My view on Security

People in the Software Industry seem to be quite a bit bothered by the notion of Security. Security seems to be this ooh-so-magical castle that's innately "more important" than anything else that your company does and any and all pain and sacrifice demanded at the altar of security is justified (because oooh! Users! & Privacy!!!). Well, let's face it - security is a pain... a massive pain that provides very little reward in return.

Security is like brushing. Do it once everyday and you'll be happy, your teeth will be healthy and you'll have a long life. And that's all the importance it deserves. 

ACLs are like flossing. You know you should be doing it, but you keep putting it off as long as possible. ACLs give you a sense of security, a warm fuzzy feeling of being in control. An easy way of saying - yeah, we know what we're doing - look! ACLs! And every single day, an engineer's creativity dies a little bit when he or she spends 3 hours trying to get permission to look at just one, just one instance of the data that you're trying to protect so that you can write just one line of code. 

And then there's security "best practices". Ooh, I just cry a bit every single time someone in security says "no, you can't do this" without providing a half-decent, reasonable technical alternative to the egregious hack that's already in the system to work around some other limitation of some other security system. Half-assed security systems do no good to anyone. 

There are only 2 reasonable threat models in the world: you're either being attacked by a Nation state or you're being attacked by a script kiddie. Nothing you can do will stop a determined Nation state. Electronic security be damned. They're just going to pick you up from your neighborhood coffee shop and you're going to quietly give up your passwords and hope to get your life back. If they're trying to be a bit subtler, you're just going to get key-logged. 

If you're getting attacked by a script kiddie, reasonable passwords, https, instructions about phishing and 2 factor authentication is all that you need. 

This entire hoopla about "insider threats" being a reasonable threat model in enterprise just doesn't work. If you can't trust your employees with the broadest of powers, they just can't work with each other or with the data that you're working so hard to protect. There's just no way you can protect against the exponential possibilities of compromise. The *ONLY* reasonable alternative is "trust but verify". Put in auditing, look for patterns, look for data exfiltration but for heaven's sake, just don't make daily life hard. Because your average engineer is working really, really hard to move your company forward. Making your productive workers jump through hoops kills productivity and at the end of the day, talent leaves a non productive organization and with it, your long term future disappears.

Comments

Post a Comment

Popular posts from this blog

Coke Studio: Madari English Meaning and Lyrics

Image
Thanks to Sanat Rath , I had the absolute privilege of listening to this superb rendering of Madari by Vishal Dadlani and Sonu Kakkar and an absolutely stunning composition by Clinton Cerejo as part of Coke Studio. Here's the official video. The lyrics of the song are interspersed with the meanings translated to English. Credits for the superb lyrics go to Manoj Yadav. Hope you enjoy it. Make sure you watch this in HD, it's worth the extra audio quality. Song: Madari Producers: Coke Studio Singers: Vishal Dadlani and Sonu Kakkar (Intro music with chords) (Slow build up) (Sharp guitar riff) (Drums kick in...) [Vishal Dadlani sings] Madari, Madari, Madari, Madari mera tu, Main Jamura re Jamoora,  Jamura re Jamoora...  Master, master, master * you're my master I'm an obedient assistant * , an obedient assistant... Madari, Madari, Madari, Madari mera tu... Main Jamura re Jamoora,  Jamura re Jamoora re...  Master, master, mast
Read more

AJAX और हिंदी

हाँ! अब आप हिंदी में भी भी ब्लोग कर सकते हैं। गूगल में तो कुछ अलग ही बात है। इतनी आसानी से मैंने कभी हिंदी नही लिक्खी थी। चलो, इसी बहाने मेरी हिंदी कुछ और शुद्ध हो जायेगी। इस लेख का मुख्य उद्देश्य है आपको AJAX नामक टेक्नोलॉजी (इसे हिंदी में क्या कहते हैं?) के एक अंग से परिचित करवाना। AJAX का पूर्ण नाम है Asynchronous Javascript and XML और इसी के मध्यम से मैं अभी इन्टरनेट के द्वारा ब्लॉगर के इस सुन्दर यन्त्र का फूलपूर्वक इस्तमाल कर रह हूँ। दरसल AJAX द्वारा हम Desktop जैसी look aur feel web applications को दे सकते हैं। पर आज के लिए बस इतना ही। अगले लेख में मैं इस टेक्नोलॉजी पर ज्यादा विस्तार से बात करूंगा। तब तक के लिए शुभ रात्री, शब्बा खैर, और अपना ख़याल जरूर रखियेगा। तब तक के लिए नमस्कार। ;-)
Read more

Sadi Gali - Punjabi Lyrics and Meaning (in English) - Tanu Weds Manu

Image
Another superb song makes its appearance on the Bollywood scene. Sadi Gali from Tanu Weds Manu is a perfect Punjabi Dance track. Performed by Lehmber Husainpuri from RDB, words aren't sufficient to describe it. Just listening to it makes you want to jump up and start tapping your feet to the music. It's even garnered over a million plays on Youtube. In an effort to make this song's lyrics accessible to the masses, here's the meaning of the song in English paragraph by paragraph. I made it while listening to this song non-stop on loop. Hope you enjoy it!   Kudiyan de vich phir hassdi khed di [Hasdi] x 4 Khed di Ho, gutt di parandi teri naag wangu meldi [Naagawa-] x 4 -ngu meldi Again you're smiling and playing in the midst of girls Ho, Your "gutt da paranda"* resembles the moves of a snake gutt da paranda = An artificial hair extender often worn by Punjabi women to increase the length of their locks. Kudiyan de vich phire hassdi khed di College nu j
Read more

Tune Meri Jaana Kabhi Nahin Jaana - Lonely (Emptiness) - IIT Guwahati - Rohan Rathore

Image
Update: Rohan Rathore and his tragic story is a hoax for sure. This is confirmed. I've talked to my friends at IIT Guwahati and there is no record of such a person ever existing on campus. Nobody at IIT-G knew him and if a person dies in tragic circumstances, nearly everyone in the IIT knows it. The story about Rohan Rathore was created in order to gain views for a video on Youtube. So let us all put the "fake" Rohan Rathore to rest permanently as a person who never existed. Therefore, we can be very sure that the original singer of the song is Gajendra Verma. I'm leaving the original post below for archival purposes. ------ Original Post follows ---- I was introduced to this song by Sanat nearly a month ago and today, after listening to it again on Youtube,  I really felt that I needed to transcribe its lyrics. It's such a soulful song that you can't help feeling sentimental after hearing it - especially since the IITian (Rohan Rathod) who wrote a
Read more

Solved? LaTeX Error: pdf file is damaged - attempting to reconstruct xref table

Update : Greater experience with this issue has given me greater clarity. The issue is not related to LaTeX. Getting this error message simply means that evince tried to access the PDF file while it was being written to by pdflatex or latex and found it in a damaged state. This happens if you have a large pdf file being generated with lots of text or a number of figures. There's nothing to worry about if you get this error message. You can safely ignore it. ---- Original Post Below --- This is just a short note for anyone coming across this problem while doing LaTeX work. Google doesn't have a decent explanation for why this message occurs. I don't have one either but I have isolated the cause for my particular issue and I hopefully have a fix. The error under discussion is: Error: PDF file is damaged - attempting to reconstruct xref table... Error: Couldn't find trailer dictionary Error: Couldn't read xref table Error: PDF file is damaged - attempting to
Read more