Full Disclosure mailing list archives
Securing our computers?
From: n3td3v <xploitable () gmail com>
Date: Sun, 2 Nov 2008 05:38:20 +0000
Does anyone have good ideas on how to secure our computers better? Is it a problem at the user end, or a problem at the corporate and government end? Should it be up to vendors to provide security to operating systems, or should it be the end user's responsibility to learn the skills required to use a computer safely and securely, and its data assets that might be stored on the systems? These are the sorts of questions you should ask yourself. Should we really have operating systems with a built-in firewall that is turned on by default, what I call back seat driver security? This is a term I'm using for vendors who provide end users with ready-to-go security measures, but don't teach their users about security; they just provide the security mechanisms to the user, without telling the user about security and why it's important for the firewall to be there. Should security be expected, back seat security? Or should we be road-mapping with the end user, by saying, we provide you with default security, but we want you to learn more about the security of computers, and all its technical and non-technical surroundings? Is it healthy that vendors are back-seating their users by providing point, click security, which is extremely lazy for the end user? The end user doesn't need to do anything, or think about anything to do with computer security, because it's already provided by the vendor. The problem arises when new threats come about and the security that the user expects can't protect their computer and its data, because the vendor hasn't had time to notify its security response staff and build and release a patch. So what layer of protection does the end user with point-and-click back seat security have against a new emerging threat to our computer systems? None.
The vendors don't provide the education for the end user to mitigate new emerging threats; they are told to wait for a patch. There are usually no effective workarounds that you can use to protect yourself from a new emerging threat; workarounds usually only make it less likely you'll be infected with malicious code, but I don't think that's security, it's just the best we can do. Should we not force our users to learn about computer security instead of providing them with instant-on security? The real threats come from those vulnerabilities that are not-yet-patched, where the operating system is at its most vulnerable, yet the user has no clue about what's going on, because they haven't been encouraged by the vendor to learn about security. It's just expected by the user that the system is 1) not break-in-able and 2) hasn't already been compromised. If you turn your computer on and everything looks in place and as it should, you suggest to yourself you haven't been hacked; however, that is not the case, although that is the mindset the end user has: if everything looks OK, then it probably is, or so they assume. Do you ever think what could be happening to your computer while your screensaver is running? Could this be the perfect opportunity for a hacker to start looking around the system files, a tip-off perhaps that you are away from the computer, and can't see what's going on behind the graphic that is screensaving your operating system? These are the kind of questions we should be asking ourselves, because security is assumed by the end user. They are putting an incredible amount of trust in the vendor who provides the software, and is it healthy to have your data security in the hands of the vendor? When you buy, say, Microsoft Windows, you don't own that software; you own a licence to run it on your systems. You never actually own the product; you are merely signing an agreement that Microsoft has given you permission to use the software.
The code is in fact secret and will probably stay that way for some time, because it's how they work. They don't like "free", they don't make money from "free", so they keep the code base secret from the user who owns the licence to run the software, although the user doesn't know exactly what it is that is running on their system, as they don't have open source to view what's really going on. With companies such as Microsoft keeping their source code a secret, you've got to wonder what they are hiding, and why you should put your trust in such a large corporation to provide not only the services you agree on in the software licence but the security of not only you and your computer, but the data that is held on that software. It's all about trusting the security of the operating system, and people seem to trust big companies with their security, but are they trustable? It's a huge amount of trust you give Microsoft every time you agree to their licence terms; most people just sit back and agree, most don't even read the small print. This is sad. You are running software that you don't own, that you are merely borrowing the use of, and that software will eventually expire and you need to repay the company every, say, 4 to 8 years per software life cycle. So essentially, why are you using Microsoft Windows, and why are you putting your trust in them? Not only that, but why are they providing security to the end user without sharing the code or encouraging the end user to find out more about security? Like I said, security is assumed, but it cannot be guaranteed. They don't say, hey, it's a pretty good idea that you know about new threats and how to mitigate them. The end user shouldn't be relying on security professionals to keep their data secure; there is nothing a security professional knows that the end user can't find out, so why are we not steering the end user towards computer security websites?
Because they don't want to learn; they don't see the need to learn. The security is provided by the vendor, the one we put our trust in to provide a secure code base to run our commands in a graphical environment. The end user doesn't know about security; the end user doesn't really understand what it is that is running. They know it's Microsoft Windows, but do they know about the possible threat vectors, and are they up to speed with security news? No, but they should be. They aren't encouraged to be, or even to think about security, because the vendor does it for them, the people you trust.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/