The Six Dumbest Ideas in Computer Security

39 points by neic, over 8 years ago

6 comments

bryanrasmussen, over 8 years ago
I sort of feel that whoever made this site should have read an article somewhere entitled The Six Dumbest Ideas in Web Design.

Also, amusing quip 'if "Penetrate and Patch" was effective, we would have run out of security bugs in Internet Explorer by now.' although I guess the real case would be the less pithy 'if "Penetrate and Patch" was effective, we would have run out of security bugs in Internet Explorer 6 by now.'

also if Penetrate and Patch could be replaced by someone just writing a browser that was not hackable because it was not supposed to be hackable which browser is that?

I mean I understand that a system hardened by trial and error is not as enticing as a system made hard from the start, without holes, but I guess there are very few of these to be found and probably what is best is a system that has been tried to be made as hard as the programmers could from the beginning and then tested for holes after that.

I mean listing penetrate and patch as a dumb idea sounds like one of those jokes - The only thing stupider than using Penetrate and Patch to fix security holes is not using it at all. Probably I exaggerate there but (given the number of companies that don't even do that) I don't think I exaggerate by much.

On Edit: I mean I sure use the phrase I mean a lot. Sorry about that, have some long running conflicts at work that are boiling over right now. Probably shouldn't comment on articles, but I do it to take my mind off things.

cestith, over 8 years ago
The author states that learning how to compromise a system is wasteful and stupid. On the level of learning to use a particular exploit that's hot this week, that's true. Learning how a class of exploits takes advantage of a class of security bugs is a good way to spot where those bugs are in your code and to evaluate how well you're avoiding them.

CM30, over 8 years ago
This point sounds like it wasn't thought out very well:

"In fact, if I were to simply track the 30 pieces of Goodness on my machine, and allow nothing else to run, I would have simultaneously solved the following problems:"

Well, yes. If you're like your mum, dad or grandparents and barely install new software at all it could work fine.

Not so much if you're a web developer that regularly installs new software to make your dev environment easier to use or you like playing computer games (even less those available through digital services/on sale/made by amateurs or fans).

Cause in cases like those, I can see any 'good apps' list rivalling the virus ones in the anti virus programs he mentions.

bradknowles, over 8 years ago
I'm tempted to use Marcus' words against him. With much love, of course. ;)

If tallying up the six dumbest ideas in computer security was a good way to fix the problem, then the industry would have solved this issue years ago.

But man, did I always love the idea of a Network Flight Recorder.

dsfyu404ed, over 8 years ago
It's often a lot less resource intensive to enumerate and filter out the first hundred thousand kinds of badness you encounter on a daily basis leaving you with a smaller pool of stuff that requires more than a cursory check. There's no need to do more than a simple analysis on plain text emails, without attachments where all senders/recipients are in the organization.

You actually need to do the whole penetrate and patch thing as a part of your entire security system. It can't be relied upon to tell you everything but not doing it at all is similarly dumb.

nxzero, over 8 years ago
>> "hacking is a social problem"

There are a lot of social problems in the world, but hacking in the true sense is more like a social cure than a problem.