The Six Dumbest Ideas in Computer Security
Frater 219 writes "The IT industry spends a huge amount of money on security -- and yet worms, spyware, and other relatively mindless attacks are still able to create massive havoc. Why? Marcus Ranum suggests that we've all been spending far too much time and effort on provably ineffective security measures. It may come as a surprise that anti-virus software, penetration testing, and user education are three of "The Six Dumbest Ideas in Computer Security"."
Why, would you rather I leave the door open to get some light in the basement?
Be relentless!
Unless they ban the movie Hackers and eradicate all copies of it everywhere, they're not gonna make hacking uncool...
[o]_O
I thought the overall article was dumber than the six dumb ideas.
Yeah, I'm taking all my anti-virus software off the computers right now. I don't know why I ever thought it was useful anyway. It's more efficient to deal with the infections as they come in than it is to try to prevent it.
I'm gonna stop using condoms too while I'm at it.
Sometimes my arms bend back.
Ah, I see by the picture on that page that he likes to play 52 card pick up.
# chmod +x naked_sluts.exe
# ./naked_sluts.exe
/home/iclod/porn...
/home/iclod/work...
/home/iclod/Mail...
/home/iclod...
/home...
/home: permission denied.
#
Removing
Removing
Removing
Removing
Removing
Error: cannot remove
* Entering phase 2
Scanning ports for viral spreading:
No suitable ports available.
* Entering phase 3
Accessing sendmail...
Mailing...
Mailing...
Mailing...
Error: mail blocked: too many recipients. Wait ten minutes and try again.
In short, users aren't a major problem because they should only be able to hurt themselves. The problem is that they often can and do hurt others. This is the result of poor design.
Password must be 10+ characters in length, contain upper and lower case letters, 3 numbers and 2 special characters.
Result:
Users keep their passwords on post-it notes stuck to their monitors.
2) Constant password expiration
Passwords expire every 3 months. New passwords cannot resemble old passwords.
Result:
Users keep their passwords on post-it notes stuck to their monitors.
My current password is "ilovepigs" and all i have to do to find it is look through my slashdot post history on another PC.
I don't understand why people bother with postit notes
"In a time of universal deceit - telling the truth is a revolutionary act." - George Orwell
*head explodes*
"I'm gonna stop using condoms too while I'm at it"
It's too bad your father had the same attitude.
Maybe he's a friend of ESR's or RMS's. Trying for his own elevation to 3 char alias fame...
Wow! That was one of the better articles I have read here! Very good! Thanks!
I worked for a firm earlier where we had to change our passwords every week where the password had to 1) be exactly 14 characters and 2) be ~60% different to the previous four passwords.
Man, you had it easy. My current place uses iris scans for authentication. We have to swap out our eyeballs every 30 days, and our new eyes can't be the same colour as the last pair.
Obviously, there are too many asses to pinch, boobies to grab and dirty jokes to tell for one person to do it all by hand (so to speak). So they've automated the process. I think you'll find that automation is superior to outsourcing in this case.
webmin tickle tab: putting her ass back in her.ass.ment.
actually, it's now 'iloveham'
My current password is "ilovepigs" and all i have to do to find it is look through my slashdot post history on another PC.
Better not do that on your girlfriend's PC.
Make that your ex-girlfriend's PC.
Somewhere, something incredible is waiting to be known. -- Carl Sagan
There is at least one other way to improve security...
http://www.comics.com/comics/dilbert/archive/images/dilbert2813960050912.gif
Well, for what it's worth, I just did a measurement of my Mac OS desktop which is 24.7 cm wide while my KDE desktop is 40.5 cm.
This was done with the time tested scientific method of sticking a ruler on the screen.
I'll let you interpret the result however you see fit.
May contain traces of nut.
Made from the freshest electrons.
Actually, I think the basic problem is more complex than users execing files unpacked from a tar or zip file. The major reason for so many "accidental" executions of outside software on Windows systems is that many Windows programs execute things without the user being aware that this is happening. The most obvious culprits are mail GUIs, where you "open" an attachment by merely clicking on its icon. There's nothing in the word "open" that implies executing a program, but if the attachment is labelled as executable, that's what happens. So the user may know better than to execute a strange program, but they think they're just opening (i.e., viewing) a document.
;-). Usually such features are controlled by an on/off option setting, but the default is "on", because that's more powerful and convenient for users.
;-)
This problem did pop up in unix software in the early 80's. Several mail readers (usually also editors) got a new "feature" of being able to automatically execute scripts embedded in messages. The user communities' reactions to this were immediate: They understood right off the danger, and insisted very loudly that this misfeature would be fixed right now. Companies found their sales on hold until this serious security breach was fixed. The problem was fixed in weeks, and whenever someone reintroduces such clever features, the same sort of blowup occurs until the vendor understands and repairs the damage.
The Windows user community is a different culture. They have accepted such misfeatures, because they don't understand the problem. Microsoft sees no reason to fix such problems, because few users are objecting (and it's not Microsoft's problem
It really does come down to ignorant vs. knowledgeable users, of course. Unix users tend to know a lot more about their computers than Windows users do. No surprise there; we've always had that divide in the computer field. But I wouldn't call Windows users "stupid". Many of them are quite smart - in some other subject areas. The word is "ignorant", and we're all ignorant in most subject areas. There simply isn't time to become knowledgeable in all subjects.
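The design the comment above argues for, that "open" should mean view and never execute, as an added example that is not from the thread or the article: a mail client's attachment handler that routes by content and last extension, and refuses executables even when the user clicks. The extension lists, viewer names and sample attachments are assumptions constructed for illustration.

```python
# Added example (not from the thread): an "open attachment" handler
# that never hands a file to a loader or interpreter, only to a viewer.
import os

# Extensions Windows would run on double-click rather than display
# (constructed list; extend as your platform requires).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".bat", ".cmd",
                         ".pif", ".vbs", ".js", ".msi"}

# Magic bytes of native executables: a renamed binary is still a binary.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")

# Viewers we are willing to launch; anything else is shown as raw bytes.
VIEWERS = {".txt": "text-viewer", ".pdf": "pdf-viewer",
           ".jpg": "image-viewer", ".png": "image-viewer"}


def classify_attachment(filename: str, content: bytes) -> str:
    """Return 'blocked' for anything executable, else the viewer to use.

    "Open" here means view: the handler has no code path that executes,
    so a click on an icon cannot turn into running a program.
    """
    name = filename.lower()
    # Use the *last* extension: "holiday.jpg.scr" is a .scr, not a .jpg.
    _, ext = os.path.splitext(name)
    if ext in EXECUTABLE_EXTENSIONS:
        return "blocked"
    # Content sniffing catches an executable hiding behind a harmless name.
    if content.startswith(EXECUTABLE_MAGIC):
        return "blocked"
    return VIEWERS.get(ext, "hex-viewer")


def triage(attachments: dict) -> dict:
    """Classify every attachment in a message; returns {name: decision}."""
    return {n: classify_attachment(n, c) for n, c in attachments.items()}


# Constructed sample message with benign, disguised and renamed attachments.
SAMPLE_MESSAGE = {
    "report.txt": b"Quarterly numbers attached.",
    "invoice.exe": b"MZ\x90\x00\x03",
    "holiday.jpg.scr": b"\xff\xd8\xff\xe0",   # image bytes, executable name
    "photo.jpg": b"MZ\x90\x00\x03",           # executable bytes, image name
    "dump.bin": b"\x00\x01\x02",
}

if __name__ == "__main__":
    for name, decision in triage(SAMPLE_MESSAGE).items():
        print(f"{name:18s} -> {decision}")
```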
You don't have a spare college degree you don't need, do you?
Y'know, I've often wondered about that. I've never used my high-school degree or my B.A. (math) from college. Nobody ever asks you about any degree except the highest one. The rest are sitting there unused. So why not sell them to someone who needs one? I'd think that the "market" people, from whom we hear a lot these days, would strongly approve of this.
OTOH, I suppose one could argue that this is "Intellectual Property", and as such, there's a strong move afoot to outlaw resale of all IP items. The recording industry doesn't want you to be able to resell your old recordings. The movie industry is getting the same idea. Microsoft's EULA already outlaws resale of the software that you bought with your computer, so if you donate your computer to charity, the license for the software doesn't go along with it, and your charity org has to pay for the software again. Similarly, you can't resell old degrees that you're no longer using.
So why shouldn't all of these be resellable on the Open Market?
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
if they see a working prototype, they'll try to force me to roll it out as productive immediately
You think that's bad? I've had project managers try to do that to me when they saw a Powerpoint mockup of a new app!
You can accomplish anything you set your mind to. The impossible just takes a little longer.