
The Six Dumbest Ideas in Computer Security (2005) - jwecker
http://www.ranum.com/security/computer_security/editorials/dumb/
======
cperciva
Two more dumb ideas which ought to be on this list:

1. "Given enough eyeballs, all bugs are shallow". The fact is that most
eyeballs are useless because they're not capable of seeing the problems. Some
bugs simply can't be found unless the person looking for them has particular
technical expertise. (Side-channel attacks against cryptography are my personal
area of interest, and history indicates that at least 99.99% of eyeballs
aren't useful when it comes to finding these.)

2. "There's a theoretical vulnerability, but nobody will be able to exploit
it in practice." History is full of "purely theoretical" vulnerabilities which
have turned out to be entirely real. This is why mathematicians (or people
with mathematical training, at least) tend to do well in the area of computer
security: If you can't prove that your code is secure, it probably isn't
secure.
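
An added illustration of both points above (a constructed example, not code from the thread or from the commenter): two tag-comparison routines with identical accept/reject behaviour, one of which leaks the secret through how many bytes it examines before returning. A reviewer checking only for correctness sees two equivalent functions, which is the "useless eyeballs" problem; and the leak is exactly the kind of thing dismissed as "theoretical" until someone measures it. The simulated attacker observes only the examined-byte count (a deterministic stand-in for wall-clock time) plus the final verdict, and recovers the whole secret from the early-exit version and nothing from the constant-time one. SECRET_TAG, the function names and the query accounting are all assumptions of the example.

```python
"""Added example (not from the thread): a comparison bug that looks correct.

Two tag checks with identical true/false behaviour. The first returns as soon
as a byte differs, so its running time depends on how many leading bytes of
the guess are right. The attacker model below sees only that running time
(modelled deterministically as the number of bytes examined, a constructed
stand-in for wall-clock measurements) plus the final accept/reject decision.
"""

import hmac
from typing import Callable, Tuple

# Constructed secret for the demonstration; in a real system this would be a
# MAC over the message being authenticated.
SECRET_TAG = bytes.fromhex("7a3f9c0e5b21d4e6")

Compare = Callable[[bytes, bytes], Tuple[bool, int]]


def early_exit_compare(expected: bytes, supplied: bytes) -> Tuple[bool, int]:
    """Textbook equality check. Returns (equal, bytes_examined).

    Functionally correct, and what a reviewer looking for logic bugs will
    wave through. The early return is the side channel: bytes_examined, and
    hence the time taken, grows with the length of the matching prefix."""
    if len(expected) != len(supplied):
        return False, 0
    examined = 0
    for x, y in zip(expected, supplied):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(expected: bytes, supplied: bytes) -> Tuple[bool, int]:
    """Same contract, but every byte is always visited and mismatches are
    accumulated with OR, so bytes_examined is the full length for every input.
    (Written out to show the shape; production code should call
    hmac.compare_digest, which decisions_agree() checks against below.)"""
    if len(expected) != len(supplied):
        return False, 0
    diff = 0
    for x, y in zip(expected, supplied):
        diff |= x ^ y
    return diff == 0, len(expected)


def recover_tag(compare: Compare, length: int) -> Tuple[bytes, int]:
    """Attacker: submits guesses, observes only (accepted, bytes_examined).

    For each position it keeps the candidate byte that made the check run the
    longest, i.e. the one that pushed the first mismatch one byte further on.
    The final byte is confirmed by the accept decision itself. Cost is at
    most 256 * length queries instead of 256 ** length."""
    guess = bytearray(length)
    queries = 0
    for i in range(length):
        best_byte, best_steps = 0, -1
        for candidate in range(256):
            guess[i] = candidate
            accepted, steps = compare(SECRET_TAG, bytes(guess))
            queries += 1
            if accepted:  # a complete forgery; only reachable at the last byte
                return bytes(guess), queries
            if steps > best_steps:
                best_byte, best_steps = candidate, steps
        guess[i] = best_byte
    return bytes(guess), queries


def decisions_agree(samples) -> bool:
    """The correctness-only view: all three checks return the same verdict."""
    for supplied in samples:
        a, _ = early_exit_compare(SECRET_TAG, supplied)
        b, _ = constant_time_compare(SECRET_TAG, supplied)
        c = hmac.compare_digest(SECRET_TAG, supplied)
        if not (a == b == c):
            return False
    return True


if __name__ == "__main__":
    samples = [SECRET_TAG, b"\x00" * 8, SECRET_TAG[:7] + b"\x00", b"short"]
    print("verdicts agree:", decisions_agree(samples))
    leaked, n = recover_tag(early_exit_compare, len(SECRET_TAG))
    print("early-exit:   ", leaked.hex(), "recovered in", n, "queries")
    safe, n = recover_tag(constant_time_compare, len(SECRET_TAG))
    print("constant-time:", safe.hex(), "after", n, "queries")
```

Against the early-exit check the attacker needs at most 256 queries per byte and gets the full tag; against the constant-time check it spends the same budget and learns nothing, because every query returns the same count. Real measurements are noisier than this count, which is what makes the bug look theoretical, but the attacker can repeat queries and average, and the structure of the leak is unchanged.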

~~~
omouse
I think you've mis-interpreted "Given enough eyeballs, all bugs are shallow".

When you have more eyeballs on a project, there is a higher chance that some
of those eyeballs have the technical expertise necessary to find/fix a bug.
For a proprietary/commercial project, the pool of talent available is only
what you can afford but for a free/open-source project, the pool of talent
available is free and very very large provided that you can attract it.

