ritter.vg
bruce schneier is wrong
28 Dec 2009 21:45:23 EST

Bruce Schneier is wrong. There, I said it. Specifically, he's wrong in one of his recent essays, Reacting to Security Vulnerabilities, and he's wrong in the suggestions he makes at the end of it.

He states there are several reasons to "do nothing. ... Don't panic. Don't change your behavior. Ignore the problem, and let the vendors figure it out." They are:

  1. It's hard to figure out which vulnerabilities are serious and which are not. ... The press either mentions them or not, somewhat randomly; just because it's in the news doesn't mean it's serious.
  2. It's hard to figure out if there's anything you can do. ... Some vulnerabilities have surprising consequences. The SSL vulnerability mentioned above could be used to hack Twitter.
  3. The odds of a particular vulnerability affecting you are small. There are a lot of fish in the Internet, and you're just one of billions.
  4. Often you can't do anything. These vulnerabilities affect clients and servers, individuals and corporations. A lot of your data isn't under your direct control -- it's ... in a cloud computing application.

He then gives a list of steps you should take to protect yourself client-side: anti-virus, updates, proper configuration, common sense, and backups. None of those points is wrong; they're all true. But his conclusion - ignore vulnerability reports - is downright careless.

For the elements (servers, people, services, etc) within your sphere of influence - you should be keeping an eye on the vulnerabilities that can affect them.

Consider a recent flaw found in IIS. If you're vulnerable, it's a pretty serious hole you have open - lots of bad things can happen. Fortunately, three things are on your side, two of which Bruce stated: the odds that you meet the criteria for being vulnerable are small, and if you do, the odds of someone finding and exploiting you are still small. Furthermore, good to excellent sysadmins would already be protected from this (the mitigation is subtle and easy to get wrong, but it's commonly advised anyway).

But none of these things matter after you get hacked. Then it's your data on the internet, it's your ass on the line, and it's you that I want to punch in the face after you leak my credit card. You can't claim "I was waiting for the vendor" - Microsoft isn't going to apologize and make everyone's credit cards come back home. You can't stand in front of the CEO and say "The odds of this happening were so low we didn't think it was worth protecting against."

The fact of the matter is that reviewing vulnerabilities - or at the very least being aware of what you're vulnerable to - is a low-cost/high-reward tradeoff. Let's take a look at the cost: add a few firehoses of information (vendor advisories, security mailing lists, security news) to Google Reader and skim through them for 5 minutes a day while having your coffee.

At this point, once you count actually checking the handful of items that apply to you, you're probably spending an hour a week on this. And let me tell you - there is nothing more impressive to your boss than when he comes to you to ask about something he saw in the paper or in his feed reader and you can say, "Yeah, I looked at that vulnerability already and [we're not vulnerable/I closed the hole]."
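Here is what the "skim the firehose" routine looks like once you mechanize the first pass. This is an added example, not code from ritter.vg or from Bruce's essay: it parses an Atom or RSS 2.0 advisory feed and keeps only the entries that mention a product in a small asset inventory, so the five minutes go to the items that can actually affect your stuff. The feed text, the product keywords, the hostnames and the links below are all constructed sample data standing in for your real feeds and inventory.

```python
"""Filter a vulnerability feed against an asset inventory.

Added example for the monitoring routine described in the post; it is not
code from ritter.vg.  SAMPLE_FEED and INVENTORY are constructed sample data,
and the product keywords are assumptions standing in for whatever you run.
"""
import re
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample Atom feed: three advisories, two of which mention
# products in the sample inventory.  Titles, summaries and links are made up.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Example advisory feed (constructed)</title>
  <entry>
    <title>Directory traversal in Acme Widget Server 2.x</title>
    <link href="https://example.invalid/adv/1"/>
    <summary>Remote unauthenticated file read.</summary>
  </entry>
  <entry>
    <title>Microsoft IIS: crafted filenames bypass upload filtering</title>
    <link href="https://example.invalid/adv/2"/>
    <summary>Affects sites that allow file uploads.</summary>
  </entry>
  <entry>
    <title>OpenSSL renegotiation flaw allows plaintext injection</title>
    <link href="https://example.invalid/adv/3"/>
    <summary>TLS renegotiation man-in-the-middle.</summary>
  </entry>
</feed>
"""

# Assumed inventory: one keyword per product you run, mapped to the hosts
# it runs on.  In practice this comes from a CMDB or a hand-maintained file.
INVENTORY = {
    "iis": ["web01", "web02"],
    "openssl": ["web01", "mail01"],
    "apache": ["wiki01"],
}


def parse_feed(xml_text):
    """Return a list of {title, link, summary} dicts from an Atom or RSS 2.0 feed."""
    root = ET.fromstring(xml_text)
    entries = []
    if root.tag == ATOM + "feed":
        for e in root.findall(ATOM + "entry"):
            link = e.find(ATOM + "link")
            entries.append({
                "title": (e.findtext(ATOM + "title") or "").strip(),
                "link": link.get("href", "") if link is not None else "",
                "summary": (e.findtext(ATOM + "summary") or "").strip(),
            })
    elif root.tag == "rss":
        for item in root.iter("item"):
            entries.append({
                "title": (item.findtext("title") or "").strip(),
                "link": (item.findtext("link") or "").strip(),
                "summary": (item.findtext("description") or "").strip(),
            })
    else:
        raise ValueError("unsupported feed format: %s" % root.tag)
    return entries


def match_inventory(entry, inventory):
    """Return the inventory keys whose keyword appears as a whole word in the entry.

    Whole-word matching keeps 'iis' from firing on words that merely contain it.
    """
    text = (entry["title"] + " " + entry["summary"]).lower()
    return sorted(k for k in inventory
                  if re.search(r"\b" + re.escape(k) + r"\b", text))


def triage(xml_text, inventory):
    """Pair each matching entry with the assets it may affect; drop the rest."""
    hits = []
    for entry in parse_feed(xml_text):
        keys = match_inventory(entry, inventory)
        if keys:
            assets = sorted({a for k in keys for a in inventory[k]})
            hits.append({"title": entry["title"], "link": entry["link"],
                         "products": keys, "assets": assets})
    return hits


if __name__ == "__main__":
    # Run against the constructed feed; only the IIS and OpenSSL items survive.
    for hit in triage(SAMPLE_FEED, INVENTORY):
        print("%s\n  products: %s\n  assets: %s\n  %s" % (
            hit["title"], ", ".join(hit["products"]),
            ", ".join(hit["assets"]), hit["link"]))
```

Keyword matching is deliberately crude; the point is to cut the firehose down to the entries worth a human look, not to decide exposure. The entries it keeps still need you to check versions and configuration on the listed hosts, and anything it drops is only as safe as your inventory is complete.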

I didn't pull these numbers out of thin air - I manage a half-dozen web apps and a few servers in either a semi-professional or professional capacity. If you're spending significantly more time you're probably doing it in a capacity where it's a formal part of your job in which case there's nothing to complain about. Bruce Schneier is wrong - it's our responsibility to stay on top of vulnerabilities and mitigate them when we can to protect our computers, businesses, and our clients' data.

The most important thing is that it's your job to keep your stuff secure - not anyone else. If it was their responsibility - it'd be their stuff.
