The Myths of Security

brothke writes "The Myths of Security: What the Computer Security Industry Doesn't Want You to Know is an interesting and thought-provoking book. Ultimately, the state of information security can be summed up in the book's final three sentences, in which John Viega writes that 'real, timely improvement is possible, but it requires people to care a lot more [about security] than they do. I'm not sure that's going to happen anytime soon. But I hope it does.'" Read on for the rest of Ben's review.

The Myths of Security: What the Computer Security Industry Doesn't Want You to Know
author	John Viega
pages	260
publisher	O'Reilly Media
rating	8
reviewer	Ben Rothke
ISBN	978-0596523022
summary	A contrarian provides an interesting look at the information security industry

The reality is that while security evangelists such as Viega write valuable books such as this, it is for the most part falling on deaf ears. Most people don't understand computer security and its risks, and therefore places themselves and the systems they are working in danger. Malware finds computers to load on, often in part to users who are oblivious to the many threats.

Much of the book is made up of Viega's often contrarian views of the security industry. With so much hype abound, many of the often skeptical views he writes about, show what many may perceive are information security truths, are indeed security myths.

From the title of the book, one might think that there is indeed a conspiracy in the computer security industry to keep users dumb and insecure. But as the author notes in chapter 45 — An Open Security Industry, the various players in the computer security industry all work in their own fiefdoms. This is especially true when it comes to anti-virus, with each vendor to a degree reinventing the anti-virus wheel. The chapter shows how sharing amongst these companies is heavily needed. With that, the book's title of What the Computer Security Industry Doesn't Want You to Know is clearly meant to be provocative, but not true-life.

The book is made up of 48 chapters, on various so called myths. Most of the chapter are 2-3 pages in length and tackle each of these myths. The range of topics covers the entire security industry, with topics spanning from various security technologies, issues, risks, and people.

While not every chapter is a myth per se, many are. Perhaps the most evocative of the security myth is chapters 10 — Four Minutes to Infection and chapter 22 — Do Antivirus Vendors Write their own Viruses?. But the bulk of the book is not about myths per se, rather an overview of the state of information security, and why it is in such a state.

In chapter 16, The Cult of Schneier [full disclosure — Bruce Schneier and I work for the same company], Viega takes Schneier to task for the fact that many people are using his book Applied Cryptography, even though it has not been updated in over a decade. It is not fair to blame him for that. While Viega admits that he holds Schneier in high esteem, the chapter reads like the author is somehow jealous of Schneier's security rock star status.

Chapter 18 is on the topic of security snake oil, ironically a topic Schneier has long been at the forefront of. The chapter gives the reader sage advice that it is important to do their homework on security products you buy and to make sure you have at least a high-level understanding of the technical merits and drawbacks of the security product at hand. The problem though is that the vast majority of end-users clearly don't have the technical wherewithal to do that. It is precisely that scenario that gives rise to far too many security snake-oil vendors.

Perhaps the best chapter in the book, and the one to likely get the most comments, is chapter 24 — Open Source Security: A Red Herring. Viega takes on Eric Raymond's theory of open source security that "given enough eyeballs, all bugs are shallow." Viega notes that a large challenge with security and open source is that a lot of the things that make for secure systems are not well defined. Viega closes with the argument that one can argue open versus closed source forever, but there isn't strong evidence to suggest that it is the right question to be asking in the first place.

Overall, The Myths of Security: What the Computer Security Industry Doesn't Want You to Know is good introduction to information security. While well-written and though provoking, the book may be too conceptual and unstructured for an average end-user, and too basic for many experienced information security professionals. But for those that are interested, the book covers the entire gamut of the information security, and the reader, either security pro or novice, comes out much better informed.

While the author makes it clear he works for McAfee, and at times takes the company to task; the book references McAfee far too many times. At times the book seems like it is an advertisement for the company.

Viega does give interesting and often entertaining overviews of what we often take for granted. Some of the books arguments are debatable, but many more are a refreshing look at the dynamic information security industry. Viega has sat down and written his observations of what it going on. They are worth perusing, and the book is definitely worth reading.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know .

You can purchase The Myths of Security: What the Computer Security Industry Doesn't Want You to Know from amazon.com. Slashdot welcomes readers' book reviews — to see your own review here, read the book review guidelines, then visit the submission page.

Myths of Security?

[erbbysam]

There are no myth's of security, just the myth of security itself. Modern computer security is based on the fact that their are algorithms that no one knows how to reverse quickly. Doesn't mean that they can't be reversed however...

The greatest myth of security...

[tacarat]

Security does not actually protect you, it delays others. If you don't implement enough delays to allow yourself to find out you're being attacked and to act accordingly, it's all useless.

Evolution will produce security

[onionman]

While I'm a big fan of security research, I think that the reason we see security lacking in most products is because there just isn't a business case for it. Most of the time, the added hassle of security development or deployment seems larger than the cost of poor or no security. As the consequences of security failures escalate, I'm sure that the market will evolve to include better security focus.

Hopefully, we'll get to that point without a wide-spread catastrophe... for example, the current "Smart Power Grid" ideas will have "Intelligent" power meters in most homes and businesses... imagine what a security failure in a widely deployed "Intelligent" power meter could do!

Most SHOULD NOT think about security...

[nweaver]

It is a great failing in our industry that its viewed as a problem that "most don't think about security".

Rather, the problem is that we haven't constructed systems such that people don't have to think about security. The best security systems are so unobtrusive and unnoticable that people should not think about them.

EG, a good succes story is the modern car key. 10-20 years ago, it was trivial to steal a car. You break the steering lock, put two wires together, and drive off. We had horrible cludges like "the Club", and people had to think all the time about it, in theory.

