Via Slashdot I got The Six Dumbest Ideas in Computer Security.
I've tried to keep this light-hearted, but my message is serious. Computer security is a field that has fallen far too deeply in love with the whizzbang-of-the-week and has forsaken common sense. Your job, as a security practitioner, is to question - if not outright challenge - the conventional wisdom and the status quo. After all, if the conventional wisdom was working, the rate of systems being compromised would be going down, wouldn't it?
It verges on brilliance because it states the obvious so clearly. The first idea, Default Permit, is seriously at the root of all...I repeat, ALL...Internet security issues. The second, Enumerating Badness, is interesting because Corporate America (a.k.a. Microsoft) has tried to address it, and all the geeks in the world called it an attempt to hide the truth.
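To make the first two ideas concrete, here is an added example (not code from Ranum's essay or from this post) contrasting a Default Permit policy that enumerates badness with a Default Deny policy that enumerates the few services a host is meant to offer. The port lists and the sample traffic are hypothetical and constructed for the demonstration.

```python
# Added example: a tiny policy evaluator contrasting "Default Permit" +
# "Enumerating Badness" (blocklist of known-bad ports) with "Default Deny"
# (allowlist of the services this host is actually meant to expose).
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    dst_port: int
    proto: str = "tcp"


# Hypothetical blocklist: ports of services known to have been abused.
KNOWN_BAD_PORTS = {23, 135, 139, 445}          # telnet, msrpc, netbios, smb

# Hypothetical allowlist: the only services this host is meant to expose.
PERMITTED_SERVICES = {(22, "tcp"), (443, "tcp")}


def default_permit(conn: Connection) -> str:
    """Enumerating badness: block what we know is bad, allow everything else."""
    if conn.dst_port in KNOWN_BAD_PORTS:
        return "deny"
    return "allow"


def default_deny(conn: Connection) -> str:
    """Enumerating goodness: allow what we know we need, deny everything else."""
    if (conn.dst_port, conn.proto) in PERMITTED_SERVICES:
        return "allow"
    return "deny"


# Constructed sample traffic: a legitimate HTTPS request, a known-bad SMB
# probe, and a connection to a service nobody has put on any list yet
# (say, a database that was accidentally bound to all interfaces).
SAMPLE_TRAFFIC = [
    Connection(443),
    Connection(445),
    Connection(5432),   # the "unknown" case is where the two policies differ
]


def evaluate(policy) -> dict:
    """Map each sample destination port to the policy's verdict."""
    return {c.dst_port: policy(c) for c in SAMPLE_TRAFFIC}


if __name__ == "__main__":
    for name, policy in (("default permit", default_permit),
                         ("default deny", default_deny)):
        print(f"{name:15}: {evaluate(policy)}")
```

Both policies agree on the known-good and known-bad cases; only Default Deny refuses the service that appeared after the blocklist was written, which is the whole point of the first two "dumb ideas".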
But my favorites are the dead-obvious ones, like Penetrate and Patch:
"Penetrate and Patch" is a dumb idea best expressed in the BASIC programming language:
10 GOSUB LOOK_FOR_HOLES
20 IF HOLE_FOUND = FALSE THEN GOTO 50
30 GOSUB FIX_HOLE
40 GOTO 10
50 GOSUB CONGRATULATE_SELF
60 GOSUB GET_HACKED_EVENTUALLY_ANYWAY
70 GOTO 10
...Let me put it to you in different terms: if "Penetrate and Patch" was effective, we would have run out of security bugs in Internet Explorer by now. What has it been? 2 or 3 a month for 10 years?