The Six Dumbest Ideas in Computer Security

By jdclyde ·
This came in a security newsletter I receive. I read it and some of the ideas I thought were pretty obvious to me, yet some others made me have to think about them for a while as they are counter to the conventional "wisdom" about computer security.

"Marcus Ranum released an interesting editorial entitled "The Six Dumbest Ideas in Computer Security." He gives his views on common security misconceptions that seem to be perpetuated throughout corporate IT environments. You can read this and other editorials at:"

After reading this, what is your take? Are we just chasing our tails so vendors can continue to make a profit?

Is this approach something that you use, or could use?

Execution control is the point

by codepoke In reply to I like how he thinks, how ...

The worm/virus/exploit should not run on the target computer. There are ~30 programs that he would like to have permission to run on his computer, and nothing else should be allowed at all. This would prevent viruses by default. Again, his point.

The problem is that Outlook assumes that it should run every series of bytes it sees that seems executable. The Notes ECL (Execution Control List) has a lot of potential, but very few companies actually put it to use.

The author's patches to his anti-virus are a concession to reality, not a "good idea".

What about Java?

by erich1010 In reply to Execution control is the ...

The ~30 apps allowed to run argument breaks down when it comes to web surfing. It is hard, these days, to log onto a website that doesn't have some code on it. And do we really want to go back to static pages? I don't think so. The idea of a well constructed sandbox for foreign apps to run in is fine, and not a bad idea. As long as we consider code outside of those ~30 apps we trust to be hostile and not give them default resources, then we can allow them to run. For that matter, we shouldn't even give those ~30 apps default access to all resources.

It all comes down to access

by jdclyde In reply to What about Java?

If the user wasn't browsing as ADMINISTRATOR, the code on the web pages would be limited to what damage they could do to the users system, while still letting them access dynamic websites.

Also, if web developers would get a clue and adhere to internet standards instead of trying to use every non-standard "feature" that MS can throw their way, the world would be a much better place.

If I can't run something on multiple browsers, it has no place on a business web site. Why would I make it hard for someone to do business with me?

not entirely true

by apotheon In reply to It all comes down to acce ...

If you were talking about a *nix system, you'd be right on the money. Anything run by someone that doesn't have root privileges doesn't have the ability to screw up anything to which that user doesn't have direct access. This is because unix was designed from the beginning as a multi-user system.

Windows, meanwhile, was designed on top of a single-user system, DOS, and its multi-user functionality started out as nothing more than a little confection on top of your single-user functionality. Software kludges were heaped atop this single-user system to simulate the effects of multi-user privilege separation, which looks good to the inattentive sysadmin, and gives a warm and fuzzy "secure" feeling. Unfortunately, software is only limited in what it can do by the Windows privilege separation scheme if the programmer who created the software designs it to "play along" with the multi-user interface layered over the single-user system beneath it.

Microsoft has, over the years, begun making some changes to Windows to make it closer to being a true multi-user system, but it's very slow going, and they're still not quite there (unless Vista surprises me mightily, of course). File attributes have better built-in support for permission separation than they used to with older iterations of Microsoft filesystems, for instance. Ultimately, however, it's still tied together with an official API and designated "right way" to write applications for Windows so that they'll be compliant with the permissions system. What this means is that people who know how to break those rules can write software that completely bypasses Windows privilege separation, which in turn means that while avoiding running things as the Administrator account on Windows would cut down on the amount of system-wide damage malicious code could do, that's only any kind of guarantee if the code was written by someone that doesn't know how to ignore the permissions system on Windows without breaking the program.

I know, you probably already know most or all of this, jdclyde. I figured I'd just be pedantic, and point out how and why your "if the user wasn't browsing as ADMINISTRATOR" comment isn't quite as clearly applicable as it might at first seem.

It does slow things down though

by jdclyde In reply to not entirely true

that is why I stated "limits" instead of "stops".

It is a start and of course anyone that surfs regularly with ActiveX/java/scripting in full swing DESERVES to have to format their system a few times a year.

It blows my mind that cable companies haven't started selling or leasing a cable router to protect the home users! Makes their system work better for the user AND adds another "service" they can soak people for!

they do

by apotheon In reply to It does slow things down ...

The cable company out here offers a "home networking" plan with a router/firewall. Obviously, I just chose to buy my own.

ahh, the

by Jaqui In reply to What about Java?

infamous clientside scripting is a needed concept.

I build my mozilla with no support for java, javascript or plugins at all.
if I can't use a site without having clientside scripting, then there is nothing on that site I'm interested in.

I don't miss the garbage that comes with the clientside scripting.

dynamic websites can easily be done with server side scripting.
it's called server push.
the original animated images online were all done with it.

css has fancy dynamic capabilities without using javascript, java, vbscript, activex or flash in the website.

Interesting view point

by Tony Hopkinson In reply to The Six Dumbest Ideas in ...

Essentially everything came down to design secure programs and then only allow those you know are secure to execute.
As a programmer I've done a LOT of turd polishing, buffed up several products into usable, in fact. In fact, I have to wholeheartedly agree it won't happen: security is a very lucrative commercial industry.

Why are we losing the battle?

by Praetorpal In reply to The Six Dumbest Ideas in ...

If you read this short opinion piece along with 6 Dumbest Mistakes, you might make the connection that the reason we are losing is because the whole industry is based on those bad ideas/premises.

Cyber Crimefighters Are Losing The Battle

Without trying to sell, Trustifier for Linux is a "default deny" security model that "enumerates goodness". Patching becomes unnecessary in many cases. All unauthorized attempts to access the system or files just fall off the system as non-events. Lock down your Linux systems and get to work.

This article helped me realize why so few people in security "get it". They have a certain mindset, have blinders on to anything new, and probably enjoy the swashbuckling adrenaline rush of being on the front battle lines while they milk the cash cow at their clients' expense.
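
Both codepoke's point about a short list of programs that are permitted to run and the "default deny" model that "enumerates goodness" mentioned in this post reduce to the same check: an executable runs only if it is on an enumerated list, and nothing else runs at all. The Python sketch below is an added example for this thread, not code from any post or from any product named here; the program names and file contents are constructed for the demonstration, and a real execution-control layer would enforce this in the kernel or program loader rather than in a script. It records the canonical path and SHA-256 hash of each trusted program, refuses anything not on the list, and also refuses a trusted program whose contents have changed since it was enumerated.

```python
"""Execution-control allowlist: a 'default deny / enumerate goodness' check.

Added example, not code from any post in this thread. The program names and
contents used in demo() are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def sha256_of_file(path: str) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(trusted_programs) -> dict:
    """Enumerate goodness: record canonical path -> hash for each trusted program."""
    return {os.path.realpath(p): sha256_of_file(p) for p in trusted_programs}


def check_execution(path: str, allowlist: dict) -> Decision:
    """Default deny: anything not enumerated, or not matching its hash, is refused."""
    real = os.path.realpath(path)  # resolve symlinks so an alias cannot dodge the policy
    expected = allowlist.get(real)
    if expected is None:
        return Decision(False, "not on the allowlist (default deny)")
    if not os.path.isfile(real):
        return Decision(False, "allowlisted program is missing")
    if sha256_of_file(real) != expected:
        return Decision(False, "hash mismatch: trusted program has been modified")
    return Decision(True, "allowlisted and hash verified")


def demo() -> dict:
    """Build a tiny constructed 'system': two trusted programs and one stray file."""
    with tempfile.TemporaryDirectory() as workdir:
        def write(name: str, body: bytes) -> str:
            target = os.path.join(workdir, name)
            with open(target, "wb") as fh:
                fh.write(body)
            return target

        editor = write("editor", b"#!/bin/sh\necho editing\n")
        mailer = write("mailer", b"#!/bin/sh\necho mail\n")
        attachment = write("downloaded_attachment", b"#!/bin/sh\necho surprise\n")

        policy = build_allowlist([editor, mailer])

        results = {
            "editor": check_execution(editor, policy).allowed,
            "mailer": check_execution(mailer, policy).allowed,
            "attachment": check_execution(attachment, policy).allowed,
        }

        # A trusted program is modified on disk. A signature-based scanner would
        # need to recognise the change; the allowlist refuses it without knowing
        # anything about what the change was.
        write("editor", b"#!/bin/sh\necho editing\necho extra\n")
        results["tampered_editor"] = check_execution(editor, policy).allowed
        return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18s} {'ALLOW' if allowed else 'DENY'}")
```

Running the script prints ALLOW for the two enumerated programs and DENY for the stray attachment and for the edited copy of the editor. The design choice worth noticing is that the policy never has to describe what is bad; the question it answers is only "is this exactly one of the things I said may run?", which is why patching and signature updates matter less under such a model than under an enumerate-badness one.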

A place to start.

by BHunsinger In reply to The Six Dumbest Ideas in ...

But just that.
1st dumbest: It is a variation on don't install default settings. At least it is at my level- I don't write programs to sell to people.
One thing he does ignore is the choices. Yes, 20 to 40 programs are the norm for a user: but as Robert Heinlein used to say about horse races "It is well established that one horse runs faster than another-but which one? Differences are critical!"
Not to start another thread devoted to screaming about freedom versus safety, just that there is a middle of the road approach that is needed in some places. There is a real cost to security. Try locking all materials in a room in a manufacturing plant. Unless the stuff is small, expensive or rarely used, the cost outweighs the benefit. Further, there is a cost to living in a locked down state. The benefits may sometimes outweigh that, and an employer can do what they want on their machines and network, but there is still a cost in terms of employee satisfaction, morale, and creativity.
His views on user education and patching involve some card palming. In the last ten years Microsoft has offered 8 OS's for the desktop- let alone the server. IE has been through 3,4 languages and to dismiss that increased complexity and change by saying "2-3 patches a month for 10 years" should have fixed it I say Hey, just set your browser to text only.
Education sometimes requires pain. People need to pay the consequences of breaking rules. This is not a technology issue, it is a social issue. For a computer startup you can require people to install their own machines as a way to weed out wannabes, not on a loading dock or a cash register.
Hacking- leaving alone the 'hacker/cracker' definition issue, the cool issue is moot. People are doing this for cold hard cash-no other reason. They are doing it in countries where the fix is in, screw "timid" it's safe. There is a difference between B&E goofs who rattle doorknobs and slit window screens in the next neighborhood and those who break into jewelry stores for big hauls. You better know the latest tools and tricks.
