Tuesday, September 13, 2005

6 Dumb Ideas

Marcus Ranum has an interesting article on "The Six Dumbest Ideas in Computer Security".

I agree with "Default Permit", "Penetrate and Patch" and "Action is Better Than Inaction". I could do without the Sun Tzu reference, regardless of what he did or did not say. That reference gives the impression that your management isn't to be trusted. (See "user" reference below.)

I had to read all of "Enumerating Badness" before agreeing with it. It's AKA "log file reduction".

I slightly disagree with his position in "Hacking is Cool", only because the only currently available alternative amounts to "ignorance is bliss".

I take issue with his "Educating Users" section, as it comes across as "don't trust your users" and the need to "protect people from themselves". However, I'm not saying that I disagree with him. I just don't like how he stated the issue.

"The Minor Dumbs" are mostly spot-on, though the root of the problem (IMO) is the security vendors that promote those ideas in the first place. Every single "minor dumb" originates in the marketing fluff that management reads on a regular basis.