CRMBuyer.com

OPINION
Security Misconceptions

This week is the RSA Conference 2005, and today I'm doing one of the opening talks at a Trusted Computing Group lunch. I'm trying to find a nice way to say that I think the most common approach to security problems these days is completely whacked, but I have struggled with the "nice" part. Here are some of the things that are bothering me.

User Identity

Much of the grief we are currently experiencing comes from e-mail that appears legitimate but isn't. Users open a hostile application or go to a hostile Web site that captures their personal information, and some criminal uses the information to access their bank accounts or open credit lines. Anyone who has been victimized in this way knows it can take months or years to recover from the damage to credit ratings.

The elderly seem to be the biggest target for such attacks. But there are attacks targeting children that are even worse. Children are tricked into believing they are talking to other kids and are introduced to pedophiles or kidnappers.

We resist the idea of solid user identification because of privacy concerns. Yet many of the sites we don't want people to know we go to contain advanced spyware that broadcasts to unknown others our activities, eliminating this privacy benefit.

I think that we the users should have the ability to blanket-reject communications from anyone who does not have an identity that can be traced. We should be able to decide whether we are willing to take the risks associated with receiving mail from strangers, and we should be better protected from receiving mail from impostors pretending to be friends.

User Exposure

We seem to ignore that incautious users are the biggest problem. They are the ones opening questionable attachments, using trivial passwords, and exposing otherwise secure systems. Until we make users part of the overall solution, I don't see how we can get to where we need to be. This not only requires some level of training, it also requires that we formally abandon passwords as a security method and move to something more robust. Whether that is a smart-card approach, biometrics or a combination of the two, we desperately need a secure way for people to log into their systems.

We spend an incredible amount of time coming up with creative ways to secure systems and almost no time ensuring that the people accessing them are legitimate. It doesn't matter how strong you make the vault if anyone can open it.

Granted, companies like IBM and MPC are aggressively putting extended security on laptop computers, but these machines are largely targeted at corporate users, leaving the vast majority of consumers unprotected.

Security starts with the user. If you aren't willing to ensure that only authorized users have access to sensitive systems, then you deserve what you get if your systems are penetrated. If you refuse to put locks on your door and someone steals your stuff, isn't that your fault?

Trusted Computing

It isn't just people we need to be sure of. We are constantly patching our systems, and we are now required by our internal audit departments to show that we have extensive automated patching processes in place in order to avoid a dreaded non-compliance report to our board of directors. But we don't yet have in place, particularly for open-source platforms, a trusted computing environment that ensures our patches come from legitimate sources.

How long will it be until the links put in place to manage systems remotely are compromised in a way that will cripple a national defense system, a major bank or the network backbone we can't live without? The concern about Microsoft (Nasdaq: MSFT) using such a system to take over the world is silly on two fronts: First, Microsoft already is dominant, and, second, IBM is currently an even more active driver of this initiative than Microsoft. IBM is trying desperately to secure Linux, where the greatest exposure currently exists.

Wouldn't it be nice if, before raising these silly red flags, people spent some time looking at who really is creating these problems? The hardware vendors are being killed by the proliferation of malware, and they are trying to find ways to protect their users. Dell, HP (NYSE: HPQ) and IBM aren't trying to lock in users; they are trying to ensure a safer user experience to contain support costs. Why would any sane user want to stop this? I understand paranoia, but Valium has been on the market for a while. If you have this problem, please take some and let the rest of us sleep at night.

Grass Is Greener Security

The belief that open source is more secure is largely unfounded. Take Firefox -- a 1.0 product with two active support folks and a key designer who just left to work for Google. Yes, it works on a lot of sites just as Opera did when it was the hot browser; yes, it isn't (or wasn't) targeted by as many exploits; yes, it does seem faster (so did Opera). But if it used to be obscure, it certainly isn't today, and that means it will increasingly be targeted.

It is hard to figure out how many security vulnerabilities the product actually has. You can go to Security Focus and search on Mozilla as the vendor and then Firefox as the title and come up with 39. On Secunia, you'll see not only that the number of reported vulnerabilities is increasing, but also that 88 percent remain unpatched or only partially fixed. Internet Security Systems documents 62 security exposures, but I can't tell easily how many of those 62 have been corrected in the 1.0 product.

In the world I thought I lived in, if you ran around telling people to migrate to a 1.0 product over a 6+ product from a branded vendor, particularly when the 1.0 product only had two full-time support people, you'd be taken to a quiet padded cell. Firefox is getting a ton of press, and people will attack it. How will two people and a handful of volunteers be able to protect you? If you are in a company and are audited for this choice, the word "oops" doesn't protect you.

Security: Think for Yourself

In the end it is your privacy, or your company's privacy, you are protecting. Stay focused on the bad guys, the people who want to steal your stuff, your identity and your peace of mind. Do your own research and think through the process. Don't think just of the exposures that exist today -- think ahead to the exposures you will need to address next week, next month and next year. You may make the same choices, but at least you'll be vastly better at defending those choices. Given the career implications, this approach will do a lot to cover your assets.


Rob Enderle, a TechNewsWorld columnist, is the Principal Analyst for the Enderle Group, a consultancy that focuses on personal technology products and trends.




Talkback
Re: Security Misconceptions
bex
Posted 2005-03-02
Actually, using the default repositories for your linux distribution of choice can ensure that ...
Re: Security Misconceptions
freecode
Posted 2005-02-14
...
Re: Security Misconceptions
polkw
Posted 2005-02-14
I was only able to find ten vulnerabilities for Firefox 1.0 on Security Focus. I would guess the ...
Re: Security Misconceptions
TBarta
Posted 2005-02-14
To conclude IE is more secure (than Firefox) because it is backed by a larger staff is ...
