The Six Dumbest Ideas in Computer Security
Marcus Ranum (smart guy and security expert) has an interesting new essay on common fallacies in security. It is a good, thought-provoking article.
A few personal thoughts/reactions:
I'd think that 'default deny' is pretty obvious and would now be the norm. But even understanding the idea, I tend to forget that it's an issue beyond simply firewall rules:
Another place where "Default Permit" crops up is in how we typically approach code execution on our systems. The default is to permit anything on your machine to execute if you click on it, unless its execution is denied by something like an antivirus program or a spyware blocker. If you think about that for a few seconds, you'll realize what a dumb idea that is. On my computer here I run about 15 different applications on a regular basis. There are probably another 20 or 30 installed that I use every couple of months or so. I still don't understand why operating systems are so dumb that they let any old virus or piece of spyware execute without even asking me. That's "Default Permit."
In the past I've tended to enumerate badness with cookies in my browser, but recently I cleared all my cookies and set the default to deny. Instead of a huge, complicated list of crap sites which need to be denied (I'd had the browser ask me before setting a cookie and usually said "no"), I now have a simple, small list of good sites. Enumerating badness is clearly wrong: unscalable, unmanageable. Plus, enumerating goodness sounds so much better for karma.
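The cookie allowlist described above, and the "Default Permit" quote before it, boil down to one decision: is the fallback for an unknown site allow or deny? This added example (my illustration, not code from the post or from Ranum's essay; the site names are constructed) runs both policies over the same requests, and matches hosts on whole domain labels so that a subdomain of a good site passes while a lookalike such as example.com.evil.example does not.

```python
"""Default deny versus enumerating badness, as a cookie policy check."""
from urllib.parse import urlsplit

# Constructed sample lists (not real sites): a short allowlist of trusted
# sites and a denylist built the "enumerate badness" way.
GOOD_SITES = {"example.com", "bank.example"}
BAD_SITES = {"tracker.example", "ads.example"}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, trailing dot removed."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def in_list(host: str, sites: set) -> bool:
    """True if host is a listed site or a subdomain of one.

    Matches whole domain labels, not string suffixes, so that
    'example.com.evil.example' does not count as 'example.com'.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in sites for i in range(len(labels)))


def allow_cookie_default_permit(url: str) -> bool:
    """Enumerating badness: anything not on the denylist gets through."""
    return not in_list(host_of(url), BAD_SITES)


def allow_cookie_default_deny(url: str) -> bool:
    """Enumerating goodness: only allowlisted sites may set cookies."""
    return in_list(host_of(url), GOOD_SITES)


def compare(urls):
    """Run both policies over the same requests: {url: (permit, deny)}."""
    return {u: (allow_cookie_default_permit(u), allow_cookie_default_deny(u))
            for u in urls}


if __name__ == "__main__":
    # Constructed requests, including a brand-new site neither list knows:
    # default-permit lets it through, default-deny does not.
    results = compare([
        "https://www.example.com/login",
        "https://tracker.example/pixel.gif",
        "https://never-seen-before.example/",
        "https://example.com.evil.example/",
    ])
    for url, (permit, deny) in results.items():
        print(f"{url:42} default-permit={permit!s:5} default-deny={deny}")
```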
I've been an advocate for penetration testing and I think I still am after reading this article. I certainly understand his point that when:
...design (or their security practices) are so fundamentally flawed [then] no amount of turd polish is going to keep the hackers out.
I don't see testing simply as a means to achieve security by identifying and closing individual holes. I see it as a way to come up with a laundry list of flaws to take to management and engineers, to show them the scope of the problem in their product. Confronted with a large, broad problem, they either ignore it, patch and ignore it, or sit down and say, "Whoa." If you can scare them enough for the latter, maybe then they decide to architect security into the product up front instead of simply patching it on afterwards, which doesn't work.
I've read some descriptions of computer crime as a social problem. It's clear enough that computers and networks "...increase the emotional ease of crime." But it's an interesting twist to approach the problem not with "Hacking is Cool" (i.e., promoting script kiddies into white-hat attackers) but with "Good Engineering is Cool". This is a major irritation for me. Most programmers are not software engineers and are not interested in engineering discipline. Other engineering disciplines could not get away with the crap product that most software is.