funsec mailing list archives
Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups)
From: Valdis.Kletnieks () vt edu
Date: Tue, 13 Oct 2009 09:02:26 -0400
On Sun, 11 Oct 2009 23:31:08 CDT, Dan White said:
1) Educating users on proper use of anti-virus and anti-malware tools - and being ADHD about installing OS updates.
No, you *don't* want them being ADHD about OS updates. You want them to be obsessive-compulsive about it. Somebody wit OCD will be going back and checking "Am I patched? Did I patch in the last hour? I better check again to be sure". Somebody with ADHD will end up visiting http://windowsupdate.microsohlookachicken.com
2) Replacing SMTP with something sane and secure. SMTP has got to be IETF's biggest failure.
Actually, SMTP is probably the IETF's best example of "so frikking successful that everybody jumped on the bandwagon, moving the goalposts in the process". The fact that it works at *all* 27 years after RFC821 is a demonstration of how well-designed it was...
3) Doing what we can to develop and increase our participation in a public key infrastructure and IPSEC.
Unfortunately, most of the problems we have would *not* be fixed with more crypto and IPSEC (with the exception of closing down unencrypted wireless and making the standard there WPA2 or a better follow-on). I mean, *seriously*, how often do you hear of successful sniffing attacks on copper or fiber, compared to the number of attacks where a keystroke logger or website hack got the unencrypted goods at the endpoint? You want to fix something - come up with a good way to enhance the trust for websites that load from multiple places. Go read Schneier's "Secrets and Lies", he has a good chapter on SSL snake oil, but to sum it up with a re-quote of an example from yesterday: If I'm on msnbc.msn.com, and click a link that takes me to discovery.com, what reason does my browser have to trust the Flash content that gets loaded from mstories.vo.llnwd.net? (Hint - your scheme has to work even if discovery.com is compromised - if the hacker can change the link, there's a good chance that if you depend on a digital signature of the page containing the link, he can re-sign the page as well. Probably not for discovery.com, which likely has separate devel and prod machines and the signing can happen on the devel boxes - but there's a *lot* of "update in place" websites that would almost certainly have the signing keys on the webserver. Bad idea, I know, but it's gonna happen.
Attachment:
_bin
Description:
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- dumb. Comcast pop-ups RandallM (Oct 10)
- Re: dumb. Comcast pop-ups Jon Kibler (Oct 10)
- Re: dumb. Comcast pop-ups Alex Lanstein (Oct 10)
- Re: dumb. Comcast pop-ups Rich Kulawiec (Oct 11)
- Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Larry Seltzer (Oct 11)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Dan White (Oct 13)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Larry Seltzer (Oct 12)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Dan White (Oct 13)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Valdis . Kletnieks (Oct 13)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Dan White (Oct 13)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Rich Kulawiec (Oct 13)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Dan White (Oct 13)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Rich Kulawiec (Oct 16)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Dan White (Oct 16)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Valdis . Kletnieks (Oct 16)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Dan White (Oct 16)
- Re: dumb. Comcast pop-ups Alex Lanstein (Oct 10)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) G. D. Fuego (Oct 16)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) Rich Kulawiec (Oct 17)
- Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups) G. D. Fuego (Oct 17)
- Re: dumb. Comcast pop-ups Jon Kibler (Oct 10)