Abstinence doesn't work for IT or for teens

I wrote my latest Guardian column after hearing security experts lament, for the nth time, that sensitive systems like MRI machines, defense-contractor computers, and so on should never be connected to the Internet, and when these are compromised by spies, malware or worms, it's the fault of bad network policy.

I realized that this lament was like the one you hear from people who bemoan kids having sex and getting pregnant or catching diseases, "If they'd just abstain..."

Abstinence programs don't work -- not in IT, and not for teens' sex:

Every time a state secret disappears from an internet-connected PC, every time a hospital computer reboots itself in the middle of a surgical procedure because it has just downloaded the latest patch, every time an MRI machine gets infected with an internet worm, I hear security experts declaiming, "Those computers should never be connected to the internet!" and shaking their heads at the foolish users and the foolish IT department that gave rise to a situation where sensitive functions were being executed on a computer connected to the seething, malware-haunted public internet.

But no amount of head-shaking is going to change the fact that computers, by and large, get connected. It's what they're designed to do. You might connect to the internet without even meaning to (for example, if your computer knows that it's allowed to connect to a BT Wi-Fi access point, it will connect and disconnect from hundreds of them if you carry it with you through the streets of London).

Operating systems are getting more promiscuous about net connections, not less: expect operating systems to start seeking out Bluetooth-enabled 3G phones and using them to reach out to the net when nothing else is available.

All evidence suggests that keeping computers off the internet is a losing battle. And even if you think you can discipline your workers into staying offline, wouldn't it be lovely if you had a security solution that worked even if someone broke the rules? "You shouldn't be having net at your age, but if you do, you should at least practice safe hex."

Like teenagers, computers are built to hook up

Discussion

Take a look at this

I couldn't disagree more.

I have a 1979 HP calculator Velcroed to my desk, one foot from the 'calculator' shortcut button on my keyboard, because even when the 9 volt battery is running low it has yet to slow down, get infected, suggest wanted features, etc.

If I didn't love the internet I wouldn't be typing this at 2 AM, but there are so so many things that don't benefit from being as distracted by it as I tend to be...

Take a look at this

I don't agree that just because computers tend to get connected means they should, or that it's inevitable that they will in every case. Mandating that a given computer should remain unconnected is a reasonable requirement, but of course you should put in place safeguards that a) help prevent it from happening, and b) mitigate problems that may occur when it does happen. Those safeguards can include anything from physically restraining all or part of the machine to installing software. The more sensitive or critical the nature of the computer, the more safeguards should be installed.

If a user connects a computer to the Internet (or LAN or whatever) that shouldn't be, I blame the user (assuming they were told not to in the first place) as well as the IT department for not securing the computer adequately (whether physically or virtually). Sure, people will tend to break rules to get their jobs done but that's not necessarily a good excuse.

Take a look at this

I completely, wholeheartedly disagree.

There is nothing wrong with making a sensitive machine network-capable (and ensuring that if in the event it is connected to a network it is as secure as possible). However, there are plenty of machines for specific purposes which contain data that really does not need to be on a network. A good "layman's" example would be a recording studio - I know many (admittedly probably in the minority) studio engineers who run top of the line DAW systems that are not connected to the internet - it's just too much of a risk - if their machines are compromised and brought offline or data is lost, they would be in a bind. Downtime is not something they can afford. Regular software updates and the like are as simple as a network-enabled laptop, and a DVD burner or USB stick. It's not -that- inconvenient.


Ultimately -no- system is ever 100% secure, so the argument that it's a user's fault for not securing a machine well enough is completely fallacious. You could store the US Nuclear codes on the most secure machine known to man, but at the end of the day if it's connected to a network, someone will find a way to crack them.

I guess that's why those codes are carried in a briefcase handcuffed to a heavily armed man's hand, right within the center of a heavy security cordon. For true information security, you cannot beat physical security.

Take a look at this

Yeah, count me in with "disagree wholeheartedly". Respectfully, of course, but still disagreeing.

Humans have sex to reproduce. It's something that's built into our bodies, built into our minds, and built into our culture. It's a basic drive of ours, and I agree that it's impossible to stop it point-blank.

"Mission-critical" devices, on the other hand, have very little to gain, and very much to lose, if they are connected to the Internet. They are less personal computers, and more specialized, complicated machinery, with computer hardware inside to facilitate their operation. MRI machines, nuclear power plant controllers, dam controllers, etc., AREN'T designed to be connected to the Internet, because their job is to control important things, not to talk to other computers. It's not a smart thing to do.

