What's Under My Tree
All the good boys and girls on Russ' list get tech toys this Christmas.
During the holiday season I've abandoned the standard cybertrust risk categories,
and offer something different. As security-minded individuals, we often lose
focus of some aspects of what's happening in the real world. If you don't, you
get a deep bow from me, but I know many who do. Here's a snippet from under
my tree this Christmas:
My mother continues to struggle with her HP-435 digital
camera. She's usually able to get one or two pictures out of it before it informs
her that the batteries are insufficient to take any more. This year I got her
a new memory cartridge because she said she wanted to be able to "take
more pictures". Unfortunately, the camera informed her that it didn't support
a 256MB card.
We got her this camera last year at Christmas. We choose it because it had
the "insta-share" feature which allowed her to simply place it in
the cradle and have it transfer the pictures to her computer more or less by
itself. In other words, it was supposed to be "simple". It is, as
long as you don't mind sitting at the computer to take pictures while it's still
in the cradle! Moreover, does anyone remember the issues that Windows NT had
with boot drives that were larger than 2GB? Which memory genius designed it
so that upgrading memory cards from 128MB to 256MB and beyond created something
"unsupportable" in under a year?
I gave my brother a refurbished 700MHz Gateway computer
that used to belong to my stepdaughter. He's a savvy computer user who has had
one, in one form or another, for decades. It was fully loaded with Windows XP
SP2, Microsoft Office 2003, and software to assist with the new DVD burner.
His question, upon opening it, was "so what will I need to do?"
I suppose I should have given him a laptop, so that the computer could have
been on when I gave it to him, already logged in, with all the Help windows
opened. As he pored over the CDs and manuals, he expressed astonishment at just
how much reading material there was. This, despite the fact that all the software
manuals were on the CDs and all he was looking at were a few installation leaflets.
It took many long hours to preload the requisite software; yet it seemed even
that effort wasn't enough. He'd still have to provide his ISP dial-up information,
and configure his mail.
My stepdaughter had asked for a UBS, or SBU,
"Stick Drive"—at least that's what
my wife said. She wants to print things out at school as she doesn't have a
printer at home. Since she's going to school in Australia, giving her a printer
wasn't a wise choice, hence the request for the "Stick Drive". We
gave her a 128MB memory drive and she was thrilled. I haven't gotten around
to explaining to her how she's going to have to print her Word documents yet.
My preference would have been to give her a D-Link USB 2.0
Multi Card Reader, as she already has a 256MB spare card for her camera,
but there seems to be some status in a "Stick Drive" that isn't achieved
by using your camera to print.
There's "functionality", and it seems, there's "funkshionalty."
One is all about something being suited to the task, and the other is about
something doing the task in a fashionable way. Thankfully, the range of available
hardware makes such choices available; but how does someone like me come to
figure out which item is which?
Only my brother was interested in security. But he's in love with his fairly
ancient version of Norton Firewall and Norton
AntiVirus. I gave him an up-to-date version of Norton
Internet Security Suite 2004; after he struggled to install and then
remove it, he declared it inferior to his ancient software.
As security professionals, we're welcome to believe what we will about various
products, configurations, default installations and disclosures. In the end,
though, whether we're fully aware of the risks or not, our efforts will meet
such individuals as those in my family. They're found in offices as well as
homes. If we fail to provide an adequate mix of both functionality and funkshionality,
in all likelihood our efforts will fail.
As a network administrator, my users referred to me using a derogatory phrase
I can't repeat here. It was my job, though, to control the security of our environment,
and that won't win any popularity contests. In my case, though, management supported
me, and let me dictate to our users how things would be in our environment.
Most admins aren't in such a position; they're told they must provide what the
users demand and find ways to handle situations that go beyond their comfort
Software and hardware vendors could help in this effort if they would stop
for a moment and consider just what they're giving us. The combination of engineering
and marketing they currently supply is far too weighted to the marketing side,
offering more "funkshionality" than we can secure.
Also, vendors, consider the poor administrators and try giving us fewer surprise
gifts like already-infected systems, Web pages coded with buffer overflows and
databases with every default Stored Procedure in place. It's enough to keep
the network running with those millions of office workers who work fervently
all year to find ways to circumvent the controls we put in place.
Remember that security is everyone's job. Just imagine what a mess this Christmas
could have been if Santa had a laptop with a wireless adaptor and the Santy
Drive everything—be it car, laptop or server—safely this holiday
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.