Marcus Ranum has a podcast out on... well, his title says it all - Ranum's Rant. Now, I expect quite a bit from Marcus because he is usually contrarian and entertaining and provides thoughtful commentary along the way. Not this time.
I was disappointed to find out that his current podcast at http://www.rearguardsecurity.com/ - #2 on Past Episodes - is just a generic security rant. Whine, really. Oh, with a twenty-year window for nirvana! Hah!
Hey, I'm prone to it as well, but talk about cliche - non-security folks (especially! senior! management! yay!) are stupid and don't care and we (caring, serious, important, smart security professionals) try really, really, hard (really) to do a good job except we know they are stupid anyway (darn them!) and don't care about us (damn them!) or technology or anything at all...
I hate to burst anyone's bubble or anything, but wallowing in self-pity is not going to change anything. And, in fact, all executives are not stupid. We don't try hard enough to understand business problems. We can't even come up with a consensus on what set of significant risks exist in the IT world, so why would anyone believe us anyway? (A good example? Well, Marcus uses passwords. Let me tell you, anyone fighting the "strong password" battle is completely missing the new(/old) threat models out there.)
No, successful Internet generation executives twenty years from now will have learned the same things today's executives have, so that won't help. WE'RE THE ONES THAT NEED TO CHANGE!
Co-dependent? No. Alcoholics on a binge encouraging each other to "fight the good fight" till our BAC is our body temperature and we wonder why we are constantly being relegated to lower and lower levels on the corporate ladder*? Yep, that'd be us. Sure, this stuff plays well to our crowd when we are drunk, but there are plenty of sober folks out there not buying it for a minute.
*If you haven't noticed, the top security spots in enterprises today are more and more frequently being given to folks outside of the security profession that understand how businesses manage risk.
Hat tip: Shrdlu at Layer 8.
>> a good example? Well, Marcus uses passwords. Let me tell you,
>> anyone fighting the "strong password" battle is completely
>> missing the new(/old) threat models out there.
In general, I agree, in that weak passwords aren't what's going to be causing new troubles.
However, given all the functionality/vulnerability that Web 2.0 is opening up, I think we could be surprised by just what comes in the future.
Imagine, for example, a CSRF attack distributed by XSS, essentially turning millions of browsers into millions of password-guessers.
(Of course, you could legitimately ask why they aren't using their botnets for that right now. My point is that since the attackers have shown that their imaginations generally outstrip ours, declaring any particular vector as over-and-done seems premature.)
Posted by: Dan Weber | May 30, 2007 at 02:31 PM
@Dan -
You make my point well - a "strong" password is not going to protect against that type of attack at all - you are better off picking a pseudo-strong one (i.e. one that can survive a handful of guesses) that can be memorized and logging the hell out of the system. And the more obvious solution is multi-factor authentication.
But there is little/no need to even get that complex. Consider the recent case with MySpace passwords being collected through a phishing attack - in that case, it doesn't matter if your password is 50 alpha-numeric random characters - you're dead.
Posted by: Pete | May 30, 2007 at 02:39 PM
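As an added illustration of the point in the two comments above (Dan's many-browsers-guessing-one-account scenario, and Pete's answer that logging the system beats password complexity), here is example detection code that is not part of the original post or its comments; the log line format, the thresholds and the sample log are assumptions constructed for the example:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Assumed line format:
# "<ISO timestamp> <OK|FAIL> user=<account> src=<address>"
SAMPLE_LOG = """\
2007-05-30T14:31:00 FAIL user=alice src=10.0.0.1
2007-05-30T14:31:02 FAIL user=alice src=10.0.0.2
2007-05-30T14:31:04 FAIL user=alice src=10.0.0.3
2007-05-30T14:31:05 FAIL user=alice src=10.0.0.4
2007-05-30T14:31:07 FAIL user=alice src=10.0.0.5
2007-05-30T14:31:09 OK user=alice src=10.0.0.6
2007-05-30T14:40:00 FAIL user=bob src=10.0.0.9
2007-05-30T14:40:01 FAIL user=bob src=10.0.0.9
2007-05-30T14:40:03 OK user=bob src=10.0.0.9
"""

def parse_line(line):
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]

def detect_distributed_guessing(log_text, window=timedelta(minutes=10),
                                max_failures=4, min_sources=3):
    """Return {account: {"failures": n, "sources": m, "success_after": bool}}
    for accounts whose failed logins inside `window` exceed max_failures and
    came from at least min_sources distinct addresses. A per-source lockout
    never fires on this pattern because each browser only tries a few guesses;
    counting per account, across sources, is what surfaces it."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, result, user, src = parse_line(line)
            by_user[user].append((ts, result, src))
    alerts = {}
    for user, events in by_user.items():
        events.sort()
        fails = [(ts, src) for ts, r, src in events if r == "FAIL"]
        for end in range(len(fails)):
            start_ts = fails[end][0] - window
            recent = [src for ts, src in fails[:end + 1] if ts >= start_ts]
            if len(recent) > max_failures and len(set(recent)) >= min_sources:
                # A success shortly after the burst is the case to escalate:
                # the guessing may have worked, so the account needs attention.
                last = fails[end][0]
                success_after = any(r == "OK" and last <= ts <= last + window
                                    for ts, r, _ in events)
                alerts[user] = {"failures": len(recent), "sources": len(set(recent)),
                                "success_after": success_after}
    return alerts
```

Run against the sample, `alice` is flagged (five failures from five addresses followed by a success) while `bob`'s two retries from one address are left to ordinary per-source throttling.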