Patches and security metrics

Long time no security talk. This is meant just as a quickie, to jot some thoughts down while they’re in my head and before I take off to The Big Blue Room for a week or so.
I was listening to the most recent pauldotcom podcast, and something struck me about it. They’re not alone, but Twitchy spent a good 60 seconds at least decrying Macs for the number of patches they received in the last update.
Now, I’m not the smug Mac user that he / they hate, but it strikes me that it’s just as foolish to base one’s perception of the security of a product on the number of patches it receives (security-related or otherwise) as it is to use any other single metric to judge anything else. For instance, judging worker performance by the number of request items closed is crazy. Judging a salesman’s performance based exclusively on number of products sold is showing poor judgement. (If you’re going to use a metric there, make it repeat customers. I know for real estate and vehicles that’s a bit less convenient, but if the customer’s not happy, it’s not a good sale just because you have their money. But I digress.)
All operating systems (and suites of software) have tons of exploits. Pick your poison. To quote a bofh who shall remain nameless here, “I’ve always taken the position that if you can’t find anything bad to say about a language or an operating system then you don’t understand it.” The key is – and in fairness, Twitchy touched on this – to understand just what you’re getting into when you run OS X or Linux or FreeBSD or Windows. I run all of those, every day, for different reasons. I have OSes that I prefer over others, and while it would be exaggerating to say that I literally hate them all, there really are things about each one that I can’t stand. (And they *all* have very annoying, smug userbases, albeit FreeBSD’s is much smaller because there are far fewer end users of that than of any of the others named.)
Besides, if you’re gonna go by the number of patches metric, I’m pretty sure if one were to count up all the patches for all the Linux applications (yeah yeah, Linux is just the kernel, but what the hell can you do with just a kernel?) in the last month, it’s a lot more than 50. So there. Hell, Firefox+Thunderbird alone must be approaching that. :-) In other words, I see your OS X 0-day driver vulnerability (that got somebody at ShmooCon 0wned), and raise you a 0-day Linux file privilege escalation vulnerability (that got a major Linux distribution’s build box compromised). Rationalize that how you will – “but the Linux one required local user privileges already” – but in the end, it’s still a major hole that affected a *lot* of people, and it’s far from the only one.
NO operating system is safe by the sheer virtue of its philosophy or designers or hardware or the majority (or minority) of the people using them or any other reason. By extension, no OS is unsafe simply because it has a lot of patches. I’ve used a lot of them in my time, and believe you me, every OS sucks. Appeal to authority? Maybe. I don’t care.

High level: Security vs Ease of Use

I was listening to Martin McKeay’s Network Security Podcast this morning (26 July 2006 episode) and he said something early on that struck me:
“People say they want security, but what they really want is ease of use.”
I think it’s a mistake to separate the two; they’re not exactly part of a single continuum, but they’re close. If something is not easy to use, then people will work out ways around it, thus obviating the security. Consider that the most secure computer is one that is disconnected from a network, turned off, and physically isolated from anybody and anything. Not very easy to use it though. The easiest computer to use is one with no passwords, no accounts, and anybody can do anything they like to it – not very secure. The goal of security is to find some place in the middle, such that the users don’t have to work around your security in order to be able to actually use the damn thing. Force password changes every week? Users will alternate the same two passwords. Disallow that, and they’ll alternate three. Disallow re-use, and they’ll make them easy to remember: cat. dog. shit. assholemademechangemypasswordagain. Sooner or later, you get to the point where users are writing them down on stickies and putting them next to the machine.
If something is too difficult to use, it’s not secure, because nobody will use it. They’ll figure out another way to do the same thing, and that other way is likely less secure. Figure out with your users the best way to strike the balance.
That leads into a ranty-type post, and I don’t want to get into it right now because I’m still too close to the subject. But I will be talking about service levels, user expectations, and IT responses at some point.
(Edit: tried to send a trackback ping to Martin, no joy. sigh. I mess around too much during the day to want to mess around all night, I must be… gasp… getting old.)

Stolen laptops

uwstudent (via The Record) has a brief story on some stolen laptops here at UW. Doesn’t look like there’s much personal data on there, but this line: “The personal information in the computers is password protected and is not retrievable” (from Martin van Nierop, who’s not really a techie so I assume it was given to him from somebody else) is a red flag. What sort of password? What assurances do the people whose information got stolen have that the data really is safe?
I’m disappointed; I’d have liked to have thought that our world-class institution would be a world leader in terms of fessing up when things go wrong. I guess what it really means is we’ll follow along with the rest of the world. That line’s getting to be as bad as “going out and giving 110%” is in sports.
Edit: 570News has a story on this too. Same story: “UW says the data is protected by a password and is not retrievable.”

PGP keys

In the spirit of practising what I preach, I’ve switched my mail clients to using GnuPG signing by default, or have at least started on switching them – main work machine done, laptop and home Windows PC to go.
One of my complaints about email is that it’s difficult to verify the sender or the contents, but I don’t do anything to help people receiving my email to do so.
Plus, it started making more sense to me some time ago, protecting myself from people who might misquote me in order to cause harm to me professionally.
It’s not perfection, but it’s a start. My one bitch is that Thunderbird/Enigmail will remember my passphrase for an arbitrary amount of time, but can’t be set to clear when the screensaver comes on, for instance. I poked about at gpg-agent, but couldn’t find any frontend for MacOS that seems to do that.
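As an added illustration (not from the original post), a gpg-agent.conf that at least bounds how long the agent keeps a passphrase cached, assuming GnuPG 2.x where gpg-agent rather than the mail client does the caching:

```conf
# ~/.gnupg/gpg-agent.conf (added example; assumes GnuPG 2.x, where gpg-agent,
# not Thunderbird/Enigmail, holds the cached passphrase)

# Seconds a cached passphrase stays valid after its last use (GnuPG default: 600).
default-cache-ttl 300

# Hard upper bound on cache lifetime, no matter how often the key is used
# (GnuPG default: 7200).
max-cache-ttl 900

# The same two limits for SSH keys, relevant only if enable-ssh-support is on.
default-cache-ttl-ssh 300
max-cache-ttl-ssh 900
```

After editing, `gpgconf --reload gpg-agent` applies the new limits and also flushes every passphrase already cached, so a screen-lock or screensaver hook that runs that command gets the clear-on-lock behaviour the GUI frontends lack.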

Air Canada vs WestJet, conclusion

WestJet and Air Canada settled, courtesy of the CBC. The PaulDotCom boys picked up on it in their podcast – I’d submitted the story to them, intending to get them to link to my writeup, but I never took the time so I just gave them the raw link. Now I’m taking the time, because I think they missed something in their show.
There are a couple of interesting items here. First is the most obvious, and the one they caught: what was an employee who’d presumably left on poor terms (but left!) still doing with a login id and password, valid from off-site, for what is presumably a considerable length of time?
Second is the settlement. It’s curious that AC would settle for legal fees + litigation, and a contribution to charity from WestJet. Did they figure they couldn’t win the original $220m lawsuit? Are they essentially admitting guilt to the charge of trashing the WJ exec’s house? Either way, that’s a pretty interesting result to what appeared to be a relatively straightforward case of industrial espionage.