A Rant About InfoSec:

A Security Veteran in a Bad Mood Dumps on Everyone

M. E. Kabay, PhD, CISSP


Security Leader, INFOSEC Group, AtomicTangerine, Inc.


Copyright © 1999, 2000 M. E. Kabay. All rights reserved.


Information security is in crisis as we begin the 21st century. Let's see: whom shall we blame? Why, everybody! And where shall we start the litany of complaints? The Internet, of course.


The explosive growth of the Internet and of the WWW has swelled the number of novice computer users to the hundreds of millions worldwide, cheerfully sending each other joke programs with embedded viruses and cowering in fear at the latest hoax.


Teachers and parents (many of them violating software copyrights without realizing they’re breaking the law) are failing to teach children how to resist the wiles of criminal hackers, virus writers, pornographers and pedophiles.


Some Web sites are being managed by under-trained staff who know nothing about the years-old vulnerabilities they have left invitingly on their systems. These unfortunate people are stuck with inadequate resources and dismissive managers who nevertheless blame them when the site is plastered with obscenities by teenagers with less conscience than the average dog.


Web designers assume that users should trust mobile application programs (Java applets, ActiveX controls) whose origins are uncertain, whose documentation is unavailable and whose actions may be pathological. At least the Java virtual machine makes an attempt to limit the actions of applets; in contrast, ActiveX security laughably depends solely on authentication--as if knowing the origin of a program guarantees safe execution.


Software makers who ought to have known better have blurred the distinction between document and program by adding automatic execution of macros to their word processors. E-mailed Trojan horses are activated automatically when the message is opened.

Bloated programs are routinely so full of bugs that consumers now think it is normal to pay money for a service release that fixes what never ought to have been released.


We continue to use Internet protocols devised nearly 20 years ago and which have no provision for packet authentication. Criminals forge mail headers and packet headers with impunity and use them for denial of service attacks and spam.


Access control still relies largely on the outdated and ineffective use of passwords chosen by untrained users. Conveniently for criminal hackers, the users pick names of family members, people with whom they are having illicit romances, movie stars, pets, favorite sports teams, and the names of objects on their desks or visible from their windows.


Managers are loyal neither to colleagues nor to employers. The boom in firings and job-hopping has led to a short-sighted emphasis on the quarterly bottom line that makes investments in corporate security seem pointless -- why spend money on expensive protection when you'll be gone to another job within a year or so?


To our shame, we security specialists still lack reliable data on network and computer intrusions. Even when attacks are noticed, there is nowhere to submit the information for collation.


This is a rant, not a prescription, so I'll just mention a few of the measures that we have to implement to improve security in the coming years:



There now. I feel much better. Do you?