211 Comments
- angers, on 04/19/2008, -4/+87: Blog owners take a pen and paper: THIS is how everyone should make their blogs. First of all, the text isn't split up in 10 separate pages, and the only thing ON the page is the text we're interested in. Clean and simple.
- jonlarge, on 04/19/2008, -4/+69: I really like the concept of keeping track of "good" software instead of "bad" software
- Rivetgeek, on 04/19/2008, -3/+64: in the trash where they belong.
- toxicityj, on 04/19/2008, -11/+72: Where's Norton and McAfee?
- Chalks777, on 04/19/2008, -1/+45: Well, seeing as it hasn't succumbed to the digg effect yet, I'd say that was a pretty smart idea.
- waspinator, on 04/19/2008, -20/+63: lies. hacking IS cool
- Muncher, on 04/19/2008, -0/+38: Actually, I wish more of the internet was like this. More content, less shiny crap.
- Rivetgeek, on 04/19/2008, -10/+47: "If you're a security practitioner, teaching yourself how to hack is also part of the "Hacking is Cool" dumb idea."
This is the most retarded statement ever made. That's like saying firemen shouldn't learn how fire works because no two fires are the same. While I respect Mr Ranum for his work with Tenable and others, this statement is just plain wrong. Plus, maybe in a perfect world penetration testing wouldn't be needed, but this isn't a perfect world and you're damned well better be able to run a few footprinting scans and have the ability to test for buffer overflows. This sounds to me like someone is trying to push the idea of "Don't bother learning, just go buy a subscription to Nessus and we'll do the work for you!"
- canthraxp, on 04/19/2008, -2/+38: ""Penetrate and Patch" can be applied to human beings, as well as software,"
That sounds terribly wrong.
- MioTheGreat, on 04/19/2008, -2/+37: >but the first time you open a program on Mac OS X Leopard, it will say something to the effect of "You downloaded this program from the Internet. Are you sure you want to run it?"
Windows Vista and XP SP2 both do that.
- darkwing602, on 04/19/2008, -1/+32: There's a difference between learning specific version exploits and learning a methodology.
- akkibaba, on 04/19/2008, -2/+31: Every day the signal-to-noise ratio of Digg comments gets worse. If you didn't read the article, why did you bother to come here and comment?
- Lunarbunny, on 04/19/2008, -1/+22: I remember that they blacklisted certain apps at my high school. Stupid in 2 ways: 1 was that it was a blacklist, and 2 that it was by filename. So after the Quake 3 Arena demo got popular on the school network, they blocked quake3.exe. What happened? Everybody renamed it different things. I personally renamed it msword.exe
- frontporsche, on 04/19/2008, -5/+25: "if 'Penetrate and Patch' was effective, we would have run out of security bugs in Internet Explorer by now. What has it been? 2 or 3 a month for 10 years?"
- scp429, on 04/19/2008, -1/+21: From: A Mac OS X, FreeBSD, OpenBSD, Linux user
It's this mindset that will doom us all. All current architectures/platforms/etc. can and will be compromised. The sooner you realize this, the better off you will be.
- Chalks777, on 04/19/2008, -2/+19: I think his point is that people are spending too much time trying to hack, and not enough time trying to secure. That's how I read it anyways.
- ActiveMatx, on 04/19/2008, -0/+15: Finally a tech story on digg. Unfortunately, it has very few diggs. I miss the days when I compared slashdot to digg.... unfortunately, this doesn't work anymore...
- lucutus, on 04/19/2008, -1/+16: My thoughts exactly.
Personally I think this guy's a bit off in some of his basics.
Ignore all traffic you didn't predict and list? Unless you know everything your entire user base does, you are going to break something. Don't learn anything about hacking? OK, I am glad I am not on your network and I hope our InfoSec folks don't listen to you.
Reminds me of admins who vow to unplug everything in the name of security and force employees to justify the need for access to one site.
The internet is a terrible thing to waste.
- dood, on 04/19/2008, -0/+14: I do, too, but I don't think it'll ever see wide adoption. If the OS prompts people too frequently, they're just going to click Yes on everything, and eventually try to work around the security software.
On top of that, the security software is basically expecting everyone to be aware of all that goes on in their computer, which is not all that reasonable.
That all said, I am heavily in favor of signed applications, with some way to easily verify the signature against an official online (or on "known good" physical media) source.
- digitalagent, on 04/19/2008, -2/+16: Kind of funny that the one thing everyone seems to hate about Vista (and most turn off after a few annoying messages) is a large part of his theory: engineer software not to avoid running bad apps, rather engineer software to run only good apps.
- diggduggjoe, on 04/19/2008, -0/+12: As Scotty would say, "The more plumbing they put in, the easier it is to clog up the drain!!"
HTML is fine, I hate sites that require me to have Java and Flash just to see the corporate logo with the obligatory image of hard working office workers. Sites which cut to the meat are not that bad.
- pantsbandit, on 04/19/2008, -1/+13: Whitelist would be incredibly complicated and people would just add malware to the whitelist because they'd be enticed by names like 'freeporn.exe' and so on and would think the malware was legitimate programs. The other things he writes about are obvious, such as default permit firewalls, but they are so old I don't think I've ever even seen one and I've used computers for some time. He also throws IE out as an example of patching not working, to give all the fanboys a hard-on I suppose, but his solutions are worse than patching for sure, especially for average users. Advanced users should have a choice on how to secure their computing, but it must be easy for noob users, and there are many more noob users than advanced users, just fyi, and the current strategy is about as good as it gets for them. Noob users are never going to be safe because they will always fall for tricks; after they get infected a few times they will learn proper security, that's really the only way they're ever going to get secure. In my opinion advanced users already have the tools they need to be secure. I've personally not had a virus since XP SP1, running Vista x64 for a year now and it blocks everything and I know not to execute .exes from unknown entities.
- mrsteveman1, on 04/19/2008, -2/+14: To do that the kernel has to be involved, and your 3 daily apps make up less than 1% of the stuff that actually runs on YOUR computer, almost all the time.
You have to authorize and sign every piece of code you want to run, even little stuff like cp, mv, rm, or del, copy, xcopy in Windows etc.
- TheDaveBoy, on 04/19/2008, -0/+11: Then just press the ***** thumbs up button and stop spamming digg comments. This gets more and more like YouTube every day.
- Ouze, on 04/19/2008, -1/+11: more after the jump
- mookieXL, on 04/19/2008, -2/+11: Just report him.
- sinembarg0, on 04/19/2008, -0/+9: Then I could append a couple random bytes on the end of the exe and give it a different hash...
- redfox2600, on 04/19/2008, -0/+9: First off Vista does that too, in fact they even made it into an Apple commercial; ironic how hypocritical a company can be, huh? Second off http://security.itworld.com/5013/mac-hacked-first- ...
- aywwts4, on 04/19/2008, -0/+9: Yes his whole "Hacking is Cool" section was really saying that it is a dumb idea to know your enemy.
Without security experts who worked on "hacking" their own systems, we would all think WEP is secure and god knows what else, while nefarious crackers would be able to attack with complete and utter impunity. We owe nearly all of our security advances to these good hackers.
Teaching yourself how to be a script kiddie and all the latest leet'est 'sploits is indeed foolish; teaching yourselves the methodology of an attack, what to look for, what defenses get in your way. Really there aren't that many ways to hack a network; new vulnerabilities are found all the time but they are usually the same old attacks with new applications. If you don't know anything about your enemy, what the hell can you do to stop them? That's simply security through blithe ignorance, something I have run into time and time again: "Oh we are secure." Oh yeah? *plugs in a thumb drive* Here are all the social security numbers of your students you are leaking on to the network, here are all the network resources you are sharing to the general public, here is a list of passwords that can be cracked in less than a minute. And that is just what an unintelligent automated script kiddie could find.
If you don't audit your own security, using recent methodology, you are plugging your ears, closing your eyes, and humming "I am secure, I am secure, I am secure" over and over again.
- bndocksnt, on 04/19/2008, -1/+10: what an ignorant comment. as mio points out, vista and sp2 for xp both warn you if you're running a program for the first time, etc. trying to blame these issues on a single operating system is lazy.
- giantsfan134, on 04/19/2008, -0/+8: You have really made a great point, FOR ME TO POOP ON!
http://arstechnica.com/journals/apple.ars/2008/03/ ...
- Nanite, on 04/19/2008, -0/+8: Not every brilliant Computer Science nerd needs to know something as pedestrian as CSS. :)
- inactive, on 04/19/2008, -1/+8: Good article. One point I want to bring up is that the author uses one of many meanings for the word "hacker".
From what I can tell, he implies hacking is a malicious art. That is not always the case; hacking can be used for very useful and extraordinarily good, well-meaning things and as such can, in some contexts, be labeled a "cool thing".
- crazysamz, on 04/19/2008, -2/+9: Ever heard of UAC dumbass??? Windows prompts you too. And I don't get why people think UAC is soo annoying when nobody complains about Mac OSx or linux doing the same thing...
- Chalks777, on 04/19/2008, -2/+8: oh man, me too. I really wish there was a program that stopped _everything_ from running except the programs I authorized. If there already is one, then I wish I knew about it.
I've always heard this referred to as making a "whitelist" instead of a "blacklist".
- johneyoung, on 04/19/2008, -1/+7: This list was very underwhelming, and in some cases idiotic (#5: Educating Users). This mentality will stop any progress we stand to make, because at some point, inevitably, you are the "user".
- pmr12002, on 04/19/2008, -2/+8: Blacklisting in this way can work but only if implemented properly. Windows Server 2003 has a way of blacklisting programs based on making a hash value and blocking the program based on that hash value.
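The three policies argued over in this thread (Lunarbunny's filename blocklist that a rename defeated, sinembarg0's point that extra bytes change a hash, and pmr12002's hash-based blocking) side by side. This is an added example, not code from the thread or from Ranum's essay; the program bytes are constructed and the function names are hypothetical.

```python
# Added example: compares a filename blocklist, a content-hash blocklist and a
# content-hash allowlist (default deny) on constructed in-memory "programs".
from __future__ import annotations
import hashlib

# Constructed sample program contents; not real executables.
GAME = b"MZ\x90\x00 constructed quake3 demo bytes"
WORD = b"MZ\x90\x00 constructed word processor bytes"


def sha256_hex(data: bytes) -> str:
    """Content hash: renaming a file does not change it, editing one byte does."""
    return hashlib.sha256(data).hexdigest()


def filename_blocklist_allows(name: str, blocked_names: set) -> bool:
    """Filename blocklist: anything not on the list runs, so a rename slips past."""
    return name.lower() not in blocked_names


def hash_blocklist_allows(data: bytes, blocked_hashes: set) -> bool:
    """Hash blocklist: survives a rename, but any changed byte is a new hash."""
    return sha256_hex(data) not in blocked_hashes


def hash_allowlist_allows(data: bytes, allowed_hashes: set) -> bool:
    """Hash allowlist, default deny: only content an admin approved may run."""
    return sha256_hex(data) in allowed_hashes


def evaluate_policies() -> dict:
    """Returns {case: (filename_blocklist, hash_blocklist, hash_allowlist)};
    True means that policy would let the program run."""
    blocked_names = {"quake3.exe"}
    blocked_hashes = {sha256_hex(GAME)}
    allowed_hashes = {sha256_hex(WORD)}
    cases = [
        ("game as shipped", "quake3.exe", GAME),
        ("game renamed", "msword.exe", GAME),                  # the rename from the thread
        ("game plus trailing bytes", "quake3.exe", GAME + b"\x00"),  # same program, new hash
        ("approved app", "winword.exe", WORD),
        ("approved app renamed", "notepad.exe", WORD),         # allowlist keys on content, not name
    ]
    return {
        label: (
            filename_blocklist_allows(name, blocked_names),
            hash_blocklist_allows(data, blocked_hashes),
            hash_allowlist_allows(data, allowed_hashes),
        )
        for label, name, data in cases
    }
```

Only the allowlist column denies every unknown variant without an administrator having to enumerate each one first, which is the "enumerate goodness" argument the thread keeps circling back to.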
- canthraxp, on 04/19/2008, -1/+7: Thank you for converting a server security article into an OS fanboy "my dick is longer" battle.
- Kyan, on 04/19/2008, -1/+7: And if your company is smart, you're fired for being an idiot.
- Gathalimay, on 04/19/2008, -0/+6: @ jonjonr6 (reply fails)
but for those 10,000 diff software applications, there are 123496871767590845 bad applications. Now which is easier to keep track of?
- mrsteveman1, on 04/19/2008, -0/+5: Code signing. You can do it in Linux but it's ridiculously difficult manually, and none of the distros seem to care enough to do it for you.
- NoDitchDigging, on 04/19/2008, -4/+9: I first read this like two years ago, and it really affected the way I look at computer security at the base level. The author has been in the security business for a very long time, having written one of the first firewalls ever. He is also a very, very good speaker. I really encourage you to check out the speeches he has posted (click "Computer Security" and then click "Speeches"). Some very good material here, particularly in how he looks at the quality of computer software viewed from a traditional engineering perspective.
- KibibyteBrain, on 04/19/2008, -0/+5: What company would you trust to have no interests or to never want to compromise behavior on your systems? Microsoft, Apple, Google have all been caught doing unethical things. And for example digg has at least done things that its users have not liked. And, if someone compromises someone you have whitelisted, you are just doomed. Whitelists won't fix any trust issues at all, as the issue you are discussing is that of trust, and trust is always a dynamic and personal matter with little structure or reason. For example, a surgeon I may trust with my life would not be trusted to get his billing 100% right.
- dsmx, on 04/19/2008, -0/+5: That's such a waste; the disks make nice coasters and enough of them can make a very nice lamp.
- mllawso, on 04/19/2008, -0/+5: Sometimes you have to change the configuration of an already deployed piece of software, thus creating new, unexpected vulnerabilities.
- Cerebron, on 04/19/2008, -0/+5: I always feel bad when I fix someone's computer and they have those installed. I recommend a free alternative so they don't have to pay to renew their subscriptions, but it's ultimately up to them and they like their warm fuzzies that Norton/McAfee offer.
- captainiceman, on 04/20/2008, -0/+5: Dugg for turd polish.
- ProfBagelwood, on 04/19/2008, -3/+8: This would be safer, sure, but it would also absolutely cripple innovation. Open source projects, which are typically safer than things that are written poorly and depend on "security by obscurity," would hardly ever make it onto the registry of approved software, and so the adoption rates of open source software would decrease since users would be afraid of it. If you want to promote good coding practices and secure computing, then promote open source development models.
Furthermore, if this kind of far-reaching registry was ever made, guess what would become a target? The bad guys would intercept and forge the list updates, or maybe they'd just overwhelm and disable the servers. The "arms race" would continue, but there'd be a single, central point of vulnerability for the good guys.
- thedude42, on 04/19/2008, -1/+6: Yeah, that has to be the dumbest statement. Understanding how a family of exploits work is key in developing secure code since you'll know what to look for. Like, if you didn't know that printf functions could be exploited, you may fall victim to someone else's bad advice of always using printf even when you just want to print a stdout message. In this case, knowing the exploit would prevent the need to patch in the future, ergo knowledge of the hack makes the code less likely to contain coded exploits.