Kuro5hin.org: technology and culture, from the trenches

How Much Security Is Secure Enough?

By KiTaSuMbA in Op-Ed
Thu Apr 04, 2002 at 10:24:17 AM EST
Tags: Security

In the past few years "security", "hackers" (inappropriately used) and "exploits" have all become buzzwords for end users. The wide availability of broadband internet connections, dynamic web content, remote code execution, over-bloated network-aware software and OSes, and the spread of the internet among computer-illiterate people have turned normal desktop PCs into highly probable cracker / worm / virii targets. This editorial is not intended to be an internet security guide, a HOW-TO or a bible, but rather to provide some guidelines that keep you as far as possible from frustration.


Some rules to keep in mind:
  1. There is no such thing as a totally unbreakable computer now or in the future as long as it is somehow connected to a network. Never mind what hardware/software companies promise you and what specific OS aficionados are eager to convince you about.
  2. Security is inversely related (though not in a linear fashion) to convenience, advanced features and simplicity of use. Taken to the extreme, it ends up completely crippling your computer's network capabilities.
  3. The higher the complexity and size of a system, the higher the odds that it presents vulnerabilities and the greater the time/effort needed to track them down and fix them.
  4. Security is implemented at multiple levels, the most important being the user, not his/her box.

Answering the question:

Before setting up the most die-hard system or skipping this article thinking "why should it ever happen to me?" you should first make up your mind on what level of security and in what sense you need it. This is called a "security policy" and, no, it doesn't concern only IT staff. Ask yourself these questions:

  1. Why me? Because
    1. I have some very "interesting" data in my hard disk(s).
    2. I keep getting involved in flame wars.
    3. I have a 24/7 high-speed internet connection (cable, DSL etc.).
    4. I run "sensible" services like web/ftp/mail servers on my box.
    5. I run software notoriously insecure.
    6. my aunt Mary is not security-aware and could get us (the box) in trouble.
    7. I had a fight with my techie roommate/colleague and a subtle "inside" job could be revenge enough for him.

    These are all risk factors; they give you a rough idea of how likely you are to be attacked and therefore how badly you need better security than what you currently have.


  2. How much security can I afford without making my internet life a nightmare?
    1. I run services that HAVE to look at the outside world.
    2. I know that ACME's foo program has security issues but I can't get my job done without it...
    3. my aunt Mary only knows how to use 3 programs: IE, outlook and solitaire!

    Thinking about these issues gives you an idea of how far you can go with security without going paranoid.


  3. What kind of attack would I be a candidate for? Depending on your risk factors, different types of attack are more probable than others and thus your security policy should be oriented accordingly.

    1. flame wars: most "experienced" crackers stay out of them, so you are most probably dealing with script-kiddies and trolls who will attack you just to gain some self-esteem and play "cool" in front of their high-school friends. Their preferred method is a Denial of Service (DoS), as dropping your connection for some time or otherwise harassing you is achievement enough and this kind of attack is very easily deployed. Another type of attack would be trying a well-known exploit, using (almost) ready-to-use tools available on the net, against a vulnerability that has likely already been fixed by a patch/update/new release of your software, as their computer skills are far lesser than what they claim.
    2. DEFENSE:
      1. stay out of flame wars - don't harass people. The Netiquette is not just a wish-list of some early internet bigots you are too "cool" to follow. And don't go around the net telling people how secure your box is and how darn good you are: someone may try to teach you security the hard way!
      2. watch out for patches / security updates for your software (from OS to IRC client, whatever). Most security breaches exploit holes that have already been "fixed" by updates users don't care or don't know about.
      3. use a well-configured non-computer-resources-hungry firewall. Bulldog, keep-all-out, pseudo-die-hard, fancy-graphics style firewalls are more likely to cowardly die on a simple DoS attack and even crash your system altogether.

    3. high-speed 24/7 connection: Even a not-so-cautious cracker will route himself through 3-5 boxes before hitting that high-profile site, and yours could be one of them. You also risk an "advanced" script-kiddie using your box to install malicious/illegal services: IRC bouncers, warez ftp servers, flooders, mail-bombers etc.
    4. DEFENSE:
      1. again, keep an eye for patches / security issues.
      2. firewall, again. Try to be restrictive on your firewall rules and keep logs to search for "suspicious" activity. Don't get paranoid though, you'll find lots of random hits.
      3. use strong and encrypted passwords: "password", your birthday or your dog's name are obviously weak :-P. Try not to use the same password on multiple accounts or services: if someone gets his hands on one of your passwords, it will be the first thing he tries next time.
      4. a simple Intrusion Detection Software (IDS) / filechecker (checks for modified system files) to identify an intrusion ASAP. It is best to run such a utility from a read-only medium (floppy / CD-ROM) to make sure it isn't compromised itself.
      5. keep periodic back-ups: intruders won't hesitate to format your disk if they fear getting caught.

    5. software with well-known security issues: you can be hit by just about any kind of attack: virii, worms, wannabe crackers "practicing", script-kiddies "having fun".
    6. DEFENSE:
      1. check for patches, patches, patches!!! Don't get caught asleep...
      2. if the security issues are more likely due to the software's design (security-unaware features) than to simple bugs in the code, it is *guaranteed* that more trouble will come your way, patch after patch, service pack after service pack (Internet Explorer or Outlook ring a bell? :-P). Try to migrate to a more secure product, asking yourself whether you desperately need all those features, whether the users would find it impossible to learn another - even similar - program, and whether you can afford the possible extra cost of purchasing new software.
      3. use antivirus software and KEEP it updated: at least you can avoid older virii / worms, but keep in mind that this is not a panacea (virii nowadays can be designed and distributed on the net within days / weeks).
      4. a firewall could keep some of the trouble away but not much: the attack uses a "path" offered by your own software and thus most probably permitted by the firewall itself.

    7. real-world, hatred-induced attack (from inside): depends on the skills of the attacker... There is not much you can do against a sledgehammer!
    8. DEFENSE:
      1. strong passwords, really strong passwords!
      2. IDS / filechecker, antivirus.
      3. keep back-ups not accessible to third parties.
      4. data encryption (perhaps a bit too much of paranoia here...).

    9. sensible services: you can get crackers trying to route themselves through your computer, somebody "practicing" on an exploit he just read/heard about or - rarely - figured out himself, attacks specifically targeting YOUR service (website defacement, mail servers used for spamming etc.), and worms.
    10. DEFENSE:
      1. do you really need these services? Most end users prefer preconfigured OS installations to selectively choosing the applications they need. They select a "typical" MS Windows installation which contains, surprisingly enough for the typical desktop user's needs, the "personal web server" (Microsoft's own web server - IIS), software "traditionally" known for its bugs and vulnerabilities. Linux newbies go for the full install of their distribution to avoid the trouble of choosing among some 50 or more software packages, thus installing just about every network service known to the present day (from rsh and NFS to apache and telnet). Trouble is, a lot of users are actually unaware of the services their system runs or don't realize the security implications of such a configuration. Indeed, one of the most widespread worms, Nimda, exploits a well-known IIS web server vulnerability that was fixed long before the worm appeared. MS's defense was that the service pack fixing the bug had been available for some time and there was a notice on their site informing users. However, the worm rapidly propagated across the net as most users failed to update their computers (either because they didn't care or because they didn't even know what IIS is!). Let's ask this question again: do you *know* what services your system runs? And if yes, are you sure you need them all the time, or could you load them on request, e.g. when testing a dynamic web page before uploading it? And, furthermore, do these services need to look at the outside world? If not, configure them properly.
      2. patches, service packs, security updates, remember???
      3. configure your server appropriately: double check for file permissions, vulnerabilities in dynamic content web pages, strong passwords.
      4. firewall: the firewall configuration has to let these services through, but you can avoid some heat anyway.
      5. keep logs for the network AND the service (if available) and READ them, either manually (on high-traffic servers this is close to impossible) or by using specialized software.
      6. use a reliable IDS application.
      7. keep frequent back-ups. You can't take for granted that you are secured.

    11. security-unaware user behavior (aunt Mary): all sorts of things can occur without anyone realizing it, until you personally sit in front of that box and get lucky enough to notice some "strange events". The usual suspects are virii, trojan horses, worms and any kind of "dangerous"/malicious code delivered by e-mail attachments, code executing in the e-mail body (javascript, Visual Basic, ActiveX etc.), web browsing (VB, java, javascript, ActiveX, cookies, whatever) or even by straightforward social engineering ("hey, grab this program / IRC client script / anything, it works great!!").
    12. DEFENSE:
      1. Educate your users. This must be *high priority* for you. If users mess around blindly, trouble is coming at you real fast, real soon, no matter what security measures you take (you cannot "program" a user's mind not to give passwords away to "friends" or not to use his phone number as one). Try to be detailed and specific, though polite and clear. Don't use jargon or tech terms heavier than they can handle. Explain what could happen if they do this or that; don't give them a dry list of DOs and DON'Ts, and don't play guru to them, making them feel like complete idiots. If you work at an office, print an "internet security policy" sheet and try to be available for further questions/discussion. You can gain a hell of a lot more by being polite and "concerned" than by pestering people and barking at them every time they fail to keep up with your policy standards. In the middle/long term you will save a lot of time and nerve-racking, painful system recoveries.
      2. about strong passwords: on non-office, real multiuser boxes (e.g. your home linux desktop, where aunt Mary reads her mail and browses the web for cookbooks) don't take user account passwords lightly ("who cares, it's *his* home directory getting messed up"). Local exploits to gain root access, and thus complete control over your box, are far more numerous and easier than remote ones. Configure your system not to accept weak passwords (on most modern linux distributions it's as simple as an option checked in a GUI configuration tool) and educate users (see above).
      3. use an antivirus program and keep it updated.
      4. configure a firewall: make it functional though. You don't need people asking you why their ICQ client won't work, why they can't use DCC on IRC networks or those with the "I am a hacker, dude!" attitude piercing that firewall, tunneling etc. just to get more functionality or your little brother back home messing around with IPTABLES when you are away.

    13. critical / "hot" data on your hard disk(s): you might be targeted by a really experienced cracker with the explicit intent of theft.
    14. DEFENSE:
      1. DATA ENCRYPTION! strong data encryption. :-)
      2. a very efficient firewall.
      3. keep the complexity of the system as low as possible, without crippling your job, to avoid possible vulnerabilities: these guys don't need an exploit to be posted on the net to deploy one.
      4. SecurityFocus and other security-oriented sites (both defender and attacker sides) should be on your daily web walk-about.
      5. update, patch, service pack as soon as available, not "one of these days, really soon..."
      6. if it is *really* critical, get some professional advice / help. Unless, of course, you know your way around your box pretty well, in which case you shouldn't have read this far if not for fun (or perhaps looking for some bits to flame about :-)

Conclusions:

Hopefully, if you followed me this far, you can figure out (more or less) how much security is secure enough for *your* case. Remember, there is no golden rule of thumb on this issue nor a way to be 100% safe. Now, having a defined strategy, go create your security policy in detail and read the documentation on how to implement it on your computer.
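
An added example (not from the original article) for the question "do you *know* what services your system runs?": it parses the Linux /proc/net/tcp table, lists the listening TCP sockets, and separates loopback-only listeners from those reachable from the network, flagging ports your policy does not expect. The sample table is constructed, the allowed-port set is a hypothetical policy, and the address decoding assumes a little-endian host such as x86.

```python
import ipaddress
import socket
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0201A8C0:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1
   4: 0201A8C0:8123 0A01A8C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 1005 1
"""


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (dotted IPv4 string, port number)."""
    addr_hex, port_hex = field.split(":")
    # The kernel prints the address as a host-order integer; on a
    # little-endian machine packing it with '<I' restores network byte order.
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listeners(text):
    """Return (ip, port) for every socket in LISTEN state, sorted by port."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # The header row and established connections fail this test.
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        listeners.append(decode_endpoint(fields[1]))
    return sorted(listeners, key=lambda endpoint: (endpoint[1], endpoint[0]))


def audit(text, allowed_ports):
    """Classify listeners against the ports the policy expects to be exposed."""
    report = {"loopback_only": [], "expected": [], "unexpected": []}
    for ip, port in parse_listeners(text):
        if ipaddress.ip_address(ip).is_loopback:
            report["loopback_only"].append((ip, port))  # not visible from outside
        elif port in allowed_ports:
            report["expected"].append((ip, port))
        else:
            report["unexpected"].append((ip, port))  # running, exposed, unplanned
    return report


if __name__ == "__main__":
    # Hypothetical policy: only SSH and the web server should face the network.
    policy = {22, 80}
    # On a Linux box, replace the sample with open("/proc/net/tcp").read().
    for kind, endpoints in audit(SAMPLE_PROC_NET_TCP, policy).items():
        for ip, port in endpoints:
            print(f"{kind:14} {ip}:{port}")
```

In the constructed sample the telnet listener on port 23 is the one reported as unexpected. IPv6 listeners live in a separate table, /proc/net/tcp6, which this example does not read.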

APPENDIX

hackers: people whose attitude is to adapt their tools to themselves rather than the other way around. On computers: those who know their computer inside out, play with it to the point of crippling it just to "try something they read about" and would rebuild the entire system to get that "-03 -march=i686 -mcpu=686" extra optimization (I know I did, and got a KDE on steroids! :-P)
crackers: people who sneak into strangers' computers usually doing damage/defacement. Mainstream media erroneously call them "hackers".
script kiddies: usually under-18, socially isolated individuals and "wannabe-crackers" without the skills and/or the talent. They use tools and code already available on the net on a "download - compile (the "advanced" ones) - execute" scheme. Identifiable mostly by their compulsive linguistic/orthographic extravaganzas (r00t for "root", 31337 h4x0r for "elite hacker" etc.).
warez: illegally copied / cracked software
virus: a malicious piece of code that, embedded in a file, "infects" your system's files, almost invariably causing serious damage
worm: code that uses your system's resources and services to propagate itself to other victims (most frequently by e-mail). Almost all recent virii contain a worm component
trojan horse: a program that provides remote unauthorized access to your computer.
exploit: a method to gain unauthorized access to files and /or services of your computer through software already installed.
firewall: software that "filters" your network connection allowing only specific type of connections to occur.

Poll
what is your main "risk factor"?
o computer illiterate users 8%
o a 24/7 broadband connection 33%
o I run servers on my box 23%
o my software is known to be vulnerable 2%
o I keep flaming on K5! 2%
o my roommate hates me!!! :-P 0%
o I work for the CIA 15%
o I won't tell yah even if you torture me! 13%

Votes: 135

How Much Security Is Secure Enough? | 77 comments (57 topical, 20 editorial, 0 hidden)
I voted... (3.00 / 10) (#8)
by synaesthesia on Thu Apr 04, 2002 at 08:16:17 AM EST

I voted "my software is known to be vulnerable"

In case you're wondering, my IP address is 127.0.0.1



Sausages or cheese?
AHAHAHHAHAHAHA!!!! (2.00 / 5) (#9)
by KiTaSuMbA on Thu Apr 04, 2002 at 08:17:38 AM EST

;-)
There is no Dopaminergic Pepperoni Kabal!
[ Parent ]
I know you're lying (3.30 / 10) (#14)
by cthulhain on Thu Apr 04, 2002 at 08:38:46 AM EST

because my ip address is 127.0.0.1. And in case you don't know, it's impossible for two computers to have the same ip address. Otherwise, the internet would break.

--
nothing in his brain except a ruined echo of the sky.
[ Parent ]

My computer is vulnerable too (3.00 / 9) (#16)
by theboz on Thu Apr 04, 2002 at 08:56:44 AM EST

And my IP is 192.168.1.102 (at least on my network.)

Stuff.
[ Parent ]

Hacker vs Cracker (4.36 / 11) (#19)
by wji on Thu Apr 04, 2002 at 10:05:23 AM EST

I think the most lucid and sensible bit about this debate comes from [Cr,H]acker magazine editor Emmanuel Goldstein:

Now, we have a small but vocal group who insist on calling anyone they deem unacceptable in the hacker world a "cracker." This is an attempt to solve the problem of the misuse of the word "hacker" by simply misusing a new word. It's a very misguided, though well-intentioned, effort. The main problem is that when you make up such a word, no further definition is required. When you label someone with a word that says they're evil, you never really find out what the evil was to begin with. Murderer, that's easy. Burglar, embezzler, rapist, kidnapper, all pretty clear. Now along comes cracker and you don't even know what the crime was. It could be crashing every computer system in Botswana. Or it could be copying a single file. We need to avoid the labeling and start looking at what we're actually talking about. But at the same time, we have to remember that you don't become a hacker simply because you say you are.


In conclusion, the Powerpuff Girls are a reactionary, pseudo-feminist enterprise.
Actively defining `cracker' (3.75 / 4) (#30)
by PigleT on Thu Apr 04, 2002 at 11:56:29 AM EST

If I read your quote right, he's objecting to those of us pedants who correct "hacker" into "cracker" saying the latter is ill-defined.

It's not. A cracker is one who breaks and/or enters into your computer system for some nefarious purpose, simple.

At least the article here had a positive definition of `hacker' - oh and it's -mcpu=i686, not just 686, btw. And -Os -fomit-frame-pointer would've been good, too.... ;8]
~Tim -- We stood in the moonlight and the river flowed
[ Parent ]
nah (4.83 / 6) (#42)
by jayfoo2 on Thu Apr 04, 2002 at 01:49:17 PM EST

What he's pointing out is that Cracker isn't a good term because it's not specific enough. In our society labels do matter. Murderer, pederast, lawyer all have very negative connotations.

What I think he's trying to point out is that all computer crimes are not equal. There is a difference between a script kiddie nosing around some data (which deserves a slap on the wrist) and someone stealing and selling a batch of Credit Card numbers (which deserves jail time).

The laws surrounding other crimes are much better defined (i.e. negligent homicide, manslaughter, murder, each with degrees).

One of EG/EC's hot buttons is that the punishment should fit the crime. He does believe that real computer criminals should go to jail, but that jail is not the appropriate penalty for non-destructive computer crime.

I'm not sure how much I agree or disagree but I do understand the point that letting the media associate Cracker with murderer and pederast isn't a 'Good Thing'



[ Parent ]
Hacker nomenclature (3.50 / 4) (#46)
by DrJohnEvans on Thu Apr 04, 2002 at 05:07:55 PM EST

The problem lies in creating a separate term for "computer-related criminal" altogether. If I may quote myself here:
The term isn't needed. If somebody has a great deal of knowledge and experience concerning chemicals, we call him or her a chemist. If that same person uses their knowledge to kill people with chemical weaponry, that person is now a criminal. Still a chemist, but also a criminal. There's no separate chemistry-specific term.1
The use of the term just adds confusion. If your average person doesn't really understand what a hacker is, what's his reaction going to be when you throw the new term "cracker" at him? Will he sit down, do some research, and properly define and identify the terms? Ideally, yes, but most likely he'd just resign any hope of understanding, and just assume that the mass media is right: that hackers, crackers, whatevers, are all criminals threatening our way of life and should be locked up.

Instead of inventing new terms to cover all the bases, we need to clarify the terms already in existence.

1. -1, Nomenclature by DrJohnEvans on Sat Mar 9th, 2002 at 06:54:04 PM EST

[ Parent ]

Re: Hacker nomenclature (3.80 / 5) (#47)
by carbon on Thu Apr 04, 2002 at 05:21:49 PM EST

Ideally, yes, but most likely he'd just resign any hope of understanding, and just assume that the mass media is right: that hackers, crackers, whatevers, are all criminals threatening our way of life and should be locked up.

So you're saying that the response of the average person to hearing _one new term_ from a person, and then having its meaning explained to him, is to ignore this new explanation in favor of what he's last seen on the tube? Most people aren't that stupid. Plus, I think that the term 'cracker' is fairly obvious in definition when used in context. It has been when I've seen average people exposed to it in the past. The big confusion is that around the original word 'hacker'.


Wasn't Dr. Claus the bad guy on Inspector Gadget? - dirvish
[ Parent ]
Well actually... (4.00 / 1) (#63)
by prometheus on Fri Apr 05, 2002 at 02:27:39 PM EST

Most people I've talked to are that "stupid", so to speak, and to explain the difference between hacker and cracker needs so much background which is so far removed from what most people know that it takes awhile to explain things. Only to have to repeat it because after that kind of explanation, people will just do whatever they're used to because it hurts too much to do things a new way.
--
--
<omnifarad> We've got a guy killing people in DC without regard for his astro van's horrible fuel economy
[ Parent ]
Example (none / 0) (#70)
by carbon on Sat Apr 06, 2002 at 09:12:42 PM EST

Real conversation that I had a few months ago (though paraphrased):

"I heard a hacker broke into someone's system!"

"No, the word hacker specifically refers to a type of person who enjoys programming and computing and things like that for their own sakes. The correct word for someone who breaks into people's computers is 'cracker'. The news industry has been really nasty about missing that distinction..."

"Really? Cool."

See, wasn't that hard. And he never made that mistake again (as far as I know, anyways)


Wasn't Dr. Claus the bad guy on Inspector Gadget? - dirvish
[ Parent ]
So... (4.75 / 4) (#51)
by epepke on Thu Apr 04, 2002 at 06:40:07 PM EST

You must think the term "safecracker" is unnecessary, because "locksmith" would do just as well.


The truth may be out there, but lies are inside your head.--Terry Pratchett


[ Parent ]
typos... (and some OT info) (3.00 / 2) (#59)
by KiTaSuMbA on Thu Apr 04, 2002 at 09:54:02 PM EST

as usual. At least it does less harm here than when actually compiling ;-)
for the optimisation, I preferred not to push too hard especially the KDE packages that took about 3hrs to get around.
I usually abstain from hacker vs. cracker wars as it usually ends up at meaningless dogfights. That quote though had an important info too:
hacker is not he who thinks he is (even the last of the script kiddies and warez d00dz retain themselves as such) but one that is recognized to be one. :-)
Now, why do I get the feeling that someone will propose elections for such titles? ahahahaha!
There is no Dopaminergic Pepperoni Kabal!
[ Parent ]
vocabulary issues... (3.50 / 2) (#58)
by KiTaSuMbA on Thu Apr 04, 2002 at 09:45:43 PM EST

Using a single word to define a series of actions or behaviour is, yes, somewhat generalising and perhaps offending someone but still very helpful for the discussion's sake. This is a fact not only about hacker/cracker but all sorts of classification. I mean you can easily talk about "mad people" doing no justice to a manic depressive that finds himself classified along with a psychotic and a schizophrenic, and then this counts within the psychotics group etc. IMHO, when the actual meaning within a phrase is clear there is no need to go radical about the use of words. It's the content that counts, words are only medium.
There is no Dopaminergic Pepperoni Kabal!
[ Parent ]
Who's your audience? (4.14 / 7) (#25)
by jeffy124 on Thu Apr 04, 2002 at 10:28:58 AM EST

In reading this, I find that you did an excellent job, but I cannot figure out who your audience is. Are you targeting Internet newbies? The "Aunt Marys" of the world? Or reasonably adept computer users in general?

Depending on who you're talking to, most people won't know what they're looking for in a good firewall product, or how to even read the logs. Likewise for finding patches for specific pieces of software, and then installing them. (sidenote: I find Windows Update very good at doing both).

It also looks like some of what you discuss is simply preaching to the choir. Most k5 readers fall into the hacker and reasonably adept user realms, and are already familiar with most of what you discussed.

+1fp anyhow - we need a good discussion about some of that stuff.
--
You're the straw that broke the camel's back!
crap - should be editorial comment (none / 0) (#26)
by jeffy124 on Thu Apr 04, 2002 at 10:29:35 AM EST

damn mouse wheel
--
You're the straw that broke the camel's back!
[ Parent ]
the reader's profile... (5.00 / 3) (#57)
by KiTaSuMbA on Thu Apr 04, 2002 at 09:37:49 PM EST

is neither 'aunt Mary' (with whom the reader probably interacts at work or home) nor that linux guru who probably has some good laughs reading it. The article has this rather wide spectrum of audience of people who are rather familiar with their computers (windows, unix, whatever) but still leave the security issues in bottom of their ToDo-lists. The whole point is to generate some interest in security and a discussion on the issue, not to handhold the users.
:-)
There is no Dopaminergic Pepperoni Kabal!
[ Parent ]
anti-virii nazi (4.20 / 10) (#27)
by johnathan on Thu Apr 04, 2002 at 11:18:20 AM EST

I know this is a losing battle, but "virii" is not a word.

What is the plural of virus?

Those confused souls who write *virii are tacitly positing the existence of the non-word *virius, and declining it as though it were like filius[....] *Virii is still completely silly, so don't do that; otherwise, everyone will know you're just a blathering script kiddie.

--
Her profession's her religion; her sin: her lifelessness.

And again (4.40 / 5) (#31)
by Torako on Thu Apr 04, 2002 at 12:01:22 PM EST

Just for completeness (or redundancy if you will): My Langenscheidt Latin Dictionary has the following entry on virus: "virus, i n (used only in the singular nom. and acc. form)" So, there is no plural form of virus. Actually, it wasn't even a native Latin form. It was derived from a classical Greek word that meant "poison", some later, that is post-classical, meanings of the word include: slime, venom, the salty taste of ocean water.

[ Parent ]
Right. (2.00 / 6) (#32)
by mindstrm on Thu Apr 04, 2002 at 12:18:07 PM EST

But in english, we are allowed to pluralize nouns.
And to pluralize a noun ending in us, you drop the us and add ii.

Platypus -> Platypii
Octopus -> Octopii

Cactus -> Cactii
Virus -> Virii

So.. you can argue all you want it's not proper latin, or breaks the rule somewhere.

But as anyone knows, english is not based on rules, and language evolves.
Go look how many words are in the dictionary now that were not there 20 years ago.


[ Parent ]
...except that it isn't (3.40 / 5) (#34)
by pietra on Thu Apr 04, 2002 at 12:55:42 PM EST

The English plural of "cactus", whether correct in Latin or not, is "cacti." Ditto "octopi." In our crazy attempts to make English look less like a godawful hodgepodge with a million exceptions to anything resembling a grammar rule, we have at least managed to come up with standardized spelling. Sometimes. You're half-right in the sense that if enough people use a word, despite how ungrammatical or wrong it may actually be, eventually it will be absorbed into the language. However, we do tend to insist that said word be spelled in some sort of standardized fashion, and at present, nouns ending in "-us" get one "i" for their plural form, not two.

[ Parent ]
Octopodes, not octopi (4.00 / 1) (#62)
by hythloday on Fri Apr 05, 2002 at 09:21:10 AM EST

Greek root, not Latin. Yes, I'm aware that most dictionaries probably disagree with me. ;-)

[ Parent ]
Yes. (2.00 / 1) (#64)
by mindstrm on Fri Apr 05, 2002 at 04:41:19 PM EST

My bad. One 'i' of course.



[ Parent ]
Wrong. (5.00 / 5) (#36)
by johnathan on Thu Apr 04, 2002 at 01:07:50 PM EST

And to pluralize a noun ending in us, you drop the us and add ii.
I hope you're joking. I don't think that there is a single case of this in the English language. Many times, us becomes i, but many other times, the plural is formed normally (as with caucus, rebus, and syllabus).

Platypus -> Platypii
Nope. Platypus -> platypuses or platypi

Octopus -> Octopii
Octopus -> octopuses or octopi

Cactus -> Cactii
Cactus -> cacti or cactuses

And "virii" is still not a word. (You might check a dictionary as the final authority.)

--
Her profession's her religion; her sin: her lifelessness.
[ Parent ]

Syllabus (5.00 / 4) (#43)
by elefantstn on Thu Apr 04, 2002 at 02:29:45 PM EST

Syllabus actually is a Latin word, and I had professors in college who pluralized it as "syllabi" as kind of a joke. But in fact, the Latin plural of "syllabus" is "syllabus," with a long U instead of a short one. It's a fifth declension noun.

[ Parent ]
Octopus -> octopodes, actually. (3.66 / 3) (#44)
by seebs on Thu Apr 04, 2002 at 04:02:48 PM EST

Well, it would be if it were Latin, but it isn't, so the correct plural is Octopuses.

http://www.askoxford.com/asktheexperts/faq/aboutgrammar/plurals

[ Parent ]

It's actually Greek (3.50 / 2) (#60)
by Delirium on Fri Apr 05, 2002 at 03:47:10 AM EST

So the correct plural would be Octopodia.

[ Parent ]
No octopodes was right (none / 0) (#66)
by a humble lich on Fri Apr 05, 2002 at 08:55:52 PM EST

pous, podos is a third declension noun (meaning foot), so the (nominative) plural should be octopodes. I don't know where you get podia from, my dictionary lists that as an alternate form of pous (http://www.perseus.tufts.edu/cgi-bin/ptext?doc=Perseus%3Atext%3A1999.04.0057%3Aentry%3D%2384142) Perhaps that is a modern form?

[ Parent ]
I don't speak ancient Greek (none / 0) (#68)
by Delirium on Fri Apr 05, 2002 at 09:25:08 PM EST

I'm not sure what "number" declension it is, but the plural of "podi" (foot) in modern Greek is "podia."

[ Parent ]
Linguistic evolution (1.75 / 4) (#45)
by karb on Thu Apr 04, 2002 at 04:14:46 PM EST

Has very little to do with correctness, and actually follows a pretty well understood set of laws. Save yourself the time trying to control it. Or become an english teacher. ;)
--
Who is the geek who would risk his neck for his brother geek?
[ Parent ]
RTFOED (3.50 / 2) (#49)
by artsygeek on Thu Apr 04, 2002 at 05:28:02 PM EST

(OED==Oxford English Dictionary) It's only VIRUSES in the OED. So, I concur completely. The folks who seemed to coin "virii" are AOLamers and 133t h4x0rs

[ Parent ]
Risk factor (3.00 / 4) (#28)
by El Volio on Thu Apr 04, 2002 at 11:28:59 AM EST

I run a honeypot, so of course I'm running vulnerable services... or so they would appear (actually it's a pretty low-risk, low-interaction HP...)

Many, many passwords (4.11 / 9) (#29)
by carbon on Thu Apr 04, 2002 at 11:49:37 AM EST

Sounds like good advice, but I'm afraid I can't follow the bit about using different passwords for everything. I have about 30 different accounts on various machines and things, and keeping a different, secure password for all of them would be insane.

Oh, and script kiddies : betcha can't crack my b0xen :-)


Wasn't Dr. Claus the bad guy on Inspector Gadget? - dirvish
Password Managers (3.80 / 5) (#35)
by lazzurs on Thu Apr 04, 2002 at 12:58:52 PM EST

Have you ever heard of password managers?

I have one on my palm pilot and it is excellent, fairly secure and if I ever lost my palm then it would not be that hard to change all the passwords.

With it being on the palm it removes all of the usual arguments against using them, AFAIK.

Take care - RL

[ Parent ]
Stolen Password Managers (4.60 / 5) (#37)
by panum on Thu Apr 04, 2002 at 01:33:20 PM EST

And how exactly are you going to log into all the systems and change your lost passwords?

Another problem is that PMs are a tremendous security risk. Unless your pw list is protected with strong crypto, anyone can get your passwords. Getting the Pilot is all too easy: just promise $50 to any junkie to mug you.

-P

-- I hate people who quote .sigs
[ Parent ]
Maybe... (3.80 / 5) (#48)
by carbon on Thu Apr 04, 2002 at 05:24:11 PM EST

Well, I considered that (software such as GNU Keyring can indeed do that heavy encryption, and then I only need to remember one password) but then, if I lost my Palm, I would be effectively locked out of everything until I could get back at my home system or reach a system with outside access and a cradle.


Wasn't Dr. Claus the bad guy on Inspector Gadget? - dirvish
[ Parent ]
My compromise solution (5.00 / 4) (#50)
by greenrd on Thu Apr 04, 2002 at 06:09:06 PM EST

I have seven key passwords:

  • 2 root passwords (for 2 machines). Root passwords should never be reused for anything else.
  • One Windows logon password, also never reused. This is also an admin password because I have (unwisely, for convenience) set my ordinary user as an Administrator on Win2k.
  • One Hotmail password, never reused. Again, I'd prefer not to let people read my email if they happen to find out one of my other passwords, so I keep this unique. (Of course, theoretically anyone with access to a machine on the right route can read my email because I never get any encrypted email, but most casual snoopers don't have access to the big backbone routers - and I'm not too worried about Carnivore or Echelon because I would never say anything subversive. ;-)
  • One silly "low security" password for websites I virtually do not care about security on, like Java Developer Connection (what are people gonna do with that password? Change my Bug Votes?)
  • One "medium" security password that I reuse on various sites like kuro5hin.
  • One Unix password that I only use on the internal campus network.

Pretty easy to remember them all, and reduces the risk of a compromise in one place affecting too much else. I also use Mozilla's password manager with a master password, which encrypts all the passwords it stores, so I don't have to remember which username/password goes with which site.


"Capitalism is the absurd belief that the worst of men, for the worst of reasons, will somehow work for the benefit of us all." -- John Maynard Keynes
[ Parent ]

Re: My compromise solution (5.00 / 3) (#52)
by khym on Thu Apr 04, 2002 at 08:34:51 PM EST

I do my passwords in a similar way:
  • A master password for my private key. I use this to encrypt all the text files in which I keep the user names and password for all the things I use, and I regularly back this data up. I also use it as the passphrase for my SSH ID files, so I don't have to remember my passwords when opening a shell on an external site.
  • One unguessable password for my main Linux account.
  • A separate unguessable password for the root account.
  • A single unguessable password which I use for most of the web services I use: SlashDot, Kuro5hin, and so on.
  • A separate unguessable password for each of the "sensitive" things I use:
    1. SourceForge
    2. The Open Directory Project, of which I am an editor.
    3. My PayPal account.
    4. My PacificBell account.
I have my Mozilla browser remember all of the web with its password manager, encrypted with the same passphrase I use for my private key. Thus, that's a total of eight different passwords, only three of which I have to remember.

Of course, if a cracker broke into my main user account, he could install trojans for various programs into my $HOME/bin directory in order to get the other passwords, but I have other protections on my computer...



--
Give a man a match, and he'll be warm for a minute, but set him on fire, and he'll be warm for the rest of his life.
[ Parent ]
Baffle them with Bullshit (1.76 / 13) (#33)
by Ken Pompadour on Thu Apr 04, 2002 at 12:30:17 PM EST

So that's your tactic, eh?

It's a shame I can't vote this garbage down.



...The target is countrymen, friends and family... they have to die too. - candid trhurler
BS? Where? (3.20 / 5) (#39)
by panum on Thu Apr 04, 2002 at 01:42:35 PM EST

With which parts of the post do you disagree? For improvement constructive criticism is needed - not half-assed one-liners.

I have to admit I've read the post with a cursory glance at most and I didn't spot any too obvious flaws. I intend to read it more carefully. But meanwhile you might explain yourself a bit more.

-P

-- I hate people who quote .sigs
[ Parent ]
It's fluff (2.11 / 9) (#41)
by Ken Pompadour on Thu Apr 04, 2002 at 01:45:02 PM EST

Pure fluff. There's no information, it's all filler.

...The target is countrymen, friends and family... they have to die too. - candid trhurler
[ Parent ]
you misunderstood... (2.60 / 5) (#56)
by KiTaSuMbA on Thu Apr 04, 2002 at 09:15:01 PM EST

You were probably looking for specific instructions, perhaps an analysis of specific methods/tools for security.
The article was not intended to be a security HOW-TO or a review of specific software. It merely approaches this important issue.
There is no Dopaminergic Pepperoni Kabal!
[ Parent ]
Quick question. (2.20 / 5) (#38)
by derek3000 on Thu Apr 04, 2002 at 01:36:37 PM EST

In the past few years "security", "hackers" (inappropriately used)...

Mind telling me how it has been used inappropriately?

-----------
Not too political, nothing too clever!--Liars

hmmm... (2.40 / 5) (#55)
by KiTaSuMbA on Thu Apr 04, 2002 at 09:09:00 PM EST

I intend the term "hacker" as described by the jargon file (and also briefly explained in the appendix) so I consider that the term "cracker" is more appropriate for people that breach computer security.
Let's not make a dogfight out of vocabulary, as many people are strongly supporting either conception. If you don't feel comfortable with the term "hacker" as I use it, then substitute it with whatever you think is more appropriate (some talk about "computer geeks").


There is no Dopaminergic Pepperoni Kabal!
[ Parent ]
Opportunity cost. (4.50 / 8) (#40)
by nr0mx on Thu Apr 04, 2002 at 01:44:50 PM EST

Let me congratulate you on an article well-presented. However, you have left out a very important factor in your calculations, IMHO the most significant one -- the time it takes to do all the things that you would have us do.

Sure, I would like my box to be as secure as possible. I want a souped-up system that squeezes every ounce of performance from my hardware. I have forgone sleep on countless days in pursuit of these twin goals. But the truth is, it takes some doing to stay on top of the rapid developments in these fields. And over the years I have gained increased respect for every hour of blissful slumber that I can sneak in.

I do not consider myself an average user, unaware of the perils you have just outlined. But my box, as it lies currently, is as insecure as any other. Because the time it takes to secure it is just too great.

After my last reinstall, I have simply given up on these activities. I am just plain *tired*. I know what needs to be done, and I have an approximate idea of how long it would take me to do it, and the time factor is unacceptably huge.



good observation! (3.00 / 4) (#53)
by KiTaSuMbA on Thu Apr 04, 2002 at 09:01:05 PM EST

It is obvious both from the article and the discussions that the "ultimate security" cannot be achieved. It's a compromise of security against commodity, and time has its own role on this. I am not, myself, a "security paranoid" but yet manage to steal just that bit of time necessary for a bit of security. Unfortunately not everyone has that time available, as you pointed out.
There is no Dopaminergic Pepperoni Kabal!
[ Parent ]
90% of the benefit.....The Club (5.00 / 1) (#71)
by dmaxwell on Sun Apr 07, 2002 at 10:56:08 PM EST

Put an engineering maxim to work for you then.
90% of the benefit is realized for doing 10% of the work.

It's true that an awareness of security means constant care, patching, firewalling, etc to the detriment of actually USING the computer. On the other hand, most of us don't need the computing equivalent of an armored van or have to protect the analog of a cherry '57 Corvette. Toss a pre-cooked firewall script on your machine or use Zonealarm depending on your OS of choice. It isn't much more effort to avoid running some of the worst offenders like Outlook or that f----n' purple ape. The users of some Linux distros can use something like Bastille as well....remember the minimal effort principle.

These things aren't even the half of what you could do to secure your machine but they're better than nothing and almost no work. Will The Club deter an accomplished car thief? Nope, if that's all that is protecting your prize Porsche then consider it nabbed. Will it protect your '91 Tercel? Very likely. Hmmmm, That cracker/script kiddie thing seems to have parallels in other types of crime.........

[ Parent ]
Some UNIX/Linux security tools (5.00 / 7) (#54)
by khym on Thu Apr 04, 2002 at 09:07:03 PM EST

While on the subject, there's some security tools I'd recommend to anyone running a UNIX/Linux box:
  • Port Sentry, a port scan detector. It monitors TCP and UDP ports which aren't in use, and detects attempts to send packets to them; once a scan is detected, it blocks access to the scanning host via both TCPwrappers and the firewall. It can detect "stealth scans", and can be configured to ignore ports which would lead to false positives.
  • LogSentry, which monitors your system's log files and emails you anything that's out of the ordinary, saving you the time of manually scanning through your log files.
  • LibSafe, which intercepts calls to the C library in order to check them to see if there are buffer overflow or format string problems, and stops the offending program if these are found. It can be used without having to recompile anything, and is used to prevent attacks taking advantage of unknown vulnerabilities.
I've been using all three of these for several years now, and they've worked very well.

--
Give a man a match, and he'll be warm for a minute, but set him on fire, and he'll be warm for the rest of his life.
Thanks for Recos (none / 0) (#69)
by jugglhed on Fri Apr 05, 2002 at 11:35:07 PM EST

That's what the article was kind of missing. A couple of concrete recommendations would have been nice.

[ Parent ]
Port Sentry vs. Packet Filtering (none / 0) (#74)
by yonderboy on Mon Apr 08, 2002 at 08:13:30 PM EST

If you're running an OS that has IP firewalling capabilities (ipfilter/ipfw/ipchains/ipfwadm/foo), you're better off configuring your firewall to detect portscans. The major reason not to run Port Sentry is within its implementation.

Instead of "detecting" the portscan by means of packet capture, Port Sentry opens a socket on all the ports you wish to monitor. While this may seem like a good idea at first, it really just makes you look like an easy mark for skr1pt kiddies since portscans will come back with all the ports Port Sentry is watching.

If you are using an IP firewall-based method for portscan detection, you're not sending a message back to the kiddies about anything you have open that you're not really running. In fact, if you configure your firewall correctly (IP Filter FAQ (via OpenBSD)), you can block most stealth scans and fingerprint attempts with less effort.

In my experience, Port Sentry is like placing a "Root me, please!" sign over your head.

[ Parent ]
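
The passive approach argued for in the comment above (spotting a scan from packets the firewall has already dropped and logged, with no listening socket opened), as an added example that is not part of the original thread. The log format, host addresses, thresholds and the `detect_scans` name are constructed assumptions; adapt the regex to whatever your packet filter actually logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of firewall drop-log lines (not from a real host).
SAMPLE_LOG = """\
2002-04-08T20:00:00 fw DROP SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=3100 DPT=135
2002-04-08T20:05:00 fw DROP SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=3101 DPT=137
2002-04-08T20:10:00 fw DROP SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=3102 DPT=139
2002-04-08T20:12:30 fw DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=2500 DPT=113
2002-04-08T20:13:01 fw DROP SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=21
2002-04-08T20:13:02 fw DROP SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=22
2002-04-08T20:13:03 fw DROP SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=23
2002-04-08T20:13:04 fw DROP SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=25
2002-04-08T20:13:05 fw DROP SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=80
2002-04-08T20:13:06 fw DROP SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40005 DPT=110
2002-04-08T20:13:40 fw DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=2501 DPT=113
2002-04-08T20:15:00 fw DROP SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=3103 DPT=445
2002-04-08T20:20:00 fw DROP SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=3104 DPT=1433
2002-04-08T20:21:10 fw DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=2502 DPT=113
"""

# Assumed key=value layout; only the fields needed for detection are captured.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ DROP SRC=(?P<src>\S+) DST=\S+ "
    r"PROTO=\w+ SPT=\d+ DPT=(?P<dpt>\d+)"
)

def detect_scans(lines, window=timedelta(seconds=60), min_ports=5,
                 ignore_ports=frozenset()):
    """Return {source: sorted ports} for every source that was dropped on at
    least `min_ports` distinct ports inside one sliding `window`.
    Lines are assumed to be in time order, as a log file is."""
    recent = defaultdict(deque)          # source -> (timestamp, port) pairs
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                     # not a drop record, skip it
        port = int(m["dpt"])
        if port in ignore_ports:
            continue                     # known benign noise, e.g. ident
        ts = datetime.fromisoformat(m["ts"])
        hits = recent[m["src"]]
        hits.append((ts, port))
        while ts - hits[0][0] > window:  # expire hits older than the window
            hits.popleft()
        ports = {p for _, p in hits}
        if len(ports) >= min_ports:
            flagged.setdefault(m["src"], set()).update(ports)
    return {src: sorted(ports) for src, ports in flagged.items()}

if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan from {src}: {ports}")
```

Because the detector only reads what the filter dropped, the host answers nothing on the probed ports, and widening `window` is how the lower-rate source in the sample gets picked up.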

"Hacker" is like "queer" (4.00 / 2) (#65)
by epepke on Fri Apr 05, 2002 at 08:12:05 PM EST

Or "colored" or "negro" or "retarded" or "disabled." But it's mostly like "queer," because some people at least are trying to take back the name. A bit like "geek" or "nerd."

I'm afraid, folks, that the majority of people don't make the distinction between hackers and crackers, as functionally described in this article. It's almost impossible to find a computer in a movie made before 1985 that isn't a Demon Bent on Taking Over the World, and the ones that aren't are Stupid but Cute Robots. Even today, most people hate their computers. Anyone who actually likes computers must therefore be evil.

It doesn't matter what you think "hacker" means. Any word used to describe people who are into computers will eventually develop a bad connotation, because people feel toward us a mixture of awe, suspicion, and fear.


The truth may be out there, but lies are inside your head.--Terry Pratchett


Build it yourself (5.00 / 1) (#67)
by dJCL on Fri Apr 05, 2002 at 09:11:24 PM EST

I recently moved, finally got high speed and am in the process of building my firewall. My basic idea is to use the info from www.linuxfromscratch.org to setup the base system. Then create a system with only the firewalling on it from there. Oh, I also have a third network setup that has one machine - an old 486 with NT3.5 or so and no patches, it can only see the internet and a portscan of the firewall only sees it...

my sig was too long, and getting annoying, so this is all you get. deal with it.

been done (none / 0) (#72)
by DreamerFi on Mon Apr 08, 2002 at 09:02:39 AM EST

Or you could download the free firewall from www.dubbele.com

[ Parent ]
#1 isn't completely true (2.00 / 1) (#73)
by jpmorgan on Mon Apr 08, 2002 at 03:23:29 PM EST

1. There is no such thing as a totally unbreakable computer now or in the future as long as it is somehow connected to a network. Never mind what hardware/software companies promise you and what specific OS aficionados are eager to convince you about.

This isn't completely true. The US Military has computers which have been mathematically proven to be 'secure'. (By secure I mean conforming to their strictest security standards, the ones which replaced the old A classifications).

Not quite (none / 0) (#75)
by silsor on Mon Apr 08, 2002 at 09:48:38 PM EST

When you "prove" a program, you prove that the computer will do what you told it to do, not what you want it to do. Anybody claiming an absolute degree of security is selling snake oil. This is an axiom of network security.


✠  Patron saint of unmoderated (none / 0) top-level comments.
[ Parent ]
while arguing... (none / 0) (#76)
by KiTaSuMbA on Mon Apr 08, 2002 at 10:26:03 PM EST

...you actually admit that #1 is a true statement:
"(By secure I mean conforming to their strictest security standards, the ones which replaced the old A classifications)"
Standards are by no means equivalent to absolute.
As a matter of fact the old A classifications were considered unbreakable at their time. What you probably mean by "mathematically" is perhaps that their encryption methods use codes well over the 1024bit "wall" that should require enormous calculating power and time to break by brutal force. However, some recent studies have equally mathematically proven that if particular methods in the architecture of an offending computer cluster are used, time required would be in the range of hours (instead of decades) and that the system would cost at some hundreds K $. Considering the target's profile, offenders of a proportional magnitude can be thought of. Of course, no teenager-from-his-garage could do it as in some episodes the past years. They actually changed their security strategy and detailed policy to get a harder system. They got *better odds* that it won't be cracked, not certainties. The Germans in WWII were pretty sure their encoding in radio messages was "secure", but ENIAC and some pieces of code+message broke the codes one after another.
There is no Dopaminergic Pepperoni Kabal!
[ Parent ]
Not exactly (none / 0) (#77)
by ph0rk on Wed Apr 10, 2002 at 10:53:02 AM EST

As long as there is a human working on/with the system, and that human can get disgruntled, then that system is not entirely secure.
[ f o r k . s c h i z o i d . c o m ]
[ Parent ]
How Much Security Is Secure Enough? | 77 comments (57 topical, 20 editorial, 0 hidden)