The Dumbest Ideas in Computer Security

I've been trying to enjoy the waning days of summer on my weekends and after work, and I actually went almost two weeks without going online from home until one day last week. But once I did go online, I had quite a few virus definitions to download for my antivirus software (which also needs a subscription renewal later in the month).

I shouldn't have been surprised how many virus definitions were developed in a span of two weeks, but the download took some time.

So on Friday when I was reading Bruce Schneier's security blog and saw a link to Marcus Ranum's "The Six Dumbest Ideas in Computer Security" I took note of one in particular: Dumb Idea No. 2, according to Ranum, is "Enumerating Badness."

It's a dumb idea because sometime around 1992 the amount of Badness in the Internet began to vastly outweigh the amount of Goodness. For every harmless, legitimate, application, there are dozens or hundreds of pieces of malware, worm tests, exploits, or viral code. Examine a typical antivirus package and you'll see it knows about 75,000+ viruses that might infect your machine. Compare that to the legitimate 30 or so apps that I've installed on my machine, and you can see it's rather dumb to try to track 75,000 pieces of Badness when even a simpleton could track 30 pieces of Goodness.

Ranum goes onto point out that if you developed a security model that focused on using the good instead of tracking the bad, you solve the problems of spyware, viruses, trojans, and exploits involving executing pre-installed code that you don't use regularly.

Is anyone out there in security listening?