Re: Re[2]: [Full-Disclosure] January 15 is Personal Firewall Day, help the cause
I don't usually comment on this list because of my lack of knowledge, but on this issue I feel qualified to comment since you are commenting on the gray-haired non-tech type, which is what I am. I am 54 and a grandmother. I run Linux now, but when I bought my computer in 1998 I knew absolutely nothing about viruses, worms, or trojans. When I switched to Linux 2 1/2 years ago it was after careful research on it and lots of reading. My incentive was because I was tired of reformat C because of viruses. Having AV did me no good even updating weekly. Sure, Linux in a default install can start some services that make you insecure, but if a person is worried at all they CAN learn about how to become just a little more secure. Am I vulnerable? Sure I am, because I don't have the tech knowledge that others have, but I do have the desire to learn, which is why I join lists such as this. I do have a firewall going which has worked very well because it is easy to close ports and permission specific IP addresses as needed. I update my machine as soon as alerts are posted and a fix is ready. Having a firewall day sounds like a good idea to me. You can never educate people enough because us older folks are joining the online community more and more every day.

br3n

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re[2]: [Full-Disclosure] January 15 is Personal Firewall Day, help the cause
On Thu, 15 Jan 2004, Joris De Donder wrote:

>
> > There have been a lot of 'complaints' or FUD replies concerning the
> > efforts for personal firewall day, 1/15/04, yet not a single, "this would
> > work much better" replies or offerings. do any of the unsupporters have
>
> The main problem is the user. Annie for example opens/runs every
> attachment she receives. Now if you say to Annie that all she needs to
> do to be secure is installing (buying) a PFW (from a short list of
> sponsors (*)), using an Anti-Virus program and keeping her system
> updated, you actually encourage her to continue her dangerous
> behavior. Fact is that even with a PFW, up to date AV and system,
> Annie (who is part of the Administrators group btw) will get infected
> if she keeps opening/running every attachment.
> And then it's game over. This is not 1998, trojans/backdoors are
> becoming more and more advanced (public rootkit projects for MS
> Windows are becoming more common) and no PFW (a program that is
> running on the same, now compromised, system) can prevent a 'modern'
> backdoor/trojan from "getting out".
>
> So we need to change Annie's behavior. An obvious (technical) solution

[SNIP]

We need to properly educate Annie's kids, they are the ones that will grow up with a keyboard under their finger tips and see every automated device and toy they get for x-mas chipped up and connected. Annie grew up in a time before all this, hell her VCR still has her stumped. So we help Annie out with PFW days and such, and try our best to guide her along one baby step at a time, as her hair greys and her grandkids lock down the system she e-mails the family about reunions and stuff...

Thanks,

Ron DuFresne
~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
Re: Re[2]: [Full-Disclosure] January 15 is Personal Firewall Day, help the cause
On Thu, 15 Jan 2004 21:31:18 +0100, Joris De Donder <[EMAIL PROTECTED]> wrote:

> ISPs could give the same information to their customers or even put
> certain 'security requirements' in their contracts. They could send
> their users a 'security newsletter' and/or set up a special
> website/page with useful information (useful information != some
> links to your sponsors and some FUD text written by people from the
> marketing dep.)

This particular approach to education of the average ISP patron is a good idea in theory, but if such contractual stipulations or useful information were presented to the average user it would elicit no more than a nod. The braver users may attempt to understand what they are being told "for their own good", but a majority of them are likely to give up their benefits after reaching the 3rd technical term that they don't understand.

I agree that the only way to truly secure the desktop PC, once and for all, is to force into the users' hands a read-only device. If all administration were controlled by a competent professional then we'd all be relatively safe from data and revenue loss, as well as having our sensitive data compromised.

I believe that nothing will ever stop security threats and breaches completely, but that is good because it shows something hopeful for the ingenuity, tenacity, and adaptability of mankind.

Your friend,
Ethan E Sundstrom
RE: Re[2]: [Full-Disclosure] January 15 is Personal Firewall Day, help the cause
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Joris De Donder
> Sent: Thursday, January 15, 2004 2:31 PM
> To: [EMAIL PROTECTED]
> Subject: Re[2]: [Full-Disclosure] January 15 is Personal
> Firewall Day, help the cause
>
> Conclusion: The purely technical solution (with obvious commercial
> intentions) proposed by personalfirewallday.org will lead to
> a false sense of security, resulting in more insecure systems.
> User Education is an essential part of the solution.
>

I must say that I've been absolutely amazed by the negative reactions to this. You complain that what "annie" needs is education. The personalfirewallday.org site does *precisely* that.

Have any of the people criticizing the effort even bothered to go look at the site? I finally did, just to see what all the fuss was about. I found:

1) A vision statement
2) An explanation of why you need protection, including information about viruses, worms, trojans and hackers
2) An explanation of what layered protection is and why you can't depend upon just one security product
3) Explanations of personal firewalls, antivirus protection and OS updating and links to resources for each

Everything you claim "annie" needs is right there on that one website. And you think that's a *bad* thing?

I realize it is possible to be so blinded by hatred that you can't even think logically, but I didn't realize how many in this industry were blind. I understand what the penguin-heads are up to, but I would have *thought* that people who *claim* to care about security would applaud any effort to increase public awareness.

Boy, was I wrong!

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
Re[2]: [Full-Disclosure] January 15 is Personal Firewall Day, help the cause
> There have been a lot of 'complaints' or FUD replies concerning the
> efforts for personal firewall day, 1/15/04, yet not a single, "this would
> work much better" replies or offerings. do any of the unsupporters have

The main problem is the user. Annie for example opens/runs every attachment she receives. Now if you say to Annie that all she needs to do to be secure is installing (buying) a PFW (from a short list of sponsors (*)), using an Anti-Virus program and keeping her system updated, you actually encourage her to continue her dangerous behavior. Fact is that even with a PFW, up to date AV and system, Annie (who is part of the Administrators group btw) will get infected if she keeps opening/running every attachment.

And then it's game over. This is not 1998, trojans/backdoors are becoming more and more advanced (public rootkit projects for MS Windows are becoming more common) and no PFW (a program that is running on the same, now compromised, system) can prevent a 'modern' backdoor/trojan from "getting out".

So we need to change Annie's behavior. An obvious (technical) solution would be to give Annie an email client that's incapable of launching (possibly harmful) attachments, but that only solves part of the problem since Annie just received a .scr file through her favorite IM client and next week Annie will find and install a new filesharing program...

Annie needs to realise that she's not safe. She needs to realise that even with a PFW, up to date AV and system, she can still get infected. She needs to learn to 'think' when her new PFW pops up a message saying that a file called "iexpIlore.exe" (with a nice IE like icon) tries to "connect to the internet".

So (unless of course, we can move Annie and the millions like her away from general purpose desktop computers like we know them today to some new kind of secure frontends, that store their files and settings on a remote server(**)) it's essential that we educate Annie.
Computer stores can play a very important role in this and for example give their customers a flyer or 'brochure' with useful tips and guidelines. ISPs could give the same information to their customers or even put certain 'security requirements' in their contracts. They could send their users a 'security newsletter' and/or set up a special website/page with useful information (useful information != some links to your sponsors and some FUD text written by people from the marketing dep.)

Conclusion: The purely technical solution (with obvious commercial intentions) proposed by personalfirewallday.org will lead to a false sense of security, resulting in more insecure systems. User Education is an essential part of the solution.

Joris

(*) I see the list just got updated
(**) No, I don't mean dumb terminals.