Dagmar wrote: It is Clue.
Argh. Why'd you have to post something so inflamitory on a day when I have movers in my apartment? I must respectfully disagree. The number one most destructive idea in computer security is that its a good thing to write quazi-utopian "everyone in the entire industry is crazy except me" essays that give clueless people the belief that they are privy to THE answer. I'm sure it works wonders for Ranum's business. However, it is neither constructive nor useful.
1. Default Permit. It depends on the context. I think that default permit is a bad idea in the email world, for example, but most people are, for some reason, far more interested in getting the odd unsolicited communique then they are in living without spam. This is, perhaps, because the whole idea of the internet is to enable people to easily communicate. Its possible that overtime people will tire of all the opennness, and if they do, no one will be happier then computer security people, but for the time being some applications are going to be default permit, and its not the computer security community that drives that.
2. Enumerating Badness. He argues in the default permit section that "It takes dedication, thought, and understanding to implement a 'Default Deny' policy" and then immediately proceeds to argue that its less expensive to implement a Default Deny policy then to enumerate badness and that most of the computer security industry is a sham!
He is, of course, wrong (why did we write NFR?!). While you might have to pay $30 to buy a product that enumerates badness, in general, that badness is the same for everyone. Your goodness is specific to you, and so you're going to have to hire someone to custom configure it for you, and they are going to charge you a hell of a lot more then $30.
His Enumerate Goodness anti-virus system sounds somewhat reasonable until you realize that decent worms and viruses disable things like that, but if you want to live in a world where you absolutely must get permission from the IT department in order to run anything, its coming, and its called palladium, and I will conceed that people are going to do it, and it will prevent some security woes. It will also prevent a lot of work from getting done, and smart people won't use it.
3. Penetrate and Patch. If people simply wrote software that didn't have vulnerabilities, there wouldn't be any need to patch things! WOW! Brilliant! The inevitable result is going to be that some hapless admin somewhere is going to need to patch a critical flaw and he'll be told by his boss's boss that he has a "penetrate and patch" mentality. Wonderful. The fact is that no one has designed a vulnerability free computer, and while we do appreciate systems that are more failure tolerant, such as OpenBSD, and wish businesses adopted them more often, until such time it is foolish to fault researchers for continuing to look for flaws and admins for continuing to patch them. The changes he seeks can only come about through the things he derides:
4. Hackers aren't cool. Yes, please, lets return to the halycon days of 1989 when anyone who published vulnerability research ended up on an FBI watchlist and the unemployment rolls (clears throat, recent drama notwithstanding). Everything was much better then. And whats with this arguement that teaching yourself about system penetration is a patch dependent skill!? There are larger concepts that one learns through such a process that everyone involved in computer security needs to understand. How can you design hack proof security systems if you don't know the first thing about hacking?
5. Educating Users. Spoken like a true engineer! On my list of bad ideas in computer security is the notion that any solution which is not absolute is useless. Give me a fucking break. I suppose we should also avoid teaching people about personal hygiene because some people won't get it and we can just hand out anti-biotics anyway. If educating people is such a waste of time why did he bother to write this article?
I'll offer that I do agree with #6.
Decius says exactly what I was thinking.
