Michael Howard - What if we had an unattackable system?
- Posted: Apr 05, 2004 at 9:42 AM
- 23,362 Views
- 10 Comments
What if Michael Howard's job became obsolete? After all, he's the top security official at Microsoft. What would the bad guys do if the system itself became unattackable?
"This network would be so great, if it weren't for the users" - Random System Administrator
Humans started the fight. They are the ones that write viruses. To attempt to write an un-hackable system with no security bugs sounds like a fool's errand. Hence the need for firewalls, IPSec, and System.Security.Cryptography, and why VoIP (at least in MSN Messenger/NetMeeting) and peer-to-peer sucks.
These comments make a huge difference in my views about Microsoft's stance on security. I still think the focus on security has been a long time coming in Microsoft software. I realize that there are only so many people who can put only so many hours into making the programs we use but I think a reasonable request from the users would be that developers listen to Howard's comment.
It seems to me that time and money are often spent in the wrong place. The developers of Outlook spent time writing warnings about opening attachments and even made attachments an optional feature (to be enabled by the user manually) but that time may have been better spent on improving the internal workings of the application to withstand more subtle attacks.
When users run attachments they do so at their own risk. It is not Microsoft's responsibility to prevent users from breaking their own system. Car manufacturers don't control the brakes and steering of the cars we drive. The cars don't crash themselves... nor do they speed and run red lights.
Maybe Microsoft should spend time on user education rather than locking down the system. If my mother saw an ad on TV telling her not to run email attachments unless she knows what they are she would probably be more receptive than when she calls me up and says "Why won't Outlook let me open any attachments?"
It's a shame that we have to address network and application security in terms of the least common denominator. But my experience and that of others in the tech support community have proven out that it is the best course of action.
Take a look at the latest waves of email-viruses: They are disguised as error messages from email-servers or antivirus-filters and even educated users tend to open these messages. The more educated the users get, the "better" the viruses, trojans, etc. will get.
At this point only the combination with secure software and a secure software will do the trick and provide an acceptable level of overall security. The important thing is not to wait for the users to get more educated before you make your systems more secure, or the other way around. This has to be a development that goes hand-in-hand.
I completely agree with you; even educating end-users will not solve all security problems. It may, at best, help to mitigate security issues, but not solve them.
As soon as the newest security updates or software come out, I am one of the first people wanting to evaluate them. Although, as far as security patches go, it's pretty hard to get a straight answer out of Microsoft as to whether or not the updates will have a negative effect on an Exchange Server!
I agree that educating the end-user is one of the most important aspects in computer security but it only works if the system itself is secure enough.
Who is to say when a system is secure enough?
When that system does not get hacked as often as some baseline?
When a blue ribbon panel of 'EXPERTS' says its secure?
Sure, we all have our own ideas of the answer for that question, but you can't protect the user from themselves. Users want it all, people. They want their cake AND they want to eat it as well. Take away their email with all of its bells and whistles, and you will have a revolt on your hands. You can educate them on the do's and don'ts of opening and executing email attachments, you can tell them to log off of their machines when they are away, you can tell them all that stuff. You can spend real money training them on all of this and a certain percentage will NOT get the message.
I can almost hear it now...
"You just launched the pink slip virus bla bla bla"
Training users on these points encounters the law of diminishing returns. Some people will never get the message. I am not sure but I think these folks are like the folks who rush off to the beach during a hurricane.
Mr Howard is right on when he says the social vector for an attack has perhaps the most potential for damage because through it lies the exploitation of what is perhaps the only sure thing next to death and taxes, human nature.
my 2c
Impossible! I believe! Rules need to be broken, like it's said in great books. So hackers do that same job.
An unattackable system in terms of security is impossible.
Basically, hackers show the loophole in the system by breaking in, giving challenges and helping in a higher level of sophistication in s/w development.
I am in cybersecurity, but every day a new hacker hacks the system and shows a vulnerability, which makes every day of mine challenging. Humans are the ones who design and humans are the ones who break it. So this is a never-ending fight between attackers and defenders.
Arun.
Let's not use the word unattackable... Nothing is secure in the world!