The Six Dumbest Ideas in Computer Security

By jdclyde
This came in a security newsletter I receive. I read it, and some of the ideas I thought were pretty obvious to me, yet some others made me have to think about them for a while as they are counter to the conventional "wisdom" about computer security.

"Marcus Ranum released an interesting editorial entitled "The Six Dumbest Ideas in Computer Security." He gives his views on common security misconceptions that seem to be perpetuated throughout corporate IT environments. You can read this and other editorials at:"

After reading this, what is your take? Are we just chasing our tails so vendors can continue to make a profit?

Is this approach something that you use, or could use?


Several good points

by Jay Garmon Contributor In reply to The Six Dumbest Ideas in ...

Read this earlier today, and I found some very good points within, especially the notion of "Enumerating Badness" as a stupid premise. Why have security software that must maintain a list of thousands of harmful programs to block--which must be constantly updated--instead of simply allowing only authorized programs to run? Great idea in principle, though I expect the application would be difficult, especially at the home user level.

The idea goes off the rails in the "block all attachments" rants, because I legitimately receive exe files and have the good sense to know which ones to run and which not to. Some of these extreme countermeasures could easily toss out the baby with the bath water.

Still, required reading for IT pros, as far as I'm concerned.

Quarantined attachments

by stress junkie In reply to Several good points

The article simply said that it is possible to put email attachments on a system that will make it more difficult for viruses to compromise. The scheme that he proposed said that the email attachments would be stripped from the email body and stored on a special server. The end user could log in to the special server to view or retrieve the email attachment.

Good Idea

by Dr Dij In reply to Quarantined attachments

A major company's headquarters where I used to work does this. Educating users only helps slightly. They will still try to download spyware screensavers, open attachments, visit pages that do surreptitious installs, etc.

But you still should educate

by graeme In reply to Good Idea

We find our travelling roadshow for small businesses (a 1 hour plain English PowerPoint on what the problems of allowing staff to indiscriminately email, IM and surf are) DRAMATICALLY reduces the support requirement for stupid stuff. If only because they now understand how the kids have screwed up their home machines and they got hit in the pocket to fix them. The hit-in-the-pocket lesson transfers to the workplace - for about 6 months. Then it needs reinforcing.

If only the MS "Limited" account was really such a thing... I like this guy's approach and arguments.

Stupid is as Stupid does!

by The_M0nk In reply to But you still should educ ...

I agree wholeheartedly. One of my job roles is to train our sales staff on PC components. They still come up with some interesting ideas. Nevertheless, the saying of Forrest Gump remains one of my favourites....

Every time you idiot-proof, they come up with a better idiot

I have, unfortunately, had mixed results with educating users. Some years ago, we worked with everyone in the company to try to make them concerned with password security. A few weeks after the last of the classes, we ran a test. We sent out an e-mail purporting to come from a new system administrator. In essence, it said

Hi, I've just started as a computer administrator here at <company>. In order for me to keep the records up-to-date, please give me the following:

Mainframe system(s):

Mainframe password:

Unix systems(s):

Unix password:

E-mail password:

In our company, each user has a unique ID which is the same for mainframe, Unix, or e-mail. (Or the NT LAN, but the password for that is the same as the e-mail password.) Thus, Joe Bloggs would be "jbloggs" no matter where he logged in. BTW, Unix administration, mainframe administration, and e-mail administration are handled by three completely different groups.

Out of 2400 users, sixteen sent in their passwords; one department head not only e-mailed his password but also clicked on "Reply to all", so every user in the company got his message; and 627 people called either the help desk or the security group to complain that someone was trying to get their passwords.

Try this one . . .

by RealMe In reply to Every time you idiot-proo ...

I work for a government agency that (when our network was originally rolled out - about 15 years ago) upheld the requirement that we provide our supervisors our passwords so they could access our stuff if we "were out." Never mind the fact that the I.T. department could change the password and allow access on a supervisor's/department head's request. This was encountered in a City Attorney's office. So much for password protection, they were kept on a list in the supervisor's desk.

actually . . .

by apotheon In reply to Quarantined attachments

The article said to quarantine at a staging server and allow end-users to retrieve attachments from there, as you stated, but it also said to throw out all executables right off the top. I think it was only with that last bit that the Trivia Geek took exception.

Ideas like this MUST be heard

by Big Jerry In reply to Quarantined attachments

One thing we know for sure: the current security situation to which we have evolved is a mess. It was founded on archaic concepts from a simpler time. It didn't evolve in the right direction, so it needs to be overhauled.

The major players (Microsoft, etc.) must look into finding creative and flexible ways for administrators to identify trusted software (and probably with different levels of trust), and those, and those only, run on the computer.

Receiving exe files

by jdclyde In reply to Several good points

I delete all exe files at the firewall.

If there IS a valid reason to send a program via email rather than downloading it, I make the sender modify the extension to just .ex.

The receiver must then manually modify it back to the .exe, and because of this process I KNOW what it is and am always expecting that executable.

As you are in Tech, and my users are not, this would happen much less frequently for us than it would for you. While a hassle, it does save me from the "well, I got an attachment so I HAD to see what it was".
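The attachment-handling scheme discussed in this thread (strip attachments at the gateway, hold them on a staging server the user retrieves from, throw executables out entirely) as an added Python example; this is not code from the original posts or from Ranum's article. The sample message, the "MZ" content check and the in-memory `store` dict standing in for the staging server are assumptions made for the example; the check keys on file content rather than the file extension, so a renamed `.ex` file gets the same verdict as the `.exe` it started as.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# "MZ" is the DOS/PE executable header (assumed check for this example); since the
# verdict comes from content, renaming tool.exe to tool.ex does not change it.
EXE_MAGIC = b"MZ"

def build_sample():
    """Constructed test message: a text body, a PDF-like file and a renamed executable."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "quarterly report"
    msg.set_content("Numbers attached, installer attached too.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed PE-like bytes", maintype="application",
                       subtype="octet-stream", filename="tool.ex")
    return msg.as_bytes()

def quarantine(raw, store):
    """Gateway step: strip every attachment, keep non-executables in `store`
    (stand-in for the staging server), drop executables outright, and hand the
    user a plain-text message listing what was held and what was removed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    held, dropped = [], []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "unnamed"
        if data.startswith(EXE_MAGIC):
            dropped.append(name)  # executables never reach the staging server
            continue
        token = hashlib.sha256(data).hexdigest()[:16]  # retrieval handle for the user
        store[token] = (name, data)
        held.append((name, token))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for name, token in held:
        text += f"\n[attachment '{name}' held; retrieve with token {token}]"
    for name in dropped:
        text += f"\n[attachment '{name}' removed: executable content]"
    out = EmailMessage()
    for h in ("From", "To", "Subject"):
        out[h] = msg[h]
    out.set_content(text)
    return out, held, dropped

if __name__ == "__main__":
    staging = {}
    delivered, held, dropped = quarantine(build_sample(), staging)
    print(delivered.as_string())
```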
