10 Immutable Laws of Security
After yesterday's net-buzz about a rogue mailbox archive application, it's worth reminding ourselves about a classic security article: 10 Immutable Laws of Security
- Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
- Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
- Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
- Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
- Law #5: Weak passwords trump strong security
- Law #6: A computer is only as secure as the administrator is trustworthy
- Law #7: Encrypted data is only as secure as the decryption key
- Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
- Law #9: Absolute anonymity isn't practical, in real life or on the Web
- Law #10: Technology is not a panacea
Item #1 is particularly important in relation to yesterday's news!
If you install an application on your machine, you are implicitly granting it a certain level of trusted access -- so you had better be sure you know and trust the source of that application.
Posted by Jorgen Thelin at March 11, 2008 09:00 AM