In case you didn’t know, or had mistakenly believed some vendors’ claims that things are getting better: computer security is still approximately as bad as it was when I got into the field in 1989.
Usually, when I say something like that around my peers, someone says, “well, it means we’ll still have jobs!” but, seriously, that joke wears thin after a while. What it really means is “a great deal of time and money is going to waste, and your career is a tiny little slice of that wastage.” Great.
The strength of a chain is only as good as its weakest link, blah blah blah blah; it happens to be true. Forget all the fancy technology, it’s a problem akin to “arrange your clothes so that they are not in the path of your urine, before you pee” (formerly, “unzip before you pee”) – it’s the kind of problem that is easier to avoid than to clean up. That’s what has always frustrated me: my career has been an endless litany of “do we need a firewall?” being asked during an incident response in which a huge amount of data leaked from a more-or-less open network. A few years ago, I started answering such questions a bit differently:
Customer: “Do we need a firewall?”
Marcus: “No, you needed a firewall. Now that it’s too late, you need a bunch of consultants to do an incident response, and you need to send breach disclosure letters to your users, and do a bunch of forensic analysis to figure out what happened – and you also need a firewall.”
I’ve seen some doozies in my day. One bank in Iceland explained to me and Bill Cheswick (who were visiting, attending a conference) “most hackers are American and can’t read Norse.” Granted, that was back around 1990, before everyone believed that hackers mostly read Chinese.
Then, there’s this kind of thing:
That’s Dr Harold Bornstein, Donald Trump’s doctor; the guy who’s probably writing the endless prescriptions for amphetamine-based diet pills. Damn it, you should not be using Windows XP!
And, don’t tape your password on your monitor unless you have adequate physical security:
What really made me pop my buttons about this was listening to an episode of NPR’s Planet Money podcast, in which they framed a computer security incident as addressable with insurance. Then, they proceeded to completely miss the point that the insurance was merely being used as a lever to try to adjust user behavior. Which, it didn’t. So please explain to me, again, how insurance helped with the problem?
Here’s the episode if you want to give it a listen. [npr] Normally, Planet Money is not terrible. Or, perhaps it’s always terrible and they just normally don’t talk about things I’m deeply familiar with.
Marriott. Target. The Democratic National Committee. There are so many hacks so often, they may feel unstoppable. And companies are trying everything. We watch as one company grapples with being hacked, and find out that a dusty old financial tool, hundreds of years old, could solve this very modern problem.
First, we have a litany of people who did not correctly arrange their garments before embarking on a urination. Then, they all got wet and nasty smelling and had to laboriously clean up and change their clothes. All of which could have been avoided by performing a simple, brief, and widely recommended behavior. Instead of doing that, they chose to have the problem and then they were unhappy with its cost. If you google for “how much does a typical computer security breach cost” it takes you right to:
You sure can save a hell of a lot of money by just ignoring basic computer hygiene until after you have a disaster.
Gotta go; pee to mop up in aisle 5.
I regret the ableism in the calendar “stupid user” – stupid is not a lifestyle choice. I did that calendar back in 2000, and have since re-thought a few things. [calendar] By the way, that calendar won some kind of marketing award, which I suppose makes me an award-winning marketing consultant. Oh, the irony!
On a more serious note: some clients have asked me, rhetorically, “well, isn’t the problem that Windows is too vulnerable?” Yeah. So why do they keep buying it? If you’ve got users who don’t know how to use a computer, get them a Mac. “Oh but Macs are really expensive!” yes, they are – but so is letting your ignorant users go on the internet running Windows.