Dr. Johannes Ullrich and the Principle of Least Privilege

In an article posted this afternoon at Forbes, Dr. Ullrich compares network professionals who disable unneeded features with slumlords. He starts by comparing a Bible for Section 8 landlords with network security. For those who don't know, Section 8 housing is government-subsidized housing for the poor. So, I guess he is also comparing users to the residents of Section 8. I suppose I should refrain from commenting about Section 8 residents as I may offend. Security analogies rot when examined too closely.

The Section 8 Bible according to Ullrich has the following rules:
1. If the law doesn't require it, remove it.
2. Don't fix it. For example, interior doors aren't necessarily required and can be removed.

I don't see network and security professionals acting in this way for the most part. From his conclusion it seems that Ullrich has decided that security is Dr. No and the no-fun light (traction control in cars) rolled into one. And we get more cliché about the business need being paramount. The Titanic had a business need to run on time too. But now I'm using my own cliché.

I fear that what he describes is more like checkbox or audit-based security. Security starts looking like the result of a proposal from the lowest bidder. The bidder asks how we can minimally match the requirements of "security". And an auditor comes through to verify that you've minimally matched the requirement. But security hasn't occurred. This is another security fallacy, but it is not the principle of least privilege.

“Restrictive network policies hinder creativity”
Seriously? This old chestnut? We've heard this for years. It is particularly bad at universities. Although repeated worm infections and system reloads have led to greater security controls even at the university.

I'm reminded of a time when a VP demanded access to Second Life so the business could appropriately promote itself. Dear reader, when was the last time you even thought of Second Life? Allowing access to that sure kept the doors open.

Someone in a business magazine writes an article about game theory's influence on business. Suddenly the "games" category can't be blocked any more.

Right. We're hindering creativity.

I agree there is no reason to knee-jerk block social networking. But I've found that when you don't have a handle on things originally, you can never put them back in the box. When webmail first became popular, many companies didn't allow any POP or IMAP access to email. That email wasn't scanned. Or needed for business. So it was blocked. But webmail circumvented that. We could have immediately blocked those sites until we felt they could be accessed securely. But we let them be. And now they are open forever.

But in general, shouldn't the comments about blocking social media be directed to Human Resources? Often they are the owner of the blocklist and are worried about people's use of time. In this slum-network example, HR is the Mom. Go talk to your Mom about accessing social media. I'm just the slum owner.

“Removing Features Hurts Security”
The author's example is IPv6, reporting that Microsoft doesn't test patches on systems with IPv6 disabled. Fine. How about we block it with the personal firewall? Does any security person really think it's a good idea for the users to be the first ones playing with IPv6? They get 6to4 set up and completely bypass the firewall and other security measures.

But what about the people whose job it is to play with IPv6, you might ask. Isn't that what labs are for? It doesn't need to be in production before it is ready.
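The point above, that tunnelled IPv6 rides through an IPv4-only firewall policy unless it is explicitly blocked, is easiest to see in traffic. The following is an added example and is not code from the original post or from Dr. Ullrich: it classifies constructed flow records by the well-known encapsulations (IPv6-in-IPv4 is IP protocol 41, which 6to4 uses, and Teredo uses UDP port 3544) and reports which hosts are tunnelling. The flow format, the sample records and the helper names are all assumptions made for the illustration; the protocol number, the Teredo port and the 6to4 relay anycast address are from the respective RFCs.

```python
"""Spot IPv6 transition tunnels (6to4, generic protocol-41, Teredo) in
simple flow records, so a host-firewall or egress policy can be checked
against what is actually leaving the network.

Added example, not part of the original post. The Flow record layout,
the helper names and the sample flows below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constants taken from the protocol specifications.
PROTO_IPV6_ENCAP = 41          # RFC 4213 IPv6-in-IPv4; used by 6to4 (RFC 3056)
PROTO_UDP = 17
TEREDO_PORT = 3544             # RFC 4380 Teredo server/relay UDP port
ANYCAST_6TO4_RELAY = "192.88.99.1"   # RFC 3068 6to4 relay anycast (since deprecated)


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow as a firewall or NetFlow exporter would log it."""
    src: str        # IPv4 source address
    dst: str        # IPv4 destination address
    proto: int      # IP protocol number (6 = TCP, 17 = UDP, 41 = IPv6-in-IPv4)
    dport: int      # destination port; 0 where the protocol has none
    nbytes: int


def classify(flow: Flow) -> Optional[str]:
    """Return a tunnel label when the flow carries IPv6 inside IPv4, else None."""
    if flow.proto == PROTO_IPV6_ENCAP:
        # 6to4 to the public relay anycast address is the classic case;
        # any other protocol-41 flow is still an encapsulated IPv6 path.
        if flow.dst == ANYCAST_6TO4_RELAY:
            return "6to4-relay"
        return "proto41-tunnel"
    if flow.proto == PROTO_UDP and flow.dport == TEREDO_PORT:
        # Teredo wraps IPv6 in UDP so it also crosses NAT devices.
        return "teredo"
    return None


def find_tunnels(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """All flows that are tunnels, paired with their label."""
    out = []
    for f in flows:
        label = classify(f)
        if label is not None:
            out.append((f, label))
    return out


def hosts_using_tunnels(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Map each internal source address to the set of tunnel types it used."""
    seen: Dict[str, Set[str]] = {}
    for f, label in find_tunnels(flows):
        seen.setdefault(f.src, set()).add(label)
    return seen


# Constructed sample flows: two workstations, one of which has 6to4 and
# Teredo active, plus ordinary web traffic that should not be flagged.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "203.0.113.10", 6, 443, 15000),          # plain HTTPS
    Flow("10.1.2.3", "192.88.99.1", 41, 0, 1200),             # 6to4 via relay
    Flow("10.1.2.3", "198.51.100.7", 17, 3544, 900),          # Teredo
    Flow("10.1.2.9", "203.0.113.10", 6, 80, 4000),            # plain HTTP
    Flow("10.1.2.9", "198.51.100.42", 17, 53, 120),           # DNS
    Flow("10.1.2.15", "198.51.100.99", 41, 0, 3300),          # manual protocol-41 tunnel
]

if __name__ == "__main__":
    for src, kinds in sorted(hosts_using_tunnels(SAMPLE_FLOWS).items()):
        print(f"{src}: {', '.join(sorted(kinds))}")
```

The same two rules that the detector keys on (IP protocol 41 and UDP/3544) are what a host firewall would deny by default, with an allow rule scoped to the hosts in the IPv6 lab; that is the least-privilege version of "block it with the personal firewall" rather than disabling the stack outright.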

"They're going to do it anyway"
"They Won't Want to Work For You"
I feel like I'm arguing with a teenager.

In summary, I think this article would have worked better without the slumlord analogy. It's inflammatory. It doesn't match what follows. It takes work and money to secure networks. The slumlord is avoiding both.

What do you think? Let me know in the comments below.

And if you are Johannes Ullrich and you are reading this: please don't kill me with your mind.

  1. Do you feel the death mind ray 😉

    I think you may have taken the title a bit wrong, but your response does hit on some of the points I am trying to make. What it comes down to in the end is that user "buy in" is critical to make security work. If you are the security guy who always says "no", you will fail, because users will work against you. The important part is to find the right balance, and I run into too many security people that say "no" first, just out of habit. If you don't behave like a slumlord, then your users (tenants) will be able to pay a bit more and you tend to attract better users (tenants). Of course, there will be businesses that are very "focused" (thinking here about call centers) or have high security requirements (state secrets). But from a network security point of view, I actually find them less interesting than, let's say, an R&D department (difficult recruiting great people, lots of sensitive stuff to protect, tends to have creative/technical individuals).

    Try a tinfoil beanie against the mind control death rays 😉

    • Normally, I'm pretty good about releasing comment moderation. The spam filter snagged my comment notification for some reason. And I didn't have much to blog about this week, so I didn't see the comment in the queue until now. Sorry for the delay.

      Thanks for the read.

    • I stand by the title. I think that you painted all of us in IT Security with a broad "slumlord" brush. Not just specific types of people but anyone who would examine the risks involved with new technology, and even block it until it's proven secure.

      With friends like these…
