The Six Dumbest Ideas in Computer Security

By jdclyde ·
This came in a security newsletter I receive. I read it and some of the ideas I thought were pretty obvious to me, yet some others made me have to think about them for a while as they are counter to the conventional "wisdom" about computer security.

"Marcus Ranum released an interesting editorial entitled "The Six Dumbest Ideas in Computer Security." He gives his views on common security misconceptions that seem to be perpetuated throughout corporate IT environments. You can read this and other editorials at:"

After reading this, what is your take? Are we just chasing our tails so vendors can continue to make a profit?

Is this approach something that you use, or could use?

A locked down state

by jdclyde In reply to A place to start.

What kind of "creativity" should an employee have with a company computer? Should they be allowed to install any application they want at any time they want?

The cost of LETTING them trash "their" systems as they please can be small or huge. There is the downtime while their system gets reloaded, and hope they had a backup of "their data".

If data is lost, how much time is wasted replacing that data instead of doing their job?

Then there is the information theft. What will happen to your business if people find out your user database got stolen because you don't want to stifle creativity with a company asset? I think you will see fewer people wanting to do business with you, not to mention possible lawsuits.

Bottom line, that computer is NOT the user's computer. It is a company TOOL that they are allowed to use to complete set tasks for the duration that they are employed. The more they dump systems, the shorter that employment will be.

I wonder

by Too Old For IT In reply to A locked down state

Just what kind of security/lockdown goes on at places like Websense and other blacklisting organizations, where users are required to look at hate sites, internet porn, drive-by-downloader sites (and so on) all day long?

Maybe they keep the "boot to Ghost" CD as close as we do when we are testing old Win 95 apps on WinXP Pro machines ...

Security unveiled, at last

by tor In reply to I wonder

Wow! And I thought we were all alone out here struggling against the tide. On an individual basis the delete key is the most effective tool for computer security through e-mail. If you don't want it, delete it.

Secondarily, why did the article have to be thin white print on a black background? That's really dumb!

Background and font

by stress junkie In reply to Security unveiled, at las ...

Sometimes when I click on the link to a story I get the dark background. If I reload the page it goes to black letters on a white background.

Background and font 2

by coberbeck In reply to Background and font

I was thinking it was an homage to Maddox.

Work environment: Employer's Choice

by BHunsinger In reply to A locked down state

There is a difference between scratching and tearing. I could just as easily say what kind of 'security' requires that I have to submit a request to go to a technical site just because TR is not on an approved list. Or keeps me from checking my web-based email account without a sign-off. Or requires that I submit to a strip search every time I enter the job site.
Oh, and how much time is spent authorizing those changes, and resetting 16-character passwords?
I am not advocating anything goes. What I am saying is that there is a balance between employee morale/productivity and security. If you treat employees as if they cannot think, learn, or act responsibly, the culture of your company becomes one in which no one acts without orders/permission.
"I was waiting for the proper authorization" is why several hundred school buses were flooded while people were trapped in New Orleans.
Security reasons were why data wasn't adequately shared between government agencies before 9/11.
National Security has been used for 50 years to cover up misdeeds at the federal level.
Fear sells. Scared people give up power. There are some people in security, of all types, because they like having power.
Joe Foss, an 80+ year old war veteran, was stopped from flying to West Point after 9/11. Why? His Congressional Medal of Honor, which he was taking to show the cadets, had pointy edges, and he wouldn't let them take it.
My comments are not about the rights of the company to do as it sees fit about security on the company's property. It is about how to choose.

broken link

by gallagher In reply to The Six Dumbest Ideas in ...

I think your link is broken.

Works just fine

by jdclyde In reply to broken link

Just checked it out, and it's still up.

You might have checked it at the same time as the hordes of TR scampered to it.

Very common when an article gets linked to and many find out about it at the same time.


by Ou Jipi je In reply to The Six Dumbest Ideas in ...

Firstly, there are user requirements. Often, these include running Internet Explorer with permission to execute scripts, which Microsoft did not foresee when integrating their browser into their operating systems. That alone is the dumbest idea of them all. While I agree that this is not such a big problem if you put an experienced admin on the spot, the chance of being "hacked" is already down by at least 98%. (The last 2% is Microsoft itself, and their complaint department is closed for the weekend.)

That said, secondly, an even dumber idea might be to employ a network administrator with insufficient knowledge and assign him to a manager who spends most of the time sticking his head up his butt.

Computers are tools. There is no magic or romance involved here. If someone would give you a spoon and say "dig out a swimming pool for me asap" -- even when I have seen in my experience dumb admins who would actually start digging, and middle management supporting the idea -- the spoon will eventually break.

I want to be secure, but I want to have no restrictions! Voila -- there we go, dumbest idea number three.

Should I continue?

Preaching to the choir... always gets applause

by Beoweolf In reply to The Six Dumbest Ideas in ...

Great, it's as good this time as it was the first 10 or 20 times I have read it (in one form or another).

Now back to the hard work of fighting every foolish idea, notion or inspiration that comes from managers, HR and especially Marketing.

Generally speaking... there are more good System Administrators than there are bad ones; don't laugh, bear with me a moment. The biggest flaw with most Sys Admins is not having the strength of conviction to not allow the systems they are charged with protecting to be compromised for a "minor" drop in security... "just until we get this sorted". Invariably, "just until" becomes "just a little longer" and finally morphs into... well, "why change it now, we haven't had any problems".

The point is... if they are paying you for knowledge, then be knowledgeable. Complacency is the biggest enemy of a secure system. Seems the better you are at keeping staff from shooting themselves in the foot, the less they respect our warnings.

As stated in the article, the sys admin that "saves" the system or "cleans" a corrupt email system... after it is infected or compromised... gets a boatload of "Atta' boys". The guy that prevents the infection or compromise is labeled as a "hard ***" and roundly vilified by management and staff.