Slashdot Mirror


The Six Dumbest Ideas in Computer Security

Frater 219 writes "The IT industry spends a huge amount of money on security -- and yet worms, spyware, and other relatively mindless attacks are still able to create massive havoc. Why? Marcus Ranum suggests that we've all been spending far too much time and effort on provably ineffective security measures. It may come as a surprise that anti-virus software, penetration testing, and user education are three of "The Six Dumbest Ideas in Computer Security"."

1 of 792 comments

  1. Re:Joke? by MikeFM · Score: 1, Flamebait

    It isn't only a Windows problem but it is a Windows problem and it is a commercial software problem largely created by Microsoft. In many ways Microsoft created the software industry and the culture of creating software commercially and interfacing with users. Their bad habits have invested the entire industry.

    Certainly there are many kinds of attacks and let there be no doubt that there will always be new attacks being invented. Expecting to avoid all of them, even before they've been invented, either by smart design or blacklisting is naive. Windows though encourages this behavior by having poor built-in security. IMO Unix/Linux-style security leaves much to be desired but it is just worlds stronger than that of Windows. Unix was around before Windows, and Microsoft had experience with it (Xenix) but they decided to throw out what they knew and just face the world with no security model in place. Foolish even in the days before everyone had Internet access.

    Sendmail, and the whole fragmented fscked up concept of EMail as we know it, is a mess that also wasn't designed with security in mind and is a classic example of how patches can never fix a bad design. Email needs to be reinvented from the ground up to be fixed.

    Apache has had problems but they are at a more reasonable level and most are in a module and not in Apache itself. Overall, it was designed well. My experience is that most open-source projects start off as poorly designed as their commercial counterparts. The difference being that all that poor design is exposed so that over time the programs get redesigned and evolve into solid code bases. Commercial software hides its weaknesses and is consumed with the bottom line of making money - features and glitz over stability, flexibility, and security.

    My experience is that most admins and programmers are clueless, lazy, and not nearly paranoid enough. Of course a lot of that is because of pressure put on them from management that doesn't want to invest the time in better solutions. I really hate hearing that doing it right takes too long and that it's good enough without decent security and a solid design. They'd rather worry about the problem, at much greater expense, only after it becomes a danger to them financially.

    --
    At what price learning? At what cost wisdom? The price is a man's peace of mind, and the cost is his life.