Saturday, April 19, 2008 7:52 AM codingsanity

The 6 dumbest ideas in Computer security

Marcus Ranum has an article titled The Six Dumbest Ideas in Computer Security. I strongly suggest that anyone interested in security read it, and his other articles too. It's quite an old article, but someone put it on proggit and it made me remember it. In fact, I'd say that this article was seminal in guiding my understanding of computer security. For those of you too lazy to click on links, a swift summary:

  1. Permitting things by default instead of denying things by default. This used to be very common in firewalls.
  2. Focusing on stopping known bad things rather than only allowing known good things. A special case of #1, but still very common in antivirus products and operating systems.
  3. Plugging holes as hacks become known rather than hardening the application in the first place.
  4. Hacking is cool.
  5. Educating users.
  6. Doing something is always better than doing nothing. Think about it this way: do you really want to be running bleeding-edge software on your firewall?
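
Points #1 and #2 as a worked example, added here rather than taken from Ranum's article or this post: two first-match rule tables that differ only in their default action, run over constructed traffic that includes a service neither table knows about (all rules, ports and flows are made-up sample data).

```python
# Default-permit versus default-deny as first-match rule tables.
# Added illustration for points #1 and #2; all rules and traffic are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    proto: Optional[str]  # None matches any protocol
    port: Optional[int]   # None matches any port
    allow: bool

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in (None, proto) and self.port in (None, port)

class Policy:
    """Ordered rule table: the first matching rule wins, else the default action."""

    def __init__(self, rules, default_allow: bool):
        self.rules = list(rules)
        self.default_allow = default_allow

    def allows(self, proto: str, port: int) -> bool:
        for rule in self.rules:
            if rule.matches(proto, port):
                return rule.allow
        return self.default_allow

# Dumb idea #1: enumerate badness and let everything else through.
DEFAULT_PERMIT = Policy(
    [Rule("tcp", 23, False), Rule("tcp", 135, False), Rule("udp", 1434, False)],
    default_allow=True)

# The alternative: enumerate goodness and drop everything else.
DEFAULT_DENY = Policy(
    [Rule("tcp", 22, True), Rule("tcp", 443, True), Rule("udp", 53, True)],
    default_allow=False)

# Constructed traffic. The last flow is a service nobody had heard of when
# the tables were written, so neither table mentions it.
TRAFFIC = (("tcp", 22), ("tcp", 23), ("tcp", 443), ("tcp", 8765))

def permitted(policy: Policy, flows=TRAFFIC):
    """Return the flows the policy lets through."""
    return [flow for flow in flows if policy.allows(*flow)]

if __name__ == "__main__":
    print("default-permit:", permitted(DEFAULT_PERMIT))  # the unknown 8765 gets in
    print("default-deny:  ", permitted(DEFAULT_DENY))    # only listed services
```

The default-permit table passes the flow it has never seen, which is exactly the failure mode of enumerating badness; the default-deny table does not need to know about it to block it.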

A point he makes about #3 and #5 is that if these worked, they would have worked by now: IE would be the most secure browser on the planet and users wouldn't click on attachments anymore.

Do yourself a favour, go and read the original article. It's well worth it.

Comments

# re: The 6 dumbest ideas in Computer security

Monday, April 21, 2008 9:54 AM by OJ

Hacking <em>is</em> cool. It's a fantastic way to learn how things work. Are you suggesting that learning by pulling things apart is a dumb idea? If so, I completely and utterly disagree. Some of the best programmers around started off in this manner.

If you think hacking is only a bad thing then you need to try it for yourself. You'll be surprised what you learn. And don't forget that there's a difference between hacking and cracking.

# re: The 6 dumbest ideas in Computer security

Monday, April 21, 2008 10:31 AM by Sean Hederman

OJ, the point that Marcus makes is that hacking is a criminal activity, and by lionizing hackers we encourage more people to try and hack systems. The thing is that most "hackers" are in actuality merely script kiddies with a VERY limited understanding of what they're doing.