Slashdot Mirror


The Six Dumbest Ideas in Computer Security

Frater 219 writes "The IT industry spends a huge amount of money on security -- and yet worms, spyware, and other relatively mindless attacks are still able to create massive havoc. Why? Marcus Ranum suggests that we've all been spending far too much time and effort on provably ineffective security measures. It may come as a surprise that anti-virus software, penetration testing, and user education are three of "The Six Dumbest Ideas in Computer Security"."

6 of 792 comments

  1. Highly applicable by gunpowda · Score: 5, Informative
    The Internet has given a whole new form of elbow-room to the badly socialized borderline personality.

    Woah, he's not talking about Slashdot?

  2. Re:He mixed up hacking and cracking by TLLOTS · Score: 4, Informative

    I think you misunderstood his point with #4. My understanding of what he was saying was that time spent learning how to hack into a system with xyz could be better spent simply learning about good security practices (such as how to prevent a buffer overflow). Rather than spending the rest of your life learning about each new exploit, you simply focus on why those exploits are occurring, and fixing them at the source, rather than trying to simply keep patching.

  3. Re:Either stupid or obvious by Hektor_Troy · Score: 3, Informative
    3) Penetrate and Patch

    So you are saying we should write code without bugs and holes? What a great idea that is! Why did no-one think of saying that before?
    That's not what he's saying.

    Think of it this way:

    /* The poster's deliberately broken design: primality by enumeration.
       It returns 1 only for the three primes someone remembered to list,
       so 7 (and every larger prime) "fails" the check. */
    int isPrime(long primeSuspect)
    {
        if (primeSuspect == 2 || primeSuspect == 3 || primeSuspect == 5)
            return 1;
        return 0;
    }

    How would you patch it? Test it for every prime and then add them to the check list? Or would you realise that the design is crap and change the design?

    He wants you to change the design, rather than just fix the apparent flaw that 7 returned false.
    --
    We do not live in the 21st century. We live in the 20 second century.
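The contrast the comment above draws, worked through as an added example (this is not the commenter's code): the enumeration after one more "patch" (7 bolted on after the bug report, so 11 is the next report waiting to happen) beside a check that decides primality from the definition and is therefore correct for every input, reported or not. The sample inputs in main() are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* "Penetrate and patch": the original check, extended by one more
 * hard-coded prime after someone reported that 7 was rejected.
 * 11 still fails, and so will every prime nobody has reported yet. */
bool is_prime_patched(uint64_t n)
{
    return n == 2 || n == 3 || n == 5 || n == 7;
}

/* The design change: decide primality from the definition instead of
 * from a list of known-good inputs. Trial division by 2 and then by odd
 * divisors up to sqrt(n); correct for every uint64_t, not just the ones
 * someone has tested so far. */
bool is_prime(uint64_t n)
{
    if (n < 2)
        return false;
    if (n % 2 == 0)
        return n == 2;
    /* d <= n / d is d*d <= n written so it cannot overflow. */
    for (uint64_t d = 3; d <= n / d; d += 2) {
        if (n % d == 0)
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed inputs: the reported case (7), the next unreported
     * prime (11), a composite that looks prime at a glance (221 = 13*17),
     * a large prime, and the edge cases 0 and 1. */
    uint64_t samples[] = {0, 1, 2, 7, 9, 11, 221, 65537};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t n = samples[i];
        printf("%6llu  patched=%d  redesigned=%d\n",
               (unsigned long long)n, is_prime_patched(n), is_prime(n));
    }
    return 0;
}
```

The patched version and the redesigned version agree on every number that has already been reported, which is exactly why "penetrate and patch" looks like progress until the next pentest (or the next worm) tries 11.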
  4. Re:Dumber Article... by Krunch · Score: 5, Informative
    One of the points basically comes down to "write perfect code".
    No, it comes down to "build a perfect design".
    Of course I fricking want to install it
    But maybe you don't want it to connect to the network or touch the filesystem.
    --
    No GNU has been Hurd during the making of this comment.
  5. Re:Joke? by pembo13 · Score: 3, Informative

    I think he meant Mac as part of *nix

    --
    "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
  6. Re:A much bigger problem by mr_z_beeblebrox · Score: 3, Informative

    thus negating the hundreds of thousands of dollars of security infrastructure

    They didn't negate it. The stateful firewall still stopped traffic at its border, etc. What they did was expose the lack of hours spent planning the security. Here is what I do, and you are free to do it, improve it or ignore it (that makes it free). In my company every network jack that does not have a directly attached device on it is plugged into a bank of switches that are separated from my network by a PIX firewall. The firewall has rules that allow basic e-mail, web and specific application data to go across. Most traffic is denied. If anyone plugs a laptop in they are able to do those things but are unable to do Windows file share, domain login etc. If they need to use those I have to be given control of the box and it does not leave the building.
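The policy the comment above describes, written out as an added example (not the commenter's PIX configuration): a first-match access list for connections started from the spare-jack switch bank, with a default deny that is what actually stops file sharing and domain login, and a second list that lets nothing be initiated from the inside toward the jack bank. The port for the "specific application" and the DNS entry are assumptions, since the comment names neither; the connection attempts in main() are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum proto  { TCP, UDP };
enum action { DENY, PERMIT };

/* One access-list entry: protocol, destination port (0 = any), verdict. */
struct rule {
    enum proto  proto;
    uint16_t    dport;
    enum action action;
    const char *why;
};

/* Connections initiated from the unused-jack switch bank toward the
 * inside network. First match wins; the trailing "any port" rows are the
 * default deny that drops SMB, Kerberos, LDAP, RPC and everything else.
 * The DNS row and the application port are assumptions, not from the post. */
static const struct rule jack_to_inside[] = {
    { TCP,   25, PERMIT, "SMTP" },
    { TCP,  110, PERMIT, "POP3" },
    { TCP,  143, PERMIT, "IMAP" },
    { TCP,   80, PERMIT, "HTTP" },
    { TCP,  443, PERMIT, "HTTPS" },
    { UDP,   53, PERMIT, "DNS (assumed: web and mail need name resolution)" },
    { TCP, 8443, PERMIT, "line-of-business app (assumed port)" },
    { TCP,    0, DENY,   "default deny" },
    { UDP,    0, DENY,   "default deny" },
};

/* Nothing is initiated from the inside toward the jack bank. Replies to
 * permitted outbound connections return via the firewall's state table,
 * not via this list, which is what "stateful" buys you here. */
static const struct rule inside_to_jack[] = {
    { TCP, 0, DENY, "default deny" },
    { UDP, 0, DENY, "default deny" },
};

#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* First-match evaluation; anything that falls off the end is denied too. */
static enum action evaluate(const struct rule *rules, size_t n,
                            enum proto p, uint16_t dport, const char **why)
{
    for (size_t i = 0; i < n; i++) {
        if (rules[i].proto == p &&
            (rules[i].dport == 0 || rules[i].dport == dport)) {
            *why = rules[i].why;
            return rules[i].action;
        }
    }
    *why = "implicit deny";
    return DENY;
}

bool jack_may_open(enum proto p, uint16_t dport)
{
    const char *why;
    return evaluate(jack_to_inside, COUNT(jack_to_inside), p, dport, &why) == PERMIT;
}

bool inside_may_open(enum proto p, uint16_t dport)
{
    const char *why;
    return evaluate(inside_to_jack, COUNT(inside_to_jack), p, dport, &why) == PERMIT;
}

int main(void)
{
    /* Constructed attempts from a laptop plugged into a spare jack. */
    struct { enum proto p; uint16_t port; const char *name; } tries[] = {
        { TCP, 443, "HTTPS to the web proxy" },
        { TCP, 143, "IMAP to the mail server" },
        { TCP, 445, "SMB file share" },
        { TCP, 139, "NetBIOS session" },
        { TCP,  88, "Kerberos (domain login)" },
        { TCP, 389, "LDAP (domain login)" },
        { TCP, 135, "MS-RPC endpoint mapper" },
    };
    for (size_t i = 0; i < COUNT(tries); i++) {
        const char *why;
        enum action a = evaluate(jack_to_inside, COUNT(jack_to_inside),
                                 tries[i].p, tries[i].port, &why);
        printf("%-26s -> %s (%s)\n", tries[i].name,
               a == PERMIT ? "permit" : "deny", why);
    }
    return 0;
}
```

The point to check in a real ruleset is the same as in the table: every permit is an explicit port, and the deny rows sit last and match everything, so a protocol nobody thought about (the next worm's port) is dropped rather than passed.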