% fortune -ae paul murphy

The only answer to PC insecurity

Last week Computerworld ran a story by Jaikumar Vijayan that started like this:

APRIL 10, 2006 (COMPUTERWORLD) - The Social Security numbers, driver's license information and bank account details belonging to potentially millions of current and former residents in Florida's Broward County are available to anyone on the Internet because sensitive information has not been redacted from public records being posted on the county's Web site.

What happened there is that the legislature required some public materials be made public - and the people in charge of redacting these materials to surpress personal information simply didn't do their jobs.

To me, therefore, the more interesting thing about the story was the accompanying list of related headlines:

Registrar's database said to have exposed data
Hacker hits Georgia state database via hole in security software
N.H. IT worker disputes state government security breach
Arrests made in debit card fraud case
Offshore outsourcing cited in Florida data leak
Laptop theft at Fidelity exposes data on 196,000 HP workers
Debit card fraud outbreak raises questions about data breach
Citibank probes ATM withdrawals, cites potential U.S. "retailer breaches"
Server hack at Georgetown Univ. probed

That's quite a list - and its just an editor's sampling of less than a month's worth of stories about significant security lapses; I can add several recent horrors to that list and so, I'm sure, can you.

Right now I don't know anyone who pretends to consciousness, works in some form of audit, and doesn't spend time worrying about people stealing laptops or cracking PC servers. As a result most of them are like sitting ducks for PC sales people offering automatic data encryption, secure USB keys, built in biometric security, or some other security related buzziness.

The problem is, most of this stuff imposes real costs while yielding illusionary security benefits: if a bad guy just wants to steal hardware a password challenge system will thwart idle curiosity, but if he's after data and not entirely stupid none of this other stuff will amount to much more than a nuisance.

Some of the reasons for this are external: for example, the internet means that a solution found by one person somewhere, is almost instantly available to all persons everywhere - including those whose own skill levels would never have permitted them to find the solution for themselves - or even to implement one from a good description.

There's an obvious internal reason that this type of security is generally not that hard to defeat too: people need to store keys somewhere -and whether that's in a chip, in a file, or on the network doesn't really matter. Security is as strong as its weakest point: encyrpt all your data using RSA (or AES), but store your 100 digit key in a password chain protected by "bilybob3" and the bad guy doesn't need to break the RSA or AES stuff, all he has to crack is an eight character password.

None of this, however, gets close to the real problem: we insist on distributing the data with our left hands while knowing perfectly well that the protection tools we have available to us are inadequate. Did the people behind those headlines do their jobs? Most of them did - what really happened is that their bosses didn't understand that using PC security to protect PC data is a lot like bringing in mice to keep mice out of a grain terminal.

So what's the right answer? Simple: if it doesn't work, stop doing it - or, in this case, if the headlines make it clear that major players can't protect their PC data, why on earth would you believe you could? So just say no: don't collect what you don't need, don't put customer data on externally accessible PCs, and don't put customer data on portable devices.

Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.