The Six Dumbest Ideas in Computer Security

By jdclyde
This came in a security newsletter I receive. I read it and some of the ideas I thought were pretty obvious to me, yet some others made me have to think about them for a while, as they are counter to the conventional "wisdom" about computer security.

"Marcus Ranum released an interesting editorial entitled "The Six Dumbest Ideas in Computer Security." He gives his views on common security misconceptions that seem to be perpetuated throughout corporate IT environments. You can read this and other editorials at:"

After reading this, what is your take? Are we just chasing our tails so vendors can continue to make a profit?

Is this approach something that you use, or could use?


by apotheon In reply to WHY are exe's a problem?

Linux does the same thing: looks at it quizzically and says "So?"


Block all attachments

by RNR1995 In reply to Several good points

This is actually a great idea. Let only attachments through with a suffix of .(yourchoice); that way people sending you legitimate files will have to rename them and so will your users. You will never be infected via attachments. Unless some idiot sends you a virus :}
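The suffix rule above, as an added example that is not part of the original post: a mail-gateway filter that lets only the chosen suffix through and, because renaming a file changes nothing about its contents, also refuses anything whose first bytes mark it as an executable. The suffix `.ok`, the magic-byte table and the sample attachments are constructed assumptions.

```python
# Constructed policy values (assumptions, not from the thread): the one
# suffix the gateway lets through, plus byte signatures that identify an
# attachment as executable regardless of its name.
ALLOWED_SUFFIX = ".ok"
EXECUTABLE_MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"#!": "script with an interpreter line",
}


def classify_attachment(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). Default deny: only ALLOWED_SUFFIX passes,
    and even then the payload is sniffed so a renamed executable is refused."""
    name = filename.lower().strip()
    if not name.endswith(ALLOWED_SUFFIX):
        return False, f"suffix not in allow list: {name!r}"
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return False, f"content is a {label} despite the name {name!r}"
    return True, "suffix allowed and content is not an executable"


# Constructed sample attachments for the demonstration (not real files).
SAMPLES = [
    ("report.ok", b"Quarterly figures\n1,2,3\n"),          # legitimate
    ("invoice.exe", b"MZ\x90\x00"),                          # wrong suffix
    ("invoice.exe.ok", b"MZ\x90\x00"),                       # renamed executable
    ("notes.ok", b"\x7fELF\x02\x01"),                        # renamed executable
]


def filter_samples() -> dict:
    """Run every sample through the filter; name -> (accepted, reason)."""
    return {name: classify_attachment(name, data) for name, data in SAMPLES}


if __name__ == "__main__":
    for name, (ok, why) in filter_samples().items():
        print(f"{'ACCEPT' if ok else 'REJECT'} {name}: {why}")
```

Only `report.ok` is accepted; the two renamed executables fail on content even though their suffix is the allowed one.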


Determine good programs

by wdewey In reply to Several good points

How do you determine which programs are "Good"? How easy would it be to add a program to this list? There are a number of viruses that hide themselves from antivirus programs (without the proper patch), so I don't see a virus having a problem adding itself to a good list. Then there are the viruses that overwrite DLLs of valid programs. What about Word and Excel exploits? Those types of programs are going to be a part of every accept list.

Bill Dewey
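The two failure modes raised above (an overwritten DLL, and an entry that simply appears on the list) are what a content-hash allow list is for. This is an added example, not code from the thread or from any product: program contents are stood in for by short constructed byte strings, and the file names are sample values. The list records the SHA-256 of each approved program, so a listed name whose bytes have changed is denied; the list itself still has to live somewhere the checked programs cannot write.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "installed programs" (name -> contents) at approval time;
# the bytes are sample strings, not real binaries.
INSTALLED_AT_APPROVAL = {
    "winword.exe": b"MZ word-processor-build-1",
    "msvcrt.dll": b"MZ c-runtime-build-1",
}


def build_allow_list(files: dict) -> dict:
    """Record the hash of each approved program. Keyed by name for lookup,
    but the hash is the thing that is trusted."""
    return {name: sha256_hex(data) for name, data in files.items()}


def check_name_only(allow: dict, name: str, data: bytes) -> bool:
    """The weak policy the post worries about: anything with a listed name runs."""
    return name in allow


def check_by_hash(allow: dict, name: str, data: bytes) -> bool:
    """Default deny: run only if the name is listed AND the contents still hash
    to what was approved. A patched DLL or an unapproved newcomer fails closed."""
    return allow.get(name) == sha256_hex(data)


def demo() -> dict:
    """name -> (name-only verdict, hash verdict) for a constructed later disk state."""
    allow = build_allow_list(INSTALLED_AT_APPROVAL)
    later = {
        "winword.exe": INSTALLED_AT_APPROVAL["winword.exe"],        # unchanged
        "msvcrt.dll": b"MZ c-runtime-build-1 plus injected code",   # overwritten DLL
        "updater.exe": b"MZ unknown program",                       # never approved
    }
    return {n: (check_name_only(allow, n, d), check_by_hash(allow, n, d))
            for n, d in later.items()}


if __name__ == "__main__":
    for name, (by_name, by_hash) in demo().items():
        print(f"{name:12s} name-only={'allow' if by_name else 'deny'}"
              f"  by-hash={'allow' if by_hash else 'deny'}")
```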


That depends on interface

by Tony Hopkinson In reply to Determine good programs

Exposing it with RPC, COM or even .NET would probably be a bad idea. Essentially, if client-side execution of foreign code under the system account is going to be left in, don't bother with it.


Re: Good Programs

by azrider In reply to Determine good programs

Unlike *most* other operating systems, MS products install everything in the system directories (in fact, this is the only way they can run). Even worse, runtime information is contained in the system registry!?! If the architecture was set up so that a pointer to the application's path is stored there, and then the application is responsible for its tree (ie: root, root/bin, root/lib, root/etc...), it would be absurdly simple to quarantine any installed program (as well as completely nuke it if desired). In addition, any program could be set up to only have access to the files owned by the installer (who *usually* should not have admin rights to the entire system tree).
This way, *no* malicious program would be able to modify system (or other application) libraries at will.


Kindred spirit

by stress junkie In reply to The Six Dumbest Ideas in ...

Some years ago someone said to me that if you tell people what they already believe they will think that you are a genius. As far as I'm concerned this guy is a genius.

One of the great design elements of my beloved DEC VMS operating system is that the security model was designed around the kind of model that Mr. Ranum describes. All user accounts were created within the scope of permitted actions. All else was denied. This greatly simplified security configuration. The basic premise is to deny everything to everyone then enable specific actions for specific accounts or groups of accounts.

I also like the idea that he expressed several times that if a given approach hasn't worked by now then it never will work. Patching bugs in software hasn't worked. Penetration testing hasn't worked. Educating users against social engineering attacks hasn't worked. Finding and implementing methods such as code reviews have proven to be effective, yet corporations refuse to adopt new ways of developing products. Developing a product to be secure makes more sense than trying to patch holes as they are discovered.

When I started in this business in 1985 I thought that this business would certainly have a short run. Even back then when most businesses didn't have a computer it seemed to me that computers could soon be made as easy to use as a telephone or a television. That could have happened but it didn't. Poor quality software has kept system administration alive and well. We still require years of experience to develop skills to keep bad software working more or less safely. We still have to think of baroque schemes to make computers work the way that people think that they should work.

All of this might be acceptable if system administrators were all competent and did their best work. Unfortunately that isn't the case. Like all people, the group of system administrators has a few people who want to do a good job and who work hard. But like all people, the group of system administrators is mostly comprised of people who do the least that they can get away with doing without losing their job. That fact, combined with the poor quality software and the vast amount of valuable, sensitive, personal information stored on computers, creates a disastrous scenario whose potential for crime has only just been glimpsed. When I hear stories of "highly secure" government military computers having been recently hacked I know that the software products and the system administrators are sorely lacking in quality.


Pareto's Principle

by jmgarvin In reply to Kindred spirit

Stress, you bring up a good point. Most system admins could care less about actually having a secure system with a good system plan behind it. It is the 80-20 rule. I generally find those sys admins and make sure that I keep reporting on their actions or lack thereof.

A bigger problem in current IT is that there are too many cooks in the kitchen. The managers think they can be sys admins, the sys admins think they are net admins, the net admins think they are sys admins, the HR department thinks they are project managers, etc. ad nauseam. I have NO idea how you fix the corporate culture in this respect.

While I agree, mostly, with what he is saying, I don't know if I can totally latch on to his "Hacking is Cool" point.

I see his point, but I disagree with the fact that someone who might not be a criminal becomes one because they can hack (Donn Parker). I think that is a pretty large leap in logic. I also disagree that learning how to hack and pen test your systems is a waste of time.

The waste of time is using tools that get dated and/or have no application within your current setup. Write your own tools and pen test your networks in various ways.


Bad cooks as well as too many

by jdclyde In reply to Pareto's Principle

I see the main problem with the administration of systems and networks as the Windows mentality.

Windows gives you this easy-to-use-by-default server that installs and runs with little knowledge. Remember, most IT departments started out as subsets of Accounting, simply because the accounting department were the first to get the computers, so they knew the most about them.

This led to the dreaded "Admin by default" that many companies end up with.

The other thing that has added to this is the horde of "Consultants" that are of very substandard quality. They will drop a network in for a price, usually of generic defaults, and then leave. The customer will try to let the system run on its own as long as possible and only get a knowledgeable person to come in AFTER it has crashed and burned.

That and the glut of worthless Microsoft certs that people use to add credibility to themselves. Did you know that a part of the certs now covers MARKETING information? The techs are now the front line of the sales force; instead of focusing on doing their job correctly, they are more worried about selling another server.


re marketing

by Jaqui In reply to Bad cooks as well as too ...

This is the mindset a university networking fellow I know used to get his mc* certs.
He picked the answers that best sold MS products.
Aced the exams.

since his degree, and experience, are in Unix networking he has the knowledge that ms tools don't require.


And the reason for this

by jdclyde In reply to re marketing

There are more people willing to pay to take an MS class than to pay to take a *nux class. Many that use *nux in the first place are the types that aren't afraid to read a MAN page or look up the answer.

There is some good training for Unix, I got the MACE cert myself. But the classes were not offered nearly as often and ran at about 1/3 the class size of the MS classes.

Bottom line, there is more money to be made TEACHING and SELLING MS for many.
