« The Urban Explorers Are Coming
Whither Cinequest »

Bad Security Models

Recently sent to me was a piece of commentary published by Maj. Vanessa Johnson, commander of the Air Force’s 407th Expeditionary Communication Squadron. In it, she decries “anonymity” - really traffic-filtering circumnavigation - as a security risk. In her words:

Anonymous browsing circumvents protections in place to ensure harmful spyware or viruses aren’t inadvertently downloaded and spread on the network. When someone uses an anonymizer to access restricted sites, they expose the network to an unacceptable level of risk.


Major Johnson, if the only thing protecting the Air Force’s networks is an URL filter dumb enough to be fooled by a pseudonymous proxy, that’s a pretty sad state of affairs. If you’ve got computers on your network that aren’t running up-to-date antivirus software, you’ve got bigger problems than people trying to check up on their friends’ blogs.

Computer security works best at the user end. Trying to keep malware off a vulnerable network ignores completely the largest, oldest, and most insurmountable flaw in computing - the human element. Never underestimate the ignorance and stupidity of computer users.

If you want absolute internet security, don’t blacklist bad sites - blacklist everything, and whitelist the sites you want people to be able to access. It’s pretty much that simple.

On the other hand, if, as I suspect, you really want to prevent people from accessing productivity-reducing (or resource-consuming) websites like MySpace and YouTube, be honest about why you’re doing it, rather than disingeniously claming people are “jeopardizing the security of our government network” by doing so. That pip on your collar doesn’t exempt you from your precious integrity, Major.

(Update: At least some Jarhead geeks block access to one widespread anonymous network, though almost certainly more for monitoring reasons than security ones. The USMC, in fact, apparently doesn’t accept traffic from TOR, either. Almost certainly unnecessary overkill, but more accepting of the human realities of computer security than Major Johnson’s opinions.)

Published in: General, 'D' for 'Dumb', Geekiness, Security | on March 9th, 2007|

You can leave a response, or trackback from your own site.

Leave a Comment