Best security Article I've read in a long time.

[Moby-Dick]

http://www.ranum.com/security/comput...itorials/dumb/

The Six Dumbest Ideas in Computer Security

What a great read - its not an OS specific rant , but as set of idea I found to be well presented and equally well thogught out.

I shall certainly be doing my best NOT to implement any of them

[TheAnimus]

an intresting project i made a while back was a block on loading, before any proccess could be created, any library loaded, it had to be in the allow list, if it changed, it would scream at you. I wounder if i should dig that out and see if i can satisfy myself that i could make it work for administrator users with debug privledges.... would be quite usefull no?

(anyone who's instrested in making lists of allowed software, or GUIs email me, i just like the device driver parts of such projects, i've got the code lying about somewhere).

[badass]

http://www.ranum.com/security/comput...itorials/dumb/

The Six Dumbest Ideas in Computer Security

What a great read - its not an OS specific rant , but as set of idea I found to be well presented and equally well thogught out.

I shall certainly be doing my best NOT to implement any of them

Oddly enough the default deny approach is exactily the approach I shall be taking to lock down works computers and protect them form web based malware in general. I have warned the boss that it will take a *lot* of testing however.

[peterb]

Basic premis should be deny all except those services that MUST be enabled. And the second is defence in depth - don't rely on just one product/technique. Third is don't be complacent - make sure all your software has the latest patches, and review your security policy frequently to ensure it still meets your needs - and of course, follow it!

[Paul Adams]

Interesting, but more aimed at corporate environments than home users I feel.
A few personal observations of the "top 6" points rasied:

1. Can you imagine an OS with a "default deny" approach that a regular home user would try to use? I would guess that right now even with secure environments being possible, most users run with administrative privileges.
This would definitely be appropriate for the workplace though - I have encouraged the practice of disabling USB ports & floppy drives and removing the ability for users to install software wherever possible (really annoys developers though!).

2. "Enumerating Badness" is, as the author says, a specific case of "default permit", so I believe this has the same caveats as the above.

3. "Penetrate and Patch" is often the only way to analyse legacy applications, but I fully agree with the concept that code being developed today should have security as part of the design process, not testing.
Totally agree with the nonsense which is public disclosure of vulnerabilities and "proof of concept" code.

4. I'm not sure the "hackers" are particularly concerned about whether it appears cool to the general public or not, as they often do it for a challenge to impress their peers (who naturally consider it "cool") or anonymously (possibly for gain).
I don't share the optimisim that reducing the public image of "hacking" would be that significant a deal.

5. "Educating Users" - yes, yes and YES. Educate the users as to how to use their systems and the risk and significance of other issues is reduced. I would place this higher in the list of importance, however.
Again, educating users in a corporate environment is much easier than expecting to achieve global awareness.

6. "Action better than inaction" - I too have seen the wounds of people trying to use cutting edge technology (but then if noone adopted the technology it will never take off or mature, so it's a catch 22).


The author seems to have some idea of what he is talking about, but I disagree with his prioritization of the points.
In the real world, having a static environment with a nice sandbox of "good" applications that never even have version updates is a rarity.

I would have rejigged his list to make a top 10, as some of the minor points are more common and merit public awareness, but it was a good read and nice to see the views of those with concepts of security.

[Paul Adams]

And at the other end of the scale we have this kind of thing as reported by The Register.

Seems to be a combination of cutting edge, lack of security in the design and a complete lack of awareness of security (both the people hosting the system and those using it).
Think twice before using public computers (especially if you have a mistress it seems ).

[peterb]

Which comes back to the top three security measures.. "User education, user education and user education"

[Big RICHARD]

Interesting, but more aimed at corporate environments than home users I feel.
A few personal observations of the "top 6" points rasied:

1. Can you imagine an OS with a "default deny" approach that a regular home user would try to use? I would guess that right now even with secure environments being possible, most users run with administrative privileges.

I agree to an extent, but shouldn't the option be available to everyone, including home users, in order to allow them, if they so wish, to use 'default deny'? Just because there will be several users in the market who can't understand, let alone make use of, a 'default deny' system, it doesn't mean that the option shouldn't be available for those users who would wish to make use of such a system at home.

[Paul Adams]

I agree to an extent, but shouldn't the option be available to everyone, including home users, in order to allow them, if they so wish, to use 'default deny'? Just because there will be several users in the market who can't understand, let alone make use of, a 'default deny' system, it doesn't mean that the option shouldn't be available for those users who would wish to make use of such a system at home.

It's a double-edged sword.

Corporate environments can have test labs and processes to ensure the integrity of the builds and impact of applying any changes, one of the major benefits is provided by having more than one box to work with and it not being a big issue if it is broken and has to be flattened.

When it comes to IT literacy for home users there is a vast range of knowledge levels from "it frightens me" to "I know everything" - the ones in the middle ground are the dangerous ones that might find such a feature and play with it, managing to lock themselves out of their own machine (and of course complain that "it just broke itself").
The same kind of principle that has people following the instructions of a guy who says "these are the services you absolutely must disable, and delete these registry keys and modify these files"... without a clue of the real impact of what they are doing or any kind of regression plan.

Ironically, the people that might like such a feature for a home system are possibly those that are aware of hardening processes and don't need it.

Also, I am sure that many people when presented with an "application X is trying to apply a dooberry firkin to the wotsit" message will click the "OK, whatever, just stop hassling me" button as a knee-jerk reaction anyway (and there are a lot of people that actually complain when their personal firewall product does exactly this).

[Big RICHARD]

It's a double-edged sword.

Corporate environments can have test labs and processes to ensure the integrity of the builds and impact of applying any changes, one of the major benefits is provided by having more than one box to work with and it not being a big issue if it is broken and has to be flattened.

When it comes to IT literacy for home users there is a vast range of knowledge levels from "it frightens me" to "I know everything" - the ones in the middle ground are the dangerous ones that might find such a feature and play with it, managing to lock themselves out of their own machine (and of course complain that "it just broke itself").
The same kind of principle that has people following the instructions of a guy who says "these are the services you absolutely must disable, and delete these registry keys and modify these files"... without a clue of the real impact of what they are doing or any kind of regression plan.

Ironically, the people that might like such a feature for a home system are possibly those that are aware of hardening processes and don't need it.

Also, I am sure that many people when presented with an "application X is trying to apply a dooberry firkin to the wotsit" message will click the "OK, whatever, just stop hassling me" button as a knee-jerk reaction anyway (and there are a lot of people that actually complain when their personal firewall product does exactly this).

True, but the option should still be there, otherwise we REALLY should stop home users from utilising 'start -> run -> regedit', by the same token!

[aidanjt]

I think more importantly Microsoft and application developers need to encorage users to stop using with administrative privilages, so when a user clicks "yea yea, whatever/OK", any kind of trash has much more of a problem getting on the system.. In fact, half of the current 'home' programs I've installed and tried out on Windows this year required Administrative rights to run certain software properly, and I really couldn't be bothered having to 'run as' administrator for everything. It really is rediculous that at a time where pure multi-user systems exist application developers are still going about writting single-user apps, games are especially criminal at this point for no reason at all other than lazy/sloppy work.

regedit isn't much of a problem providing its use is restricted, thus the Default Deny policy should be applied to mainstream operating systems. Disabling services not essential to the system booting will mean the user will learn the consquences of enabling whatever service they're after in course of figuring out 'how' to install/enable it.. This kind of aproach is what makes OpenBSD so secure.