Living in an unsafe world

Hello ladies, gentlemen and others

I am sorry that I have not blogged for a little while. I have been a little occupied with some pro-active stuff for a change. I was on training last week with David Solomon (smart fellow) and I have been preparing for a talk that I will be delivering in Stockholm in a few days. Fortunately for me, they are willing to speak English; I speak no Swedish at all.

So, in my last post, I said that I would be discussing limiting risks. If your computer is turned on and connected to a network, then the risk to it is non-zero. All that you can do is find a good balance between risk and functionality. If your computer is turned off, it is very safe but quite non-functional. If the computer is turned on, there is no firewall protecting it and the logged-on user is an admin, then it is probably very functional but not at all safe. Everything else is seeking a balance point.

So, are you familiar with the ten immutable laws: https://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true ?

I like law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore

This might seem like it is not wholly true – if malware runs under a limited account, is that so bad? It might not be the end of the world if that account were very limited and that software only ran with that user account. What if there were an elevation of privilege vulnerability as well? It has happened before in Windows, Linux, BeOS – none of this is OS-specific. These are called blended attacks. It may be that there are no elevations left or that there is no route to the elevation from the things that malware running in a compromised context can access. However, if something might be a risk, it is best to assume that it is a risk. Smart but dishonest people will work very hard to find any hole.

Given that, any computer with malware cannot be fully trusted. In a near perfect world, it wouldn’t be trusted at all. Of course, in a perfect world, there would be no malware.

In this very imperfect world, it is pretty much certain that some of the computers that connect to a website will be compromised. Some of them will belong to blackhats. It has been said that politics is the art of the possible. IT security is also the art of the possible – living in a world where not everything is safe.

I will talk about helping your programs survive in a dangerous world in my next post.

Signing off

Mark