Computer Security

Those crazy Irish! They like their hacks blackcurrant-flavored!


People seem to want to treat computer security like it's rocket science or black magic. In fact, computer security is nothing but attention to detail and good design. It's certainly possible to turn a computer security problem into a rocket-science or brain surgery class problem, but if you've done that it's almost a certain indication that you've already started down the wrong path. Indeed, the simplest and most effective rule of computer security is:
You don't have to do it? Then don't!

Of course there is tremendous potential for debate about where a particular thing falls along the spectrum between "want" and "need" - which is, in fact, the most crucial aspect of security design. Again, the simple approach is best: if someone says you have to do something: don't. If you survive without it, you didn't need it you merely wanted it. I suspect most product features and added complexities would fail this test. The essence of minimalism is, secretly, laziness.

Comments on Anthem Breach
I get a lot of media requests, and this morning I was awakened by a call from The Third Estate asking if I had any comments on the Anthem breach. I was on the road yesterday and didn't have a chance to do any research on it, so I was caught flat-footed. Fortunately, I had my "Security Expert Comment Generator" that I wrote a few minutes ago...

The Ultimate Firewall Revisited
I used to brag that wire cutters were the ultimate firewall. But then it occurred to me that if people are going to use cute little "firewall" icons on their powerpoints, they should have one that looks more interesting.

My Web Site Defaced! Search-engine Stuffing Hack
Web site defacement is so... '90's, isn't it?? But sometime between when I uploaded my execution control article and this morning, someone added a bunch of hidden crap to my main index page. Apparently, this is some new trick to manipulate search engine rankings. Have I mentioned that I think hackers suck?

Execution Control: Antivirus bites the wax tadpole!
For years I have been railing about how stupid "default permit" execution architectures are, and how there are no decent tools that allow a Windows system administrator to build a system in "default deny." I tried Windows execution control, and one commercial product - but right now I'm getting great results from a tiny piece of freeware.

Old Dog: New Tricks
I got a chance to experiment with the state-of-the-art in source code security analysis tools, and ran it against my fifteen-year-old firewall toolkit (FWTK) code-base. Much to my horror, I discovered that my old code had a number of buffer overruns. I also ran the analysis tool against sendmail, Imapd, BIND, and postfix.

Point/Counterpoint: Is there "Strategic Software"?
From my point/counterpoint column with Bruce Schneier.

Hard Disk Encryption Revisitted
I have no idea why I was lazy about setting up hard disk encryption on my laptop. After a bit of research and a relatively simple bit of data wrangling, I've protected my laptop's data. What too me so long? This stuff is really easy!

The Six Dumbest Ideas in Computer Security (originally written for
After years of reading about "this great new idea" or "that new cool technology" I finally realized that there are some anti-smart ideas that are so powerful that they can turn perfectly good ideas into dumb ideas. Read 'em and weep.

Enabling the Complaint Department
Junk email bugs the heck out of me. Back in the day, I used to complain by responding with a uuencoded copy of /unix. Obviously that didn't work. A company called Blue Security is enabling and facilitating email users' complaints - is it a denial of service attack? Or is it legitimate? Some thoughts on the topic.

Inviting Cockroaches to The Feast
A lot of smart but short-sighted people are arguing that we should allow liability litigation for software defects. I think that it's a really dumb idea unless you're a lawyer.

Outsource Your Data Center to Baghdad!!
That sounds like a really stupid idea, huh? It is!But it's not much worse than the popular alternatives. At least the Iraqis aren't in the middle of a nuclear stand-off!

Do We Really Need Hacker Skills?
Do security practitioners need to know how to hack? No. Hacking follows as an obvious extension of the discipline of security.

Blasts (and Whimpers) From the Past
By request, I have created an "archives" area of my old articles, tutorial materials, and security-related writings. Some of them seem prescient, some peevish - but they're all common points tracing the trajectory of my thinking about security.

Teachings of Master Sun
I wrote this rather silly, whimsical, angry piece after about the 2,000th time someone asked me about patching my systems.

The Calendar
You've heard of the legendary SourceFire computer security calendar, right? Now, you can see it online.

A Matter of Motives
The full disclosure debate has pretty much died down; the proponents of disclosure have won (largely by virtue of the fact that nobody can stop them). But never mind the technology - let's look at their motives.

Monoculture Hype Alert!
NSF Grants Two Universities $750,000 to Study Computer Monocultures (25 November 2003)
With the help of a $750,000 National Science Foundation grant, Carnegie Mellon University and the University of New Mexico will study computer "monocultures" and the benefits of diverse computing environments. "The researchers intend to create an application that could generate diversity in key aspects of software programs, thus making the same vulnerability less effective as a means of attack against the population as a whole."
$750,000 to sit around and whine about Microsoft? How do I get a gig like that?!

The Myth of Monoculture
Recently, my friends Dan Geer and Bruce Schneier (along with other smart people) published a paper postulating that our computing environments are at risk of security disasters because of a "Microsoft Monoculture." This paper has gotten a tremendous amount of attention lately. Unfortunately, I think that many of the papers' proponents have forgotten that the paper is an analogy and not real science. Arguing by analogy is illuminating but also distracting. I offer my opinons and some observations.