Whereas sex is something that anybody can do, these sorts of expensive, important devices should be owned and operated only by people who know exactly how to use them, people that are able to keep them running every day. Other people rely on the operator's skill: in the case of power plants or electricity grids, sometimes millions of people. If one of those machines is connected to the 'Net, it smacks of incompetence to me.

Take a look at this

Um, okay, anyone else think that maybe the teen sex metaphor just adds a misleading (albeit more intriguing) layer of racy controversy?

A more boring and less controversial way of putting the main point: If you design something with the ability to connect to the net, expect it to be used, and work out the consequences for the worst case. Engineering additional protection to compensate for user-initiated blunders is good design.

Additional instructions / warnings, while helpful (and not always effective) in avoiding legal fault, are not good design.

If something can't handle the net, then maybe it should be made unable to do so, via hardware AND software.

Take a look at this

Did you guys read the actual article?

To sum up: even in sensitive jobs, computers may have a need to be connected to the Internet, and even those computers that don't need to be may accidentally be connected to the Internet.

That's the parallel to the question of "abstinence vs. safe sex" education. Sure abstinence is safer, but you can't ensure that's going to happen, and in some cases it's not even possible (heck, it's much more likely a computer must be connected to the Internet than that two people must have sex).

I think Cory's actually got a point (and that's not always easy for me to admit :) ).

All that said, the topic reminds me of when my wife was pregnant with our first child and I wanted to hook our video camera's S-video input to the ultrasound machine so I could get direct, high-res video. I got away with it the first time, but on a subsequent exam I was told that the hospital lawyers had nixed the idea, due to patient confidentiality concerns. They had a strict "don't connect any outside equipment to any hospital equipment" policy.

At the time I was greatly annoyed by the inconvenience, and even today it bugs me a little. There was practically zero chance of any other patient's data finding its way through the hospital network, into the ultrasound machine, and then into my camera. But in hindsight, I've got to respect them at least a little for a) having a policy, and b) sticking to it (let's face it, the people in charge of implementing the policy simply don't have the technical proficiency to be 100% sure an exception they might make to the rule is safe).

In the long run, the problem has gone away. A year ago, we found that the ultrasound machine now includes a DVD writer, avoiding the issue altogether. :)

Anyway, the point here isn't that machines that shouldn't be connected to the Internet shouldn't be connected to the Internet. It's that some machines have to be connected, and other machines shouldn't be but wind up connected by accident anyway.

You can't rely on an "abstinence-only" education policy any more than that's a useful policy for sex education for teens (or adults, for that matter). You have to make the assumption that exceptions to the ideal will happen, and provide the proper education/tools so that those exceptions can still occur more safely than simply having no precautions at all.

Take a look at this

To paraphrase the Internet meme: excuse me, wtf are you saying?

I don't understand how you've linked abstinence sex-ed -- an exercise of closing your eyes and hoping that the people in the most vulnerable position of getting hurt by having sex early will consistently do the right thing without giving them adequate support if and when they do screw up -- with contemporary IT network policies -- which should and do have policies for when things go wrong, especially when you do things that you're not supposed to.

One is not the other, Cory. We know that systems may and will get access to things that they're not supposed to -- even 'mission-critical' ones like SCADA and the like. We know users will prioritize getting things done over our precious network policies.

So what? That's what security audits and intrusion detection systems are for, and that's why even 'mission-critical' systems need some kind of mechanism that allows us to bring back the system and the organization from a security incident. To me, that's the equivalent of already talking about and making available condoms and abortions, not... "abstinence".

I like listening to you, and I do agree with quite a bit of your other posts on other topics... but you've failed in talking about IT security before.

The worst part about this post, though, is that I've never seen you fail in such an early stage of your argument. Usually it's your advice and evidence that is faulty. This particular article actually has you failing at the initial premise.

Take a look at this

@8 Did you read the article? Particularly these paras?

> Real-world disease-prevention often means checking in the word "should" at the door. Take abstinence programmes: whether or not you think kids should be having sex, you can't miss the fact that they are having sex. If you want kids to stay disease-free and healthy, you have to provide them with the tools and skills to have sex while doing so. The facts speak for themselves; countries where abstinence is the primary mitigation strategy have higher rates of teenage pregnancy and sexually transmitted infections than countries where sexual education and free birth control and condoms are the rule...

