
Community Comments To Security Absurdity Article

An anonymous reader writes, "Earlier this year Noam Eppel's Security Absurdity article generated much debate in the Information Security community (covered on Slashdot at the time). He claimed that we are currently witnessing a 'profound failure' in security. Now the author has posted a follow-up highlighting some of the community comments prompted by the article, titled 'Feedback to Security Absurdity Article — the Good, the Bad and the Ugly.'"

2 of 190 comments

  1. Re:We wouldn't be having this problem if... by Anonymous Coward · Score: 3, Informative

    From the article:

    "
            * Don't click on links in email messages. Type the URL in your browser manually.
            * Disable the preview pane in all your inboxes.
            * Read all email in plain text.
            * Don't open email attachments.
            * Don't use Java, JavaScript, and ActiveX.
            * Don't check your email with Microsoft Outlook or Outlook Express.
            * Don't display your email address on your web site.
            * Don't follow links in web pages, email messages, or newsgroups without knowing what they link to.
            * Don't let the computer save your passwords.
            * Don't trust the "From" line in email messages.
            * Never Use Internet Explorer and instead Switch to Firefox.
            * Never run a program unless you know it to be authored by a person or company that you trust.
            * Read the User Agreement thoroughly on all software you download to ensure it is not spyware.
            * Don't count on your email system to block all worms and viruses.
            * Get a Mac
    "

    Now, how many of those do you think the average computer user knows about? Not many, I think. Most people see features and want to use them so they ignore many of those suggestions. Thus, this common geek sense is not common sense to the average user, and frankly I wouldn't expect the average user to remember or know all of this stuff all of the time unless we tested computer users like we did drivers, and even that has gaping holes.

  2. Windows and vulnerabilities by Epsillon · Score: 4, Informative

    I know what you're thinking, mods. But it isn't just another "don't use Windows" post. TFA seems to concentrate on the dominant OS, so I will do the same.

    I remember talking someone through setting up Tiscali broadband a few years ago using a Speedtouch and the Tiscali CD. His brand new, shiny Windows XP machine became infected over the connection in under 4 minutes. It's a classic catch-22 situation: You can't update your OS without a connection and you can't go online safely until you've updated your OS.

    How about this: Virtualisation is a reality on most machines nowadays. Why doesn't MS use this technology to set up a simple one-time VM to connect and download from a single SSL connection, the public key of which is compiled into the VM, ignoring all other traffic with the single focus of fetching the patches for the worst vulnerabilities, those which have remote exploits? If this were mandatory before enabling the general TCP/IP stack for WAN connections, Joe Sixpack wouldn't be participating in quite so many botnets. Hello! New connection not in my private address checklist. Disable TCP/IP and get the updates before releasing the user to the big, bad Internet. Please wait whilst I sort my ragged arse out and stop you from becoming another statistic...

    Or have I simply made the problem too simplistic in my own mind? It seems to me that a single connection from a single port over SSL with no intermediate DNS or man-in-the-middle stages makes sense, even more so if part of the download is the MD5 hash of the update image and the VM rejects any image not matching that.

    Bear in mind that the above idea works only for machines using a direct non-RFC1918 or draft-manning address for Internet connections. Those using routers should already be protected from the worst culprits, attack vectors which utilise services running by default, as these usually cannot traverse NAPT, but the feature should include the option to enable manual initialisation over such connections.

    Too simple?

    --
    Resistance is futile. Reactance buggers it up.
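The quarantined first-boot update that the comment above sketches, written out as an added example (not code from the thread or from any vendor): the update host, image and manifest hash are constructed, the "download" is a stand-in for the pinned single-host TLS fetch, and the image is checked with SHA-256 rather than the MD5 the comment mentions.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field

# Constructed sample update image and the digest its manifest would carry.
UPDATE_IMAGE = b"patch-bundle-v1: close remotely reachable service hole\n" * 4
MANIFEST_HASH = hashlib.sha256(UPDATE_IMAGE).hexdigest()
UPDATE_HOST = "update.example.invalid"  # hypothetical pinned update host


def needs_quarantine(local_addr: str) -> bool:
    """Only a directly exposed (non-RFC1918) address must take the quarantined
    path; a NAPT-ed private address would get the optional manual run."""
    return not ipaddress.ip_address(local_addr).is_private


@dataclass
class Quarantine:
    """Toy network policy: while active, only the pinned update host on 443 is
    reachable; every other flow is dropped and logged."""
    active: bool = True
    log: list = field(default_factory=list)

    def allow(self, host: str, port: int) -> bool:
        if not self.active:
            return True
        ok = host == UPDATE_HOST and port == 443
        self.log.append(("allow" if ok else "drop", host, port))
        return ok


def image_matches(image: bytes, expected_hex: str) -> bool:
    """Constant-time compare of the image digest against the manifest value."""
    return hmac.compare_digest(hashlib.sha256(image).hexdigest(), expected_hex)


def bootstrap(q: Quarantine, fetch) -> bool:
    """Fetch (manifest_hash, image) over the single permitted channel and lift
    the quarantine only if the image verifies; on mismatch stay quarantined."""
    if not q.allow(UPDATE_HOST, 443):
        raise RuntimeError("update channel blocked by policy")
    expected_hex, image = fetch(UPDATE_HOST)
    if not image_matches(image, expected_hex):
        return False
    q.active = False
    return True


def good_fetch(host):      # constructed stand-in for the pinned-TLS download
    return MANIFEST_HASH, UPDATE_IMAGE


def tampered_fetch(host):  # altered image with the original digest: rejected
    return MANIFEST_HASH, UPDATE_IMAGE.replace(b"close", b"widen")
```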