Re: The very basics of security

From: Todd Knarr (tknarr_at_silverglass.org)
Date: 09/24/04


Date: Fri, 24 Sep 2004 03:37:21 GMT

In comp.security.misc <2fe7b80f.0409231702.1610f0fe@posting.google.com> walterbyrd <walterbyrd@iname.com> wrote:
> Sometimes, you may have to use msie.
> - to upgrade your windows systems
> - to use a shockwave site (I had to fill out a timesheet on a
> shockwave site to get paid).

Windows Update you're right on. There's no need to use IE to get
Shockwave/Flash though, since plugins for it are available for the
Mozilla family (Netscape, Mozilla, Firefox).

> Practically all the HTML email I get is innocent. Stuff from my family
> etc. Good idea about the attachments.

And when someone in your family infects themselves with the latest
Windows worm and it starts e-mailing itself to everyone in their
address book, including you, using an HTML-based exploit to infect
the target machine without user intervention? Just because it came
from a trusted person's system doesn't mean that person sent it.

> Also, I think the "Remember This Password" Feature can be shut off. I
> never cared for that "feature" anyway.

That's not what he was talking about, I think. One standard feature of
password-cracking programs is to do variations on known passwords, so
if the cracker knows you used password X on one site he doesn't have
to search all passwords for you on another site, he can start by trying
variations on X. If you use slight variations of the same password then
the search universe is relatively tiny.

-- 
All I want out of the Universe is 10 minutes with the source code and
a quick recompile.
                                -- unknown
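
The point in the last paragraph of the post, seen from the defender's side: a password-change check that rejects a new password when it is only a slight variation of the one being replaced. This is an added example, not part of the original post; the function names, the substitution table and the `max_edits` threshold are assumptions, and it assumes the old password is available in plaintext only because the user has just typed it on the change form.

```python
import re

# Constructed table of common character substitutions, undone before comparing.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def skeleton(password: str) -> str:
    """Reduce a password to its base word: lowercase, drop leading and
    trailing digits/punctuation, then undo character substitutions."""
    s = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password.lower())
    return s.translate(LEET)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def is_variation(candidate: str, known: str, max_edits: int = 2) -> bool:
    """True if candidate is a slight variation of known (hypothetical policy)."""
    a, b = skeleton(candidate), skeleton(known)
    if not a or not b:                # nothing left to compare, e.g. all digits
        return candidate == known
    short, long_ = sorted((a, b), key=len)
    if len(short) >= 4 and short in long_:   # old base word embedded in the new one
        return True
    return edit_distance(a, b) <= max_edits

if __name__ == "__main__":
    old = "summer2003"                # constructed sample values
    for new in ("Summer2004!", "$umm3r_04", "MyBankSummer2004",
                "correct-horse-battery"):
        verdict = "reject" if is_variation(new, old) else "accept"
        print(f"{new!r:26} {verdict}")
```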