The Six Dumbest Ideas in Computer Security

By jdclyde
This came in a security newsletter I receive. I read it and some of the ideas I thought were pretty obvious to me, yet some others made me have to think about them for a while as they are counter to the conventional "wisdom" about computer security.

"Marcus Ranum released an interesting editorial entitled "The Six Dumbest Ideas in Computer Security." He gives his views on common security misconceptions that seem to be perpetuated throughout corporate IT environments. You can read this and other editorials at:"

After reading this, what is your take? Are we just chasing our tails so vendors can continue to make a profit?

Is this approach something that you use, or could use?

Sidetrack: Amen to the moan about adding "extra" software

by Kim Spence-Jones In reply to Excellent article, some c ...

Two worst cases of that which I have encountered:

1. Logitech, who "helpfully" installed a new mouse driver with my webcam software -- and broke my mouse.

2. HP Print drivers, which arrive as a massive (300MB iirc) install image, and seem to worm their way into the functionality of almost every application and function in your system, even including changing folders in explorer.

As a result, I'll think twice about buying or recommending further products from either company.

The only way we stand a chance of keeping this stuff under control is if software sticks (by default at least) to its own core functionality.


by retroreformat In reply to The Six Dumbest Ideas in ...

Having read every prior post, there seem to be many reasons to avoid doing the one thing a certain large and well known company refuses to do...
Yes, nothing man can devise cannot be UNdone by yet another man; I was under the impression though, that the lock is designed to stop the honest man and will only deter those motivated by lesser ideals.
If Redmond is filled with people that never lock their doors, why is it any surprise thieves congregate there? Why is it any surprise there are so many attacks?
Unless someone has a financial interest in working the (known and exploited) failures in any OS, there is no other reason to advance the relevance or utility of such a system. Dump it at the first available opportunity.
I really do understand the "enumerate the bad" crowd; somebody had to be the first to understand what a rattlesnake was.
What they may not see in their rush to justify their salaries is that others have already decided they will avoid the bite in the first place, by design.
I am currently on my LAST Redmond product, and I figure it is only a matter of time before Redmond gets a DARWIN AWARD. I have no interest in purchasing ANY OS that is "encrypted for my safety". All I see is a big push for Cover Your A** out of Redmond, which has apparently taken the screen door and firmly welded it to a submarine.
Open source allows many eyes to assure that every prior set of eyes all see the very same thing... a secure and stable system.
Advances in programming and technology should make that MORE of a reality, not less, and any attempt to cloud your view of what is running on YOUR systems only advances the cause of cash flow for courses, updates, patches and technicians.
I'm lucky... my company is so far behind the curve on technology spending, all the rest of you are my test bed, and my boss thinks I am amazing with all the stuff he reads that we can AVOID due to that single fact.
Funny thing is, as an ex-military guy, he feels just as I do that encrypting your OS is a great way to assure that nobody on the outside can see just how stupid you have been on the inside... you just limit everyone to chasing the end result at questionable cost across the board, as opposed to having far less to react to in the first place.

Actually, the boss said "Trustworthy computing from REDMOND is like BANKING with DILLINGER AND BARROWS"
I'll work for this guy until they drag me kicking and screaming out the door.

Pass this along!

by lachandler2000 In reply to The Six Dumbest Ideas in ...

This is the most definitive analysis of what's wrong with modern computing.

Great points ... in retrospect

by michael_dore In reply to The Six Dumbest Ideas in ...

All of the points you raise are based on a lack of central control in systems development. Initially (not that I was around back then) systems development was about a bunch of smart people helping each other out and the basic assumption was that code should be open, sharable, decentralized... (see The Cathedral and the Bazaar). Interestingly, as systems have evolved and become core infrastructure to most aspects of daily life, from defending our country to buying movie tickets, perhaps it is time for the industry to evolve as well. The next question is who should be the standards body (govt, IEEE, business community, consumer watchdogs...) who will audit, list, and maintain the validated software lists? Who will pay for that? It would be an interesting study to see how much it would cost to do versus how much is spent now on wasted CPU cycles and person hours on current practices.

Oh yeah how about closing some of the holes in email?


by apotheon In reply to Great points ... in retro ...

You don't need "central control in systems development", you need clear policy in systems implementation and transparency in systems development. Central control in systems development is exactly what got Microsoft into the mess in which it currently finds itself. Central control in systems development leads to opaque systems development planning, which leads to problems.

sarcasm is lost

by michael_dore In reply to poppycock

At the end of the day, no one is talking about the would-be decompiler who uses techniques that are already in use (port scanning, decompiling, spoofing...). At the end of the day it won't work and will just cost a lot of money.

I agree with your MS comment incidentally.

re standards body

by Jaqui In reply to Great points ... in retro ...

The I.S.O.
With a membership greater than the UN already, their standards are a compilation of the needs by all interested parties.
No one group has control. Every standard is agreed on by international committee before it is released.

When government, private industry, and end users all have an equal voice in setting the standard, it seems safe to assume that all concerns are addressed.
A Standards Committee has a tribunal in charge, one from private sector, one from public and one from end users.
These three have veto power individually as well as collectively. The governing body of the ISO supplies the minute taker for discussions, so a neutral party is keeping the records, no overriding a nay-sayer.

No they are not they not

by Tony Hopkinson In reply to Great points ... in retro ...

It's a result of commercial concerns overriding technical ones. Now seeing as business is and should be in control, IT is a service to business after all, that is OK. But it's not a free lunch, every time you make a design decision to go left that makes it much more expensive to go right. If the decision to go left was a business one, that only exacerbates the problem.
How would you explain the decision to write an ordering application that only coped with one order per customer, for instance? What would be the technical justification?

#4) Hacking is Cool

by molotovmusic In reply to The Six Dumbest Ideas in ...

"Wouldn't it be more sensible to learn how to design security systems that are hack-proof than to learn how to identify security systems that are dumb?" I agree with the ideas presented but, if you don't know how to hack it, how can you hack-proof it? I'm talking real hacks, not script kiddie stuff. I'm not saying hacking is cool; I'm saying you may lose a million dollars waiting for a patch, not to mention your job. Sometimes a change of heart is a tough lesson.

well, yes . . .

by apotheon In reply to #4) Hacking is Cool

If you know how to hack your system, you can make it better. What he's referring to is specific security cracking techniques, and he is unfortunately not well enough acquainted with what the **** he's talking about to realize he's using the wrong terms. This seems to be the major failure of this article: because the author doesn't know the correct terms for what he's talking about, he's not entirely clear in his writing.

Security cracking techniques are based on an understanding of currently valid system vulnerabilities. Learning these vulnerabilities might be somewhat valuable in teaching you how to recognize poor security design in general, and perhaps figure out what to do differently, but for the most part it's an area of knowledge that is of limited value. More important is understanding principles of good, solid system design based on the sort of concepts he has brought up.

As such, learning the tricks of the trade of security crackers is essentially useless for someone looking to secure a system for the long haul, and only helps you to secure a system for the short term instead. Learning to plan a system properly in the first place is what he's advocating which, ironically, requires the aptitudes and attitudes of a real hacker, in the classic sense of the term, and not of script kiddies and other security crackers that seem to enjoy being misidentified as "hackers" now.

I guess you could say that hacking is cool, but "hacking" is not.
