
Frater 219's Journal: Security is like the Tao.

You cannot make a stream run quietly by dumping more boulders into it. You cannot make a computer system secure by running more software on it.

The antivirus model, the software firewall model, and to a certain extent the NIDS model, are all built on the precept that running more software can make your system more secure, provided that it is the right software. If only you buy the right product -- install the right virus definitions file -- do the right upgrade, your system will be secure. Meanwhile, systems keep getting cracked and worms keep spreading.

"I eat lots of diet food, but I'm still fat." "I install all these security programs, but I still get cracked."

The insecurity of Windows default installs is not due to their well-known failure to install sufficient security features. It is due to their quiet installation of an excess of insecure features.

If you are in a position to need antivirus software, your problem is not viruses. If you are in a position to need a rootkit detector, your problem is not rootkits.

"Best practices" cannot improve "worst design".

When you receive virus spam in your email, do not blame the idiot who clicks on attachments. Do not blame the asshole who writes viruses. Neither of them put the feature to execute active content in the idiot's email program.
