
Journal Frater 219's Journal: Fallacies & Falsities of Security

"Securing systems or programs is basically about closing the holes and weaknesses that let hackers in." Rather, security is about correctly modeling in software and hardware the trust relationships that people have regarding their computing resources and data. It is about making computer systems behave in the way that their operators want and trust them to behave, with respect to such things as authorized use and availability. It isn't about patches; it's about correctness.

"A firewall is essential to keeping a network secure by rejecting attacks." A firewall is nothing more or less than a network bridge or router that selectively drops packets. It does not "block attacks" or "forbid unauthorized access" -- it drops packets. Sometimes this is a useful thing to do on a network segment in order to provide assurance as to what sorts of activity won't come in over that segment. This can be useful in modeling trust: if you block port 23 with a firewall, you can guarantee that nobody outside can send port-23 packets through that segment. That's not the same as saying that nobody outside can do unencrypted login to any machine inside ...

"If a program crashes, that only means it's unreliable, not that it's insecure." In fact, many forms of attack against programs are first discovered as ways to make the program crash with a piece of malformed input. If your FTP server dumps core when I send it an excessively long username, that's probably because it's overflowing a buffer. Breaking in is just a matter of overflowing that same buffer with the right data.
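The crash described above and its fix, as an added example that is not part of the original journal entry. The function names, the 32-byte buffer size and the sample input are assumptions made for illustration; the reply codes are the standard FTP ones.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 32   /* assumed buffer size for this example */

/* The pattern behind the crash: no length check before the copy, so a long
 * username writes past the end of `user`. Shown for contrast, never called. */
int handle_user_unchecked(const char *line, char user[USERNAME_MAX])
{
    if (strncmp(line, "USER ", 5) != 0)
        return 500;
    strcpy(user, line + 5);            /* BUG: copies without a bound */
    return 331;
}

/* Checked version: measure first, reject what does not fit, then copy. */
int handle_user_checked(const char *line, char user[USERNAME_MAX])
{
    const char *arg;
    size_t len;

    user[0] = '\0';
    if (strncmp(line, "USER ", 5) != 0)
        return 500;                    /* syntax error, command unrecognized */
    arg = line + 5;
    len = strcspn(arg, "\r\n");        /* username ends at CR/LF or NUL */
    if (len == 0 || len >= USERNAME_MAX)
        return 501;                    /* syntax error in parameters */
    memcpy(user, arg, len);
    user[len] = '\0';
    return 331;                        /* user name okay, need password */
}

int main(void)
{
    char user[USERNAME_MAX];
    char longline[512] = "USER ";      /* constructed input: 300-byte username */

    memset(longline + 5, 'A', 300);    /* rest of the array is already zero */
    printf("%d\n", handle_user_checked("USER alice\r\n", user));
    printf("%d\n", handle_user_checked(longline, user));
    return 0;
}
```

The checked version turns the oversized username into an ordinary protocol error instead of a memory write, which is the difference between "unreliable" and "insecure" that the paragraph draws.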

"All software has bugs, and bugs lead to holes -- so from a security perspective it doesn't really matter what software I use, since I'll need to patch it anyway." The fact of the matter is that some software projects release programs that are consistently more reliable than others. Some projects release software that is easier to patch than others. Some projects release software that is better documented, and its behavior better understood, so that you can set it up with more accurate trust relationships. In short, some software is more correct than other software, and you can reduce the amount of time you spend fixing broken software by choosing software that is less broken. Anyone who tells you that all software is buggy is a cynic; anyone who tells you that all software is equally buggy is trying to sell you IIS.