Now our carkeys have RFID transponders which are cryptographically keyed to the car's computer. It is vastly harder to steal a modern car (either bring a tow truck or swap the computer), but the actual cognitive load for most people is vastly less. You do the same thing you did before, but now your new car is far more secure.

Thanks!

[viega]

Ben, Thanks for the positive review. I know the book has pissed some people off, especially when I take on their particular sacred cows (e.g., intrusion detection). But, the Schneier chapter isn't meant to piss him off, I have no beef with him whatsoever. I just think the fanboys do the world a disservice by not thinking for themselves, especially when they draw from material that's a decade old. John

Re:Most SHOULD NOT think about security...

[clang_jangle]

Modern cars are actually a pretty bad example. Your new car is "far more secure" against the average destitute crackhead non-pro thief, but cracking codes and cloning RFIs is actually pretty trivial for a pro. So it appears reasonable to conclude that (to paraphrase an old saw), "even the best security only works against the honest and the incompetent".

Re:Most people simply don't think about security

[arminw]

...You just can't preserve the user's freedom while doing so....

Apple has found out about this and has implemented their app store as the only legitimate place to download software for the iPhone that has been filtered and approved. This does limit the users freedom, but it's about the best security that can be had in any computer system. I hope that they will extend the system to the Mac sometime soon.

Re:I have a full-proof security code

[cheros]

Actually, during the last Access-all-areas held in London I brought along a Samsonite briefcase with a digital lock.

Someone spent the ENTIRE weekend trying to open the lock and didn't manage, which was due to a bit of evil from my side. The lock has 4 digits, so I entered a code and opened/closed it - he tried everything from 0000 to 9999 and didn't manage.

The reason was me pretending to press keys. That case had a cute feature: you didn't have to use all 4 digits, so the actual combination was just "9" with me pretending to hit other buttons :-)

Ah, those where the days..

PS: that lock had a major weakness anyway so I didn't use it long - it was just amusing..

Re:Most people simply don't think about security

[lgw]

Yeah, I think it's pretty well established that you can have good security with software that no one would buy or use by choice. A security model that allows users to be their usual flaky selves and still work reasonably well is what's called for. Hopefully people will focus on that, instead of the myth of the "educatable user".

Limiting what individual pieces software can do, rather than what the user can do, is key. Admin/root acount vs normal account is a first step, but no where near a last one, as it still requires too much user smarts. SE Linux's per-process finely-detailed jails is a great further step, but fails because it depends on a known good source of software, and only installing from there. Taking a few more steps in this direction would be real research, and profoundly improve computer security.

Thinking that the answer is to improve the user instead of the system only makes sense from a religious perspective (and even them, half the religions would disagree that this is possible).

What *they* don't want you to know!

[luddite47]

How many books have this stupid subtitle?
It must work...

The irony of IT security is practically axiomatic

[Anonymous Coward]

Your job is make access impossible for a motivated, resourceful and knowledgeable attacker, yet dead simple for an unmotivated, uninformed and careless user.

Corollary:

If you fail, you get blamed / fired / sued, not the user, not the attacker.

This is why IT people are so "paranoid" - they are usually entrusted with this impossible responsibility (impossible because it's not theirs alone but shared by the users), yet their ass is on the line (perhaps others as well, but definitely theirs) if something gets compromised.

No Need

[omb]

Well I have read the book and the much funnier "Secrets and Lies" AC about 3 times and Secrets and Lies more. First AC is in the nature of a scholarly review book and introduction to mathematical and procedural cryptography. It says nothing DEFINATIVE about particular ciphers but DOES make the point that all cryptography depend on mathematically difficult problems that Mathematicians have an annoying problem of simplyfing, and this is the nature of the MD5 and SHA1 attacks, and the advice to "walk not run to the exits". Rijndael aka AES is much better than 3 x DES and the new hash will be better than the SHA family.

This stuff is not snake oil, but you need to understand it at a mathematical and process level to get good results and you need to test, see the Debian SSL fiasco.

So, for example SHA1 is more than fine for all practical purposes in the version control system 'git' where only accidental collisions are concerning. For all the security bruhaha about SHA1 no one can tell you how to forge the message that you would like to send with a given known SHA1. Most people will notice if they see a message "send a cammel ein milliarde swietzerish franken to the First Crooked Bank of Nigeria" (deliberate errors). So unless you can fix the SHA1 with spaces and <CR> <LF>, in small numbers, and you can not you are SOL.

And any valid process encrypts both the message plain-text AND the hash, and to be useful the HASH better depend on the senders private key and be de-cryptable by their published keys (fingerprint freely available) eg

sig. omb GPG Key ID: 0xy0481D676FBC700y, old PGP Key Id: 0xy97186Ay

Finally, the idiot pols in the USA and UK could do just one thing useful, issue everyone a high grade X509 cert for free and sign the Social Security or NHS number using the private key.

This looks, at first case badly flawed, since all private keys are known and held by government whereby they can be mis-used or lost.

I leave it as a simple, excercise to the reader to turn this into a very cheap, foolproof security system which absolutely stops identity theft.

Re:Thanks!

[Anonymous Coward]

I met John Viega at defcon and he seemed put off that people didnt know him. Hes got a chip on his shoulder - especially about Schneier - Viega doesnt have anything but derivative works to his name and knows it.

This books is basically a manifestation of his personal self esteem issues, hes making up a windmill to tilt at. If theres any myth about security - its him. Hes a hack repeating other peoples ideas to create a place for himself.