Interviewed by CNN on 14/09/2011 22:27, Richard Owlett told the world:
> Provocative enough subject line?
> Actually I'm *serious* !
> 
> I personally suspect that all these "security" features are trying 
> to protect users from their own culpable acts.
> 
> I take responsibility for my own well being by:
>   1. *DISABLING* {user.js *IS* your friend}
>      JavaScript
>      Cookies
>   2. *NOT* using an "always live" connection
>   3. a local *always LIVE* firewall set to _paranoid_
>   4. my ISP provides some firewall and anti-virus email protection
> 
> and "other" measures

You are free to do that, of course. In the security-versus-convenience
debate, you went all for security.

But:

1. Not everybody agrees with you on what is an acceptable compromise to
convenience in the name of security. For many people, updating the
browser may be a lesser annoyance than, say, doing without the
many, many sites that rely on Javascript, cookies and whatever else you
disable -- or at least, being relegated to a version of the site with
lesser functionality.

2. You are assuming that all attack vectors can be thwarted by your
measures. That's not so, as the recent DigiNotar case illustrates. With
a suitably spoofed DNS record (yes, it does happen) and fake digital
certificates, an attacker could present you with a fake site and
convince you to download and run a malicious piece of software -- with
no need for Javascript, cookies or defeating your firewall, and
bypassing your ISP's e-mail antivirus entirely. Your own antivirus is no
guarantee either: malware is usually tweaked to escape most major
antivirus on initial release.

3. Using an old piece of software, with many known security bugs, under
your described conditions is *still* less secure than using an updated
version of the software under the same conditions. If your first line of
defense (say, your firewall, or the ISP's antivirus) fails, you are
better off having a second line (a fully-patched browser/e-mail client)
than not having it. Belt and suspenders, you might say.

4. Even if you forgo updating Seamonkey, you still have to keep your
lines of defense updated. Do you trust an old firewall with known
weaknesses? I notice you use Windows XP; do you still keep it at the
late-2001, unpatched, RTM level, with its literally hundreds of security
holes? Do you use an old antivirus which wasn't designed to defeat the
new tricks malware authors are using now (I'm not talking about virus
definitions, I'm talking about updates to the antivirus engine itself)?

By the way, I wouldn't trust the ISP e-mail antivirus very much. ISPs
tend to keep the antivirus "aggressivity" setting very low, because false
positives (blocking legitimate messages) can cost subscriptions.

So, on the whole, I would say that yes, security updates ARE needed. For
Seamonkey, for the antivirus, for the firewall, for Windows, for Linux,
for OSX...

-- 
MCBastos

This message has been protected with the 2ROT13 algorithm. Unauthorized
use will be prosecuted under the DMCA.

-=-=-
... Sent from my R2 Unit.
*Added by TagZilla 0.066.2 running on Seamonkey 2.3.3 *
Get it at http://xsidebar.mozdev.org/modifiedmailnews.html#tagzilla
_______________________________________________
support-seamonkey mailing list
https://lists.mozilla.org/listinfo/support-seamonkey