Dumb security ideas

There's a lot of dumb security out there, and Marcus Ranum has assembled a top-6 list of dumb security ideas. The list:

  1. Default Permit
  2. Enumerating Badness
  3. Penetrate and Patch
  4. Hacking is Cool
  5. Educating Users
  6. Action is Better Than Inaction

Now, “Educating Users” is a Good Idea™.

With a perfect OS no files or executable code could be “bad”, because they could do no harm, but in the real world that OS doesn't exist, so users need education and skilled sysadmins who can shield them from bad things. I'm pretty sure this is what Marcus means, except that he thinks it's possible to shield users so much that they can't harm anything and can't be harmed. I don't think this is realistic.

Picking “Educating Users” as the title of a dumb idea will be misunderstood by many, so it should have been called something else or perhaps left out entirely.

Another gem found in the list was a link to a local copy of Personal observations on the reliability of the Shuttle, which is excellent; I think all engineers and technical people should read it.