 astirusty Premium join:2000-12-23 Henderson, NV
No hope for John/Jane, since security pros are confused too.
An article by Bruce Schneier predicting that the "RSA Conference Will Shrink Like a Punctured Balloon" has an interesting statement about security products: "The booths are filled with broad product claims, meaningless security platitudes and unintelligible marketing literature. You could walk into a booth, listen to a five-minute sales pitch by a marketing type, and still not know what the company does. Even seasoned security professionals are confused." And Bruce hits on one issue of security when it comes to the John/Jane consumer/user that some security pros fail to recognize.
"No one wants to buy security. They want to buy something truly useful -- database management systems, Web 2.0 collaboration tools, a company-wide network -- and they want it to be secure. They don't want to have to become IT security experts. They don't want to have to go to the RSA Conference." Emphasis added in bold.
And for those here who just "LOVE" car analogies...
"Imagine if the inventor of antilock brakes -- or any automobile safety or security feature -- had to sell them directly to the consumer. It would be an uphill battle convincing the average driver that he needed to buy them; maybe that technology would have succeeded and maybe it wouldn't. But that's not what happens. Antilock brakes, airbags and that annoying sensor that beeps when you're backing up too close to another object are sold to automobile companies, and those companies bundle them together into cars that are sold to consumers." -- Do yourself a favor, just say no to anything Windows.
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
One of our members posted this today in his new blog... and I think he will permit me to post some of it here, since I think it ties into that which you thought was important to highlight...
Blake Link Logger »www2.dslreports.com/profile/356416
Blogging from Microsoft MVP Summit Conference 2008 April 16, 2008 18:04
»www.spearpoint.ca/blog/post/MVP-···Two.aspx
"The rest of the afternoon was spent discussing the current state of the art and future of security coding tools and practices. Certainly this discussion has got me doing some thinking as I'm not really sure I agreed with what was said by some of the other people, but we obviously have different objectives and requirements, which in itself highlights a problem within this area. Not everyone wants the same thing, nor has the same expectations, budget etc. I get the Threat Modeling, the use of techniques to detect potential SQL Injection issues, Fuzzing etc, but my objective is to secure the applications built by smaller companies who don't have the Threat Modeling experts, tools and such that large ISVs and Enterprises might be able to afford. In some ways I'm the guy who is looking for the 80% solution for the 20% cost that pretty well any company can implement no matter how big or small. I'm not asking a company to get perfect security as I know that isn't possible or feasible, but really when it comes to security you just don't want to be the low hanging fruit. One person I was talking to agreed with me and described it as being chased by a bear: you don't need to be the fastest man on earth, just faster than the other guy. I must admit I'm a little wary of automated testing tools as a silver bullet; I've seen them come and go, and while they might have been able to offer some direction or suggest areas to investigate, they were never silver bullets. I guess I'm looking to just start by educating developers about the dangers and the simple techniques and tools to help get them going in the right direction. The journey of a thousand miles starts with a single step sort of thing, and some of the solutions discussed in my opinion are more than a single step and more like having a rocket pack, which is great if you've got the dough to buy one, otherwise you're hooped.
Now to be fair Microsoft wasn't suggesting these big ticket complex systems, but other people in the room were, and again for their clients these might be great, but one size definitely doesn't fit all here."
"We had dinner tonight with Michael O'Neill, liked the guy right off as he has two L's in his last name. We talked about the challenges facing the Developer Security group and while I'm thrilled to be in this group, I'm wondering if perhaps I should have thought about it a little more before coming over. When I was in the Windows Security group we pounded on the Microsoft Windows guys and they did something, as Microsoft didn't give them much choice but to make it so; Microsoft accepted they had a problem and they had to do something to fix it as it wasn't going to go away on its own. In the Developer Security group we are dealing with third party developers working on third party applications, so Microsoft just can't hammer them into action; we will need to provide them with the guidance, tools, education, and provide them with the information required to motivate themselves. This will be a challenge to start with as frankly there are all sorts of reasons (none of them good) for resisting change. Security isn't free and it requires change, and given that most dev shops are already underfunded and overworked this change isn't going to come easily (frankly I think that most development shops have serious personal problems as frankly I don't think developers are enjoying their jobs anymore, as far too many shops have become little more than sweat shops, because of increasing expectations, falling employment numbers, etc). I sometimes wonder if third parties will need to experience the intense pain that Microsoft felt in the past to motivate them to make security a priority worthy of investment of enough resources and budget to elevate their game to an acceptable level.
Michael is putting a lot of thought into how Microsoft can help external developers and I think he has a pretty good group of very diverse people in his MVP group to help him achieve this goal, and plus I love a really good challenge to test my belief that this really is the 'next' big issue in security." -- Gladiator Security Forum »www.gladiator-antivirus.com/ * A fun/friendly/informative forum for the mature elder crowd »www.theover50goldengroup.net
La Luna Surviving Ashraful Premium join:2001-07-12 Hewitt, NJ
reply to astirusty: There's also the issue of "convenience" for John/Jane Home Users. People want secure, out of the box, but they don't want to be, in any way, shape or form, inconvenienced by it. UAC is sort of a case in point. Having to click through a couple of boxes is too inconvenient, as we've seen posted on these forums many times. They'd rather disable UAC.
The corporate/enterprise world may be a little different, but I'd bet the mindset is pretty much the same....make it work, make it absolutely secure....but don't inconvenience us.
So what is a developer of a security app, or even MS, to do when the end users want to have their cake and eat it too? -- 10,925 DEADLY TERROR ATTACKS SINCE 9/11~~TEAM DISCOVERY Can't feel you anymore, don't need you anymore, don't believe you anymore, I don't need you anymore
 SUMware Premium join:2002-05-21
reply to Name Game, said by Name Game: "Security isn't free." It is with Linux.
La Luna Surviving Ashraful Premium join:2001-07-12 Hewitt, NJ
ahhh, shaddup.
SUMware Premium join:2002-05-21
Heh. How's things with your 'Linux Mint' install?
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
reply to SUMware: You can take that to the bank.
»techrepublic.com.com/5208-6230-0···&start=0
»forums.fedoraforum.org/archive/i···211.html
»www.google.com/search?hl=en&q=li···e+Search -- Gladiator Security Forum »www.gladiator-antivirus.com/ * A fun/friendly/informative forum for the mature elder crowd »www.theover50goldengroup.net
 SUMware Premium join:2002-05-21 edit: April 17th, @06:31PM
Yes. In an MS dominated world, support by businesses for consumers choosing to use Linux is not necessarily encouraged.
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
edit: April 17th, @06:47PM
said by SUMware: "Yes. In an MS dominated world, support by businesses for consumers choosing to use Linux is not necessarily encouraged." I don't either... too many friends I know got their accounts cleaned out... even 4 years ago friends who live in Brazil got their desktop PC in Sao Paulo compromised and their entire savings account whacked by thieves working out of an internet cafe in Rio with just one floppy disk of trojans. At first the bank accused my friends that it was their fault... and even possibly one of their kids did it... in the end I helped them track it all down and prove how it really happened... we even uncovered that the gang had inside help at some of the branches to cover their tracks. -- Gladiator Security Forum »www.gladiator-antivirus.com/ * A fun/friendly/informative forum for the mature elder crowd »www.theover50goldengroup.net
  Steve SAS-70 is extortion Consultant join:2001-03-10 Tustin, CA
edit: April 17th, @08:25PM
reply to SUMware, said by SUMware: "It is with Linux." Having BIND and sendmail *cough* sorry nwrickert *cough* on my systems makes me feel so warm and safe...
La Luna Surviving Ashraful Premium join:2001-07-12 Hewitt, NJ
reply to SUMware, said by SUMware: "Heh. How's things with your 'Linux Mint' install?" Ok. Still a learning curve.
 SUMware Premium join:2002-05-21
edit: April 17th, @07:23PM
said by La Luna: "Ok. Still a learning curve." Yep, understand. Went through it myself, as with anything new. Still am, and enjoying the process.
Congrats on giving it a try!
mikenolan7 Premium join:2005-06-07 Torrance, CA
reply to astirusty: It's still more fun being multi-lingual. I can be, and have been, owned in several different OS's. It keeps life interesting. They say an expert is someone who's made every mistake already, and I'm determined to do that in a hurry!
 astirusty Premium join:2000-12-23 Henderson, NV
reply to La Luna, said by La Luna: "The corporate/enterprise world may be a little different, but I'd bet the mindset is pretty much the same....make it work, make it absolutely secure....but don't inconvenience us." Based on my experience you're close, as in: "... mindset is pretty much the same....make it work, ...but don't inconvenience us." Oh wait, you're talking about the corporate security experts' point of view. I was thinking about the corporate end-users' point of view.
Most of the corporate end-users I knew simply did not give _____ about security, and I am talking about highly educated people with Masters or PhDs in Math, Science, Geology, etc. The exception was when some security policy caused them extra effort. Forget UAC type stuff, we're talking basic stuff like having to change their passwords every 60 days or being logged out due to inactivity. -- Do yourself a favor, just say no to anything Windows.
 mikenolan7 Premium join:2005-06-07 Torrance, CA
It's not just at work that highly educated corporate end-users have that point of view. I would constantly warn friends at work about the dangers of their home computing habits, and they would look at me like I was nuts.
"Stop visiting those porn sites and doing your banking on the same machine. No, your default configured NAT router will not protect you with those habits."
"You're too paranoid."
  Blackbird Built for Speed Premium join:2005-01-14 Fort Wayne, IN
reply to astirusty: Schneier makes a very insightful point in the article:
"For a while now I have predicted the death of the security industry. Not the death of information security as a vital requirement, of course, but the death of the end-user security industry that gathers at the RSA Conference. When something becomes infrastructure -- power, water, cleaning service, tax preparation -- customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers." Whether he's right or not about the "death" of the end-user security industry is not my real point. What stands out to me is his implication that the Internet is in process of finally joining the "infrastructure" - at least, to a great many users. That perception changes expectations and it changes what people are willing to do themselves in order to use the infrastructure to simply "get things done." And IMHO it will eventually change how the industry deals with meaningful security - a key question being: how long is "eventually"?
However, this infrastructure perception sets up a growing tension between the evolving "bundling" thrust and the issues of monopoly/anti-trust. Referring to Schneier's car analogy, in the auto industry when car companies do the bundling, developers of innovative concepts have to sell their ideas to the car companies... and, if successfully "sold", the car companies demand a wide variety of tight specifications, cost controls, and delivery commitments from a developer for whatever he supplies. The end customer only deals with the end results - the car - which will hopefully be successful. But a major problem arises if there's only one major company selling the end product(s), be it cars or software. One only need observe the near-daily criticism, justifiable or not, occurring every time Microsoft absorbs some innovative development-house or adds a "feature" previously only available independently of Microsoft to get a sense of how much of a hot-button issue that is.
Somewhere out there in the space-time continuum, growing 'infrastructure' expectations are going to collide head-on with anti-monopoly sentiments. That should prove... uhm... "interesting". -- If God wanted us to work with electrons, He'd make them big enough to see...
 mysec Premium join:2005-11-29
edit: April 18th, @01:16AM
reply to astirusty: This seems more oriented to IT environments, but since John and Jane are mentioned, I will say that I and a few friends who help home users would disagree that there is no hope for John/Jane.
Speaking from a home user's point of view, IMO computer security is made out to be more complicated than need be.
There are two principal ways malware gets installed:
1) By remote code execution
2) By the user being tricked into installing something malicious
The first is the easiest to deal with:
==> firewall
==> some method of preventing installation of unauthorized executables; there are a number of White List solutions available.
The second is more problematical, since it involves the user making a decision. No security product will be reliable, as the "Beware Fake Codecs" thread points out.
The Sunbelt link in the Google Groups thread is another example of people being enticed to click. Again, no security product will be reliable.
In my experience, John and Jane need very few security products. Proof of this is that neither I nor anyone I've helped over the years has ever gotten malware installed.
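The "White List" approach mysec mentions above can be shown concretely. The following is an added example, not code from this thread or from any product mentioned in it: a minimal hash-based executable allowlist. The file contents, paths and the three "events" are all constructed for the example; a real deployment would read bytes from disk and would hook execution rather than call a function. The point it demonstrates is that keying the list on content (SHA-256) rather than on file name means a renamed copy of a known-good program still runs, while a "fake codec" installer or a tampered copy of a trusted binary is blocked without any signature for the specific malware.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample "executables" (not real files): the bytes a scanner
# would read from disk when the allowlist is first built. Paths are
# hypothetical.
KNOWN_GOOD = {
    r"C:\Program Files\Editor\editor.exe": b"MZ\x90\x00editor-v1.2-release",
    r"C:\Program Files\Editor\helper.dll": b"MZ\x90\x00editor-helper-v1.2",
}


def sha256_hex(data: bytes) -> str:
    """Key the allowlist on file content, never on path or file name."""
    return hashlib.sha256(data).hexdigest()


def build_allowlist(files: Dict[str, bytes]) -> Dict[str, str]:
    """Snapshot known-good binaries as {sha256 -> path where it was seen}."""
    return {sha256_hex(data): path for path, data in files.items()}


def check_executable(path: str, data: bytes,
                     allowlist: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for a file that is about to execute."""
    digest = sha256_hex(data)
    if digest in allowlist:
        return True, f"{path}: content matches allowlisted {allowlist[digest]}"
    return False, f"{path}: sha256 {digest[:16]}... not in allowlist, blocked"


# Three events a home machine might see after the allowlist was built.
# All contents are constructed for the example.
EVENTS = {
    # 1. "fake codec" installer the user was talked into downloading
    r"C:\Users\Jane\Downloads\codec_setup.exe": b"MZ\x90\x00fake-codec-dropper",
    # 2. the real editor copied somewhere else: same bytes, different name
    r"C:\Users\Jane\Desktop\ed_copy.exe": b"MZ\x90\x00editor-v1.2-release",
    # 3. the real editor.exe with one byte changed in place (trojaned copy)
    r"C:\Program Files\Editor\editor.exe": b"MZ\x90\x00editor-v1.2-releasE",
}


def audit(events: Dict[str, bytes],
          allowlist: Dict[str, str]) -> Dict[str, bool]:
    """Run every event through the check; True means it would be allowed to run."""
    return {path: check_executable(path, data, allowlist)[0]
            for path, data in events.items()}


if __name__ == "__main__":
    allowlist = build_allowlist(KNOWN_GOOD)
    for path, data in EVENTS.items():
        allowed, reason = check_executable(path, data, allowlist)
        print("ALLOW" if allowed else "BLOCK", reason)
```

The caveat that matches mysec's second category: a content allowlist only helps while the user is not the one adding entries to it. If the "fake codec" prompt ends with the user approving the new hash, the list is as good as the decision that fed it, which is exactly the failure no product can cover.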
 mikenolan7 Premium join:2005-06-07 Torrance, CA
reply to Blackbird: But how can the internet be considered to be ready to move to the level of infrastructure? The amount of malware is still expanding rapidly, the size of botnets continues to grow. Individual companies still bring in hired guns to design their security systems, or test their quality.
If we compare it to the interstate highway system and automobiles, we are still at the level of banks hiring Pinkertons to try to protect the stagecoach.
 astirusty Premium join:2000-12-23 Henderson, NV
reply to mysec, said by mysec: "In my experience, John and Jane need very few security products. Proof of this is that I nor anyone I've helped over the years has ever gotten malware installed." I am not sure that is proof when it comes to John/Jane Doe. You obviously helped your friends. But few John/Jane Doe types: a) have friends who can really help them with security, b) take security seriously (as evident by all the BOTS), c) take advantage of even free help when it is offered. -- Do yourself a favor, just say no to anything Windows.
 mysec Premium join:2005-11-29
Hope for John/Jane Doe
Yes, that is sad, but it doesn't dispute that it can be done. There is too much of a defeatist notion about the plight of home users. Some people seem to take pleasure in gloating over others' misfortunes.
Sensational headlines in the mainstream security news add fuel to the fire, but those who take the time to help even just a few aren't influenced by all of the propaganda. If they were, nothing would get done.
Just because Mr. Brown's shoes are too tight, why should my feet hurt?