RE: Consumer Security Web Site

From: Quark IT - Hilton Travis (hilton_at_quarkit.com.au)
Date: 06/29/04

    Date: Tue, 29 Jun 2004 12:24:03 +1000
    To: <focus-ms@securityfocus.com>
    
    

    Hi Susan,

    I don't know how you keep doing it, but these links of yours are quite
    good. :)

    I think you also meant that there are some Small Business LOB
    applications that won't run on anything but MSIE - and I think these
    apps need a public laughing at.

    I think that the ThreatCode.com site needs to be given an airing in this
    forum, as it is rather relevant. (It isn't in your sig yet...) For
    those who are unaware of ThreatCode.com, here's part of why it was
    started...

    <snip>
    Any software application that - today - uses insecure, vulnerable,
    heavily buggy, 16-bit, non-standard, poorly written or generally
    unstable code needs to be outed. In public. Loudly. The authors need
    to be put in the stocks and have rotten eggs and soggy tomatoes thrown
    at them. It was 1995 that 16-bit code should have died, and it's now
    2004 - 9 years later. But the bad practices that 16-bit coders brought
    through the years with them need to now be stopped, finally. If it's
    crap, we need to let people know why, where, and WHO is the issue. The
    exact same thing goes for any software that needs multiple inbound ports
    open. One I can handle, two is hard to accept, 3 or more? Well, there
    better be a damn good reason for it, and this reason gets exponentially
    harder to accept for each additional port. The same goes for NAT
    unfriendly protocols - get rid of them, they are dinosaurs.
    </snip>

    I still feel as strongly about this now as I did a week ago when I wrote
    that. :) All applications that force the user to run in a Local
    Administrator context are equally as liable to be listed on that
    website. There should be no need for regular usage of a regular office
    application (browser, word processor, accounting package, database,
    stock control app, fleet control, etc) to require local administrator
    privileges. This is just poor coding on the programmer's part, and they
    need to be outed in public.

    These apps - poorly coded, 16 bit, vulnerable, needing numerous ports,
    requiring local admin rights, unstable - WHATEVER - are reducing the
    security of our client workstations, therefore reducing the security of
    our networks. This is (and should always remain) unacceptable.

    Susan graciously started and hosted this site, and accepts email with
    decent documentation explaining what the software app is that needs
    placing in the Hall of Shame, why it needs to be placed there, and any
    workarounds that are relevant.

    --
    Regards,
    Hilton Travis                          Phone: +61 (0)7 3343 3889
    (Brisbane, Australia)                  Phone: +61 (0)419 792 394
    Manager, Quark IT                      http://www.quarkit.com.au
             Quark AudioVisual             http://www.quarkav.net
    http://www.threatcode.com/ <-- it's now time to shame poor coders 
    into writing code that is acceptable for use on today's networks
    War doesn't determine who is right.  War determines who is left.  
    > -----Original Message-----
    > From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] 
    > [mailto:sbradcpa@pacbell.net] 
    > Sent: Tuesday, 29 June 2004 07:00
    > To: Eric McCarty
    > Cc: David Harper; focus-ms@securityfocus.com
    > Subject: Re: Consumer Security Web Site
    > 
    > But... some LOB web sites that small businesses use won't run 
    > on IE... keep that in mind too.
    > 
    > 
    > Here are a few but I'll get you more links that are good 
    > resources for SMBs.
    > 
    > Common Sense Guide to Cyber Security for Small Businesses
    > 
    > http://www.isalliance.org/resources/papers/Common_Sense_sm_bus.pdf
    > 
    >  
    > 
    > eSecurity Guide for Small Business
    > http://download.microsoft.com/download/2/5/1/2518982c-228b-40a8-a7bf-f683b37a0f38/eSecurityGuideforSmallBusiness.pdf
    > 
    > 
    > 
    > Eric McCarty wrote:
    > 
    > >One thing which I would recommend is the inclusion of links to 
    > >alternative web browsers. It's not that I don't like IE or use 
    > >it personally, but I've found it 99% easier to set up Mozilla or 
    > >Firefox properly and let novice users run with it. No pop ups, 
    > >spam/spyware/etc to contend with and no issues with unpatched 
    > >vulnerabilities (adodb stream...) causing mysterious programs 
    > >to be installed.
    > >
    > >
    > > Signed,
    > > Eric C. McCarty
    > > Systems Administrator
    > > Internet Security Officer
    > >
    > >
    > > -----Original Message-----
    > > From: David Harper [mailto:david.harper@thermon.com]
    > > Sent: Monday, June 28, 2004 8:50 AM
    > > To: 'focus-ms@securityfocus.com'
    > > Subject: Consumer Security Web Site
    > > 
    > > All,
    > > 
    > > I'm putting together a web site for home and small office 
    > > computer users to address computer and small network 
    > > security.  I'm hoping to eventually have a one-stop site 
    > > where non-technical consumers can get all the information 
    > > they need to protect their home and small office systems.
    > > 
    > > So far I'm planning sections on Viruses/Worms/Trojans, 
    > > Spam, Identity Theft, Cyberstalking, Hacking, Spyware and 
    > > Adware.  Each section is to cover the basics (what it is, 
    > > how to remove/prevent it, etc.) in a non-technical, 
    > > friendly-to-the-average-home-user way.  I'll also include 
    > > links to sites like Windows Update and other free tools, 
    > > with a strong admonition that their computer be checked 
    > > and patched - now.
    > > 
    > > I'd like to get input from the list on any other sections 
    > > to include on the web site.  What do you see as the most 
    > > glaring gaps in end-user knowledge?
    > > What information, tools, links, etc., would best enable 
    > > them to secure their systems easily against the most 
    > > common threats?  Also, I'm gearing this toward Microsoft 
    > > simply because 1) Microsoft runs the vast majority of 
    > > home/small-office computers, 2) Those using Linux are 
    > > already pretty computer savvy, and this site is for the 
    > > novice.  Should I expand the focus?  Include MACs?  What 
    > > about the buzz on cell phone viruses?  Should cell phone 
    > > security and privacy issues be included, as well?
    > > 
    > > Please keep in mind that this site is for the novice, so 
    > > explanations of elliptical curve cryptography probably 
    > > won't fly.  I just want to make it as easy as possible 
    > > for the non-technical user to stay up to date.
    > > 
    > > Your input is greatly appreciated!
    > > 
    > > Thanks,
    > > David