Related link: http://www.ranum.com/security/computer_security/editorials/dumb/
OK, looks like everybody has already blogged about this and the smoke from the mailing list fights has cleared a bit. Its a very fun piece, everybody involved with security in some shape or form must read it. However, do not treat the document as the “Revelations of St Marcus” :-) For example, his stance on hacking (combined with apparent lack of clarity in how he defines it…) will certainly raise same major league heckles. And, while being a visionary like Marcus Ranum does require you to step back from reality a bit, the step IMHO should not be too big…
The Basic code from #3 was entertaining.
10 GOSUB LOOK_FOR_HOLES
20 IF HOLE_FOUND = FALSE THEN GOTO 50
30 GOSUB FIX_HOLE
40 GOTO 10
50 GOSUB CONGRATULATE_SELF
60 GOSUB GET_HACKED_EVENTUALLY_ANYWAY
70 GOTO 10
The article was interesting, and although you take some issue with his comments on hacking, I do see the focus on hacking skills misplaced. He'd rather see us glorify great engineers, but who's going to go see a movie about square programmer types who made a really modular SMTP server?
We've glorified hacking for the same reason we still talk about famous outlaws. People like the dark side, and "Enumerating Badness" is a better band name than "Secure Architecture". The world of computer security will continue to cause St. Marcus concern because the problems he identifies as "dumb" are just manifestations of larger societal issues. Why build door locks when we could just end world hunger and poverty? Because reality intervenes. Why incarcerate millions of people (enumerating badness)? When we could just invest in our communities?
I agree with much of what he says, but I'm still going to pay Symantec to "enumerate badness". Who's going to be the first to set up a Cafe Press tore that sell shorts emblazoned with "Badness Numerator"?