Security Watch

What's Under My Tree

All the good boys and girls on Russ' list get tech toys this Christmas.

During the holiday season I've abandoned the standard cybertrust risk categories, and offer something different. As security-minded individuals, we often lose focus of some aspects of what's happening in the real world. If you don't, you get a deep bow from me, but I know many who do. Here's a snippet from under my tree this Christmas:

My mother continues to struggle with her HP-435 digital camera. She's usually able to get one or two pictures out of it before it informs her that the batteries are insufficient to take any more. This year I got her a new memory cartridge because she said she wanted to be able to "take more pictures". Unfortunately, the camera informed her that it didn't support a 256MB card.

We got her this camera last year at Christmas. We choose it because it had the "insta-share" feature which allowed her to simply place it in the cradle and have it transfer the pictures to her computer more or less by itself. In other words, it was supposed to be "simple". It is, as long as you don't mind sitting at the computer to take pictures while it's still in the cradle! Moreover, does anyone remember the issues that Windows NT had with boot drives that were larger than 2GB? Which memory genius designed it so that upgrading memory cards from 128MB to 256MB and beyond created something "unsupportable" in under a year?

I gave my brother a refurbished 700MHz Gateway computer that used to belong to my stepdaughter. He's a savvy computer user who has had one, in one form or another, for decades. It was fully loaded with Windows XP SP2, Microsoft Office 2003, and software to assist with the new DVD burner. His question, upon opening it, was "so what will I need to do?"

I suppose I should have given him a laptop, so that the computer could have been on when I gave it to him, already logged in, with all the Help windows opened. As he pored over the CDs and manuals, he expressed astonishment at just how much reading material there was. This, despite the fact that all the software manuals were on the CDs and all he was looking at were a few installation leaflets. It took many long hours to preload the requisite software; yet it seemed even that effort wasn't enough. He'd still have to provide his ISP dial-up information, and configure his mail.

My stepdaughter had asked for a UBS, or SBU, "Stick Drive"—at least that's what my wife said. She wants to print things out at school as she doesn't have a printer at home. Since she's going to school in Australia, giving her a printer wasn't a wise choice, hence the request for the "Stick Drive". We gave her a 128MB memory drive and she was thrilled. I haven't gotten around to explaining to her how she's going to have to print her Word documents yet. My preference would have been to give her a D-Link USB 2.0 Multi Card Reader, as she already has a 256MB spare card for her camera, but there seems to be some status in a "Stick Drive" that isn't achieved by using your camera to print.

There's "functionality", and it seems, there's "funkshionalty." One is all about something being suited to the task, and the other is about something doing the task in a fashionable way. Thankfully, the range of available hardware makes such choices available; but how does someone like me come to figure out which item is which?

Only my brother was interested in security. But he's in love with his fairly ancient version of Norton Firewall and Norton AntiVirus. I gave him an up-to-date version of Norton Internet Security Suite 2004; after he struggled to install and then remove it, he declared it inferior to his ancient software.

As security professionals, we're welcome to believe what we will about various products, configurations, default installations and disclosures. In the end, though, whether we're fully aware of the risks or not, our efforts will meet such individuals as those in my family. They're found in offices as well as homes. If we fail to provide an adequate mix of both functionality and funkshionality, in all likelihood our efforts will fail.

As a network administrator, my users referred to me using a derogatory phrase I can't repeat here. It was my job, though, to control the security of our environment, and that won't win any popularity contests. In my case, though, management supported me, and let me dictate to our users how things would be in our environment. Most admins aren't in such a position; they're told they must provide what the users demand and find ways to handle situations that go beyond their comfort level.

Software and hardware vendors could help in this effort if they would stop for a moment and consider just what they're giving us. The combination of engineering and marketing they currently supply is far too weighted to the marketing side, offering more "funkshionality" than we can secure.

Also, vendors, consider the poor administrators and try giving us fewer surprise gifts like already-infected systems, Web pages coded with buffer overflows and databases with every default Stored Procedure in place. It's enough to keep the network running with those millions of office workers who work fervently all year to find ways to circumvent the controls we put in place.

Remember that security is everyone's job. Just imagine what a mess this Christmas could have been if Santa had a laptop with a wireless adaptor and the Santy worm running!

Drive everything—be it car, laptop or server—safely this holiday season!

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq,, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

comments powered by Disqus
Most   Popular