Marcus Ranum wrote The Six Dumbest Ideas in Computer Security. I should preface this by saying I’m not a security expert. I’m a person who believes there are no experts in security. Here are my thoughts…
Default Permit
To recap the article — Default Permit means everything that isn’t banned is allowed. Default Deny means everything that is not allowed is banned.
I like his thinking here. I’m almost inspired to write a spam filter based on this, but it’s too easy: configure your email client to deliver all messages to a spam folder, then use the built-in rules system to move good messages to the inbox. Spammers use so many tactics to foil keyword and Bayesian “Default Permit” filters that they wouldn’t stand a chance against a white-list only system — for a while.
However, he also wants it applied to the OS. That would be quite complicated. I’d personally like to see newly installed apps forced to run in a sandbox where they are only allowed limited access to resources. I can’t stress enough that allowing a digitally signed application to automatically bypass the sandbox is a bad idea. I’d want each new non-OS application to be required to run at least once in the sandbox and require user action to graduate from the sandbox. The sandbox would have more zones than just in or out. You could have a new/untested zone, a standard local zone (access only to its self-created preferences and documents; opening a document created by another program would require user intervention), a standard LAN zone (like standard local with fine-grained access to intranet documents and/or resources), a standard Internet zone (like standard local but can access the Internet in limited ways), a game zone that allows the game to be played fullscreen and grab the keyboard and mouse, etc. Many applications would not need to graduate from the sandbox completely. It would need to be a better designed sandbox than the one in Java Web Start.
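The zoned sandbox sketched above, as an added example that is not from the original post: a default-deny policy table where every zone lists what it allows outright or only after a user prompt, a digital signature never changes the zone, and graduating to a wider zone requires at least one sandboxed run plus explicit user action. The zone and resource names are constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed zone table. "allow" is granted silently, "prompt" needs user
# action each time, and anything else is denied (default deny).
ZONES = {
    "new":      {"allow": set(), "prompt": set()},
    "local":    {"allow": {"own_prefs", "own_docs"}, "prompt": {"other_docs"}},
    "lan":      {"allow": {"own_prefs", "own_docs", "intranet"}, "prompt": {"other_docs"}},
    "internet": {"allow": {"own_prefs", "own_docs", "internet"}, "prompt": {"other_docs"}},
    "game":     {"allow": {"own_prefs", "own_docs", "fullscreen", "grab_input"}, "prompt": set()},
}

# Permitted graduation steps; there is no route that skips the "new" zone.
NEXT_ZONE = {
    "new": {"local", "game"},
    "local": {"lan", "internet"},
    "lan": set(), "internet": set(), "game": set(),
}


@dataclass
class App:
    name: str
    signed: bool = False   # recorded but deliberately never consulted
    zone: str = "new"
    runs: int = 0


def request(app: App, resource: str) -> str:
    """Answer a resource request from the app's current zone: allow / prompt / deny."""
    zone = ZONES[app.zone]
    if resource in zone["allow"]:
        return "allow"
    if resource in zone["prompt"]:
        return "prompt"
    return "deny"


def run(app: App) -> None:
    """Record one sandboxed run of the application."""
    app.runs += 1


def graduate(app: App, target: str, user_confirmed: bool) -> bool:
    """Widen the zone only after a sandboxed run, with user action, along an allowed step."""
    if app.runs < 1 or not user_confirmed or target not in NEXT_ZONE[app.zone]:
        return False
    app.zone = target
    return True
```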
Of course, if a virus pops up a message like “Sorry, we can only show you female naughty bits outside the sandbox.” it may still spread.
Enumerating Badness
This is probably better known as Blacklisting. It’s a special case of Default Permit.
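The spam-filter idea from the Default Permit section and the blacklisting point made here, as an added example that is not from the original post: a keyword blacklist (enumerating badness) delivers anything it has not been told about, while the rules-on-top-of-a-spam-folder approach delivers only what an allow-list of senders and domains explicitly admits. The mailbox, phrases and addresses are constructed.

```python
import re

# Constructed sample mailbox: (sender, subject).
MAILBOX = [
    ("alice@example.org", "Lunch on Thursday?"),
    ("promo@unknown-shop.test", "FREE MONEY inside"),
    ("newsletter@otherplace.test", "Limited time offer, act now"),
    ("bob@example.org", "Re: Lunch on Thursday?"),
]

# Default Permit: a blacklist of known-bad phrases. A message is delivered
# unless it matches something already enumerated as bad.
BAD_PHRASES = [r"free money"]


def default_permit(mailbox):
    """Deliver everything except messages matching an enumerated bad phrase."""
    inbox = []
    for sender, subject in mailbox:
        if any(re.search(p, subject, re.I) for p in BAD_PHRASES):
            continue  # goes to the spam folder
        inbox.append((sender, subject))
    return inbox


# Default Deny: every message starts in the spam folder; only a rule that
# matches an allowed sender or domain moves it to the inbox.
ALLOWED_SENDERS = {"alice@example.org"}
ALLOWED_DOMAINS = {"example.org"}


def default_deny(mailbox):
    """Deliver only messages from explicitly allowed senders or domains."""
    inbox = []
    for sender, subject in mailbox:
        domain = sender.rsplit("@", 1)[-1]
        if sender in ALLOWED_SENDERS or domain in ALLOWED_DOMAINS:
            inbox.append((sender, subject))
    return inbox
```

The allow-list keys on the sender address, which a mail client reads from a header the sender writes, which is why the post says the white-list would hold up only "for a while".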
Penetrate and Patch
His argument in a nutshell is that if companies designed secure applications, there would not be security flaws. Yeah, right. I’m sure the Internet Explorer team decided to design a hackable browser, and probably figured it was the quickest way to a huge market share.
I’ll admit, if I designed a product that required 3 security fixes a month for >12 months, I’d look for the design flaw instead of patching symptoms.
Hacking is Cool
He says hacking is a social problem and using hackers to do “penetration tests” is a bad idea. No real objection here. But making the woman who talks too loud on the phone all day in the next cube think her computer is exploding is cool. It’s a social problem: you get rid of society and I promise to never do it again.
Educating Users
Educating the users is kind of like blaming the victims. If your security policy requires all (or most) users to be smart and conscientious then it has already failed. (Kind of like an evacuation plan that calls for everyone to use their own cars and screw the people without and those in nursing homes and hospitals.) I believe you should only hire smart people. However I also believe it is hard to tell who the smart ones are, and even the smartest people do dumb things from time to time.
Action is Better Than Inaction
He argues that sitting on the fence and waiting for others to do your analysis work is better than getting your hands dirty. Ugh, I hate this attitude.
I bought a new car last year, a brand new model. The finance guy at the dealership launches into this story telling me I’m stupid for buying this car because others haven’t bought it. He tells me he used to live on a farm in Texas and his daddy would never use a new type of seed or chemical until his neighbors used it. I said “Hope you had honest neighbors.” I loathe people who won’t take risks, mostly because they refuse to recognize the risks they do take. For instance, this stupid hayseed finance guy didn’t realize that I could have told the salesman and his supervisor that he was trying to sabotage sales.
The author of the article goes on to relate a story about posting a message to a bulletin board to get insights on a product. Any product, no matter how good or bad, is bound to have users that love it and users that hate it. Let’s assume that you get ahold of a few honest people without too many axes to grind. You’ll only hear whether the product fit their needs. You don’t know if they did any research or if they had unrealistic expectations. Of course, you might wind up taking a sales-guy-incognito (either for the product or their competitor’s product) to lunch and only get marketing information. In these days of astroturf (fake grass-roots campaigns), spin control, talking points, memes and what-not, public opinion is not reliable; it is something that can be controlled. Determine your current needs, speculate on future needs, do your research (including public opinion taken with a huge grain of salt), make a short list and then test the product yourself.
Let’s suppose everyone followed this guy’s advice. If I were to make a super secure OS designed using his ideas, he would never use it because no one would be willing to make the first move. This guy is (or has been) the CEO of a security company, so he is used to giving out unworkable advice. I hope his company had a nice big list of customers before he started handing out this nugget of wisdom. I’ve worked for one start-up that died before finding its first customer; of course we had a list of thirty that promised to be the second customer.
Bottom Line
He has some good ideas. In the end, it comes down to common sense, and that is not so common.