Understanding Computer Security

Recently I attended the Apple World-Wide Developer's Conference, where Apple's security guru gave a talk on how to make OS X secure.

The man was an idiot.

He said things like "you have to turn on encrypted virtual memory", and "you have to file vault your home directories" and "you have to turn off this or that service". I mean, he did know stuff about computer security. So maybe idiot is too harsh. More accurately, he was a security dictator, who didn't understand the most fundamental rule of

You can't say if something is secure or not, unless you can define what secure means.

I'm not trying to be clever or coy, merely practical. A bank and a university have vastly different security needs. Universities can afford to be much more open. But you have to make an honest assessment of individual risks. Banks might be targeted by real computer criminals interested in stealing funds. Or (far more likely) by their own corrupt employees.

Sure, universities have valuable assets. Sometimes there's proprietary data. And no student or professor wants their research to be stolen by a competitor. But, let's be honest, that's not really a realistic threat. If you do the basic steps of securing your files and backups physically and with appropriate permissions, and do the basics of closing off the obvious security holes, that's good enough for a university.

I'm not saying it's impossible to have a smart hacker come in and find a subtle security hole and steal someone's research. But it's unlikely because of the profiles. The smart hacker that can find the subtle security hole is likely high school or college undergrad aged, unmarried, with plenty of free time on their hands. For this person, a week of work could finish off the university's flimsy security. But if you think the college prof down the hall is going to do the same thing, think again. He's probably married. He has classes to teach, and students to meet with. He doesn't have ten spare hours a week. It would take him three months or maybe even six, to do what that script kiddie could do in a week, and he's just not that stupid to waste his time that way.

Meanwhile, what are the real risks that face researchers? Stolen data is possible, but among researchers I know, the biggest risk is simply losing the race to someone else who did the same work faster than you. I've met several people who've lost a race like this. I've never met anyone who had their research stolen. This person with 10,000 hours of computer simulation to run is not well served by encrypted memory or an encrypted home directory which will double or triple the time it takes to complete his or her research.

Hampering academics with compute policies that slow down their work exposes them to far greater risks than any hacker represents.


Tom Fine's Home Send Me Email