[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4b6ee9310811012238l49b57897m4f62dc7b7842741d@mail.gmail.com>
Date: Sun, 2 Nov 2008 05:38:20 +0000
From: n3td3v <xploitable@...il.com>
To: n3td3v <n3td3v@...glegroups.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Securing our computers?
does anyone have good ideas on how to secure our computers better? is
it a problem at the user end, or a problem at the corporate and
government end? should it be upto vendors to provide security to
operating systems, or should it be the end users responsibility to
learn the skills required to use a computer safe and securely, and its
data assets that might be stored on the systems? these are the sorts
of questions you should ask yourself. should we really have operating
systems with a built in firewall that is turned on by default, what i
call back seat driver security.this is a term im using for vendors who
provide end users will ready to go security measures, but don't teach
its users about security, they just provide the security mechanisms to
the user, without telling the user about security and why its
important for the firewall to be there. should security be expected,
back seat security? or should we be road mapping with the end user, by
saying, we provide you with default security, but we want you to learn
more about the security of computers, and all its technical and
non-technical surroundings. is it healthy that vendors are back
seating its users by providing point, click security which is
extremely lazy for the end user. the end user doesn't need to do
anything, or think about anything to do with computer security,
because its already provided by the vendor. the problem arises when
new threats come about and the security that the user expects can't
protect their computer and its data because the vendor hasn't had time
to notify its security response staff and build and release a patch.
so what layer of protection does the end user with point and click
back seat security have against a new emerging threat to our computer
systems? none. the vendors don't provide the education for the end
user to mitigate new emerging threats, they are told to wait for a
patch, there are no effective workarounds usually that you can use to
protect yourself from a new emerging threat, workarounds usually only
make it less likely you'll be infected with malicious code, but i
don't think its security, its just the best we can do. should we not
force our users to learn about computer security instead of providing
them with instant-on security? the real threats come from those
vulnerabilities that are not-yet-patched, where the operating system
is at its most vulnerable, yet the user has no clue about what's going
on, because they haven't been encouraged by the vendor, to learn about
security, its just expected by the user that the system is 1) not
break in able and 2) hasn't already been compromised. if you turn your
computer on and everything looks in place and as it should, you
suggest to yourself you haven't been hacked, however that is not the
case, although that is the mindset the end user has, if everything
looks ok, then it probably is or so they assume. do you ever think
what could be happening to your computer while your screensaver is
running, could this be the perfect opportunity for a hacker, to start
looking around the system files, a tip off perhaps that you are away
from the computer, and can't see what's going on behind the graphic
that is screensaving your operating system? these are the kind of
questions we should be asking ourselves, because security is assumed
by the end user, they are putting an incredible amount of trust in the
vendor who provides the software, and is it healthy to have your data
security in the hands of the vendor. when you buy say microsoft
windows you don't own that software, you own a licence to run it on
your systems, you never actually own the product, you are merely
signing an agreement that microsoft has given you permission to use
the software. the code is infact secret and will probably stay that
way for some time, because its how they work, they don't like "free",
they don't make money from "free" so they keep the code base secret
from the user who owns the licence to run the software, although the
user doesn't know exactly what it is that is running on their system,
as they don't have open source to view what's really going on. with
companies such as microsoft keeping its source code a secret, you've
got to wonder what are they hiding, and why should you put your trust
in such a large corporation to not only provide the services you agree
on the software licence but the security of not only you and your
computer, but the data that is held on that software. its all about
trusting the security of the operating system, and people seem to
trust big companies with their security, but are they trustable? its a
huge amount of trust you give microsoft everytime you agree to their
licence terms, most people just sit back and agree, most don't even
read the small print, this is sad. you are running a software that you
don't own, are merely borrowing the use of, and that software will
eventually expire and you need to repay the company every say 4 to 8
years per software life cycle. so essentially, why are you using
microsoft windows, and why are you putting your trust in them? not
only that but why are they providing security to the end user, without
sharing the code or encouraging the end user to find out more about
security. like i said, security is assumed, but it cannot be
guaranteed. they don't say hey, its a pretty good idea that you know
about new threats and how to mitigate them, the end user shouldn't be
relying on security professionals to keep their data secure, there is
nothing a security professional knows that the end-user can't find
out, so why are we not steering the end user towards computer security
websites? because they don't want to learn, they don't see the need to
learn, the security is provided by the vendor, the one we put our
trust in to provide a secure code base to run our commands in a
graphical environment. the end-user doesn't know about security, the
end-user doesn't really understand what it is that is running, they
know its microsoft windows, but do they know about the possible threat
vectors, and are they up-to-speed with security news? no, but they
should be but aren't encouraged to be or even think about security,
because the vendor does it for them, the people you trust.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists