Schneier on Security
A blog covering security and security technology.
April 26, 2013
xkcd on a Bad Threat Model
Funny, and true.
Posted on April 26, 2013 at 12:21 PM
• 17 Comments
It's just like when people harden their kernel with SELinux/grsec and use a high-security pf firewall, then they don't use 2-factor ID on their email, or bank, or bitcoin exchange, so they lose all their privacy and money.
Speaking of bitcoin, if you are looking for a new challenge to break, you should check out bitmessage. It's an amazing, almost fully anonymous encrypted messaging protocol, but has never been tested by any real cryptanalysis experts. Should it prove reliable, it will certainly replace PGP slowly over the next few years.
But if they could install drivers...
Funny. And yet, it's not a completely worthless precaution. Recovery from malware can be much simpler if it hasn't managed to get its hooks into the operating system, install a rootkit and disable your antivirus.
Yes, strictly speaking you ought to reinstall completely after a breach. In practice that can mean digging up the disks, spending hours re-installing OS and apps, losing access to that business critical app that you've lost the installer for, and the vendor went bust a decade ago, failing to realize that some of your data was in c:\windows\stuff\(random hexadecimal gibberish) and so on.
Unless your /home (or whatever Windows is using right now) is encrypted, it doesn't really matter that much if you are logged in or not when it is stolen.
I know it just seems wrong that I have a token to use with my battle.net account to play Starcraft II, but for my bank, all they've got is a picture I'm supposed to look at to see if the site is spoofed. I'd rather have a token for the bank or some other actual two-factor protocol.
@examination ... and then placing anonymous links on random forums, hoping that people will be dumb enough to click through and boost your link ratings.
No matter how you try to disguise it or what lame excuses you come up with, link exchange is simply a fraudulent scheme to attempt to improperly influence search engine rankings.
It's all about the principle of least privilege, isn't it? You don't run as root because it makes it harder to install drivers; you do it because if you've got faulty or insecure software (browsers being the most obvious example), it's harder for them to get their hooks deep into the system. It just makes good security sense to separate code and data, and then require higher privilege to alter code.
Separation of accounts and not running normal software under privileged uid(s) isn't designed to protect against theft of the physical device - it's there to prevent attack escalation, e.g. an attacker who exploits one vulnerability shouldn't be able to, say, install a key-logger or view the memory space of other processes or the kernel. Granted, it may not be a sufficient condition to prevent attack escalation but is a necessary condition.
That is EXACTLY it.
Kudos to XKCD again.
Condolences to his brother.
My first thought was, this does seem odd. Then I read the alt text, and remembered that the reason for the admin security is so that can only screw himself up, not .
I am curious why you call this a 'bad' threat model. It seems pretty accurate to me, closely mirroring the typical computer owner, so I don't think it's bad in coverage, though it is incomplete in identifying purpose, scope and assumptions. It seems pretty dead on for current recommended practices, too, in that a typical computer user is not expected to need Fort Knox level security. And it pretty accurately identifies that protecting admin is not capable of being the primary protection for all accounts, but doesn't seem to imply that it's the only control in place. And it mirrors the real world: once you get access to my home, you get access to everything it protects: jewelry, furniture, and keys to other people's homes.
So I'm a little stumped: why do you think it's bad?
@Atk: If someone breaks into your house, do they also get the contents of your safe deposit box and car glove compartment? Alternately, if someone smashes your car window, does he get everything in your house? This isn't real life, these are computers, and they are different and could do better. Qubes proves that it's possible; you can already start browser processes in Windows as a different user to do your banking, say, but it's only when that's automated that you'll be protected from losing everything valuable at once.
@Joshua Bowman: yes, to several of those questions. If someone breaks into my house, they have access to the spare car key and have access to my car. If someone breaks into my house, they get access to my safe deposit box, but must subvert other controls at the bank (signature) if the bank has such controls.
If someone smashes my car window (which is a fallacious comparison, as a car is not typically where people store all keys), then they get access to whatever is in my car. With some people, they do store their house keys in their car, and breaking into the car grants access to their house, which grants further access.
Computers are part of real life, so your claim that it's not is incorrect. There are differences in what controls work in electronic systems than in mechanical systems, but that's also off topic...
And I never said we cannot do better, but I did ask what can be done. Automating better browser tab separation is a good thing, but misses the point. It doesn't matter how well your browser tabs are separated if an attacker has control of your OS account.
I still am interested in why the threat model is bad, and for what definition of bad.
If someone breaks into my house, they get access to my safe deposit box, but
Should have been
... to my safe deposit box *key*...
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.