Sunday, August 08, 2004
It's NOT about the technology
Quotes for the day
Security entrepreneur and programmer Marcus Ranum said some pithy things recently about security technology.
His main point is
Well, there are 2 ways to negate 90% of your risk:
a) do a few simple, obvious things that are not very fun
-or-
b) spend a ton of money on products and process
to which he adds the opinion
Computer security, as it's done today by most practitioners, is
fundamentally a con. It's a con the same way that most diet foods
and "lose weight fast" schemes are a con: they cost a lot and they
only work if you do something sensible that would have worked
REGARDLESS of whether you were following the rules of the
diet. Because, basically, successful diets involve taking in less
than you burn.
and challenges conventional wisdom with
9) Don't waste your time patching
a) if you're running code on an internet-facing
system that has a history of needing
patches every week, you're running
the wrong code
and tells network administrators
12) No, your users do NOT need that stupid new chat/file sharing/
net-meeting/remote-control/powerpoint sales tool/virtual FAX
garbage - it IS dangerous
The complete article including technical issues
Discussion
Yes, he's blunt.
Diets are a good analogy. For normal people (the kind this blog is written for) computer security is exactly as much fun as dieting and exercising. The fun level drops even lower because whether it's weight loss or computer security you have to keep working at it forever.
Dilbert has a coworker in IT called Mordac the Preventer. Everyone thinks that Mordac is there to prevent productivity. If you think that describes your company's IT department, maybe they're just following the advice above. They may seem arbitrary when they're actually protecting the company network.
When you're back at home you're the network administrator. I'd say do "waste your time" patching but eventually replace software that's constantly requiring security fixes. Start with replacing Internet Explorer -- the alternatives are faster and more fun. And do use appropriate technology. Antivirus software can protect you against surprises, firewalls reduce your exposure, and both are cost-effective. Just don't kid yourself that they make you "secure". Your antivirus software and your pepper spray are useful tools, but both on the street and online it's your alertness that keeps you safe.