
Community Comments To Security Absurdity Article 190

An anonymous reader writes, "Earlier this year Noam Eppel's Security Absurdity article generated much debate in the Information Security community (covered on Slashdot at the time). He claimed that we are currently witnessing a 'profound failure' in security. Now the author has posted a follow-up highlighting some of the community comments prompted by the article, titled 'Feedback to Security Absurdity Article — the Good, the Bad and the Ugly.'"
  • by Anonymous Coward on Wednesday November 29, 2006 @12:41AM (#17029226)
    From the article:

    "
            * Don't click on links in email messages. Type the URL in your browser manually.
            * Disable the preview pane in all your inboxes.
            * Read all email in plain text.
            * Don't open email attachments.
            * Don't use Java, JavaScript, and ActiveX.
            * Don't check your email with Microsoft Outlook or Outlook Express.
            * Don't display your email address on your web site.
            * Don't follow links in web pages, email messages, or newsgroups without knowing what they link to.
            * Don't let the computer save your passwords.
            * Don't trust the "From" line in email messages.
            * Never use Internet Explorer and instead switch to Firefox.
            * Never run a program unless you know it to be authored by a person or company that you trust.
            * Read the User Agreement thoroughly on all software you download to ensure it is not spyware.
            * Don't count on your email system to block all worms and viruses.
            * Get a Mac
    "

    Now, how many of those do you think the average computer user knows about? Not many, I think. Most people see features and want to use them so they ignore many of those suggestions. Thus, this common geek sense is not common sense to the average user, and frankly I wouldn't expect the average user to remember or know all of this stuff all of the time unless we tested computer users like we did drivers, and even that has gaping holes.
  • Re:Security of who? (Score:3, Informative)

    by DrKyle ( 818035 ) on Wednesday November 29, 2006 @12:57AM (#17029334)
    Soviets and East Germany were not Nazis, they were communists. Just thought I would point that out.
  • Re:Wrong approach (Score:3, Informative)

    by Duncan3 ( 10537 ) on Wednesday November 29, 2006 @01:23AM (#17029468) Homepage
    *laughs* And yet every worm, trojan, and rootkit uses officially documented APIs to install and do what they do.

    I think you were looking for the language war article. This one is about ignorant users clicking "OK" to things.

  • by Epsillon ( 608775 ) on Wednesday November 29, 2006 @02:21AM (#17029796) Journal
    I know what you're thinking, mods. But it isn't just another "don't use Windows" post. TFA seems to concentrate on the dominant OS, so I will do the same.

    I remember talking someone through setting up Tiscali broadband a few years ago using a Speedtouch and the Tiscali CD. His brand new, shiny Windows XP machine became infected over the connection in under 4 minutes. It's a classic catch-22 situation: You can't update your OS without a connection and you can't go online safely until you've updated your OS.

    How about this: Virtualisation is a reality on most machines nowadays. Why doesn't MS use this technology to set up a simple one-time VM to connect and download from a single SSL connection, the public key of which is compiled into the VM, ignoring all other traffic with the single focus of fetching the patches for the worst vulnerabilities, those which have remote exploits? If this were mandatory before enabling the general TCP/IP stack for WAN connections, Joe Sixpack wouldn't be participating in quite so many botnets. Hello! New connection not in my private address checklist. Disable TCP/IP and get the updates before releasing the user to the big, bad Internet. Please wait whilst I sort my ragged arse out and stop you from becoming another statistic...

    Or have I simply made the problem too simplistic in my own mind? It seems to me that a single connection from a single port over SSL with no intermediate DNS or man-in-the-middle stages makes sense, even more so if part of the download is the MD5 hash of the update image and the VM rejects any image not matching that.

    Bear in mind that the above idea works only for machines using a direct non-RFC1918 or draft-manning address for Internet connections. Those using routers should already be protected from the worst culprits, attack vectors which utilise services running by default, as these usually cannot traverse NAPT, but the feature should include the option to enable manual initialisation over such connections.

    Too simple?
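The single-purpose update fetcher sketched in the post above, as an added example that is not part of this thread and not Windows or any Microsoft code. It assumes a hypothetical update host, a JSON manifest format and a placeholder pin value; it pins the SHA-256 fingerprint of the server's DER-encoded certificate (a simplification of "the public key compiled into the VM") and gates installation on a SHA-256 digest rather than the MD5 the post mentions, since MD5 is no longer collision-resistant. Everything below the network helper runs offline on constructed sample data.

```python
"""Quarantined first-boot update fetch: pinned TLS endpoint plus digest-gated install.

Added example (not from the Slashdot thread or from any vendor code). It models the
commenter's idea: a minimal client that talks to exactly one update host, accepts only
a certificate whose SHA-256 fingerprint is baked in, and refuses any image whose digest
does not match the manifest. SHA-256 is used in place of MD5.
"""
import hashlib
import hmac
import json
import socket
import ssl
from dataclasses import dataclass

# Hypothetical values: in a real build these would be compiled into the VM image.
UPDATE_HOST = "updates.example.invalid"
UPDATE_PORT = 443
PINNED_CERT_SHA256 = "<placeholder: sha256 of the DER-encoded update server certificate>"


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_fingerprint: str) -> bool:
    """Constant-time comparison of the presented certificate against the baked-in pin."""
    return hmac.compare_digest(cert_fingerprint(der_cert), expected_fingerprint.lower())


def open_pinned_connection(host: str, port: int, expected_fingerprint: str) -> ssl.SSLSocket:
    """Open a TLS socket to the single allowed host and enforce the certificate pin.

    Normal chain validation still runs (create_default_context); the pin is an extra
    check, so a mis-issued but otherwise valid certificate is still rejected.
    This function needs a network and is not exercised by the offline demo.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=30)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, expected_fingerprint):
        tls.close()
        raise ssl.SSLError("update server certificate does not match compiled-in pin")
    return tls


@dataclass(frozen=True)
class PatchEntry:
    name: str
    sha256: str


def parse_manifest(manifest_json: str) -> list[PatchEntry]:
    """Parse the (hypothetical) JSON manifest that arrives over the pinned connection."""
    data = json.loads(manifest_json)
    return [PatchEntry(name=e["name"], sha256=e["sha256"].lower()) for e in data["patches"]]


def image_is_authentic(image: bytes, entry: PatchEntry) -> bool:
    """Gate: the downloaded bytes must hash to the manifest digest exactly."""
    return hmac.compare_digest(hashlib.sha256(image).hexdigest(), entry.sha256)


def select_installable(manifest: list[PatchEntry], images: dict[str, bytes]) -> tuple[list[str], list[str]]:
    """Return (accepted, rejected) patch names.

    A missing or tampered image is rejected; the caller keeps the general network
    stack disabled until the rejected list is empty.
    """
    accepted, rejected = [], []
    for entry in manifest:
        image = images.get(entry.name)
        if image is not None and image_is_authentic(image, entry):
            accepted.append(entry.name)
        else:
            rejected.append(entry.name)
    return accepted, rejected


# Constructed sample data standing in for a manifest and two downloaded images.
SAMPLE_GOOD_IMAGE = b"patch-a bytes (constructed)"
SAMPLE_SECOND_IMAGE = b"patch-b bytes (constructed)"
SAMPLE_TAMPERED_IMAGE = SAMPLE_SECOND_IMAGE + b" + bytes altered in transit"
SAMPLE_MANIFEST = json.dumps({
    "patches": [
        {"name": "patch-a", "sha256": hashlib.sha256(SAMPLE_GOOD_IMAGE).hexdigest()},
        {"name": "patch-b", "sha256": hashlib.sha256(SAMPLE_SECOND_IMAGE).hexdigest()},
    ]
})


def demo() -> tuple[list[str], list[str]]:
    """Offline walk-through: one image verifies, the other was altered in transit."""
    manifest = parse_manifest(SAMPLE_MANIFEST)
    images = {"patch-a": SAMPLE_GOOD_IMAGE, "patch-b": SAMPLE_TAMPERED_IMAGE}
    return select_installable(manifest, images)


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the fetcher has nothing else to do: it knows one host, one certificate and one manifest format, so a DNS or in-path tamper either fails the pin or fails the digest, and the machine stays off the general network until the rejected list is empty. A real implementation would also sign the manifest itself, which this example leaves out.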
  • Re:three solutions (Score:3, Informative)

    by MrNonchalant ( 767683 ) on Wednesday November 29, 2006 @02:39AM (#17029888)
    Or:
    4. Realize that doesn't happen anymore because the firewall that ships with SP2 is an adequate defense.

    Network worms targeting out-of-the-box Windows boxes are a thing largely of the past. What may happen is after two months of using the computer and clicking "OK" to those pesky dialogs asking for exceptions to the firewall one of those services may be insecure enough to allow a remote attack. She or he might also get themselves infected via some other method, like surfing the uglier parts of the web with IE6 or opening an executable attachment.
  • Re:three solutions (Score:3, Informative)

    by OldManAndTheC++ ( 723450 ) on Wednesday November 29, 2006 @02:48AM (#17029930)

    Doesn't NAT auto-magically protect you?

    It does until someone tells little Johnny to DMZ his machine so his game will work.

    Fix: use router passphrases that the delinquent is unlikely to guess, like "work is its own reward" or "idle hands are the devil's tools"

  • Re:SP2 Firewall (Score:2, Informative)

    by Virtual_Raider ( 52165 ) on Wednesday November 29, 2006 @03:41AM (#17030156)
    The first that come to mind are the 1900 and 5000 UPnP ports http://www.grc.com/port_1900.htm [grc.com].

    If you fidget a little I'm pretty sure you can unearth some others. For a good reference list where else but here [slashdot.org]?

  • by drsmithy ( 35869 ) <drsmithy@nOSPAm.gmail.com> on Wednesday November 29, 2006 @04:48AM (#17030374)

    I remember talking someone through setting up Tiscali broadband a few years ago using a Speedtouch and the Tiscali CD. His brand new, shiny Windows XP machine became infected over the connection in under 4 minutes. It's a classic catch-22 situation: You can't update your OS without a connection and you can't go online safely until you've updated your OS.

    Yes, you can. Just enable the firewall first.

    How about this: Virtualisation is a reality on most machines nowadays. [...]

    Holy overengineering, Batman! Did you actively try and come up with such an incredibly complicated way of avoiding any incoming network connections, or did it just fall out of its own accord?

    Too simple?

    Vastly more complicated than it needs to be. All you need to do is not allow any inbound network connections or, indeed, any network connectivity at all until the user has updated (or acknowledged the risk). Which is, incidentally, what Windows has been doing for years now.

  • by RAMMS+EIN ( 578166 ) on Wednesday November 29, 2006 @09:21AM (#17032126) Homepage Journal
    ``You can't update your OS without a connection and you can't go online safely until you've updated your OS.

    Yes, you can. Just enable the firewall first.''

    You are aware that there have been a number of exploits that target Windows's firewall, aren't you?
  • by jmodule ( 609349 ) on Wednesday November 29, 2006 @12:50PM (#17035424) Homepage
    From the article:

    "
    * Don't click on links in email messages. Type the URL in your browser manually.
    [snip]

    I hope everyone realizes that this list was given as an example of where IT "best practices" have failed as a solution for the security problem. The whole point was that the existence of such a list is a symptom of the general security failure, and certainly not a recommendation from the author.
