Computer-Security Paranoia

This is just a lovely essay. Very subtle.

Posted on October 21, 2005 at 8:33 AM • 47 Comments

Comments

joe • October 21, 2005 9:07 AM

well.... subtle until maybe here:
"I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards."
then it just gets ridiculous

Bill • October 21, 2005 9:42 AM

When I originally read this, I didn't think it was tongue-in-cheek, because you often see this attitude represented in "security" books and guides... They rarely talk explicitly about the difference between subjective and objective risk. (Sorry Bruce, I haven't gotten to read any of your books yet).

Nathan M. • October 21, 2005 9:53 AM

There is a fine line between doing enough and going completely overboard. The idea is to be secure without excessive inconvenience on your part.

stacy • October 21, 2005 10:19 AM

@Nathan M.
> The Idea is to be secure without excessive inconvenience on your part.

Sometimes, going overboard is the path of least effort. I was doing some clean up in my home office, shredding stuff with private information on it. I realised I was spending far more effort sorting out the "sensitive" documents than I would if I shredded the whole lot. And shredding everything has some added benefits. 1) I don't have to worry about having missed any that should have been shredded and 2) I now have a huge pile of shredded paper that contains < 5% sensitive information.

I think I will move my shredder out to the garage and place it over top of the paper recycling bin.

Mike • October 21, 2005 10:42 AM

At the end of the day this story is on El Reg ... I'll go for the subtle analysis.

Stories like this make me look forward to the letters section every week.

Chris S • October 21, 2005 11:41 AM

He's right on the line of paranoid, but I'm not sure he's over. Go read the bio at the bottom - his reputation is based on knowledge of systems as it pertains to security.

One side effect of this is that *any* successful technical attack, no matter how small or insignificant, would also constitute a reputational attack. The risk trade-off that he has to consider is completely different than the one most of the rest of us must make.

For most people, this would be paranoid. But a good security analysis should be flexible enough to encompass non-system valuables that may be attacked indirectly.

Martin • October 21, 2005 11:53 AM

I think what's even more telling is how few of the commenters on this article actually get the point of the article itself. Subtle enough? Perhaps too much.

Then again, maybe I'm paranoid too.

scosol • October 21, 2005 12:10 PM

Well- yes the subtle message of "practice good security even when there is no identifiable need to" is of course a good one, but man this guy is off the mark...
(why does it not surprise me he is a *windows* security "expert")

My favorites:

> I keep my PC's turned around so I can tell if anyone has installed a hardware keylogger.

HAHAH as if that's the only place one could be placed. I'm imagining this guy's home life- "Who turned the computer around?!?!? Johnny? Sally? Answer me!!!!"

> It takes five passwords to boot up my laptop and check my e-mail.

Since he makes no mention of disk-level encryption on his laptop, I assume he's not using any- thus with physical access (the only time one would be confronted with his 4 host passwords), all data on it is of course easily accessible. Perhaps he should switch to a 10-password scheme?

> And I install hotfixes the day Microsoft releases them.

Ah my favorite- blindly installing vendor-supplied updates before running them through full QA and reviewing peer reports of their usage is conducive to neither security nor availability.

Anonymous • October 21, 2005 12:11 PM

@Joe

> well.... subtle until maybe here:
> "I require my kids to use at least 14 character
> passwords on our home network and I'm
> considering issuing them smart cards."
> then it just gets ridiculous

A 14 character password is less secure than an 8 character one... A user will struggle to remember 14 characters, therefore it will inevitably be weak or written down. By comparison a good 8 character password is reasonable and more secure.

scosol • October 21, 2005 12:14 PM

Well I read it again after reading the comments- but... I must be missing it- I read nothing tongue-in-cheek here-
Whatever subtlety beyond "security works only if practiced with rigor" must be lost on me...

I continue to read nothing more than a lot of confusion, ridiculous and ineffectual measures, and yes, paranoia.

Anonymous • October 21, 2005 12:16 PM

I'm not sure which subtlety I might have missed. It's somehow exaggerated, but basically he's right. I am paranoid enough to encrypt trivial email messages. Alas, none of my friends have yet come to appreciate the importance of paranoia, so my PGP is completely useless. What a shame. Maybe the world would be a better place if we all were a little more paranoid?

Gerd Rausch • October 21, 2005 12:21 PM

I think he makes poor choices while being paranoid.
Example:
If I was an attacker, I'd be very happy to see his "Password Day" coming up.
Not only would I have access to the system broken into, but he would also deliver all his other passwords, since he changes them all at once.
Or maybe he's paranoid enough to have one computer for each password, each running a different operating system ;-)

jammit • October 21, 2005 12:27 PM

Funny article. I don't know who said this, but I use it as my motto "Just because I'm paranoid doesn't mean they aren't out to get me". The parts I found funny were the penny wise and pound foolish stuff. Like a 14 char password and yet installing any "beta" patch as soon as it comes out (like someone before me said), or having a password day where all passwords are changed in one day (so much for not having a recognizable pattern). Keeping the computer turned around to see for any hardware keylogger installed was too funny.

stacy • October 21, 2005 12:31 PM

@Anonymous
> a 14 character password is less secure than a 8 character one... A user will struggle to remember 14 characters [...]

AAARRRRGGGG!!!!!
I am so tired of hearing that argument. It is complete BS. If we stop telling people to "use long passwords" or "use strong passwords" and actually take the time to teach them strategies for picking strong passwords that can be remembered then they will not need to write down the password.

Whether they can type the password in correctly before their account gets locked out is another question :-)

Joe Loughry • October 21, 2005 1:19 PM

I thought he sounded quite sensible, actually. Just about the right amount of paranoia. Although I would add a crosscut shredder capable of handling polycarbonate discs and give the kids keyfob tokens for logging in to the home network.

Ed T. • October 21, 2005 1:23 PM

I can see it now:

{channeling Jeff Foxworthy}

"You MIGHT be considered paranoid if:

* Your home PC is protected by 3 firewalls (one of them hardware).

* You stay up on Patch Wednesday to make sure the patches install.

* You make your children use a 256-character passphrase, including characters from the Kanji set, and require they change passwords at least weekly.

* You prepare your old PC for recycling by tossing a thermite grenade into it.

* Your router is set to 'default counterattack' mode.

* You never surf the web without wearing your tinfoil hat.

{/Jeff Foxworthy}

-EdT.

Anonymous • October 21, 2005 1:27 PM

@stacy

> I am so tired of hearing that argument.
> It is complete BS.

Erm... I don't believe so.

alex • October 21, 2005 1:35 PM

It is a bit on the subtle side...but let's face facts: people who read weblogs all day long do not always have the keenest grasp on reality.

Jim Thompson • October 21, 2005 1:51 PM

I haven't seen anything in the article or the comments that mentions the value of the secrets he's trying to protect. If it's just his credit card number, then yeah, paranoia is probably the right word. But if it's his bank account, extremely sensitive documents, or the like, then maybe his measures are more realistic. Until you know what he's protecting, isn't it premature to pass judgment?

Marc Vallotton • October 21, 2005 2:04 PM

Hmm, I don't recognize myself in this guy but I do know quite a few people who are as paranoid or even more (worse). They have long been working in industries where protection of data (read: confidentiality) is of utmost concern.

I guess one can become as paranoid as this but as soon as I can no longer choose (use common sense to decide whether I should really shred my papers and blast them into the universe), I lose control over the whole matter.

If you are caring about having a life and good health, you'd better go easy, apply some good practice habits and exchange the keyboard for a good book or a walk in the park from time to time. I try to.

kero • October 21, 2005 4:59 PM

We should remove nail clippers from airplanes because they could kill someone! We should make people take off their shoes because they could have a bomb in them! We should arrest a small woman because she is walking on a bike path restricted to bikes!

Very subtle...

Dax • October 21, 2005 6:37 PM

Hahaha. Very nice.

Although, I am rather embarrassed to admit that I observe some of the practices he details. Makes one pause when their practices parallel those of a piece of absurdity.

I, too, keep my office and research PCs turned around so I can tell if anyone has installed a hardware keylogger. Actually, they're sideways so I can observe their backs and still access the front. Why, installing one would be a prank worthy of my officemates, and so it doesn't hurt to check. It takes but one extra second to look.

I rarely check in luggage when I fly. Not just for security reasons, but also because I have stood there and watched the way that airport personnel regard people's belongings. If I do, I carry anything beyond clothing and makeup in my carry-on, even on tiny prop planes where they try to pry bags out of your arms to stick them in the belly of the plane. Business paperwork would never, ever be trusted to luggage checking.

I do some of my Internet browsing from a locked down box that has few rights. I furthermore use "Tor" for a large part of my surfing, and choose https: options when and where I can.

I use Google maps to see what others might be able to see about my home. I also regularly check and make sure that I have not been added to zabasearch or any other online people searches. That I can find sensitive addresses on there means that others can find mine.

Most of my passwords are more than 15 characters long, using special characters, upper and lowercase, and numbers. I never forget them because I use memory triggers, my own mis-spelling tendencies, and I alter the letters in patterns. The one thing I might forget is which password is used where, but enough use and practice is eliminating this problem.

I also delete unused services on my servers because this is good practice. I wasn't aware this was part of the absurdity. Isn't that part of the CERT system administration guide? If you aren't using them, why have them?

I compute with the assumption that any network machine is potentially compromised, and any non-networked, unlocked machine outside my home is as well. After recently learning the art of lockpicking and knowing that other officemates know this as well, I wouldn't be surprised if locked machines were as well. (Great having forensics guys as officemates.)

Otherwise, very funny indeed, if making me blush. heh.

Anon50 • October 21, 2005 7:15 PM

Of course it is a tongue-in-cheek essay, but one with a little edge to it. The subtlety comes from the idea that this person is taking incredible precautions and we look at it and think maybe he's right.
I've always believed a key point of Bruce's is that security shouldn't be an impossible task, but the supposed actions of this author are impossible in any real life situation...but maybe in 5 or 10 years we won't think so. As I write this, the blog has a link to Bruce's free password keeper near the top. How many of us use it, how many can use it in many situations? (A business office computer? I don't think so).
Real security seems to need a real re-think of our processes and our choices so we don't force kids to have 14 character passwords (or even/especially me).

Davi Ottenheimer • October 22, 2005 12:18 AM

"How many of us use it, how many can use it in many situations? (A business office computer? I don't think so)"

I guess that depends who's in charge of the office security. I've purposefully spread Password Safe around many businesses faster than you can say "what happens if I search all the drives for the string 'password'?"

I tell the system admins to deploy Password Safe as a package or script and bingo, everyone has a simple place to store passwords and learn about the benefits of encryption.

It's not perfect, but a really good start compared to leaving "share drives" full of passwords in docs, spreadsheets, etc.

Password Safe is so convenient and easy I haven't had any (individual) user complaints, and I don't think it's unreasonable to use in any environment where you have to keep track of multiple personal passwords.

In fact, some people have started backing up all their soft-key info, including private PGP keys, to their Password Safe and storing the dat file on a USB key they keep with them. Seems pretty handy to me.

The Reg article is funny. For example obsessing about ports in the back of a computer case is hilarious, especially because many cases have ports on both sides (and maybe the top as well). I took it all as a joke.

I think keeping all your keys safe, physical and logical, on the other hand should be considered common sense.

packrat • October 22, 2005 1:25 AM

Heh. I'm surprised he missed the obvious security measure of packing the kids off to boarding school. They can't compromise a system they're not using. :)

Brian • October 22, 2005 6:14 AM

14 character pass phrases are trivial to remember:

"CanYouRemember"
"ThisOneIsEasy!"
"ALongPassword."

Even longer pass phrases are pretty easy to remember:

"To be, or not to be? That is the question. The answer, as we all know, is 42..."

That's over 80 characters. Also, what's wrong with writing a password down if you are afraid you're going to forget it? If you write it down and put it in your wallet and treat it like a credit card, it's not a big deal. Once you've used the password/phrase enough that you are confident you won't forget it, you can destroy the paper.

Rich • October 22, 2005 8:55 AM

A Fantastic Essay!

But I'm surprised that people haven't picked up the really important message. This kind of paranoia isn't required just for computer security- it's what we need in the War on Terror!

We need to train an elite squad of federal law enforcement with Special Combat Anti-Terrorism skills. Each member should have a drug/bomb sniffing dog. They should perform random checks, not just on individuals but homes. We could be surrounded by sleeper cells and not even know it people! I can't begin to name the dangers we face. Just think of our children! Think of all those backpacks and shoes not being searched! Those kids are OUR FUTURE! We owe it to them to protect them by searching them!

I for one would be a Proud to be randomly stopped and strip searched and have my Real ID scanned, every day for the rest of my life, if it would stop one Evildoer from so much as sneezing in our Great Country!

May the Tears of Eagles Bless Us, Every One!

Jason Marshall • October 22, 2005 8:54 PM

A couple comments on earlier posters:

I used to use substitution patterns and the like in my passwords, until I was reminded again that every time you sign up for a new account, you give them a password, possibly several over time (especially if you forget the password and start guessing).

You have no way of proving that they do not keep a cleartext version of your password. If you rely on dictionary words plus simple substitution patterns, this will be obvious to someone who acquires (or steals) several samples of your passwords. Even if you never recycle passwords between sites, you still may be giving away the keys to your accounts.

Instead, I prefer very long passwords, as another reader suggests. It has the bonus of sometimes telling you when you've come across a site that doesn't use password hashing (what do you mean, I can only use a password of 12 characters or less??). Of course, I'm also a fairly adept touch typist. Imagine your unsavvy friends trying to type a line of nonsense, or an obscure movie quote, in, with only '*******************************' as feedback. Think they could get it in three tries?

Fazal Majid • October 23, 2005 12:05 AM

There is a gaping flaw in his risk model. He says only he has the network password, not even his wife, but he makes no mention of a will.

DigiLife • October 23, 2005 11:34 PM

I think Bruce helped us all out with the password issue. I'm not a fan of hollywood movie plots but movies like "Ghost" and "Final Fantasy" remind us of the dangers of keeping passwords and personal info/diaries/journals/etc. unencrypted even when kept on our person at all times. password safe helps with part of the problem. i suggest keeping a "generic" revocation certificate for your pgp/gpg key(s) in password safe as well, just in case. the pgp/gpg key(s) and password safe (both program and database) should be on a usb flash drive you always keep with you. also i find it much easier to keep up with shredding by not receiving credit offers and such in the first place. all my statements i get electronically over encrypted connections and i use a mac with filevault. :) i keep password safe for when i am forced to use a windows machine. i also keep firefox installed on the usb flash drive. i use gpg but i dont keep a win32 version of it because i dont trust those operating systems *that* far! but i may need to access password protected content from a windows machine and password safe is a good thing to have. no admin i ever met has complained about password safe tho some dont like me having a writable drive. i cut a cd-r in those cases. some security just makes good sense. but i agree it should be practical.

DigiLife • October 24, 2005 12:06 AM

another note: not having a writable drive is supposed to mean not being able to walk away with company secrets and not having anything means not being able to bring in a virus. some admins won't allow you to "install" a drive so usb flash drives are useless. i use a business card size cd-r in my wallet when i have to. usually such places have firewalled away your ability to access your website from your workstation.

another *very good idea* is to have a program that can use /dev/random to generate secure passwords. as long as you are using password safe, remembering them won't be an issue. just need to remember 2 strong passwords, one for pgp/gpg and one for password safe.

to Bruce: it would be nice if password safe could do this. adding the ability to create encrypted notes in the database will also help. especially if those notes can include a small file like an image, audio clip or video clip. another nice feature would be to add some secure delete functionality for erasing old/unused password databases and other files. having versions for linux, unix, BSDs, and Mac OS X is also good. will get one of each when they mature :) . of course i should only need one database.
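DigiLife's suggestion above of generating passwords from the kernel random device, sketched in Python as an added example (it is not part of the comment thread and not Password Safe code). The alphabet, the function names and the rejection-sampling step are assumptions of this sketch.

```python
import math
import string

# Constructed alphabet for this example: letters, digits and a few
# punctuation marks that most password fields accept (74 symbols).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def password_from_stream(stream, length, alphabet=ALPHABET):
    """Build a password from a binary stream of random bytes.

    A raw byte has 256 values. Taking `byte % n` directly would favour the
    first `256 % n` symbols of the alphabet, so bytes at or above the largest
    multiple of n are discarded (rejection sampling) to keep every symbol
    equally likely.
    """
    n = len(alphabet)
    if not 2 <= n <= 256:
        raise ValueError("alphabet must hold between 2 and 256 symbols")
    if len(set(alphabet)) != n:
        raise ValueError("alphabet contains duplicate symbols")

    limit = 256 - (256 % n)          # e.g. 222 for the 74-symbol alphabet
    chars = []
    while len(chars) < length:
        chunk = stream.read(1)
        if not chunk:
            raise EOFError("random source ran out of bytes")
        value = chunk[0]
        if value < limit:            # accept only unbiased values
            chars.append(alphabet[value % n])
    return "".join(chars)


def generate_password(length=20, alphabet=ALPHABET, source_path="/dev/random"):
    """Read from the kernel random device named in the comment.

    Opened unbuffered so only the bytes actually needed are pulled from the
    device. On systems where /dev/random can block, pass
    source_path="/dev/urandom" instead.
    """
    with open(source_path, "rb", buffering=0) as source:
        return password_from_stream(source, length, alphabet)


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a password whose symbols are chosen uniformly."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw)
    print("approx. %.1f bits" % entropy_bits(len(pw), len(ALPHABET)))
```

The entropy figure only holds for machine-chosen passwords like these; it says nothing about the human-chosen 8 and 14 character passwords argued over earlier in the thread.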

Roger • October 24, 2005 4:42 AM

@scosol:

This article originally appeared some months ago in Security Focus. In response to criticism in SF blogs, he posted a "clarification" which answers several of your objections. Specifically:

> Ah my favorite- blindly installing vendor-supplied updates before running them through full QA and reviewing peer reports of their usage is conducive to neither security nor availability.

In his clarification, Mark noted that this is because he is a hotfix beta-tester and has already tested them. He does recommend other users pre-test before installing hotfixes. However, I do not! OK, pre-testing is pretty important for the corporate intranet, and appropriate for expert home users. But for the average home user, that is an excessive complication, and one which is in fact rarely necessary unless you have a very unusual configuration. For the typical non-technical home user it is safer to rely on automatic updates, which in practice amounts to same day installation.

> > It takes five passwords to boot up my laptop and check my e-mail.
> Since he makes no mention of disk-level encryption on his laptop, I assume he's not using any- thus with physical access (the only time one would be confronted with his 4 host passwords), all data on it is of course easily accessible. Perhaps he should switch to a 10-password scheme?

Actually, one of his 5 passwords *IS* indeed a disk-level encryption scheme. He's not quite clear here but that seems to be the one which gets the 50 character (10 word?) passphrase since the others don't take such long passwords. The other passwords are a BIOS boot password, windows syskey, Windows logon, and his email password. The only one which comes even into the ballpark of paranoia is the syskey password.

A word of explanation on syskey: the windows syskey is a method of encrypting the windows security database, so that if a worm somehow obtains admin privileges, or even if a drive is mounted outside its own operating system, it is not possible to mount a dictionary attack on passwords. Installing a syskey is done by default on recent windows systems but requiring it to be entered at bootup is optional and hardly anyone does it, even though Microsoft specifically recommends it be done for any system that an opponent could obtain physical access to. (Not so good for servers as the machine then cannot reboot whilst unattended.) Arguably, it is a teensy bit paranoid for this setup since presumably the only passwords in the SAM are his own accounts, which presumably already have strong passwords and are not vulnerable to dictionary attacks. But if he has other user accounts on the machine then especially for a laptop it is definitely a good idea.

The BIOS boot password on laptops is a reasonably robust method of preventing tampering. Certainly it can be overridden, but on a laptop doing so quickly without damaging the machine and/or leaving obvious traces is technically fairly challenging, certainly out of the league of the typical sneak thief or corporate spy. Unlike a desktop machine on a modern laptop it is usually not possible to simply reset the password (which in any case makes it obvious what has happened). For example PWCrack.com offers a BIOS password extraction service, but it requires that you first desolder the (surface-mount!) chip from the mobo yourself (not something that can be done in 5 minutes!), ship it to them, then they have a 2 day turn-around time, and finally the chip is usually unusable after they have extracted the password so you have to buy and program a replacement chip which the manufacturers will not supply, so it ends up looking different.

Unless a system needs to boot unattended you also might as well have a BIOS password since it's very cheap and does add a significant hurdle. BIOS boot passwords also don't need to be super-strong (and hence can be easier to remember) since they are not subject to dictionary attacks while the machine hasn't booted, and it can't be booted without knowing the password. While you're at it, also set the BIOS admin password, which will a) prevent resetting of the boot password and b) prevent a virus from reflashing the BIOS and turning your laptop into a very expensive foot-warmer. This BIOS admin password _does_ need to be strong, but that's OK since you use it very rarely, so write it down and stick it in the safe or wherever you keep your passport.

This is a reasonably secure system. The disk encryption with a strong passphrase means his data is rock solid safe in the event the laptop is stolen (although I hope he also has backups!); the presence of the BIOS password makes it much more difficult for an opponent with physical access to install a keylogger which could then be used to attack the disk encryption. Strong and independent windows and email passwords mainly are protection from on-line attacks. Syskey is mainly useful here if someone without paranoid security practices also has an account on the laptop. The fact that so many different passwords are required to achieve all this is a problem with the architecture, not his paranoia level.

Incidentally it seems to me that there is actually at least one password missing here: the dialup password. Maybe Mark trusts Windows protected storage to be strong enough to protect that, since it is a fairly minor secret, and is encrypted with a key derived from his password (which presumably is strong). Personally, I would not trust it, since it will give up this data for the asking while I am logged on, and thus may be vulnerable to viruses, worms etc.

> My favorites:
> > I keep my PC's turned around so I can tell if anyone has installed a hardware keylogger.
> HAHAH as if that's the only place one could be placed. I'm imagining this guy's home life- "Who turned the computer around?!?!? Johnny? Sally? Answer me!!!!"

Well, yes I agree it is a bit paranoid worrying about hardware keyloggers on his home network.
Having said that, while it is theoretically possible to put a hardware keylogger in many places, all the ones currently available off-the-shelf -- and hence available to any old bottom-feeder for quite modest prices -- require either replacement of the entire keyboard, or else are installed between the keyboard port and the end of the keyboard cable. I guess the FBI could come in and install one inside my existing keyboard, or pick the padlock on my desktop case and install one inside the case. But I'm not worried about the FBI. If I was worried about this at all, my concern would be a flatmate or cow-orker slipping a forty dollar gadget on the end of the keyboard cable.

Roger • October 24, 2005 4:45 AM

@Bruce:
"I can't believe you people are taking this essay as anything other than a joke. I guess it's even more subtle than I thought."

Uh, Bruce, I think you're mistaken here. This essay was originally published on Security Focus, where a thread ensued which was not dissimilar to this one. Mark stepped in to make some clarifications, from which it is clear that while parts may be meant to be humorous, it is basically *NOT* intended as a joke:
http://www.securityfocus.com/comments/columns/...

And frankly, I also am with Mark here. When analyzed point-by-point, very few of his defences step over the bounds of what I would consider reasonable, basic security for home computer use. Those that do are generally due to special conditions peculiar to him (e.g. he is a MS hotfix beta-tester), or else don't actually cost anything to implement and thus represent a good cost/benefit ratio even if the benefit is small.

scosol • October 25, 2005 4:09 PM

@Roger:

Thanks for the clarification- he should have included that extra level of information about his passwords to begin with- haha I think it's funny that Bruce overestimates the average intellect of most "security" columnists, so assumes that it must be a joke :P

Though- I still call BS on Mark's hotfix installation- he said that he installs them "the day Microsoft releases them"-
If he's a beta tester, and installs the eventually-released code, then he's already got the hotfix installed when MS releases it- or... if he beta tests versions but only has access to the "production" release from MS, he still isn't testing the code before installation because he doesn't know what has changed (or takes on faith as accurate, the list of what has changed) since the last beta he tested...

Josh • April 14, 2007 2:03 AM

If people want to spy on me, fine. My life is no more interesting than the average person. My wireless network is not encrypted, and I have no plans to make it so. When you are in my neighborhood, enjoy free internet access.

If you are sorry enough to waste your time trying to sniff my packets, go ahead and have at it.

It's easier to change all my credit card numbers 50 times than go through all this security nonsense.

BTW, I am not a newbie. I am an IT professional.

Deluge • June 14, 2007 9:36 AM

What are the risks of someone gaining access to your system's BIOS, Bruce?
What's the worst that could happen if the laptop is on a network?


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.