> But IT departments need to go beyond defense in depth. To effectively secure a network, you need to become an epidemiologist of your users' unsafe activity. Did the radiologist plug the ethernet into the MRI machine because she needed to update the controller software with a new version in order to get her job done? Are the operating theatre's machines on the LAN because surgeons have followed the entire rest of the world in outsourcing their remembrance of petty facts to search engines? Does that defence contractor carry his sensitive materials on his laptop because he is collaborating with hundreds of other contractors in a huge, complex endeavour only possible with networked communications?

Take a look at this

I'm with Palilay above. My friend who runs a recording studio keeps all of his computers off the internet. If a music studio can make proper decisions about what should and should not be connected, what's so difficult about making similar decisions if you're a hospital?

The fact of the matter is that some of the time, IT departments are incompetent. And when they are, reading your column isn't going to make a difference. You criticize security researchers for telling IT departments what they should be doing, and then you turn around and tell IT departments what they should be doing. You're falling into the same trap you're criticizing.

Beyond that, the idea that the security policy should be able to handle something which isn't connected to the network being connected to the network is not really sensible. I'm not saying that they shouldn't do contingency planning to try to detect that situation or mitigate the harm, but there is no such thing as a firewall or security system which can be guaranteed to prevent a network connected machine from being hacked. It does not exist, and it probably never will.

Beyond that, the best defense against being hacked is to apply all security patches as soon as they become available. That has been shown repeatedly to be the best way to avoid an automated or manual remote compromise of a machine. That strategy, however, is not a good strategy for medical equipment. The problem is that security patches can sometimes cause other bugs. For my home computer, that's a very reasonable trade-off. I can handle the occasional bug, if it means that my computer does not get compromised. With medical equipment, bugs can kill.

Most medical equipment does not run on the latest OS version, and it doesn't get updated or patched regularly. This is because the most important thing is that it work properly. So the version they have has to be tested very thoroughly and often vetted in other ways. Stability and hacker-proofing are not compatible goals. There are two solutions to this: 1) design a complete system which is guaranteed to be unhackable (this is feasible, but highly expensive and as a result no one does it) 2) remove the hacking threat by disconnecting it from the network. That is the appropriate solution to the problem.

That said, I do agree that you have to work around users' behavioral tendencies, not just proscribe bad behavior. However, step one in that process is ensuring that machines which shouldn't be connected don't get connected. For the highest security machines, that should probably mean removing all of the networking drivers and either clipping the wires out of the ethernet jack or filling it with hot glue. You can do any software updates via other means and explicit policies for doing this properly should exist.

When it comes to security, you should make sure that what employees can do is a subset of what they should do. Employees can and will make terrible security decisions because it is human nature. Most people think about ways to make things go right. They do not think about ways which things could go wrong. This makes them inherently terrible at recognizing when their behavior is a security risk. As such, when the stakes are high enough, employees should not be able to take simple actions which result in large security risks. If they can, then the security people in the IT department are not doing their jobs. (That said, overdoing security when the stakes are low is also a bad idea.)

But you do have to make sure that security is compatible with usability. So, it should also mean spending the extra $400 (which is peanuts compared to the cost of things going wrong) for a basic computer to run a web browser in the operating theater if such is needed.

To go back to the article, I think that Cory's suggestion of a "dirty public side" versus "clean private side" doesn't really make much sense. It's easy enough to say, but it doesn't really mean anything. What's a "side" of a computer? What's "dirty" mean in this context? What about "clean"? Also aren't people much more likely to worry about keeping "dirty" things private and prefer the "clean" things be public?

What he's expressed there isn't really a well thought-out idea. It's the vague shadow of an idea, and it doesn't seem to resolve to anything understandable. My best guess is that he's suggesting that you use two different user accounts or virtual machines (some form of strict compartmentalization) in order to have one which does all of the network access and the other which holds all of the "important" stuff. The problem is that, as he's basically pointing out in this same article, for most people, most of the time, the network stuff is the important stuff. So in practice you have a risky, networked compartment which gets used for everything and a non-network connected compartment which doesn't get used for anything.

A better idea is just to have a protected store of some sort where you can put stuff in that you want to guarantee doesn't get lost even if you get hacked. This is difficult to do, but could potentially work, especially if the store lives on the network and appropriate encryption is used to make it write-only and non-destructible for the operating system and only readable with a password.

Take a look at this

There is nothing wrong with abstinence.
Abstinence only is where the trouble starts.

