Date: Wed, 3 Dec 2008 18:45:59 -0800
From: "Mike C" <mike.cartall@...il.com>
To: "Elazar Broad" <elazar@...hmail.com>
Cc: full-disclosure@...ts.grok.org.uk, vulcanius@...il.com
Subject: Re: Project Chroma: A color code for the state of cyber security

On Tue, Dec 2, 2008 at 11:29 AM, Elazar Broad <elazar@...hmail.com> wrote:
> On Tue, 02 Dec 2008 11:50:46 -0500 rholgstad <rholgstad@...il.com> wrote:
>> Mike C wrote:
>>> On Mon, Dec 1, 2008 at 5:27 PM, rholgstad <rholgstad@...il.com> wrote:
>>>
>>>> and how does making a color based on these inputs protect people?
>>>
>>> Once all desktops have an icon or widget (say at the right hand corner)
>>> with the color, and this is consistently seen everywhere, the users will
>>> start associating it with their online security. They will be reminded
>>> that they have to be careful with the data they share.
>>>
>>> This, if implemented correctly, will be a boon to the security industry,
>>> where the weakest links currently are 'n00b' users.
>>>
>> you are joking, right?
>>
>> So some widget is going to stop the next SMB remote or IE client side
>> and protect the 'n00b' users? Please explain how this works. Also please
>> explain how "they will be reminded that they have to be careful with the
>> data they share." has anything to do with protecting a user's machine
>> from being compromised.
>
> That's the whole point. There is a fine line between using visual
> alerts to put people (Joe six pack) into a state of "awareness" (more
> like mild hysteria) of a threat versus knowing how to protect
> oneself against that threat and using that awareness indicator as
> the kick in the ass to get moving and shore up the defenses (hell,
> how many security folk do this too, then again, every time
> something goes bump we see red). Visual alerts are great as
> persuasion tools, especially when the goal is to get Joe to buy
> your latest all-in-one-will-make-your-coffee-and-buy-you-beer
> AV/Malware/Spyware/Foo (what's this doing here?)/evil monkey in the
> closet package. So of course, Joe will never learn how to properly
> defend his computer/data, and the "industry" will prosper.
>

I don't think it is a lost battle. This method could prove an excellent
way to solve this age-old problem.

> Now, thanks to our good friends over at the DHS, the color system
> has turned into a complete and utter joke (for the most part), so my
> friend, you see, this is a complete exercise in futility (besides the
> fact that every friggin AV/IDS/Security/SIM company out there has
> red, yellow and green as their corporate "flag"; if you are just
> joining the party, then you can completely ignore this).
>
The DHS implementation leaves a lot to be desired. Please do not compare
this to the DHS's implementation.

> If you really want to change the state of security for the n00bs,
> spread the knowledge, not the colors.
>
That's what Project Chroma is all about. Are you on board?!

-- 
MC
Security Researcher
Lead, Project Chroma
http://sites.google.com/site/projectchromaproject/
