The six dumbest ideas in computer security
A very interesting read by Markus Ranum, which emphasizes some of the ground-shaking security errors that we’ve come to make every so often in today’s day and age. Here’s the rundown:
“I’ve tried to keep this light-hearted, but my message is serious. Computer security is a field that has fallen far too deeply in love with the whizzbang-of-the-week and has forsaken common sense. Your job, as a security practitioner, is to question - if not outright challenge - the conventional wisdom and the status quo. After all, if the conventional wisdom was working, the rate of systems being compromised would be going down, wouldn’t it?”
And here are the goofups, in decreasing order, sorted by frequency of occurance:
- Default Permit
- Enumerating Badness
- Penetrate and Patch
- Hacking is Cool
- Educating Users
- Action is Better Than Inaction
If they managed to tickle your interest, go read the full paper.
And since we’re on the subject of security for the moment, let me thank Kelly Martin for pointing me to the above article (go read her Hackers are all B’stards now article too if you have the time).
I also found another juicy piece of mind candy linked from Ranum’s article, entitled Personal observations on the reliability of the Shuttle, by R.P. Feynman. It’s not about computer security, but it does deal with the specific mindset needed when designing complex systems.
Ever since reading the above stuff, I’ve payed more attention to the ongoing discussions on various online forums dedicated to computer day-to-day use. Indeed: the two top mistakes in Mr. Ranum’s list have been embraced without a second thought by most of the users.
Take using Windows, for instance: we spend, oh, God, so much time installing, updating and tweaking so many pieces of security software, it makes you want to cry for the time we lose out of our lives. A firewall, an antivirus and at least one tool for periodical trojan and spyware sweeps are the norm on any Windows computer. And some of those still go wrong somehow and some users willfully go through the pains of completely reinstalling their systems from scratch(!!).
And this is the “knowedgeable” bunch. The regular users simply get owned, while the smart ones bow to their fate and just find a good, fast backup tool of some kind, to at least make their reinstall more painless (that’s in addition to the firewall, antivirus and spyware removal tool).
I’m not saying that computer users should be experts, or even knowledgeable about this stuff. Most of this stuff is the fault of software writers everywhere. Then there’s stuff, such as social engineering, that will never go away, no matter how hard we try.
But I just have to wonder: are we such cattle that we’ve reached a point where we voluntarily torture ourselves, lose copious amounts of time and stress out, and yet we don’t ask what’s wrong with the picture? “I’ve had enough of all this. Isn’t there a better alternative?” When’s the last time you heard a typical computer user say this and really mean it (as opposed to just bitching)?