General discussion


The Six Dumbest Ideas in Computer Security

By jdclyde ·
This came in a security newsletter I recieve. I read it and some of the ideas I thought were pretty obvious to me, yet some others made me have to think about them for a while as they are counter the conventional "wisdome" about computer security.

"Marcus Ranum released any interesting editorial entitled "The Six Dumbest Ideas in Computer Security." He gives his views on common security misconceptions that seem to be perpetuated throughout corporate IT environments. You can read this and other editorials at:"

After reading this, what is your take? Are we just chasing our tails so vendors can continue to make a profit?

Is this approach something that you use, or could use?

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

It was new to a few of us

by jdclyde In reply to Preaching to the choir... ...

This isn't the line of thinking you get from many securty "Experts" as it would take away from their business if people followed it.

If you have other good sources, links are always wanted. (thanks)

As for the "atta boys", that is the EXACT reason that a Windows Sys Admin gets more respect than a *nix Admin does. The Win admin has to come along to "save the day" on a regular basis, and the user doesn't know he saves the day by rebooting the server. The *nix admin puts the system in place and you forget about it until it is time for an update or upgrade.

The worst thing I see, is a company with a firm security policy that they are unable or unwilling to enforce. Welcome to my he11.

Collapse -

Not hard enough / CLM

by MWRMWR In reply to Preaching to the choir... ...

Excellent point. Only employ sysadmins who will insist on absolutely no network connections and no media importation etc.

Then get those knowledgeable folk to explain to the shareholders how much this zero-risk strategy has boosted the company worth....

Shucks. I *do* agree with you actually on the mis-directed sysadmin-praise topic. I am regularly commanded to "make do and mend" rather than understand, fix and thus minimise the daily fire-fighting; so I empathise. The politicians that avoid wars tend to get less glory than those that "win" wars; likewise, sadly, those that re-inforce coastal or earthquake defences are seen to just waste $? - until disaster strikes.

As for HR and Marketing "bright ideas", minimise the time waste by smiling and saying "Yes, yes, yes" enthusiastically ...and then enter the idea into the to-do list where it can be assigned the relevant cost, benefit and priority attributes ;-}

Collapse -

Hack-Proof Network

by thisisfutile In reply to The Six Dumbest Ideas in ...

lol, as if...

You do like everyone else, you patch the whole...fight the virus...lick your it again tomorrow.

Collapse -

What are you smoking?

by jsullo In reply to The Six Dumbest Ideas in ...

You do make some points but for the most part what you describe does not exist in most infrastructures today. To put out the idea that these methods are dumb ideas is silly in most existing corporate infrastructures you must do these things until your so called zen network is in place. By the way good luck with that. Oh and what ever you create can be hacked in ten minutes with one payoff to a disgruntled employee, let's not forget about the attacks from within. I'm not sure what you goal is with this article but I think if you have a new OS to take over the market well put it out otherwise get back to patching since Microsoft is not going to build bullet proof OSs anytime soon. Good Perimeter, Good Domain Security and sensible design will help you hande things in between patching and IDS but they are not instead of it.

Just My two Cents

Collapse -

A change in thought is required

by jdclyde In reply to What are you smoking?

The way people BUILD and run networks has to be regularly looked at and reviewed.

Is this the best way to do things? Can it get better doing what we are doing? Or is it not working, time to try a different approach?

That is what I took this article as. Sure, most of us couldn't change over to his ideal right now, but it is something to think about.

People need to expect more.

I could use a little Zen, how about you?

Collapse -

This ideal standard..

by Praetorpal In reply to A change in thought is re ...

... is available now for Linux. If you drop Trustifier on each Linux server/node where data is kept, and each access point (firewall/VPN and eventually mobile devices), than that ideal is attainable now.

NOTE: Trustifier is a commercial product for the enterprise. In this forum topic I am trying to tread the fine line between discussing a new model of security product factually, and selling. This product was my introduction to security and everything else just seems like too much darn work.

Collapse -

Can I have your dreamworld

by gphoto45 In reply to The Six Dumbest Ideas in ...

Excuse my typing, I am one-handed this week! The dreamworld is OS's that don't need pattching. Every OS will require patching. You can't create and OS that is bulletproof, when new bullets are coming out every day. Windows, Linux, Mac, they all have patches. Who ever assumed 5 years ago, we would be fighting an army of Zombies. How are you going to lock down Granny's computer, and have her just activate the services she needs. Are you going to install a quarentine server for her emails, and one for her 200 friends? They solution is the same one the solves the problem if having to lock you doors. If the penalty for trespassing is so sever, no one will do it, then the problem is solved. To send a hacker to less than a year in a juvenile detention center, complete with Cable TV, golf course, swimming pools is the punishment, we have lost. That is better than some people have at home. Not a big proce to pay for millions of $ of damage. The author has some very valid points, but is obviously stuck in a IT world that only exists in his dreams. This isn't a discussion on what OS is better, but how to make computing safe. And you have to start with the problem, that attackers, not trying to protect something that shouldn't have to be protected.

Collapse -

But how to enforce?

by jdclyde In reply to Can I have your dreamworl ...

All someone has to do is be in a country where that activity isn't illegal and doesn't have extradition. From that point, there is NOTHING that can be done to these people.

The only way to stop this behavior is to black list countries that do not follow guidelines for on-line behavior. Spammers, porn jockies, scam artists, and hackers can do as they please.

Then when someone here DOES get caught, it is "unpopular" to prosucute (execute?) them and they get the slap on the wrist you pointed out.

His ideas can't save the world, but they could help the work networks and servers. If grandma has to have her system reloaded a few times a year, oh well.

Collapse -

Lets see lets make all OS's secure

by Tony Hopkinson In reply to Can I have your dreamworl ...

or re-engineer the human race.
Windows source code a and C book coming up.
Don't want your dream world anyway, if you took the tendencies that lead to criminality out of out race we'd be extinct in short order. A lot of innovation comes from getting round constraints natural or man made.

Collapse -

not a c book

by Jaqui In reply to Lets see lets make all OS ...

a visual basic book

actually, windows is coded in c++ exclusivly.*

*trivia gained from ms associate that has been alpha testing windows for last 10 years.

Related Discussions

Related Forums