of its users. The same is true of sites like Facebook and Amazon. They could employ more aggressive tracking, but the incremental improvement to their data will be small. Even for users whose history is obscured, those sites get useful information to add to their aggregate statistics; it's just the history that's missing. That relatively tiny bit of additional history information probably won't affect their models significantly, so why bother with heroic measures?

        Firms that sell tracking data as their primary product - KISSmetrics is a good example, since they were at the front of the ETag-tracking controversy - have a reason to use aggressive tactics: they're marketing points ("we can even track users who delete cookies!"). Sites with smaller user bases that really need to get their recommendation systems up to snuff or provide metrics to show advertising performance (hello, Hulu) may also need to get tricky. But Google and Facebook? If they're using the more-intrusive techniques, it's probably developers trying to justify their salaries. I strongly doubt it makes any difference in the models they're building.

        1. Anonymous Coward

          WHOOSH @ Michael

          The OP wasn't referring to the internal, local, private IP addresses - which in any case are not available to Internet servers anyway.

          He means your public IP, duh, the one your router has. The one all of your clients sit behind using NAT, and therefore appear to have to everyone out on the Internet.

  14. Mikel

    Network security?

    Network security isn't any worse now than it ever was. And it's no better. Also, Unicorns are neither more nor less available. All of these are mythical objects having no substance whatsoever.

  15. Anonymous Coward

    Iran is not developing a nuclear bomb! Does every regular Joe just accept the ridiculous war propaganda without a second thought?

    1. Anonymous Coward
      Mushroom

      I am quite sure they do, as Israel has done a long time ago. Or Britain, France, Russia and of course America. Where is the moral and legal justification for denying Iran to have nukes?

      America invented and used nukes. Iran merely wants to defend itself against USrael.

  16. Anonymous Coward

    Privacy isn't lost - it only got more expensive

    Privacy lost? That's a defeatist argument of someone who has given up and seeks to justify that.

    Privacy isn't lost, but it has indeed become harder to protect, especially since technical people seem to think that it's only a matter of putting some crypto in a product. It just takes more skill.

    1. Charles 9

      Re: Privacy isn't lost - it only got more expensive

      It is BOTH defeatist...AND realist. Network security is like crimefighting. You're never gonna stop ALL of it. It is the case of "you have to be lucky all the time, they only have to be lucky once" AND they outnumber you. It's just that with network security, ONE breach is usually enough.

      So the challenge of network security is to prevent ANY breach (since only once is enough to basically ruin you). Only a perfect security solution can achieve that level of success.

      However, man is imperfect. Therein lies the contradiction.

      1. Anonymous Coward
        Anonymous Coward

        Re: Privacy isn't lost - it only got more expensive

        It is BOTH defeatist...AND realist

        No, it's lazy. This is the sort of attitude that creates security budgets that are only sufficient to cover liability in case something goes wrong, but does not allow a decent crisis plan and customer care for such a situation to be put in place. This means when a breach occurs you get the sort of mealy mouthed crap politicians come out with like "we did everything we could" - generally a claim not investigated further.

        There is a LOT more that can be done than just amoeba level "challenge-response" activity, but it takes hiring brighter (read: more expensive) people instead of glorified "I follow process because that's all I am capable of" overpaid administrators.

        The options are simple. Do it right, or end up a dead cert for a breach. And stop giving up *before* the battle.

        1. Charles 9

          Re: Privacy isn't lost - it only got more expensive

          "The options are simple. Do it right, or end up a dead cert for a breach. And stop giving up *before* the battle."

          That's the problem. There is NO "do it right". That implies perfection in an imperfect world. As someone else has said, network security is an oxymoron: much like Digital Rights Management. The INHERENT risk of making something available on a network is that the wrong person accesses it: either by breaking the defenses (brute force hacking) or by disguising as one of the trusted (phishing). It's like the front door: strong crooks break the door down, clever ones get an impression of your key. Not even the vaunted air gap is 100% effective, as Stuxnet showed.

          In the final analysis, network assets should be a value/risk evaluation. How useful is the asset on a network vs. the risk of someone exposing it. Instead of trying to keep hardening the target, the targets themselves should be evaluated to see if they're worth the risk and taken off if not. If the system will fail eventually, the best one can do is to fail safe and minimize the damage.

  17. Christian Berger

    Network security is an oxymoron

    Networks can never be secure, as they are typically outside of your reach. You cannot prevent people from tapping your wires, unless you go through extreme measures.

    Instead the more sensible approach is endpoint security. Make sure that whatever data you throw at your endpoints, they will not break and that all data that needs to be secure is properly encrypted and authenticated.

    This is something modern Unixoid systems are fairly good at. If you want to transfer files between 2 networked Linux boxes, you are likely to use ssh, which is encrypted and authenticated. Same goes for web services. A good percentage of those are already reachable via https, and even though https has its serious flaws, it's still not relying on some imaginary network security.

    1. Anonymous Coward
      Stop

      Re: Network security is an oxymoron

      That's not enough. Crypto solves some problems very well and others not at all. If you get an encrypted message containing an xlsx file, how do you make sure there is no buffer overflow-based virus inside* that xlsx? Or if there is one, how do you limit the damage? Currently, this kind of bug means "user account owned". It does not have to, as sandboxing could contain it. See the Google Chrome security model.

      * Or: How do you make sure your xlsx does not contain a Flash movie which contains an exploit for Flashplayer? Not kidding, that's how they owned RSA and Lockmart. You see, commercial IT is wholly corrupted.

  18. gnufrontier

    Tin cans and a string

    The issue isn't network security it's communications security. As soon as some form of relay is established, security is compromised and one faces tradeoffs.

    Does one send a single messenger on horseback (slower, less conspicuous but more vulnerable), surround the messenger with armed guards for protection (slower, more expensive, more conspicuous, less vulnerable) or presume monitoring but encode like smoke signals (conspicuous, faster, decipherable)?

    Technology has made the means of communication orders of magnitude more complex, but the same basic trade-offs haven't changed. What technology has also done is increase the number of domains and instances of messages categorized as needing to be secure. No longer is security just the provenance of battlefield communication.

    For some reason there is a growing acceptance that loss of privacy for individuals is inevitable but what hasn't yet caught on is that privacy for abstract entities such as governments, corporations etc. will also be eroded.

    Right now, people accept cameras everywhere monitoring our behavior, but institutions are allowed to go about much of their business without such constant monitoring. We can't imagine that there would ever be cameras in every board room, every court, every meeting. What would be the effect of such transparency? And yet this transparency is happening, not with cameras but with every form of communication within institutions, and they don't like it.

    People think monitoring is fine when they think they have nothing to hide, but does refusal to be monitored mean there is something to hide? Institutions give reasons such as state security, competitive advantage, protection of property, the recently conjured up modern notion of privacy etc., but if individual privacy is eroded one can't expect institutional privacy to be maintained.

    Technology is neither the problem nor the solution. It is rooted in our very attitudes towards others. Competition, mistrust, domination and unifying conceptions which tend to be exclusionary and limited (religion, nationalism, gardening and fan clubs are all examples).

    We are dealing with two contradictory principles that have been used to describe our "information age", one that information is power and the other being information wants to be free.

    Although as in times past, increasing amounts of money, time, effort and technology will be thrown at this security problem, we can neither get off this road nor know where it is taking us but there will be much "sound and fury" along the way.

    1. Anonymous Coward
      Stop

      Re: Tin cans and a string

      It's also laziness and profiteering. Would you volunteer to be a security soldier in your local bus once per month for a day? I am sure you have more important business in front of your TV to do. In exchange, they monitor your every move on public transportation these days.

      Plus, killing foreign "terrorists" with drones makes much better revenue than selling pistols and machine guns for police-style security forces.

    2. Anonymous Coward
      Anonymous Coward

      @ gnufrontier

      You should read Orwell's 1984.

  19. amanfromMars 1 Silver badge

    There is an air gap, Mikel* ..... AIResearch and digital Developments .... AIR&dDs

    And if you think all of that news is bad [if you have dirty little big secrets to hide] or good [if you don't have secrets to hide, and can recognise and accept perfect transparency as an effective disinfectant and deterrent to manipulative malfeasance and ignorant arrogance/arrogant ignorance], please be advised that the Great IntelAIgent Game has only just started and you aint seen nothing yet …….. and Google have been cordially invited out to play in ITs Alien Space Places …… http://www.ur2die4.com/?p=4161 …… but they are not necessarily leaders following in the leading fields there.

    And whenever you be told that GCHQ is fully aware of the situation, can you ponder on the dire state of national television intelligence servering and the BBC's abject failure to better beta edutain/educate, inform and entertain the masses for/with digital control of the future.

    Where be there a John Reith when he be needed?

    HM ER got it just right whenever she shared, allegedly, …… "There are powers at work in this country about which we have no knowledge." ….. http://news.bbc.co.uk/1/hi/uk/2407841.stm ….. for there most certainly is/are. Of that you can be assured. But only the fool and their tools would be rightly terrified, methinks.

    * Mikel posted Sunday 26th May 2013 07:09 GMT here, on this thread :-)

    1. Anonymous Coward
      Flame

      Re: There is an air gap, Mikel* ..... AIResearch and digital Developments .... AIR&dDs

      You mean a Female Mafia Boss threatened one of her disloyal underlings? Say it didn't happen!!!!!

      "We can't guarantee for your security, Paul...."

      It's actually quite simple, there are more than enough former members of the armed forces in the west who will bully and intimidate people who are uttered to be "enemies of the state". No proof, no court proceedings required whatsoever. No real secret here. And no need for a special service. Dumb ex-soldiers to be used by their former officers live in almost every street.

      1. amanfromMars 1 Silver badge

        Remote Virtual Assaults are Impossible to Defeat and therefore Perfect ....

        .... for Targetting WMD Users and Abusers?

        It's actually quite simple, there are more than enough former members of the armed forces in the west who will bully and intimidate people who are uttered to be "enemies of the state". No proof, no court proceedings required whatsoever. No real secret here. And no need for a special service. Dumb ex-soldiers to be used by their former officers live in almost every street. .... cs_graduate Posted Monday 27th May 2013 13:53 GMT

        You might find if you cared to investigate, cs_graduate, and especially so with regard to former special forces officers and men, who would never recognise the description of being dumb ex-soldiers, that they are a lot smarter now than they ever were before, and they may realise that the state is the enemy and cares little to nothing about them and theirs and their welfare after their service of following dumb political and financial orders.

        And that puts pompous and pontificating ministers and senior dodgy communications advisers in the frame for future soldierly special forces undivided attention, to name but a brace of deserving souls worthy of that which they would be peddling/pimping and pumping and dumping. And that would give them lead with intelligence services too, which would be a pleasant change from the mayhem and madness which be presently servered for world views in the daily news.

        You gotta think out of the box which imprisons you, cs_graduate, otherwise you be destined and fated to be slave to the system and just an inconsequential number.

        1. amanfromMars 1 Silver badge

          Take Care in a Registered Post, for ITMagicians and AIMetaPhysicians can Deliver You, Anything

          Proof positive of the earlier post …. Posted Monday 27th May 2013 18:31 GMT …. and the contention that the state be the enemy, and by inference and direct association that would imply the problem is rooted in the government of the day, be here, …. http://www.independent.co.uk/news/uk/home-news/betrayal-of-our-wounded-veterans-i-served-my-country-then-they-turned-their-backs-8633611.html ….. and how would one disagree with that, whenever William Hague is arguing to arm right dodgy foreign rebels to attack national and military forces* and Iain Duncan Smith is floating the notion that social benefits be removed from general circulation and channeled into national defence and police forces to secure protection for systems and administrations which are creating deadly enemies …… which be akin to rogue government officials trying to ringfence security and protection for themselves?

          And they think to call themselves leaders worthy of a nation's support and election into high office? Oh please, that be certifiable madness and a conservative recipe for disaster to be visited upon the intellectually deficient and psychotically delusional?

          And those be two valid enough questions to be asked of UKGBNI Intelligence chiefs, whoever they be, wherever they be, for they are failing spectacularly to secure and protect the future with the exercise of intelligent lead, which the public might be expecting them to be supplying to media for the puppets in Parliament to present as democratic policies.

          * Isn't that something similar to what Uncle Sam did in Afghanistan just before the Russians left and in Ulster too, whenever they were funding terrorism and the dirty war with donations there also? Some special relationship, eh?

          Yes … it's a mad, mad, mad, mad world in deed, indeed, but who needs fools at the levers of control, other than other fools hell bent on their own destruction? Certainly no one sane is going to accept such nonsense as a reality to be supported and supplied with Great Game Changing Novel Technology/AIMethodology/NEUKlearer HyperRadioProActive IT, are they? Casting pearls before swine never produced anything worthwhile.

  20. Anonymous Coward
    Anonymous Coward

    It's hackers that are the problem.

    Stick a knife in your chest then. I'm glad the correct words "attack" and "attacker" were used towards the end.

    TO THE REGISTER EDITORS:

    Please keep it real. Every one of your authors and editors should know the meaning of "hack" and "hacker". If not, please quit your job and go work for Disney. I hear it's pretty nice over there.

    1. Michael Wojcik Silver badge

      Re: It's hackers that are the problem.

      Door closed, horse long gone.

      How about we pick a battle we might win, like telling people to stop pronouncing "jejune" as if it were a French word?

  21. Anonymous Coward
    Anonymous Coward

    Hunting the wolves ????

    The problem here is that it is illegal to do in most western countries.

    You need to jump through many hoops to get the police/FBI <fill in your favourite law enforcement agency> to do anything.

    Also a lot of website hacks are due to sloppy (either by internal developers or a contractor) coding.

    I've learned to not trust a single bit coming from a browser; all data needs to be checked on range, unwanted characters (which may allow SQL injection) etc. before doing any processing. There are tried and tested methods to ensure that a session is not hijacked.
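The range and character checks and the SQL-injection point from the post above, as an added example that is not part of the thread: a concatenated query next to a parameterised one, plus a validation step that rejects request fields before any processing. The table, the sample rows, the hostile value and the username rule are all constructed here for illustration.

```python
"""Added example: browser input is untrusted until it has been checked."""
import re
import sqlite3

# Constructed sample data, standing in for a web application's user table.
SAMPLE_USERS = [("alice", 31), ("bob", 45), ("carol", 27)]

# Constructed username rule: lowercase letter first, 3..32 chars in total.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the request value is spliced into the SQL text,
    so a quote inside `name` changes the structure of the query."""
    sql = "SELECT name, age FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: `name` travels as a bound parameter and is only
    ever compared as data, whatever characters it contains."""
    return conn.execute(
        "SELECT name, age FROM users WHERE name = ?", (name,)
    ).fetchall()


def validate_request(fields: dict) -> dict:
    """Character- and range-check every field; raise ValueError on any
    problem so nothing from the browser reaches processing unchecked."""
    name = fields.get("name", "")
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("name: unexpected characters or length")
    try:
        age = int(fields.get("age", ""))
    except ValueError:
        raise ValueError("age: not an integer") from None
    if not 0 < age < 150:
        raise ValueError("age: out of range")
    return {"name": name, "age": age}


def request_is_valid(fields: dict) -> bool:
    """Boolean wrapper around validate_request for callers that only
    need accept/reject."""
    try:
        validate_request(fields)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    db = make_db()
    # Constructed hostile value: closes the quoted literal and appends
    # an always-true condition.
    hostile = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, hostile))  # every row comes back
    print("safe:  ", lookup_safe(db, hostile))    # no row matches
    print("valid: ", request_is_valid({"name": hostile, "age": "31"}))
```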

  22. Pete 2 Silver badge

    Knowing everything about nothing

    > Everything is going to be known about you

    What a load of self-important cobblers.

    Having a few snippets of information about when someone using my CC last bought some teabags online, or whether I sent my aunt an email on her birthday means nothing. Even if these sorts of items can be linked back to an individual - so what? It tells people nothing about what I want, my goals, desires or fears.

    At best it just presents some slightly-less-than-irrelevant information for my ad-blocker to ignore and sends a few irrelevant emails to a spam-dump email address - never to be seen by anyone.

    This "knowing everything" meme is the same as stating that white noise contains all the answers to all the questions in the universe. It may well be true, but the cost of sifting through it all to find those answers is extremely high - much higher than the value that results. Plus, like white noise, there is no guarantee that what seems like the correct answer (gleaned from an online transaction 10 or 20 years ago - and yes, I have some from 1993) is either still relevant or has made the correct inferences.

    1. Anonymous Coward
      Stop

      Re: Knowing everything about nothing

      Very naive indeed. Google can predict what the average net user will do the next day. Based on that the powers that be can make a nasty reception party happen. If they deem this necessary, based on your disobedient (but probably perfectly legal) behaviour.

  23. Anonymous Coward
    Flame

    Problem Is Much Deeper: Corruption Of Mind

    The "leadership" of the western world has convinced itself that Money Trumps Everything. That means:

    * we "need" Acrobat Reader installed on each and every PC, to "read business literature and MAKE MONEY"

    * we "need" Adobe Flash Player installed on each and every PC (see RSA "Security" (nice joke, isn't it?)), to "view business video clips and MAKE MONEY"

    * we "need" MS Office installed on each and every PC (see RSA "Security") to "write business documents and MAKE MONEY"

    * we "need" to run Windows on each and every PC, because "our customers run Windows, too. They have THE MONEY"

    * we "have no money" for serious security efforts in bespoke systems

    * we the leaders "have no time to look into technology issues and discuss them with experts", as we "need to care about MONEY"

    Very much the same can be said about the banking industry, which bribes the hell out of politicos so that they "have to count the MONEY; have no time to lock down finance".

    In short - the western world is terminally corrupt and nothing will save us short of something which will bring fidelity and rationality back. It usually takes a rather authoritarian journey to eradicate excessive corruption. Grab a history book and find out the Anglos had this kind of thing too, before you cry "mother of democracies".

    1. garbo
      Devil

      Re: Problem Is Much Deeper: Corruption Of Mind

      I guess it was a smart move, my leaving the West and heading to the East all those years ago.

  24. Anonymous Coward
    Anonymous Coward

    No they don't

    "Every click you make on the web is already being tracked. "Right now, Amazon and Google know everything about everything you do, and the ads that pop up are all related to stuff that you have been looking at or you thought about," House said. "They already know about you".

    Never seen those ads popping up. The best they can do is show ads in my native tongue.

  25. garbo
    Mushroom

    Another Lost in Space loon

    ICBMs and atomic bombs vaporising your city are nothing compared to a hacker stealing your Facebook (eg) password. After a nuclear attack he won't need cyber protection.

  26. Anonymous Coward
    Anonymous Coward

    "Every click you make on the web is already being tracked. "Right now, Amazon and Google know everything about everything you do, and the ads that pop up are all related to stuff that you have been looking at or you thought about," House said. "They already know about you.""

    Not everything, and not everyone is a pleb. Some people can and do protect privacy (where possible)