Take a look at this

The lesson: don't hire teenagers to do system security.

Take a look at this

*scratches head*

Okay, doesn't the same argument apply to washing hands? I mean, there's thousands of people who didn't wash their hands after urinating and defecating before handling food with their bare hands and all in all, people do not drop dead left and right.

#14 posted by Rider, June 27, 2009 2:59 AM

Ummm why exactly would surgical equipment need to be connected to the net?

Sorry just don't buy the premise that what computers do is connect to each other. Not every device with a chip in it should be designed to connect to the net, nor should they be.

Take a look at this

Sorry, Cory, but you are so wrong it hurts. Computers don't just connect to the internet on their own. Someone has to either plug it in or enter a wifi password (please show me a mission-critical machine in range of an open wifi hotspot). This brings me to a more fundamental observation: computers that run critical hardware like MRI machines and power plants shouldn't be running windows or any other consumer-level OS in the first place. They should be running hardened software as an embedded device. There should also be real security measures taken when it comes to critical infrastructure. Teenagers fucking doesn't come close to having the kind of consequences that can occur from these kinds of machines breaking down due to poor network policies. Windows is for running MS Office and signing your timesheet. It needs to stay in the office and way the hell away from anything important.
Despite how much you believe in the singularity, computers are not people, they do not (and should not) make their own decisions and should not be connected to the internet if they're running things that can kill people if they break.

Take a look at this

Computer security is what I do when I'm not making things out of brass, and Cory is on target.

In the most secure environments you harden the machine AND set policy against connection, but the key is the hardening.

If you have the ability to tinker with the immune and reproductive systems, if you *designed* them and have the ability to re-configure them to be proof against infection, etc., why are you fucking around with condoms?

Take a look at this

Yep.
The problem is with abstinence ONLY.

If you think that keeping a computer away from the net is enough and you can do without proper security practices, you are making a very dangerous assumption.

But keeping a computer unconnected 'per se' is not inherently a wrong thing, just as abstinence is not the problem, rather the absence of proper education is.

#18 posted by Anonymous, June 27, 2009 4:48 AM

@Cory

That argument makes little sense. It also makes little use of corporate risk management theory especially within a clinical environment, regardless of potential Caldicott breaches. It transfers the responsibility from the computer, where it should lie in these situations, to the user.

Your argument seems to be 'if you can't beat them, join them'; all devices ultimately will have some sort of network connectivity, so why bother resisting it.

What is more telling is that you tend to argue against the viewpoint that these sensitive systems should never be connected, but without being able to argue why they should be.

O

#19 posted by PaulR, June 27, 2009 4:55 AM

The computer_as_teenager analogy may not hold up in some/most cases.

It's obvious that abstinence_as_prophylactic doesn't work. Heck, even prophylactics_as_prophylactic aren't foolproof. And it's unwise to rely on abstinence anyway: the species has to reproduce, somehow.

Two counter-example/questions: Would you be comfortable if it was a tech from the IT department to clean your wound? Then, why would/should it be up to the medical staff to determine if/when it's OK to patch the software running the MRI? Maybe they didn't click the download page's link to technical note that says "Don't apply this patch to equipment below SN 1121270"? There is some value to expertise in a particular field.

Would you rather live in a country where, whenever a patient demands that he/she be supplied with antibiotics to 'treat' a viral infection, the physician writes a prescription? In this case, the patient is advertising to the doctor that they don't understand biology - the doctor would do well to prescribe a placebo. Better though, would be to explain why antibiotics wouldn't help and would even harm. (Not that the patient would believe anything the doctor told them. They'd rather trust their neighbour, what they read in 'People' magazine, or an ad on TV.)

When a nurse is at home and she doesn't wash her hands after using the bathroom, it's not really a public-health issue. But, once they're in a hospital, a different policy has to kick in. The hospital isn't 'the world outside'. It's likewise for the medical equipment in the hospital: "Go ahead and (foolishly) upgrade the CD-burning software, which has been working fine for the last five years, on your home computer, but the MRI doesn't belong to you, it belongs to the hospital."

A better question: why is an oxygen-monitoring machine in an operating theatre running Windows, rather than proven-to-be-reliable non-M$oft, non-Apple real-time OSes? Would you fly in a plane that's controlled by Windows? OS/X? Not me.
(While I'm at it, why DOES your espresso machine need an IP address? Would the coffee be better if you could surf for porn while you're making a double-shot ristretto?)

