The Six Dumbest Ideas in Computer Security
Frater 219 writes "The IT industry spends a huge amount of money on security -- and yet worms, spyware, and other relatively mindless attacks are still able to create massive havoc. Why? Marcus Ranum suggests that we've all been spending far too much time and effort on provably ineffective security measures. It may come as a surprise that anti-virus software, penetration testing, and user education are three of "The Six Dumbest Ideas in Computer Security"."
Cue the "Installing Windows" jokes...
http://brandonbloom.name
You can put on all the AV and security policies you want, but if joeslob is going to click on and run the "naked_sluts.exe" he gets emailed, there is nothing you can do. My solution? Don't fucking work administering computers; it's a cunt of a job and it's hugely underpaid for the time and stress it causes.
If you mod me down, I will become more powerful than you can imagine....
This has to be the worst article in terms of truthfulness, content, and the author's understanding of the subject in general that I have seen since the last Michael Moore documentary. Most of the practices mentioned are good when they are carried out. The real issue of balancing security with delivery for the end user is a tough one, and some simplistic article categorically denying the worth of all security practices is worthless itself. Security is an in-depth process, and with the dangerous combination of ignorance and arrogance comes a security breach. The same goes for physical security: if you have inept people installing the locks and maintaining the doors, someone will eventually enter whom you didn't expect. With worms the threat is even greater because it is all automated and attacking from angles your IT team may not have expected or anticipated, because they are undertrained, overpaid egomaniacs who got the job because they sounded like they knew what they were talking about and exuded a confidence far superior to their actual abilities or training, much like the author of this POS.
~~~
I too have felt the cold finger of injustice.
Are you THAT incompetent of an admin to even LET the user write where you don't want him to write?
It isn't only a Windows problem, but it is a Windows problem, and it is a commercial software problem largely created by Microsoft. In many ways Microsoft created the software industry and the culture of creating software commercially and interfacing with users. Their bad habits have infested the entire industry.
Certainly there are many kinds of attacks, and let there be no doubt that there will always be new attacks being invented. Expecting to avoid all of them, even before they've been invented, either by smart design or blacklisting is naive. Windows, though, encourages this behavior by having poor built-in security. IMO Unix/Linux-style security leaves much to be desired, but it is just worlds stronger than that of Windows. Unix was around before Windows, and Microsoft had experience with it (Xenix), but they decided to throw out what they knew and just face the world with no security model in place. Foolish even in the days before everyone had Internet access.
Sendmail, and the whole fragmented, fscked-up concept of email as we know it, is a mess that also wasn't designed with security in mind and is a classic example of how patches can never fix a bad design. Email needs to be reinvented from the ground up to be fixed.
Apache has had problems, but they are at a more reasonable level and most are in a module and not in Apache itself. Overall, it was designed well. My experience is that most open-source projects start off as poorly designed as their commercial counterparts. The difference is that all that poor design is exposed, so that over time the programs get redesigned and evolve into solid code bases. Commercial software hides its weaknesses and is consumed with the bottom line of making money: features and glitz over stability, flexibility, and security.
My experience is that most admins and programmers are clueless, lazy, and not nearly paranoid enough. Of course a lot of that is because of pressure put on them by management that doesn't want to invest the time in better solutions. I really hate hearing that doing it right takes too long and that it's good enough without decent security and a solid design. They'd rather worry about the problem, at much greater expense, only after it becomes a danger to them financially.
At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.