The Effect of Snake Oil Security

Trailrunner7 writes "Threatpost has a guest column by Robert Hansen (aka Rsnake) about the long-term effects of snake-oil security products. 'I've talked about this a few times over the years during various presentations but I wanted to document it here as well. It's a concept that I've been wrestling with for 7+ years and I don't think I've made any headway in convincing anyone, beyond a few head nods. Bad security isn't just bad because it allows you to be exploited. It's also a long term cost center. But more interestingly, even the most worthless security tools can be proven to "work" if you look at the numbers.'"
  • by ArsenneLupin ( 766289 ) on Wednesday September 08, 2010 @09:47AM (#33507830)
    It's not vector as in math, but rather vector as in biology. Think fleas carrying diseases.
  • by AlecC ( 512609 ) <aleccawley@gmail.com> on Wednesday September 08, 2010 @10:12AM (#33508014)

    The term vector has been reused in other branches of science, with different meanings relevant to this subject. In epidemiology, which has a close analogic relationship to computer security, an infection vector is the means (parasite, contaminated water, sneezing) by which a disease spreads. This is actually a more exact derivation from the Latin original, which meant "one who carries". A threat vector is not the same as a threat, just as a bullet is not the same as a gun. The threat is malaria, the vector is the mosquito.

  • by jimicus ( 737525 ) on Wednesday September 08, 2010 @10:33AM (#33508204)

    However those things can and will be fixed without introducing a "let's look for 'sudo rm -rf /' everywhere" approach that only exists because the Windows security model is broken and unfixable.

    No it's not. In fact, it's arguably better than Unix, insofar as you have much finer granularity in terms of what you can allow or disallow and who you can allow it to.

    What is broken is that most applications utterly fail to respect it, hence the implementation in many organisations winds up screwed. You could argue this is because of history (Applications that were written in the days of '9x and have never been updated to account for a security model), because of laziness (too many software houses giving their devs admin rights) or because it's simply too complicated for its own good, but there's only one of those arguments which might reasonably be translated as meaning that the model is broken and unfixable.

  • by Alex Belits ( 437 ) * on Wednesday September 08, 2010 @01:56PM (#33510734) Homepage

    Interesting question. Is there anything really impeding Linux from automatically running executables downloaded from the Internet? I bet not.

    It's executable permission bit. If a file is downloaded by anything other than package manager, it remains non-executable until the user explicitly sets it on the command line or in a scary-looking permission setting screen. Since all applications are installed in a package manager, the only time when user will want to touch executable bit by himself is when he is really sure he has to run a file.

    So, on one hand we have that "the year of Linux on desktops" hasn't arrived yet because of "cumbersome" limitations that make it "difficult for average joe" to use, so "Linux isn't attacked by so many threats because it's more profitable to attack the wider Windows base"; on the other hand, as per current "analysis" from "experts", in order for Linux to take the desktop it should implement the same Windows easiness that allows for both "average joe" and the worms to take advantage of the platform.

    Oh, I see. You are either a Microsoft astroturfer or an idiot, so you just copy-paste some of your "discussion examples" to make it look like you have something relevant to say.
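The executable-bit behaviour described in the post above, as an added shell example that is not from the thread or from any project mentioned in it; the temporary directory and the file name are constructed here:

```shell
#!/bin/sh
# Added example: a file written by an ordinary program (simulating a browser
# download) is created without the executable bit, so the kernel refuses to
# exec it until the user explicitly chmods it. Paths below are constructed.

WORKDIR=$(mktemp -d)

# Simulate a "download": write a script body with plain file I/O.
simulate_download() {
    printf '#!/bin/sh\necho payload-ran\n' > "$1"
}

# Return 0 if the file carries an execute bit for this user, 1 otherwise.
is_executable() {
    [ -x "$1" ]
}

# Try to run the file directly and print the exit status.
# POSIX shells report 126 when the file exists but is not executable.
try_run() {
    if "$1" >/dev/null 2>&1; then echo 0; else echo $?; fi
}

# Audit: list regular files under a directory with the owner execute bit set.
# On a desktop where everything else arrives via the package manager, an
# executable in a downloads folder means someone set that bit by hand.
audit_exec_bits() {
    find "$1" -type f -perm -100
}

demo() {
    f="$WORKDIR/installer.sh"
    simulate_download "$f"
    echo "executable after download: $(is_executable "$f" && echo yes || echo no)"
    echo "exit status when run:      $(try_run "$f")"
    chmod u+x "$f"   # the explicit user action the post describes
    echo "executable after chmod:    $(is_executable "$f" && echo yes || echo no)"
    echo "exit status when run:      $(try_run "$f")"
    echo "files with exec bit:       $(audit_exec_bits "$WORKDIR")"
}
```

Run `demo` to see the 126 status before the chmod and 0 after it.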
