September 2005
« Aug   Oct »


I am The Cyberwolfe and these are my ramblings. All original content is protected under a Creative Commons license - always ask first.
Creative Commons License

The Six Dumbest Ideas in Computer Security

This article needs to be required reading for every programmer and developer in the world. It is a bit long winded, but I think I can actually combine two things into one. Here’s a shorter version:

#1 Default Permit and #2) Enumerating Badness really point in the same direction.

The idea here is that computers today either do everything unless told not to or let everything in unless told not to. This means you have to spend your time looking for all the things in the world they shouldn’t be playing with. Exhausting to even think about!

What they should be doing is only what we tell them to and allowing in the same. Brilliant concept, no? Here’s an example: a Blacklist vs. a Whitelist.

A blacklist is, of course, a list of all the things you shouldn’t do or people you shouldn’t talk to. Your Anti-virus client has a list over 75,000 items long of things not to do, that has to be updated weekly, if not daily.

A whitelist, on the other hand, is a list of things you should do or people you should talk to. How many programs do you use daily? Three? Maybe up to seven? That list just got orders of magnitude shorter. And how often do you install something new? Maybe once a month?

Obviously, implementing a whitelist-type security policy would benefit a corporate environment the most, where computers are used more as tools rather than entertainment consoles, but the home user would still see some benefits – like an end to spyware.

Here’s something that made his list only peripherally: Ease-Of-Use. In the early days, computers could only be used by people who had specific training. To generate a greater demand for computers and thus bolster the profit margin, they had to make them easier to use so more people could do so and grow dependant on them in their daily lives.

This has unfortunately led us to a situation where the average computer user knows nothing about how the computer actually works – which in turn means that to get anything done, the software needs to be designed to function on a single click of a mouse. That one click can now have the effect of executing millions of lines of malicious code, with the user none the wiser.

Me, I think we should ease up on the user-friendly bit and force the user to gain a little education and think about what they are doing. Yes, I realize that this would end up alienating a chunk of the userbase, but the ones who don’t want to learn are the ones that make it bad for everyone.

-Begin Rant-

And yes, I realize how much of an asshole I sound like right now. The fact of the matter is that I billed nearly $2000 worth of time last month fixing problems due to user stupidity. This includes corporate customers who experienced a loss of revenue on top of the fees they paid to me in lost productivity in their workers. This could add up to increased cost of services that these companies provide, leading to inflation after it builds up, which means my hard-earned dollar goes a shorter distance.

And really, is education and learning such a bad thing? Look where un-education and an unwillingness to think have gotten us: Bush was elected by people who are mostly religious – people who, by definition, are not used to thinking for themselves. Instead, they are taught to have faith – faith that their leaders know what’s best for them. This ends up rolling over into their everyday lives, and they end up having faith that the phishing scam they just got emailed comes from a legitimate source. Having that one-click-ease-of-use means that a simple act of faith ruins them financially.

Paranoia can be a virtue, if it makes you think.

-End Rant-

Comments are closed.