The defence contractor example, from your essay, is a difficult/impossible area to control, unless you're willing to let costs run (even more) wild. (We must have read the same research paper/essay.) Here, sandboxing and virtualization wouldn't make any difference - the problem is control of information, rather than exposing a particular machine to the 'Net.

On the whole, your essay makes a lot of valid points, but the problem is still that the general public (that includes most of the people working in hospitals, airplane plants, etc) isn't quite up-to-speed on secure computer usage - so the IT department's policy has to be obeyed - until you can demonstrate that you know what you're talking about. And again, why are these single-purpose machines running Windows? For the convenience of playing Solitaire while you're waiting for the next patient?

Every time I hear about a security breach involving a laptop forgotten in a coffee shop, I wonder "Am I the only person in the world that's heard of TrueCrypt?"

#20 posted by Anonymous, June 27, 2009 6:23 AM

I think the article has a point.

As several have pointed out, it is the *only*. Security that depends on everyone following the rules is not very effective.

For example, the recording equipment example: you describe connecting the machine to a laptop or usb to perform updates. If either is infected, so is your recording equipment now...unless you bothered to set the permissions/install software as if it was going to be connected.

As for the medical equipment, it is entirely possible that it has a history log that is automatically updated to the hospital intranet. It is also entirely possible that it will get software updates from the manufacturer via disk/usb/computer connection.

#21 posted by sleze, June 27, 2009 6:25 AM

Count me in the "disagrees" section. I design realtime, mission critical systems that are on their own network segregated from other networks via one-way out fiber connections. My systems have NO NEED for internet connection and, as a result, don't need to be patched, don't need anti-virus running and slowing things down. The few out-only connections are to other systems that are not on the internet as well.

I know that my engineers and I are not as smart as some of the hackers from around the world so having a physical barrier between my systems and the internet trumps their smarts.

If one of the administrators did connect my system/network to the internet (which would be very difficult logistically), they would be fired or worse.

#22 posted by Anonymous, June 27, 2009 6:47 AM

Disagree, but I think the real problem is using WINDOWS (*consumer* operating system) for mission critical infrastructure tasks. #18 hit the nail on the head. Should be using a hardened real time OS for this stuff. If it CAN'T fail then you should not be using Windows.

Take a look at this

I agree that keeping a computer disconnected doesn't always work. Part of the reason is that users often aren't given an alternative method for using the internet.

Even more important though is my observation that protecting users and computers through varying measures of internet connectedness and filtering doesn't work. This is simply because the compromise tends to come through the weakest link. USB thumb drives, optical media, and other physically portable means of moving or storing data are usually the first point of contact for compromise or infection.

#24 posted by chris, June 27, 2009 9:25 AM

I think if computers became sentient and tried to 'reach-out' for the Internet this would be an issue. : )

Viruses can come into the computer by other means than just the net. Portable media would be the next thing to lock out. They could also be typed into the computer, which means the keyboard has to go... maybe just eliminate all input. So essentially you'll have TV. There no viruses!

Take a look at this


i disagree about connecting systems to the internet, but i agree that networking systems always does more good than harm.

i may be biased, being a big fan of private networks, but connecting things together doesn't have to mean connecting them to the internet.

this problem comes up a lot in IT. creative/development types want free rein on their machines and access to the internet to get their jobs done. IT managers want to protect corporate assets and limit access to those who truly need it. both parties are correct, and both parties need systems and networks that address those issues.

low cost, low power devices like netbooks (or their desktop equivalents), thin clients, and virtualization technologies like xen or vmware mean that you could put multiple devices connected to multiple separate networks pretty much anywhere for not a whole lot of money.

this way, sensitive systems that access sensitive materials can be disconnected from the internet and managed and monitored to an appropriate degree, while separate systems can be used to provide open access to the internet.

this could be a setup that uses virtual machines that run in separate windows, or separate boxes that you access with a separate keyboard, mouse, and monitor, or share via a KVM switch.

separate, private, highly secure networks have their place, but so too does the need to provide workers with convenient access to the internet.

why fight your employees? why fight your IT managers? just give everyone what they want.

#26 posted by Anonymous, June 27, 2009 9:43 AM

Meet their friends. Know where they're going. Set a curfew. Teach them to defend themselves, not trust strangers, and be sceptical. Talk to them. Get involved in their lives.

All I Really Need to Know [about computer security] I Learned in [Primary School].

