Feeds

Security for the paranoid

Even a paranoid can have enemies

  • alert
  • submit to reddit

Remote control for virtualized desktops

Comment Paranoia is the key to success in the security world. Is it time to worry when other security professionals consider you too paranoid?

"You can't ever find a place that's nice and peaceful, because there isn't any. You may think there is, but once you get there, when you're not looking, somebody'll sneak up and write F*** you right under your nose." --J. D. Salinger, American Novelist

Something strange happened to me recently: a friend told me I was too paranoid when it comes to security. It was strange because he was the third person to tell me that in a couple weeks. Sure, I expect most people to call me paranoid, but these were all colleagues in the security industry. Is it time to worry when security professionals consider you too paranoid?

Most of my internet traffic goes through at least three firewalls. Is that too paranoid?

The first thing I did was try to understand the word paranoia. After checking a few dictionaries I found that it was a psychotic disorder characterized by delusions of persecution, grandeur, or excessive distrust. What is a delusion? It's a false belief held despite evidence to the contrary.

Are extreme security measures acting on false threats that don't really exist? Some consider some of my security strategies a bit extreme. I call it meticulous precaution. Sure, the threat might not be real. No one may ever actually want what you have on your PC. But does that really matter? Does the threat have to be real to warrant strong security?

Sometimes I have a "Password Day" where I change every password I own on the same day, just in case someone might happen to have one of my passwords. I frequently change my passwords after traveling.

Its not that I think someone is trying to hack me, but I also don't think someone is not trying to hack me. That's really not the point. There's no need to analyze the threat of every situation. Just practice strong security always and you should be okay.

I frequently see people posting PGP signed e-mails to security mailing lists. It's not that these people are afraid of someone actually spoofing fake comments from them on the latest CGI flaw; they just make it a practice to sign every e-mail, no matter how trivial it might be. Sure, these people are signing e-mails when it's really not important, but I doubt they get caught not signing when it is important. If you always practice the best security, you never have to worry about mediocre security.

I use very long passwords for everything, even with the lamest accounts I have. I require my kids to use at least 14 character passwords on our home network and I'm considering issuing them smart cards. No one else, not even my wife, knows my network password.

I don't just throw out shredded documents; I spread the shredded bits into my garden to use as mulch.

I don't do it because I think someone is going to go through my trash to reassemble bits of my research notes. I do it because it's good security. I try to run my own network the same way I tell my clients to.

Is this prudent and sensible proactive security or is it mental illness? Do you need a threat to practice the defense? I used to tell my clients to set files in their web content directories to read only. Some thought this was too extreme and too much of a hassle, but then along came a worm named Code Red that failed on all the clients who followed my advice.

I use a unique, secret email address for each sensitive online account I have. I have always done that. I guess this would look paranoid to most people, but when I get e-mails from my bank, I can check the address the e-mail address they used to see if they sent it to the secret address.

Of all the changes Microsoft has made towards security in the last few years, the most notable in my opinion is that they now secure against threats that to many seem minor or that might not even exist. Is it insane and delusional for them to protect themselves from threats that haven't even been invented yet? Is it a senseless preoccupation to defend the inner layers rather than just focusing on hardening the outside?

I keep my PC's turned around so I can tell if anyone has installed a hardware keylogger.

I never check in luggage when I fly.

I do my Internet browsing from a locked down VMWare box that has no rights on my network.

I use terrafly.com to see what others might be able to see about my home.

It takes five passwords to boot up my laptop and check my e-mail.

One of those passwords is over 50 characters long.

I also delete unused services on my servers. I block unused ports. And I install hotfixes the day Microsoft releases them.

Henry Kissinger said that "Even a paranoid can have enemies." The fact is that we don't know all the current and future threats so we might as well treat everything as high security. I do, but then perhaps I'm just paranoid.

Copyright © 2005, SecurityFocus logo

Mark Burnett is an independent researcher, consultant, and writer specializing in Windows security. He is the author of Hacking the Code: ASP.NET Web Application Security (Syngress), co-author of the best-selling book Stealing The Network: How to Own the Box (Syngress), and co-author of Maximum Windows 2000 Security (SAMS Publishing). He is a contributor and technical editor for Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle. Mark speaks at various security conferences and has published articles in Windows IT Pro Magazine (formerly Windows & .NET Magazine), Redmond Magazine, Information Security, Windows Web Solutions, Security Administrator and various other print and online publications. Mark is a Microsoft Windows Server Most Valued Professional for Internet Information Services.

Related stories

Microsoft reveals hardware security plans
Credit card firms push cybersecurity
PC-cillin killed my PC

Remote control for virtualized desktops

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Choosing a cloud hosting partner with confidence
Download Choosing a Cloud Hosting Provider with Confidence to learn more about cloud computing - the new opportunities and new security challenges.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.