
"We don't really know because that's the first step in good security is not to tell the world what you're doing. But we can assume that Apple being one of the most sophisticated technology companies in the world has thrown massive resources at this."

AAAARGGGHHH! No, that's bullshit. All that means is that Apple's customers don't know whether they have to take any action to protect themselves. The correct route to security is to tell absolutely everybody what you intend to do, in excruciating detail, with honeypots and demonstration servers, and let the world beat the bugs out of it. The strongest security in the world, the public key infrastructure, the same one used by banks and militaries and national security interests, is based on source code absolutely everybody knows and that the public has source-level access to.
The other stupid thing he said was:
"The first step in good Cloud security is to have a hard to figure out password that you change regularly, every six months at least."

"Hard to figure out" is not the same thing as a "hard" password. Want your password to be secure? Make sure it's at least 12 characters long, sixteen if you can stand it. Make sure it isn't subject to a dictionary attack by using odd characters.
Man, this guy's advice is out-of-date. Everyone who listens to him will be ill-informed about what really needs to happen.
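As an added illustration of the advice above (example code written for this page, not the author's), the checker below scores a password against the post's two rules: 12 characters minimum (16 preferred) and at least one "odd" character, plus a check against a constructed, deliberately tiny cracker word list with the usual leet substitutions and trailing "123!" suffixes folded away. The search-space figure is the brute-force keyspace in bits, which is why length matters more than the "hard to figure out" slogan.

```python
import math
import re

# Constructed stand-in for a cracker dictionary (assumption: a real list is
# millions of entries; these six are just for illustration).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "dragon", "monkey"}

# Character classes and their sizes within printable ASCII, used to estimate
# the brute-force search space an attacker would have to cover.
CLASSES = [
    ("lower", re.compile(r"[a-z]"), 26),
    ("upper", re.compile(r"[A-Z]"), 26),
    ("digit", re.compile(r"[0-9]"), 10),
    ("odd", re.compile(r"[^A-Za-z0-9]"), 33),  # punctuation and space
]

# Substitutions cracker rule sets try first, so "p@ssw0rd" is still "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def dictionary_hit(pw: str) -> bool:
    """True if the password is a word list entry, with or without leet
    substitutions or a trailing run of digits/symbols ("password123!")."""
    low = pw.lower()
    candidates = {low, low.translate(LEET)}
    candidates |= {re.sub(r"[^a-z]+$", "", c) for c in list(candidates)}
    return any(c in COMMON_WORDS for c in candidates)


def assess(pw: str) -> dict:
    """Report length, character classes, keyspace bits and whether the
    password satisfies the post's advice (>= 12 chars, odd chars, no
    dictionary match)."""
    classes = [name for name, rx, _ in CLASSES if rx.search(pw)]
    space = sum(size for name, _, size in CLASSES if name in classes)
    bits = len(pw) * math.log2(space) if space else 0.0
    hit = dictionary_hit(pw)
    return {
        "length": len(pw),
        "classes": classes,
        "search_space_bits": round(bits, 1),
        "dictionary": hit,
        "meets_advice": len(pw) >= 12 and "odd" in classes and not hit,
        "meets_preferred": len(pw) >= 16 and "odd" in classes and not hit,
    }
```

Run `assess("Password123!")` and `assess("correct horse battery")` side by side: the first passes a naive "letters plus numbers" policy yet is a dictionary hit, while the second is longer, has more keyspace and is not in the list.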
In the same article, Symantec System's Gerry Egan and McAfee's Joris Evers both encourage reporter Nina Gregory to give her listeners this advice: always have anti-virus software installed. Far be it from me to suggest that people who sell anti-virus software have something to gain from a virus-laden cyber-ecology, but why is it nobody ever mentions that the biggest threat to Internet security is the inherent insecurity of its most popular operating system, Microsoft Windows?
Apple products outstripped Windows in the home consumer market a few years ago, but the multi-tiered security of Apple's operating system makes it much harder for viruses to get a foothold, and the number of viruses exploiting Macs is orders of magnitude smaller than that of Windows. The same is true of computers running more obscure operating systems, like Linux.
The best anti-virus software for ordinary consumers is Mac OS X. Or, if you can't afford the top-of-the-line, a used PC laptop and Ubuntu.
no subject
Date: 2011-06-11 03:00 am (UTC)
If we could afford it, I'd love to get Macs anyway, but that's just *way* outside our budget.
(that said, I grok your vibe) ;-)
no subject
Date: 2011-06-12 04:30 am (UTC)
There may be some issues (namely, you can't) with running certain software though. Namely, software that doesn't run in a web browser.
Wait, you were listening to tech news on broadcast media?
Date: 2011-06-11 10:49 am (UTC)
no subject
Date: 2011-06-12 04:46 am (UTC)
1) if the username is exactly the same as the password, and the username is stunningly simple like "bill".
2) If the spammer cons the customer into actually handing them the password as in any weak phishing attempt that uses something that looks like our company name. You could have the world's most fascist password policy, but this will circumvent it faster and easier than any other.
We have a password policy for our customers that isn't terribly strong, for the benefit of the customers and the support staff. We only require 8 characters and it must include both letters and numbers.
There are *other* ways to prevent brute-force dictionary attacks from the internet, and the only way an attacker can brute-force a password in a way that isn't stupendously slow and easy to detect (and thus, utterly impractical for the attacker), is by first stealing the encrypted password.
And really, if the encrypted password was somehow captured by an attacker, what *else* have they already stolen? Probably everything.
From an attacker's perspective, a password is the 8 foot-thick front door to the fortress. Making the door 12 feet thick isn't going to change anything, because there are *already* easier ways to get into the fortress anyway.
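The comment above says online guessing is "slow and easy to detect". As an added example (not from the commenter or any real product), here is the detection half: a sliding-window counter over constructed login log lines that alerts when one source address, or one target account, accumulates five failures within a minute. The log format, field names, addresses (RFC 5737 documentation ranges) and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one attacker hammering "bill", one attacker spraying
# five accounts from a single address, and one user who mistyped once.
SAMPLE_LOG = """\
2011-06-12T04:46:00Z login user=bill src=198.51.100.7 result=FAIL
2011-06-12T04:46:01Z login user=bill src=198.51.100.7 result=FAIL
2011-06-12T04:46:02Z login user=alice src=203.0.113.5 result=FAIL
2011-06-12T04:46:02Z login user=bill src=198.51.100.7 result=FAIL
2011-06-12T04:46:03Z login user=bill src=198.51.100.7 result=FAIL
2011-06-12T04:46:04Z login user=bill src=198.51.100.7 result=FAIL
2011-06-12T04:46:05Z login user=alice src=203.0.113.5 result=OK
2011-06-12T04:46:05Z login user=bill src=198.51.100.7 result=FAIL
2011-06-12T04:50:00Z login user=carol src=198.51.100.9 result=FAIL
2011-06-12T04:50:01Z login user=dave src=198.51.100.9 result=FAIL
2011-06-12T04:50:02Z login user=erin src=198.51.100.9 result=FAIL
2011-06-12T04:50:03Z login user=frank src=198.51.100.9 result=FAIL
2011-06-12T04:50:04Z login user=grace src=198.51.100.9 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<res>\S+)$")


def parse(line: str):
    """Return (timestamp, user, src, result) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            m["user"], m["src"], m["res"])


def detect(lines, threshold=5, window=timedelta(minutes=1)):
    """Alert once per key when >= threshold failures fall inside the sliding
    window. Keys are ("src", addr) and ("user", account), so both a
    single-account hammer and a one-address spray get caught."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for line in lines:
        rec = parse(line)
        if rec is None or rec[3] != "FAIL":
            continue
        ts, user, src, _ = rec
        for key in (("src", src), ("user", user)):
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than window
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append((key[0], key[1], ts.isoformat()))
    return alerts


def run_sample():
    return detect(SAMPLE_LOG.splitlines())
```

Successful logins are ignored, so alice's single typo never counts toward an alert, while a spray that keeps each account under the threshold is still caught on the source key.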
Hmm
Date: 2011-06-12 06:00 am (UTC)
For example, consider the recent MacDefender malware that could install itself without requiring the user to enter an administrator password. I don't think that sort of thing is still happening on Windows, but it was apparently pretty easy on the Mac.
Also, I agree with Gromm about passwords. Once you avoid a dictionary attack, there's very little practical value to longer passwords. I'll add that longer passwords are more likely to be written down by the user, which can make them less secure than short, easily-remembered passwords that are not likely to appear in cracker dictionaries.
Re: Hmm
Date: 2011-06-12 06:52 pm (UTC)
It's still happening on Windows. Maybe not with Windows 7, I have no experience with 7 to say one way or the other, but there are still a lot of XP machines out there and I know of occurrences with Vista too.
Other than that, I agree with you and Gromm. 90+% of password cracking isn't anything of the sort. Passwords that are "password" or similarly easy, phishing, someone using the same password across multiple sites, etc.
Re: Hmm
Date: 2011-06-14 11:25 pm (UTC)
Ostrich Security Model
Date: 2011-06-12 08:11 am (UTC)
Mac has about 5% of the consumer market, down from a peak in the low double digits back in the good old days, years ago. Linux has come up to a good fraction of 1% of the consumer market now.
Linux users, despite potential tech savvy, are a big vector for malware. They tend to think they know enough to be script kiddies themselves, and do stupid things like brag about 'uptime' rather than keeping their systems patched. Mac users are a big malware vector for some valid reasons, and some outright idiotic ones. They tend to be the least tech savvy, but Apple PR actively discourages secure computing practices. With essentially a monopoly, over 91% share, Windows gets the most attention from criminals. Correspondingly Windows has the most anti-malware technology built in, and the shortest response time.
Anything Web & Internet compatible is vulnerable to cross platform malware. Feature phones, industrial controllers, smart 'fridges, are all at risk.
Doing some quick stats from the NIST vulnerability database you can see that the largest malware vector for several years has been the Firefox web browser (independent of OS). It has the most vulnerabilities (IE numbers are far smaller) and a long/slow response time.
Bottom line, anything successful/popular enough to get noticed by consumers will be worth the attention of criminals.
It's true that the first rule of network security is to not talk about your network security. It's not true that you should assume anybody has some, just because they have cool TV ads. Yes it's valid to Open Source (tm) something like PKI so people can independently validate that it's secure. And you have to give out some generalities in your marketing buzzwords.
Most people will have to trust experts. The experts will be perpetually out of date. Common sense and awareness of the risks our greed and laziness expose us to.
Death penalty for hackers is one way to go. I recently read a proposal to decriminalize hacking, with a view to making everybody more aware of just how vulnerable we are.
no subject
Date: 2011-06-13 05:14 pm (UTC)
no subject
Date: 2011-06-17 08:16 am (UTC)
As for Apple's cloud security, it's probably on the same level as Sony's. Yes, that's supposed to scare you...