Leythos said:
(e-mail address removed) says... [snip]
I kinda sorta don't blame people for being upset that their shiny new
XP computer gets cracked.
I also don't blame users when their systems are compromised, unless it
was due to not following rules of basic security. The sad part is that
all the information on how to be safe is easily available on the web,
but those types don't look for it.
Yes and no. I mean, you apparently know all about configuring
computers. Many people don't.
I find myself eerily drawn to this thread... I now really want to
understand where you are coming from.
PC users that know nothing about computers just plug their computer in
and start using it. Dell or Gateway or Whatever has configured it and
they get what is generally known as a "Craputer" for all the services
and programs running at start-up. They probably have AV and two
firewalls (XP's and one from the AV company). And they have Automatic
Updates from Microsoft. They are also bombarded with warnings about
"Viruses" every day. (Which is why they accept the AV software and
Windows Update and "Activation" paying extra money for service plans.)
But what these people don't have is any understanding of Internet
protocols and RFCs and traceroute and DNS servers.
And on top of that they are used to electronic gadgets, like telephones
and CD players, to always "just work".
At this point, is the new XP box secure? Or are the users required to
spend the hours necessary, online, reading about how to secure their
computer?
(I am not in any way arguing or trying to argue -- I may be drifting off
topic here...)
Imagine all the people that open the eBay email and actually go to the
fake eBay site and enter their personal information - that one mode of
getting people's personal info has been on every news channel, in most of
the tech sections of newspapers, listed on eBay's real site, and is
easy to determine if it's real or not, but people still fall for it.
Ignorance is not an excuse, it's a wanton action of being lazy in my
opinion.
In this example, yeah, sure.
Yea, but with a properly secured network they would not be able to
download any content that might contain malicious files - like we don't
allow .SCR files to pass through the HTTP sessions in our firewalls.
Well, I meant to write that I am LESS likely to sympathize.... (I ain't
always smart.)
As an aside, I'd like to know how to set up XP to block such files. Do
you use a router? Third party software? Basic XP can just deny access
globally or per website via IE. I am obviously missing something here.
I can, as there is no reason to allow outbound ports 135~139, 445, 1433~
1434 and FTP outbound should be limited to a specific internal machine
or to known good FTP sites. We have all the Sororities set up so that
outbound traffic to destination ports 135~139, 445, 1433~1434, and to
non-approved FTP locations is blocked - in addition to blocking content
in HTTP sessions.
Windows cannot come hardened out of the box, it would break too many
existing methods and fail in corporate environments. They need a new
version, abandoning all the prior versions.
But you just said that "there is no reason to allow outbound ports
[...] and FTP outbound should be limited to a specific internal machine
or to known good FTP sites."
How does the average user learn to do this? And if I can do this why
can't MS do it by default?
And I have always that MS should have skipped XP and come out with a
completely new OS, one specifically for Home use where no servers ever
need to be run, only client software with basic Internet access.
[snip]
This is the start - knowing that you don't know and accepting that you
have to learn more - that's all that I ask of my team. Never say you
know when you don't, never fake it, never feel afraid to say "I don't
know". It's always better to learn than to hide.
I know what I know and I thought I knew what I did not know. I now know
more about what I did not know as I have seen various Worms and Trojans
completely take over XP boxes I thought "secure" behind routers.
--
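Added example, not part of the original thread and not any poster's actual firewall configuration: the outbound policy described above (destination ports 135~139, 445, 1433~1434 blocked, FTP limited to one internal machine or to known good sites, .SCR blocked in HTTP sessions) written as a check over flow records. The addresses, the FTP allow lists, the record layout and the function names are assumptions made for illustration.

```python
from urllib.parse import unquote, urlsplit

# Destination ports named in the thread: 135-139, 445, 1433-1434.
BLOCKED_PORTS = set(range(135, 140)) | {445, 1433, 1434}
FTP_PORT = 21
# Assumptions (not from the thread): the one internal machine allowed to use
# FTP and the known good FTP sites. Addresses are documentation ranges.
FTP_ALLOWED_SOURCES = {"192.0.2.5"}
APPROVED_FTP_DESTS = {"198.51.100.10"}
BLOCKED_HTTP_EXTENSIONS = (".scr",)


def evaluate(flow):
    """Return (verdict, reason) for one outbound flow record (a dict)."""
    port = flow["dport"]
    if port in BLOCKED_PORTS:
        return "block", f"outbound destination port {port} is denied"
    if port == FTP_PORT:
        if flow["src"] in FTP_ALLOWED_SOURCES or flow["dst"] in APPROVED_FTP_DESTS:
            return "allow", "approved FTP source or destination"
        return "block", "FTP to a non-approved location"
    url = flow.get("url")
    if url:
        # Compare the decoded, lower-cased path only, so "Saver.SCR" and
        # "a%2Escr" match while ".scr" in a query string does not.
        path = unquote(urlsplit(url).path).lower()
        if path.endswith(BLOCKED_HTTP_EXTENSIONS):
            return "block", "blocked file type in HTTP session"
    return "allow", "no rule matched"


SAMPLE_FLOWS = [  # constructed sample records, not real traffic
    {"src": "192.0.2.21", "dst": "203.0.113.7", "dport": 445},
    {"src": "192.0.2.21", "dst": "203.0.113.9", "dport": 1434},
    {"src": "192.0.2.21", "dst": "203.0.113.8", "dport": 21},
    {"src": "192.0.2.5", "dst": "203.0.113.8", "dport": 21},
    {"src": "192.0.2.21", "dst": "203.0.113.3", "dport": 80, "url": "http://example.test/free/Saver.SCR"},
    {"src": "192.0.2.21", "dst": "203.0.113.3", "dport": 80, "url": "http://example.test/find?q=.scr"},
]


def audit(flows):
    """Return the verdict for each flow, in order."""
    return [evaluate(f)[0] for f in flows]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(evaluate(f), f)
```

A name check like this only covers the file extension in the URL; it says nothing about what the response body actually contains.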