Thursday, January 8, 2026

Secure Your Home Network: Introduction

This is the beginning of a new series about what (mostly) non-technical readers can do to lock down their home networks to a decent level of security.  I need to start with some caveats here:

  1. It's pretty easy to protect yourself from "script kiddies" (Bad Guys who just use canned exploits without knowing much (or anything) about you or your home network).  Hopefully the posts in this series will make you, if not impervious to these attackers, at least an unreasonably difficult target for them.
  2. It's harder to protect yourself from a knowledgeable and determined attacker.  Someone with the skill, time, and motivation to attack you is a dangerous opponent.  Hopefully the posts in this series will increase the time, skill, and motivation these Bad Guys need in order to succeed.  Basically, it raises the cost for them to attack you, which is A Good Thing.
  3. At the end of the day, you can't protect yourself from the NSA or the FSB (the KGB's successor organization).  Or the Chinese, who are quite active and skilled.  Even keeping them from sniffing your traffic is really, really hard.  If you think that any of these organizations is likely to want access to your computers, then you should unplug from the 'Net right now.  Not kidding.

So if you're interested in this kind of thing, and are willing to spend a nominal amount of time and money to raise the bar on your home network security, follow along on this series of posts.

Tomorrow's post: What is a Firewall and why do you care? 

 

Tuesday, January 6, 2026

The 2025 most dangerous software weaknesses list

Dad (who was a history professor) liked to say that history repeats itself because nobody listens the first time.  I get an incredible sense of deja vu all over again looking at MITRE's CWE Top 25 list of the most dangerous software weaknesses for 2025.

The top 4 are all very, very old.  I myself demonstrated #4 when I taught a computer security class (with corporate IT Security present) back in 1994.  That's three decades ago.

And what's with numbers 11 and 14?  One of the classic papers on software security, Aleph One's Smashing The Stack For Fun And Profit, appeared in Phrack in 1996 and walks through exactly this kind of bug.

Numbers 3, 6, and 22 are web server vulnerabilities that are over 20 years old, and I've posted about them before. 

17, 19, and 21 have been known since before I was in this industry.  Call it the 1980s, although it's likely older.

I guess it's nice to see a shout-out to DoS (number 25) although geez, this is depressing.

So that's half the list: weaknesses that have literally been known for multiple decades.  So what gives?

I blame Agile Software Development.   I guess I'm the cranky old guy yelling at the sky here, because this is how all software is developed these days.  Product Managers (my old field) are to blame here, having spent the last 20 or 30 years pushing Go Ugly Early: get working product shipping as soon as possible and let customers tell you how to improve it.  Essentially, a lot of what you would have the developers spend their time fixing is stuff that customers just don't care about.

This has led to a pushback of sorts from software professionals, particularly the Software Craftsmanship movement.  Their manifesto is interesting:

As aspiring Software Craftsmen we are raising the bar of professional software development by practicing it and helping others learn the craft. Through this work we have come to value:

  • Not only working software, but also well-crafted software
  • Not only responding to change, but also steadily adding value
  • Not only individuals and interactions, but also a community of professionals
  • Not only customer collaboration, but also productive partnerships

So what's missing from this?  How about don't keep making the same dumb security mistakes that people have been making for decades?

And what do Product Managers miss in their rush to go ugly early? How about don't keep making the same dumb security mistakes that people have been making for decades?

And so here we are.  The IT infrastructure of the 21st Century has been constructed out of moonbeams and cotton candy.

I don't see anything changing here, as the incentive structures are all stacked against good security.