Do we need to put the fear of the bogeyman into you?

Do we do a disservice to young sysadmins by teaching them important rules of thumb as if they were incontrovertible truth?

When I was starting out, I heard a lot of these, especially in security. For example, “a login server is always crackable”. I was dubious, because I didn’t understand the complex thought being expressed. What I heard was something like: “There are these invisible über-crackers who can take over any machine, any time, just give them a login and they’ll get root, so you might as well give up and stop offering login service. What? Your employer won’t let you stop? Too bad, you’re just screwed, and you’re probably a bad junior sysadmin for not threatening to quit over this.”

The actual thought prompting the rule of thumb is something more like: “Privilege-escalation bugs are one of the most common types of security holes. The more information a would-be cracker has about your system, the more likely he or she is to be able to take advantage of any holes that exist, whether through misconfiguration, unpatched software, or zero-day exploits that you don’t even know about. A login service gives the prospective privilege escalator lots of information about your system and lots of opportunity to take advantage of an exploit when he or she finds one. Over time, it is near-certain that for some period you will have such an unpatched hole, and the odds aren’t bad that one of your users will take advantage of it. So you should take measures to mitigate any such exploit, and assume that one may exist at this very moment.”

Okay, not nearly as pithy as “a login server is always crackable”. It’s also not as scary. I know to some mentors, that’s a negative—they want to scare junior sysadmins into erring on the side of paranoia. I think the thought process goes something like this: “okay, maybe there isn’t actually any known exploit that would merit having users always change their PINs to ones that don’t share a single digit with the previous PIN, but the fact that I got my intern to suggest it should be praised because it shows she’s worried about security.”

(That’s a true story, by the way. I once worked at a site where I had to set up a voicemail PIN of at least seven digits. I’d never had a PIN that long, so I just came up with one by doing a walk around the keypad, using every digit once. When the automatic expiration policy required me to change my PIN, no matter what new PIN I tried, I was told: “your new PIN must differ from your old PIN by at least one digit. Please try again.” The helpdesk’s only solution when I brought the problem to their attention was to delete my mailbox and tell me not to use all ten digits in my PIN in the future.)
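The PIN story is worth seeing as code, because the failure is a property of the policy, not of the user. What follows is an added example, not code from the original post or from the voicemail system described in it. It assumes the policy the post describes (a new PIN may not share any digit with the old one, minimum seven digits); the sample PINs are constructed. The feasibility check is the kind of test a practitioner would want to run on any rotation rule before deploying it, and the relaxed variant at the end is one possible remedy, not the site's.

```python
# Added example (not from the original post): a voicemail-style PIN rotation
# policy as the post describes it, plus a feasibility check that shows why an
# old PIN using all ten digits makes the rule unsatisfiable.
# Policy details and sample PINs are assumptions/constructed inputs.

DIGITS = set("0123456789")
MIN_LEN = 7  # the post's site required at least seven digits


def pin_is_well_formed(pin: str) -> bool:
    """Digits only, at least MIN_LEN long."""
    return pin.isdigit() and len(pin) >= MIN_LEN


def pin_change_allowed(old_pin: str, new_pin: str) -> bool:
    """The policy as described: the new PIN must be well-formed and must
    not share a single digit with the old PIN."""
    if not pin_is_well_formed(new_pin):
        return False
    return not (set(old_pin) & set(new_pin))


def usable_digits_after(old_pin: str) -> set:
    """Digits a compliant new PIN may draw from."""
    return DIGITS - set(old_pin)


def policy_is_satisfiable(old_pin: str) -> bool:
    """Can any well-formed new PIN pass the policy after old_pin?
    Digits may repeat, so a single leftover digit is enough to build a PIN
    of any length; zero leftover digits means every candidate is rejected
    and the user is locked into an expired PIN."""
    return len(usable_digits_after(old_pin)) > 0


def pin_change_allowed_relaxed(old_pin: str, new_pin: str) -> bool:
    """One possible remedy (an assumption, not the site's fix): enforce the
    no-shared-digit rule only when it can be satisfied; otherwise fall back
    to requiring that the PIN simply changes."""
    if not pin_is_well_formed(new_pin):
        return False
    if policy_is_satisfiable(old_pin):
        return pin_change_allowed(old_pin, new_pin)
    return new_pin != old_pin


def audit_policy() -> dict:
    """Run the policy over constructed sample PINs and report outcomes."""
    walk_around_keypad = "1234567890"   # every digit once, as in the post
    ordinary_pin = "2485013"            # leaves 6, 7 and 9 available
    return {
        "ordinary_disjoint_ok": pin_change_allowed(ordinary_pin, "6677799"),
        "ordinary_shares_8": pin_change_allowed(ordinary_pin, "6677798"),
        "ordinary_satisfiable": policy_is_satisfiable(ordinary_pin),
        "walk_satisfiable": policy_is_satisfiable(walk_around_keypad),
        "walk_relaxed_accepts_change": pin_change_allowed_relaxed(
            walk_around_keypad, "9876543210"),
        "walk_relaxed_rejects_same": pin_change_allowed_relaxed(
            walk_around_keypad, walk_around_keypad),
    }


if __name__ == "__main__":
    for name, result in audit_policy().items():
        print(f"{name}: {result}")
```

The useful habit here is `policy_is_satisfiable`: any rotation or composition rule that is a function of the previous secret should be checked for inputs on which the set of acceptable successors is empty, before users discover them via the helpdesk.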

Is it actually necessary that we scare junior sysadmins? Fact: the mythical über-cracker who can break into any device at a moment’s whim, from electronic door lock to supercomputer, doesn’t exist. He’s a construct of the movies. Could the myth be useful when framing security policy? Sure—it sets a bound, a worst-case scenario. If you can deal with Mr. Scary-Hacker, then you’ve probably dealt with all the real people who might wish to do your site harm.

But I’m not sure that instilling the fear of the bogeyman—excuse me, I meant the über-cracker—into junior sysadmins is the way to get them to make good security decisions, especially as their career progresses. If you’re smart and thoughtful, you’ll realize that the statement “a login server is always crackable” is simply false. That will make you begin to suspect all the security advice your mentors give you—you’ll be like the eight-year-old who begins to suspect that the monster under her bed will not eat her, even if she gets up in the middle of the night, despite what her parents say.

Worse yet, if you’re not a smart and thoughtful junior sysadmin, you’ll take these statements as holy writ, and as you progress in your career you’ll make decisions based on superstition and vague, misbegotten hunches rather than on real data. God help us all if you make it to senior management.

It takes a little bit more work to turn a pithy but not-quite-true adage into a real explanation of a process, how it works, and what you need to know about it. But it’s well worth it to give people you’re mentoring the knowledge they need to really succeed as they progress in their careers, whatever their level of talent.


Trey Harris is President of LOPSA. Opinions expressed in his blogs are not necessarily those of LOPSA.