Decius wrote: Dagmar wrote: It is Clue.
Argh. Why'd you have to post something so inflammatory on a day when I have movers in my apartment? I must respectfully disagree. The number one most destructive idea in computer security is that it's a good thing to write quasi-utopian "everyone in the entire industry is crazy except me" essays that give clueless people the belief that they are privy to THE answer. I'm sure it works wonders for Ranum's business. However, it is neither constructive nor useful.
They are dumb ideas because there are easier and more reliable ways to do these things. There is no THE answer, but Ranum is clearly identifying the where and the why of how these six notions fail and fail spectacularly when they do so.

1. Default Permit. It depends on the context. I think that default permit is a bad idea in the email world, for example, but most people are, for some reason, far more interested in getting the odd unsolicited communique than they are in living without spam. This is, perhaps, because the whole idea of the internet is to enable people to easily communicate. It's possible that over time people will tire of all the openness, and if they do, no one will be happier than computer security people, but for the time being some applications are going to be default permit, and it's not the computer security community that drives that.
I don't recall him discussing email in that section, but basically, if default deny were applied to email, then we'd only allow non-executable mails through and quarantine everything else. The shops that I've seen doing this have been rather successful at it, if for no other reason than that when a stubborn employee does go out of their way to double- and triple-click for pictures of naked teenage tennis stars, there's still a copy left on the quarantine server as well as the information about where it came from. They might have a user with a blank hard drive, but they've at least retained very invaluable information about what exactly happened so they can start working towards keeping it from happening again. Trying to determine "goodness" OR "badness" of the text portions of email is something that's going to have to be left up to artificial intelligence researchers for some time to come.

2. Enumerating Badness. He argues in the default permit section that "It takes dedication, thought, and understanding to implement a 'Default Deny' policy" and then immediately proceeds to argue that it's less expensive to implement a Default Deny policy than to enumerate badness and that most of the computer security industry is a sham! He is, of course, wrong (why did we write NFR?!). While you might have to pay $30 to buy a product that enumerates badness, in general, that badness is the same for everyone. Your goodness is specific to you, and so you're going to have to hire someone to custom configure it for you, and they are going to charge you a hell of a lot more than $30.
Offhand I'd say the reason NFR was written is because of the data in the graph... When that program started, you could easily enumerate badness because there wasn't a whole hell of a lot of it. There was always some you wouldn't know about, but it was rare enough to not cause early hair loss and an increase in stock valuation for the company making Tums. Another good explanation is innocence/ignorance--at the time, it seemed like an effective solution, and it was effective enough, but now we're finding that anomaly detectors have much lower false negatives (meaning they call foul just in case so a human can look at it) and do a more thorough job of spotting fishy things than Omniscient Detectors of All Known Evils.

His Enumerate Goodness anti-virus system sounds somewhat reasonable until you realize that decent worms and viruses disable things like that, but if you want to live in a world where you absolutely must get permission from the IT department in order to run anything, it's coming, and it's called Palladium, and I will concede that people are going to do it, and it will prevent some security woes. It will also prevent a lot of work from getting done, and smart people won't use it.
Dude, in the office I work in now (and it wouldn't be the first one, either) I'm technically supposed to get permission from the IT department in order to install anything. It drives engineers nuts, but in most offices that's simply the way things are because after rebuilding users' hard drives enough times, even the most pacifistic technicians begin to start looking a little wild around the eyes and begin to gaze at sharp pointed objects with a wistful expression. ...and for that matter, if suddenly Microsoft stopped sucking so much, or maybe bought some company that had a few stainless steel clues, they might actually implement a code-signing base so that only signed code can be executed, and code can only be signed when the computer is in a specific state (i.e., someone logged in as the administrator account specifically approving a set of binaries). This would be enumerating goodness and it would be much more likely to succeed where their cockeyed implementation of "security zones" failed fairly fscking miserably. Honestly, enumerating goodness on the desktop could and would work quite a bit better than enumerating badness, if anyone actually tried it, if for no other reason than the amount of badness out there is absolutely ludicrous now. Even if every single file on the typical XP desktop were carefully enumerated as "good" it wouldn't hold a candle to the length of the list of evils out there.

3. Penetrate and Patch. If people simply wrote software that didn't have vulnerabilities, there wouldn't be any need to patch things! WOW! Brilliant! The inevitable result is going to be that some hapless admin somewhere is going to need to patch a critical flaw and he'll be told by his boss's boss that he has a "penetrate and patch" mentality. Wonderful.
The fact is that no one has designed a vulnerability-free computer, and while we do appreciate systems that are more failure tolerant, such as OpenBSD, and wish businesses adopted them more often, until such time it is foolish to fault researchers for continuing to look for flaws and admins for continuing to patch them. The changes he seeks can only come about through the things he derides:
I know you work for a company that does that very sort of testing, but honestly, how many times have you seen companies do anything more than just "penetrate and patch" fixes? I can't entirely fault you for calling foul on this point, because Ranum only barely suggests a "somewhat" solution for it, but he is at least correct in that an exclusively "penetrate and patch" methodology is useless. It falls right into the same race condition that we've lectured people about for years--assuming that you are the smartest admin or have the leetest code around. There's always someone just a little bit smarter, or luckier, or faster, and penetrate and patch falls prey to that. If people were more into default deny, penetrate and patch would likely become a lot less prevalent, if for no other reason than that you'd have a much shorter list of things to audit.

4. Hackers aren't cool. Yes, please, let's return to the halcyon days of 1989 when anyone who published vulnerability research ended up on an FBI watchlist and the unemployment rolls (clears throat, recent drama notwithstanding). Everything was much better then. And what's with this argument that teaching yourself about system penetration is a patch dependent skill!? There are larger concepts that one learns through such a process that everyone involved in computer security needs to understand. How can you design hack-proof security systems if you don't know the first thing about hacking?
I'd like to agree with you both, but unfortunately, you're wrong in some key places in your reasoning. For one, in 1989 more people seemed to have been catching hell for security research than now because then it was a big grey area and more people took the risk. Now we pretty much *know* that there's huge continent-sized pieces of legislation forbidding you from ever looking at GIF images cross-eyed with dark and foreboding penalties for anyone who dares do so. (i.e., the DMCA.) So no one's taking the risk, and those who do wind up spending most of DragonCon burning through the entire lifetime of their cell phone in a few days. ...although frankly I'd really like to see hacking become un-cool again, just to get the dim-witted click-tewl-using script kiddies the hell out of my sight. We as hackers definitely _are_ looking to break rules, and by and large we do it for our own reasons of curiosity and don't often disrupt anything, let alone profit from it in any direct or significant way, but that doesn't mean that we're not looking to engage in some form of "crime". We are, but that's not the problem. The problem is one of "monkey-see, monkey-do". Dimwits and out-and-out greedy people see that there's a quick way to get access to lots of things that don't belong to them which they can utilize to realize substantial and direct personal gains. Those people see this as "cool" and generally turn hacking into something that is nearly the difference between an academic environment, and an Intellectual Property Holders Convention hosted by the American Bar Association. The morons out there don't have the self-control that the real hackers do, and they make life hell for everyone.
Not to quote science fiction authors or anything, but when you decide it's time to throw away the rules of society and live by your own, then your own rules have to be stricter, more thought out, and more rigorously adhered to than the normal rules of society or you're just another lawless barbarian.

5. Educating Users. Spoken like a true engineer! On my list of bad ideas in computer security is the notion that any solution which is not absolute is useless. Give me a fucking break. I suppose we should also avoid teaching people about personal hygiene because some people won't get it and we can just hand out antibiotics anyway. If educating people is such a waste of time why did he bother to write this article?
Because he's not paying us. I've definitely got to chalk the presence of the movers you mentioned up to this one, but you're missing the point. He's not saying that companies shouldn't educate their users. He's saying that they are doing the wrong thing by not firing the ones who are so incompetent that they still need training to be able to properly handle their own passwords. Basically, user education to prevent the most common problems in IT would simply not be necessary if these people were at least competent to begin with. I'll offer that I do agree with #6.
Well, we know that because you're not running Gentoo. ;)

RE: The Six Dumbest Ideas in Computer Security
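The default-deny mail gate and the "enumerating goodness" allowlist argued over above, rendered as a small worked model. This is an added example, not code from the thread, from NFR or from Ranum's essay; the allowlist and denylist contents, the sample message, the sender address and the relay address are all constructed. It shows the two properties the reply claims for default deny: an attachment type nobody has seen before is still stopped, and the quarantine record keeps a copy (here its hash) plus where it came from, so an incident can be reconstructed afterwards.

```python
"""
Default-deny versus default-permit handling of mail attachments.

Added example (not from the thread): models the policy described in the
discussion above. Everything below -- the lists, the message, the addresses --
is constructed sample data.
"""
import hashlib
import os
from dataclasses import dataclass

# Enumerating goodness: the short list of attachment types we positively accept.
# Anything not on this list is denied, including types we have never heard of.
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg"}

# Enumerating badness, for contrast: a denylist only knows about yesterday's threats.
KNOWN_BAD_EXTENSIONS = {".exe", ".scr", ".vbs"}


@dataclass
class Attachment:
    filename: str
    content: bytes


@dataclass
class Message:
    sender: str
    origin_ip: str          # relay the message arrived from (constructed value)
    attachments: list


@dataclass
class QuarantineRecord:
    """What the quarantine server keeps: the file's hash and its provenance."""
    sha256: str
    filename: str
    sender: str
    origin_ip: str
    reason: str


def extension(filename: str) -> str:
    return os.path.splitext(filename.lower())[1]


def quarantine(message: Message, att: Attachment, reason: str) -> QuarantineRecord:
    return QuarantineRecord(
        sha256=hashlib.sha256(att.content).hexdigest(),
        filename=att.filename,
        sender=message.sender,
        origin_ip=message.origin_ip,
        reason=reason,
    )


def default_deny(message: Message):
    """Deliver only allowlisted types; quarantine everything else with provenance."""
    delivered, quarantined = [], []
    for att in message.attachments:
        ext = extension(att.filename)
        if ext in ALLOWED_EXTENSIONS:
            delivered.append(att)
        else:
            quarantined.append(quarantine(message, att, f"type {ext or '(none)'} not on allowlist"))
    return delivered, quarantined


def default_permit(message: Message):
    """Deliver everything except denylisted types; unknown types sail through."""
    delivered, quarantined = [], []
    for att in message.attachments:
        ext = extension(att.filename)
        if ext in KNOWN_BAD_EXTENSIONS:
            quarantined.append(quarantine(message, att, f"type {ext} on denylist"))
        else:
            delivered.append(att)
    return delivered, quarantined


# Constructed sample message: two benign documents, one denylisted type, and one
# type that appears on neither list (the case a denylist cannot catch).
SAMPLE_MESSAGE = Message(
    sender="alice@example.com",
    origin_ip="192.0.2.10",
    attachments=[
        Attachment("report.pdf", b"%PDF-1.4 constructed sample"),
        Attachment("photo.jpg", b"\xff\xd8\xff constructed sample"),
        Attachment("setup.exe", b"MZ constructed sample"),
        Attachment("update.cmd", b"@echo constructed sample"),
    ],
)


def run_sample() -> dict:
    """Run both policies over SAMPLE_MESSAGE and return the filenames each routes where."""
    deny_ok, deny_q = default_deny(SAMPLE_MESSAGE)
    permit_ok, permit_q = default_permit(SAMPLE_MESSAGE)
    return {
        "default_deny_delivered": sorted(a.filename for a in deny_ok),
        "default_deny_quarantined": sorted(r.filename for r in deny_q),
        "default_permit_delivered": sorted(a.filename for a in permit_ok),
        "default_permit_quarantined": sorted(r.filename for r in permit_q),
    }


if __name__ == "__main__":
    for key, names in run_sample().items():
        print(f"{key}: {names}")
```

The difference between the two policies is exactly the file on neither list: default permit delivers it, default deny holds it, and the record it holds still names the sender and the relay it came from, which is the point made above about being able to work out what happened after the fact.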