December 4, 2006 at 4:23 pm
A Bad, Bad World
If you read this commentary on Internet security, you might be tempted to disconnect your computer from the Internet and stick to playing solitaire and typing your checks into Quicken manually.
Or you might not even finish reading it. It's a truly depressing view of our world and it makes you think that the best minds in the world, building these incredibly complex software products, can't even begin to make a decent piece of software. I'd like to think that things are getting better and that products such as SQL Server 2005 show some amount of maturity in how they are developed.
However until every software development project considers security an integral part of the process and no short cuts are taken, even in those small departmental apps that track who's in the office, we'll still have potential issues. And even then I'm sure that many criminals will find ways in, but I think things will be better.
I also think that until more of the world can agree on laws and allow enforcement and pursuit across borders, it's harder to make substantial gains in security. Unlike the physical world, where borders and enforcement of laws at their entry can make something of a difference, there is no such bottleneck on the Internet.
It's a scary world out there, but I'd like to think that most people have good hearts and that it's worth the risk to interact with them from afar.
Steve Jones
December 4, 2006 at 11:12 pm
Unfortunately, I have to agree with much of what the author had to say. Case in point: Adobe Acrobat Reader ActiveX control 7.0.1 - 7.0.8 is vulnerable to a remote code exploit and there is currently no patch. How many people have Adobe installed on their computers and have IE and are allowing the PDF file to pop up in their browser? If they have one of the vulnerable versions... you guessed it, they are potentially in trouble. Thankfully, I've not heard of any public exploits to this point. But it raises the question, "How many end users even know they are vulnerable?" And therein lies a HUGE issue.
The unsecured wireless access points are another good example. Over Thanksgiving my family went out of town to eat with some relatives. However, we had to take something from some other relatives in the town I live in to where we were going. I had my computer up in the minivan because I was working on some things for work (no rest, I tell you). Just driving through the network to our relatives, I cannot tell you how many unsecured wireless networks my computer detected. And this is just the built-in wireless card... I can't imagine how many more I would have seen if I had a "pringles can." Many of them were default ("Linksys" or "Netgear")... so they were basically pulled out of the box and turned on. Absolutely frightening.
We've got to get smarter as a society. If we don't, security is going to continue to get worse and worse and worse. There are too many people willing to prey on the naive attitude that the world is basically good.
K. Brian Kelley
@kbriankelley
December 5, 2006 at 7:20 am
It is sad but true that most of what occurs is lack of understanding or laziness. Being a SQL Server consultant I am given access to a lot of different systems to review and make recommendations. One area that never surprises me is the lack of effort that goes into securing SQL Server.
When security issues are discussed with the client it is often brushed off as there are other things that are more important to take care of such as making sure the business can operate. So the blame is really two fold; first the blame does lie with the DBA for not taking the effort to understand what needs to be done and what should be done, but secondly and more importantly I don't think that management really cares all that much about security. The old adage if it ain't broke don't fix it goes hand in hand with security. Once a breach of security occurs a lot of finger pointing occurs, but once the waters calm down again everyone seems to forget that it ever happened.
I think one way to solve the problem is a top-down management approach where everyone in the organization is held accountable for security at some level. We now have Sarbanes-Oxley to thank for some stringent rules on security, but what I hear from the IT community is grumbling over how difficult it makes their job and how do they expect to be able to even work with tighter security settings.
So overall I think a lot of the tools are out there that can help us have tighter security, but the IT community needs to wake up and make the real adjustments.
I have only discussed what I have seen at the SQL Server level and I know this is just one part of the entire picture. But if everyone does their job from the first tier to the last tier (including the end user) we can at least eliminate some of the issues.
As far as the home user community, this is a whole different problem. I know as an IT person and an end user (especially surfing the web at home) I often get annoyed at all the security messages that pop up. One of two things often happens: first, you either turn off the security or, secondly, just ignore the messages. I think to really combat the security breaches at home a lot more needs to be done, and this is definitely an issue that will be around for quite some time.
I have hope for the future, but unless we all do something as a whole I don't foresee this problem getting any better for quite some time.
Greg Robidoux
Edgewood Solutions
www.edgewoodsolutions.com
December 5, 2006 at 8:12 am
I don't know that SOX has really done a whole lot to tighten security. That's one of the issues I have with the legislation as written. You can interpret parts of it to require greater levels of security, but it may just be better auditing, which isn't exactly the same thing. The auditing is tedious and it takes people to review it, which is usually dumped on the same folks who were already stretched to begin with... but auditing doesn't necessarily prevent someone from doing something they ought not.
K. Brian Kelley
@kbriankelley
December 5, 2006 at 8:41 am
Steve
You said, "even in those small departmental apps that track who's in the office, we'll still have potential issues". Guess what. Knowing who is in the office and when is valuable data to those that would attack your organization or people.
I heard, "It's just inventory data." Well if I have your inventory levels nationwide over a period of time it's no great thing to predict your movement trends. If I can get my product into your high demand areas faster and cheaper I can beat you.
Sr. Flannigan said, "Ethics is good people trying to do well." We are good people. We try to do well. If you see a security hole, raise the red flag. Take it from someone who constantly thinks about how something can be turned around against me: you'll be able to sleep at night. I sleep. Many, many bad dreams, but I still sleep.
ATB
Charles Kincaid
December 5, 2006 at 8:47 am
You are so right. Auditing is more like a MIB (Mishap Investigation Board - NASA) than a safety inspection. Don't get me wrong here. Auditing can, and does, reveal holes and defects.
ATB
Charles Kincaid
December 5, 2006 at 6:36 pm
Since this thread is security related and this is a SQL Server board, I thought I would mention that last week I went to a "what's new in SQL Server 2005" session at one of the university's business partners'.
I was most impressed to learn that SQL Server can be configured to "force" integrated login / server policies etc. with regards to what you can do and even "see".
Was even more impressed to find out that there is some T-SQL to negate this requirement!
Gavin Baumanis
Smith and Wesson. The original point and click device.
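An added illustration of the point above, not code from the post or from any vendor documentation: I take "server policies" to mean SQL Server 2005's option of applying the Windows password policy to SQL logins (CHECK_POLICY / CHECK_EXPIRATION), and the "T-SQL to negate this requirement" to be ALTER LOGIN switching it off again. The login name and password below are placeholders; the final query is the check a DBA can run to find logins where the policy has been turned off.

```sql
-- Assumed interpretation (added example, not from the thread): a SQL login
-- created with the Windows password policy enforced on it.
CREATE LOGIN app_reader
    WITH PASSWORD = 'PLACEHOLDER-strong-password-here',
         CHECK_POLICY = ON,        -- apply Windows complexity / lockout policy
         CHECK_EXPIRATION = ON;    -- also apply password expiration

-- The statement that "negates" the requirement: anyone holding
-- ALTER ANY LOGIN can switch the policy back off for a login.
-- ALTER LOGIN app_reader WITH CHECK_EXPIRATION = OFF, CHECK_POLICY = OFF;

-- Review check: list SQL logins no longer subject to the policy so they
-- can be examined and the setting re-enabled where appropriate.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0
   OR is_expiration_checked = 0
ORDER BY name;
```

Running the SELECT on a schedule and comparing against the previous run turns a silent configuration change into something that gets noticed.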
December 5, 2006 at 9:30 pm
SQL Server 2005 is a great move forward for security in the MS world.
Charles, I've read about a few of those tricks before and it's certainly made me rethink the idea of sequential IDs on exposed interfaces.
December 10, 2006 at 7:13 am
It doesn't matter what the system is, there will always be someone who tries (and succeeds) to crack it.
In the UK there is a government database that has been set up to allow medical records to be available in any part of the country in any GP surgery. The laudable aim is that if I am run over by a bus in John O'Groats (as far North as you can go on mainland Britain) but my residence is near Lands End (as far South as you can go on mainland Britain) then my medical details can be instantly available to tell if I am allergic to penicillin, or other medicines that may be used in treatment.
The problem comes in that the number of people who could legitimately have access to this data is quite high. Even if only a tiny fraction of these are dishonest, that means that the data of a vast number of people has been compromised.
The other issue is that the number of people who can legitimately enter information is quite high, so it is likely that errors will occur and be propagated through the system.
If you are incorrectly entered as being a paranoid schizophrenic and that information propagates through medical, to insurance, to police databases then
Take another example: let us suppose that someone famous gets incorrectly flagged as a child abuser. That information gets propagated and, because of that person's status, the information gets printed and read by millions. You can publish all the retractions you want but there will always be an element of doubt; that character will be tarnished for ever.