Recently, I was asked by an instructor at a technical college if I would mind responding to some of his students' questions. I happily agreed. Ultimately, this resulted in a lively back-and-forth session, so I decided to share the exchange with you. Enjoy!
Question 1: Microsoft just announced a huge list of security patches for "Patch Tuesday." Why doesn't it just focus on a single product and fix all of the security holes in one shot?
Finding bugs in products doesn't work that way. Every product that Microsoft codes goes through dozens of manual and automated tool reviews. That scrutiny is vital because Microsoft is the biggest target, and as a result Microsoft products actually have fewer vulnerabilities than those of its nearest competitors. But even with the right tools and processes, you can't catch everything. New techniques are found, mistakes are made, and until you have perfect humans, you'll never have perfect code and you'll never have perfect bug detection.
Here's a good example. Years ago someone discovered they could buffer-overflow the HTML color attribute field on Web pages as it was rendered in a popular browser. No browser vendor at the time ever thought the color attribute field could be abused. The vendor's security reviewers didn't know to look for it, and neither did any of the private or third-party tools, despite the fact that every field should be boundary-tested. Now all vendors check for it. Everything looks easier in hindsight -- improving software is an evolving process.
Question 2: In one of your blog posts, you mentioned something like: "The NSA could be hiding small snooping programs in, let's just say, a picture of a cute kitten or a fun Android game." So how can the average Joe ever know that what they download is the real picture or app with no hidden malware in it?
The short answer is you can't -- not even close. The only thing you can do is decide to trust the entity that created the device or code, especially if it is digitally signed. As long as neither the developer's code-signing certificate nor the machine the code was signed on was compromised, at least you can say that the code you received is what the developer signed at the time they signed it. But the truth is you really don't know.
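As an added illustration (not the author's code), the following Go program uses the standard library's ed25519 to show exactly what a valid signature does and does not tell you: a genuine download verifies, a download altered after signing fails, and code signed with a stolen publisher key verifies just as cleanly. The type and function names and the sample payloads are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedArtifact pairs the bytes a user downloads with the publisher's
// detached signature over them (constructed example type).
type SignedArtifact struct {
	Payload   []byte
	Signature []byte
}

// Publish signs an artifact with the publisher's private key.
func Publish(priv ed25519.PrivateKey, payload []byte) SignedArtifact {
	return SignedArtifact{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Verify checks that the payload is byte-for-byte what the holder of pub signed.
// It says nothing about whether that content is benign.
func Verify(pub ed25519.PublicKey, a SignedArtifact) bool {
	return ed25519.Verify(pub, a.Payload, a.Signature)
}

// Scenario runs the three cases the text describes and returns the verdicts:
// a genuine artifact, an artifact altered after signing, and an artifact
// signed with the publisher's key after that key has been stolen.
func Scenario() (genuine, tampered, stolenKey bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	app := []byte("cute-kitten.png: harmless image bytes (constructed)")
	genuine = Verify(pub, Publish(priv, app)) // true: unmodified, signed by key holder

	// Someone modifies the download after it was signed: verification fails.
	art := Publish(priv, app)
	art.Payload = append([]byte{}, art.Payload...)
	art.Payload[0] ^= 0xFF
	tampered = Verify(pub, art) // false

	// The publisher's private key is compromised. Whatever is signed with it
	// verifies perfectly, which is exactly the limit the text describes.
	malicious := []byte("cute-kitten.png: image bytes plus hidden payload (constructed)")
	stolenKey = Verify(pub, Publish(priv, malicious)) // true
	return
}

func main() {
	g, t, s, err := Scenario()
	fmt.Println(g, t, s, err) // true false true <nil>
}
```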
It's all a matter of faith and trust. Certainly some vendors deserve more trust than others. Personally, I believe we need to "fix" the Internet and make hacking and snooping, even by the NSA, easier to prosecute and easier to detect. It disturbs me greatly that what the NSA does is completely legal ... and most countries don't even have the laws that we do. I wish everyone's privacy laws were stronger. In the United States, we need to modify our Constitution to guarantee more personal privacy. I thought the amendment against unreasonable search and seizure did that, but it's not even close to being enough these days.
Question 3: I liked your article "Crazy IT security tricks that actually work." Someone dismissed your points as "security through obscurity." If these things work, then why would the IT industry be so quick to discount them?
People repeat dogma as fact, when all you're really talking about are cute little sayings that were a stretch from the beginning. Obscurity is one part of security. It shouldn't be relied upon as the only defense, but it certainly plays a big part. If it didn't, every army would tell the other army what all their capabilities were, where all the weapons and troops were, and make everything "transparent."
The best thing I can say to anyone trying to learn is not to accept everything you hear at face value. Respect what other, more learned people say, but don't accept anything as gospel unless you do it or see it yourself. Stay skeptical.