Mark Burnett, 2005-04-26
Paranoia is the key to success in the security world. Is it time to worry when other security professionals consider you too paranoid?
Security for the Paranoid
2005-04-26
Anonymous (5 replies)
I have worked in the field of mental illness as a case worker. And today I work in security too. Although you can make a case to explain your actions, the fact that your kids, your wife, and anybody who tells you you're too paranoid is evidence of a neurosis. Your actions are not justified even by...
[ more ] [ reply ]
Security for the Paranoid
2005-04-26
Anonymous
I disagree; trusting your wife and giving her your password are two different things.
It's not paranoid to follow good security habits.
If there is a need for her to be in an account you share... create a separate account for that purpose.
God knows if you get ripped on an account and you...
[ more ] [ reply ]
Security for the Paranoid
2005-04-27
Rickard Johansson (1 replies)
There are a few people I trust with my life, but I still do not share my passwords with them. Why not? Because I do not have to.
And I usually do not actually put my life in their hands either, if I do not have to....
[ more ] [ reply ]
Security for the Paranoid
2005-04-27
Anonymous (1 replies)
Well, since you involve your family in your overkill security practices maybe you are really paranoid, especially if while reading you're taking offence at my comment (I say this because I'm myself a little really paranoid, so I know how it feels ;)
Anyway there's one thing you don't say in th...
[ more ] [ reply ]
Re: Security for the Paranoid
2005-05-25
Bradbury9
<quote>Having a 50 words passphrase is fun (I can think of the faces of people seeing you typing a 50 letters phrase to login !), thinking that evil forces are secretly deploying megaterahertzcpus is paranoia.</quote>
Paranoia? I don't think so. It is just looking forward to quantum cryptography (d...
[ more ] [ reply ]
Security for the Paranoid
2005-04-27
Anonymous
Perhaps you have really worked in the field of mental illness as a case worker. But you cannot give a full diagnosis of a complex thing like mental illness based only on one or two strange behaviours. No real expert would do this.
I know that I'm a little bit paranoid too. But today's computer ind...
[ more ] [ reply ]
No such thing as "being TOO paranoid/careful"
2005-05-05
Anonymous
"If you can't trust your wife with the network password, then why would you sleep with someone in the same house as the knives?" <-- what Mark Burnett the author here is trying to relay *cough* ..hasn't got anything to do with trusting/mistrusting his spouse in the general sense. Mark's wife is pro...
[ more ] [ reply ]
Security for the Paranoid
2005-04-26
Anonymous (1 replies)
50-char passwords are too extreme, especially for things like boot-up and local stuff where people need to be at your computer to type in the password. 3 firewalls is also too extreme. A hardware firewall between the modem and LAN and a software firewall on each computer is more than enough. You might want a se...
[ more ] [ reply ]
Security for the Paranoid
2005-04-27
Anonymous (1 replies)
If you make your living by being a security expert, I said spending 10% of your gross income on security to protect your reputation would not be out of the question. If anyone ever hacks into his system and then leaks it to the public, he will never recover and his career will be over. Besides, it...
[ more ] [ reply ]
Security for the Paranoid
2005-04-27
Anonymous
Very true that it is a good way to stay on top of your field. But does a security expert really need to look at the incoming address to figure out if it is really their bank or not? Phishing attempts are easy to see and trace. If his e-mail gets out on a list, then the whole plan is shot. He is going...
[ more ] [ reply ]
Security for the Paranoid
2005-04-26
Times Enemy <times@krr.org>
Greets.
I thoroughly enjoyed your article, Security for the Paranoid. I have been burning shredded documents, mixing the shredded documents with various ashes, then throwing them out randomly. After reading your article, I think I may try mulching the shredded documents; however, I may set up a ...
[ more ] [ reply ]
Security for the Paranoid
2005-04-26
Jeroen Kemperman (2 replies)
I run a firewall and use some common sense when browsing and accepting files. That's basically it. If you're using Windows I'd add a good virus scanner to that, but that's not needed on my mac.
There are billions of users on the Internet, and I'm definitely not one of those with much sensitive in...
[ more ] [ reply ]
Security for the Paranoid
2005-04-26
Anonymous (1 replies)
Uhm, well even if you don't have any sensitive material, there are a couple of scenarios in which your computer would be interesting anyway. 1. Denial of Service bot 2. Spam bot, 3. Virus originator. 4. Nasty enough identity theft even if it is just your email, and 5. I've heard of a couple of cases where u...
[ more ] [ reply ]
Security for the Paranoid
2005-04-27
Anonymous
Your computer can often be just as useful a tool for other people as it can be for you. A private web proxy on floating IP addresses that contacts you whenever it changes is a beautiful thing if you don't want people looking at what you do. Owning the box that does all this makes it even better as...
[ more ] [ reply ]
Security for the Paranoid
2005-04-26
Anonymous (1 replies)
My feelings on this matter are somewhere between "You're a bloody nutcase in need of medication and 24 hour care" and "Everything you're doing here is personally reasonable". I think the Internet we're all on would be a much safer and more stable place if people used more security than the 'nothing...
[ more ] [ reply ]
Security for the Paranoid
2005-04-26
Anonymous
It kind of scares me that you are supposed to be a security expert. I have time for three comments:
1) Have you really considered whether your policies are actually improving security? For instance, long passwords (especially with the non-security-conscious) tend to encourage users to use easily gue...
[ more ] [ reply ]
Security for the Paranoid
2005-04-26
Anonymous
Personally, I think the author might be clinically paranoid.
Remember the word "excessive" from that dictionary definition of paranoia which was quoted in the article? I think that's the key. There must be a limit on what qualifies as "excessive", how much is too much.
For example, note that...
[ more ] [ reply ]
know your enemy
2005-04-26
Anonymous
The first rule of warfare is "know your enemy". Who are you trying to defend against who will be clever and persistent enough to work against all those defenses?
The limited expense rule of defense is that if you can make your adversary spend more on the attack than the value of the target, then...
[ more ] [ reply ]
Playing the "You're Paranoid" Card for Social Engineer & Profit
2005-04-27
Anonymous
Sometimes, calling a cautious person "paranoid" or "silly" can be a great way to coax the person to drop his guard.
A variant I've run into revolves around my practice of covering my hands with a hat or other block as I'm entering passwords on the keyboard if a visitor in my cubicle is glancing a...
[ more ] [ reply ]
When Paranoia Annoys Ya
2005-04-27
Anonymous
Perhaps some of the precautions that Mark Burnett uses may come out of the ability to think how systems can be hacked, cracked, and whacked. I know from my own experience that my ability to think offensively contributes to my thinking defensively.
The tricky part with thinking like this is that i...
[ more ] [ reply ]
Security for the Paranoid
2005-04-27
Anonymous
You are totally and completely paranoid.
The cost of using your security is higher than the cost of being attacked successfully.
You should get psychiatric help.
When I imagine your home I imagine thick iron bars on the windows, bullet-proof glass, an eight-foot cement wall with electrified...
[ more ] [ reply ]
Security for the Paranoid
2005-04-27
Anonymous
There is a very thin line between genius and insanity.
The main question here is that you asked if you're bordering on insanity. My wife calls me Mr. P (not for you know what, she has another name for that) so I feel qualified enough to give my opinion of where you've crossed the line.
1- three fir...
[ more ] [ reply ]
Security for the Paranoid
2005-04-27
Kron
IMHO you are definitely over paranoid. And I wonder if you are really doing a good job for your clients. Let me explain: Security has a cost. Very good security is extremely expensive. Yet, for as much as you spend, you will never get the 100%. So, the intelligent thing to do is to measure the risk ...
[ more ] [ reply ]
Security for the Paranoid
2005-04-27
dan@3-e.net
As you point out, paranoia is a very clearly defined term, therefore people who use it in such an ignorant way need not be taken seriously. Perhaps you need to point out to your detractors that they should try mastering the English language before passing comment on your security measures or your men...
[ more ] [ reply ]
Security for the Paranoid
2005-04-27
Anonymous (1 replies)
It's a good article and I think what you are trying to establish is "security is a state of consciousness" not a product or process like all the "security consultants" are trying to sell to the people who control the purse strings.
Most people fear the unknown but people who fear the known and ...
[ more ] [ reply ]
Re: Security for the Paranoid
2005-06-23
Morris Cox
What about INTPs? I'm an INTP (or rather, I*N*T*P*) myself. I'm a network admin and Internet expert (11 years). Quite a few of my coworkers think I'm paranoid. I think a lot of it is because they haven't been "burned" yet. (Try being framed for a felony because someone used your computer to break in...
[ more ] [ reply ]
Answers and clarifications
2005-04-27
Mark Burnett (1 replies)
Thank you all, I enjoyed your comments. I wanted to answer some questions and clarify some points so as not to give the wrong idea about what I consider good security. I certainly don't think that stupid security is good security.
Sharing passwords with my wife - I don't share them but she has a ...
[ more ] [ reply ]
Answers and clarifications
2005-04-28
Chatos Anonymous
" "you are at 42% where the line is at 50%" - So you're saying I still have 8% of my sanity I can still blow on security? Great! "
I hate giving you free rein but after your explanations on 1, 6, 14 and 18, you gained quite a buffer zone. You moved from 42% to 24%.
But don't forget that acco...
[ more ] [ reply ]
sounds to be a reflection myself
2005-04-27
<visitbipin hotmail com>
No one can guarantee 100% security but we can assure 100% risk acceptance.
For example: I used to go as far as changing the file permissions of every executable on my computer to read-only, and backup to read-only, even the ones with Administrator privilege... so even on a worst day, a virus running with ...
[ more ] [ reply ]
What OS are you using?
2005-04-27
Anonymous (1 replies)
Before having 3 firewalls, ask yourself if your OS is or is not "secure". AFAIK, OpenBSD is secure (but not easy to use or upgrade). AFAIK, Windows is... secure ?...
[ more ] [ reply ]
What OS are you using?
2005-04-27
Zachary Palmer
I'm also curious about on which system the 50 character password is used. Last I checked, Windows splits passwords into eight character units for password hashing. Thus, by caching all reasonable results from the hashing function in a hash-to-string fashion, one can get the plaintext password from...
[ more ] [ reply ]
Missed the most obvious security precaution
2005-04-27
Anonymous
Just ditch Windows, Mark. You're being silly, trying to be secure on that OS. Unless you believe all the treacherous 'windows is more secure than linux' microsoft-funded studies, of course. In which case - please continue thinking you are secure :)
Also, you don't mention encrypting all pop/smt...
[ more ] [ reply ]
Security for the Paranoid
2005-04-27
Anonymous (1 replies)
You're paranoid about security, and yet you use Windows, as opposed to a Mac, *nix, or something even more secure/obscure like VMS? (I'm guessing, since you said that you install patches the same day Microsoft releases them.) It's cute that you think you're following "good security," but in the...
[ more ] [ reply ]
Security for the Paranoid
2005-04-27
Anonymous
Are you too paranoid? No, threats are everywhere and the simplest way not to get screwed is to be a difficult target. That said you have made the PC difficult to use for those around you and in the event of your wife not being able to get to your files a possible problem in the case of something tr...
[ more ] [ reply ]
Security for the Paranoid
2005-04-27
Stephen
Actually, the difference between you and others may simply be that you have the ability to *remember* all of these different passwords. Having five passwords between my email and myself would actually reduce security for me-- I'd have to write them down somewhere, since I simply couldn't remember th...
[ more ] [ reply ]
Security for the Paranoid
2005-04-27
Anonymous
Interesting read. While it may sound extreme, let's face it - being a consultant in the security field makes you a target for some people. Sad, but probably true. So in my opinion, your security setup at home, while way more than I would set up, is justified.
When it comes to security, the only ...
[ more ] [ reply ]
Security for the Paranoid
2005-04-27
Anonymous
people posting things like: no one is interested in your data, why do you care?
They are interested in using your compromised system, to compromise others. You too will start to care when guys in black show up on your doorstep and haul you away for hosting kiddie pron, or because someone used you...
[ more ] [ reply ]
Security for the Paranoid?
2005-04-27
Anonymous
In order to be considered RATIONAL, your "response cost" to threats should be proportional to the threat severity. If you (and others) are not unduly inconvenienced by your security measures then you are doing fine. Also, you should always remember that NO security is absolute, and that wasting ti...
[ more ] [ reply ]
Security for the Paranoid
2005-04-27
josh
It's good to be paranoid nowadays. Far too many people are unaware of the most basic security measures which can prevent most disasters. The real answer is to create a solution which is paranoid for you so that it does not take as much effort as the columnists methods do.
Josh
http://itsecurea...
[ more ] [ reply ]
Social Engineer Past The Technology
2005-04-27
Anonymous
So now all I have to do is bypass all that technology that you think protects you and social engineer one of your family members into giving me access. Now that your wife knows you don't trust her, maybe she'd be willing to give me her password to spite you?
Do you take a different route home ev...
[ more ] [ reply ]
Security for the Paranoid
2005-04-27
Anonymous
I can see how that much security could be useful. By practicing such tight security you can deter people from even trying because of the insanity of that setup. Look at the idea of the castle. The castle was developed in case a large army equipped with siege weapons showed up at the front door. The l...
[ more ] [ reply ]
Security for the Paranoid
2005-04-27
JB kybrdcowboy@hotmail.com
Very interesting setup. I wouldn't call it paranoid, it just depends on your own needs/ requirements. I am curious btw, what about software to prevent intruders from listening to the noises your computers make, or the radiation your computer and monitor(s) give out? Theoretically, this too can be ...
[ more ] [ reply ]
Security for the Paranoid
2005-04-27
Anonymous
The question is not whether the writer is paranoid or not, it is whether his practices make sense or not. One must always weigh the cost against the value; if being overly cautious prevents you from doing your tasks in a normal fashion or takes up more and more of your time, then something is wron...
[ more ] [ reply ]
Windows?
2005-04-27
Anonymous (1 replies)
Security for the Paranoid
2005-04-28
SafeCracka
1)Does he check his firewall logs daily? Did he disable LM hashes on his Windows box? (If not, the 14 char password is really just two sevens)
2)More importantly, did he change his password after disabling the LM hashing, because otherwise it's equally pointless.
3) "And I install hotfixes the...
[ more ] [ reply ]
Security for the Paranoid
2005-04-28
ZeroXeal
You talk about your network security, and while I am impressed with it and may upgrade mine as a result of this, I wonder what you do about physical security.
Is your computer area TEMPEST shielded?
Is it an armored room?
If someone were to physically compromise your house for whatever reason h...
[ more ] [ reply ]
Absolutely right, although...
2005-04-28
Dmitry Kirsanov
You could use a hardware key like eToken - a secure place for your SSL certificates and PGP keys, with an internal RSA processor (1024-2048 bits) - that would ease the pain of entering too many passwords, and would allow you to extend your network passwords to 128 symbols.
At all, you are paranoid, and so am ...
[ more ] [ reply ]
Security for the Paranoid -trust wife
2005-04-28
Anonymous
In my case, it is not a case of trusting my wife. I just do not want to deal with the hassle of cleaning up or repairing a problem when something happens.
My wife sometimes leaves our home computers logged in when she is through using the computer. My nine year old son will then fiddle with the...
[ more ] [ reply ]
Security for the Paranoid
2005-04-29
Mat
I'd be interested to hear Mark's comments on how much his strict regime costs him (i.e. how long does it take to do all the additional tasks he has to complete).
This could be compared against readily available stats on the frequency of, and effort to clean up, a typical 'attack' on a home netwo...
[ more ] [ reply ]
Due Diligence vs. Efficiency
2005-04-29
Anonymous
It is possible to have too much security. It is possible to waste resources on non-issues. 5 passwords to get into a laptop is ridiculous. If the info on it needs serious protection, whole disk encryption with two factor is the way to go.
Browsing from a sandbox? Buy AV and patch... make the wife ...
[ more ] [ reply ]
Security for the Paranoid
2005-04-29
Anonymous (1 replies)
Remember the old wheeze, "I know I'm being paranoid - but am I being paranoid enough?"...
[ more ] [ reply ]
Security for the Paranoid
2005-05-02
Anonymous [Information Security Defender]
I think a lot of security minded people would agree with the need for lots of security. This is especially true if they have either seen or been a part of security incidents.
Although I'm not sure I would go as far as the author, security should be dictated by the business and/or personal prot...
[ more ] [ reply ]
50-character password is overkill
2005-05-03
Anonymous (1 replies)
The 50-character password is overkill. A uniformly random 20-character password is not subject to a brute force attack and 50 characters won't protect you from any but the smallest capacity key loggers....
[ more ] [ reply ]
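SafeCracka's question above ("is the 14 char password really just two sevens?"), Zachary Palmer's remark about Windows splitting passwords into fixed-size units, and the 20-versus-50-character argument in this post all reduce to the same work-factor arithmetic. The Python below is an editor's example added to this thread, not code from any commenter or from Mark Burnett's column. It models the documented LM construction (uppercase, pad to 14 bytes, split into two 7-byte DES keys that are attacked independently, placeholder hash for passwords over 14 characters) against NTLM's unsplit hash of the full password. The alphabet sizes (95 printable ASCII symbols, 69 after LM uppercasing) and the guess rate are assumptions chosen for illustration, and the numbers it produces are key-space sizes, not crack times measured on any real hardware.

```python
import math
from typing import Optional

# Alphabet sizes are assumptions for this example, not figures from the thread.
PRINTABLE_ASCII = 95   # space through '~', what a keyboard-typed password draws from
LM_ALPHABET = 69       # the same set after LM uppercasing: 95 minus 26 lowercase letters
SECONDS_PER_YEAR = 31_557_600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def exhaustive_search_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case seconds to try every one of `keyspace` candidates at a given rate."""
    return keyspace / guesses_per_second


def ntlm_keyspace(length: int, alphabet_size: int = PRINTABLE_ASCII) -> int:
    """NTLM hashes the whole password (MD4 over UTF-16LE, case preserved, no split),
    so the candidate space grows with every character added."""
    return alphabet_size ** length


def lm_keyspace(length: int) -> Optional[int]:
    """Candidates an attacker must try against an LM hash of a `length`-char password.

    LM uppercases the password, null-pads it to 14 bytes and splits it into two
    7-byte halves, each used independently as a DES key to encrypt a fixed string.
    The halves are cracked separately, so the cost is the SUM of two searches of
    at most 69**7 each, never their product. A half that is all padding hashes to
    a well-known constant and costs nothing. For passwords longer than 14
    characters Windows stores only a fixed placeholder LM hash, so there is
    nothing to attack; that case is reported as None.
    """
    if length > 14:
        return None
    first_half = min(length, 7)
    second_half = max(length - 7, 0)
    space = LM_ALPHABET ** first_half
    if second_half:
        space += LM_ALPHABET ** second_half
    return space


def compare(length: int, guesses_per_second: float) -> dict:
    """Summarise what `length` uniformly random printable characters buy against
    each hash at the given (assumed) guess rate."""
    lm = lm_keyspace(length)
    ntlm = ntlm_keyspace(length)
    return {
        "length": length,
        "entropy_bits": round(entropy_bits(PRINTABLE_ASCII, length), 1),
        "lm_keyspace": lm,
        "lm_years": None if lm is None
                    else exhaustive_search_seconds(lm, guesses_per_second) / SECONDS_PER_YEAR,
        "ntlm_years": exhaustive_search_seconds(ntlm, guesses_per_second) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    RATE = 1e9  # constructed figure: one billion guesses per second
    for n in (7, 14, 15, 20, 50):
        print(compare(n, RATE))
```

Two things the output makes concrete. A 14-character password stored with an LM hash is at most 2 x 69^7 (about 1.5 x 10^13) candidates, which is hours at the assumed rate, while the same 14 characters under NTLM alone are 95^14 (about 4.9 x 10^27); and once a random password reaches 20 characters it already carries more than 128 bits of entropy, so the extra 30 characters in a 50-character password add nothing a brute-force attacker would ever feel. Note also that the LM hash is computed when the password is set: turning LM storage off and not changing the password leaves the old LM hash in place, which is exactly SafeCracka's point 2.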
Re: 50-character password is overkill
2006-02-26
Anonymous
Well, the security of a 20-character password is only as good as its encryption method. I am constantly encountering articles that reveal some encryption method isn't as good as had been believed, that it might be broken in a billion years instead of a trillion. One could imagine someone discoveri...
[ more ] [ reply ]
Security for the Paranoid
2005-05-06
Anonymous (1 replies)
I am accused of being paranoid and over the top because I have two firewalls, one in the router, a SPI, and a software firewall; one antivirus, combined in eTrust EZ Armor; two anti-Trojans, Trojan Remover and TDS-3; three spyware scanners, Microsoft's, Ad-aware, and Spybot S&D; ProcessGuard; Startupmo...
[ more ] [ reply ]
Security for the Paranoid
2008-02-17
Anonymous
Funniest thing is if I stole your laptop, give me an hour and I would have changed all the local passwords, gained all of your stupidly long ones out of the cache, and unencrypted all of your documents, no cracking required. Over the top and pointless, plus the more complicated a system is, the easier it i...
[ more ] [ reply ]