#27 posted by Tzctlp, June 27, 2009 9:44 AM

A computer is not an unruly teenager that does whatever it feels like, prompted by a natural affinity to be rebellious.

A computer is a machine, a complex one to be sure, but that will do always exactly what you tell it to do.

And as such, if you take drastic measures (unplug the network cable, or even better, remove the network card or block the network port) bits will not flow magically inside the computer.

As for your computer connecting randomly as you walk, for bunnies sakes, use the off button more often.

Take a look at this

Ametaphoria: the silent killer. Of comprehension.

Take a look at this

It's crazy to think that an internet capable computer will never be put online.

If the data on the device is too sensitive to risk putting the computer online, then it should have no commonly available networking interface, tcp/ip protocol stack, etc. Lock it up with proprietary connectors and services.

#30 posted by sleze, June 27, 2009 1:32 PM

#29 - Security through obscurity is not a good practice. Commonality through TCP/IP is a good thing, you just have to take other measures to ensure real security.

Take a look at this

Unlike teenagers' naughty bits, it's quite easy to remove network adapters from hardware, ensuring no internet connection.

Take a look at this

So if I rub my computer's ethernet cord....

#33 posted by drpt, June 27, 2009 4:01 PM

I maintain a few small lans and my policy is to restrict all traffic to the LAN and in the break room have an Internet capable computer running ubuntu. all equipment that has $MS systems are routed through iptables
using thunderbird for email and no web browser, clear silicone in the usb sockets of the workstations helped

#34 posted by Tzctlp, June 27, 2009 5:02 PM

Why don't we stop repeating stupid mantras and pause to think what they mean?

By ensuring a computer is not networked you are not enforcing "security through obscurity", since it would be obvious to any bystander that the computer is not networked, so there is no obscurity at all; on the contrary, it should be plain for all to see that the intention of whoever is administering the machine in question is to stop the machine from actually connecting to others.

It really irks me the naivety of people wishing to connect all computing devices to a network, regardless of consequences and risks.

There are plenty of situations in which one has to ensure that a computer can't possibly connect to a network.

This is not black magic, there are specific ways to achieve this, both at the software and hardware level.

It is sad that somebody that should be better informed about this can actually equate promiscuity with actual technical negligence.

Take a look at this

> There are plenty of situations in which one has to ensure that a computer can't possibly connect to a network.

And if your computer is in a vault where only you have access, that might work. The problem is these things called employees and co-workers who don't necessarily care what your priorities are. Doesn't matter who you are or what you do, somebody on the night shift is going to steal a cable from another machine and hook up the 'secure' computer because the secure computer is in a better place for surfing porn at work. Real world - ur doin it rong.

#36 posted by Anonymous, June 27, 2009 5:58 PM

I was coming here to disagree with you but I see everyone has done that for me already. I'll just disagree with the key assumption: Computers are not designed to be connected at all. People are and that's where the problem lies.

Take a look at this

Since most people are talking about the IT security aspect of this, I'll just point out that this article is an attack on proper sex education. It tries to connect a questionable proposition to the well established, but politically embattled, case against abstinence only education.

#38 posted by Anonymous, June 28, 2009 1:40 AM

People are really misunderstanding the point here. It's a classic case of engineers/IT thinking they can successfully engineer people. "We're right because we're the pros, clearly you're wrong".

The point here is not about IT and whether a computer is better to not be connected. It's about THE PEOPLE. The people will do all manner of things for all manner of reasons. Some of these things will undermine security policy (or security policy will piss off the people).

The point Cory is trying to make (which every "I disagree" post seems to be misunderstanding) is that you need to make sure that even when those people do stuff that will probably break the computer: browse web, watch porn, whatever, the security of the machine should not be compromised. It's the point that users are very hard to engineer, and this is exactly the same as with abstinence only programs. Anyone who thinks this article is about technical security has completely the wrong end of the stick. It's about (as security almost always is) security in the context of real world use, which means people. Now I'm just repeating myself. Think everyone! don't kneejerk react.

On the point of the clean side/dirty side, this is easy to understand: 2 virtual computers with lots of freedom on one side and very strict controls between them.

#39 posted by Anonymous, June 28, 2009 8:57 AM

Computers do not need reboots to install programs.

Computers do not 'catch viruses'.

Computers do not need updates to do tomorrow what they did yesterday.

Computers can be connected to any network or USB drive perfectly securely.

Which OS are my users running? How did you know? What was your point again?
