Modified draft 9

[Lorna Forey <lorna@singnet.com.sg>]

hi all,

I've just gone through the document and have listed my comments below. 
I've incorporated some of Erik's comments and made a few other changes. 
In my comments below, changes I have ALREADY made to the (attached)
document are markd with ^^^.  The ones I am unsure of are put across as
questions.  Please provide the answers.

There are also a few typographical errors which I've corrected but have
not listed below.

thanks,

Lorna  :)

---------------------------------------------------------------------

   The Users' Security Handbook is the companion to the Site Security
   Handbook (SSH).  It is intended to provide users with the information
   they need to keep their networks and systems secure.

Should we rather say: "to help keep their networks" ?

------------------------------------------------------------------------

   A glossary of terms is included in an appendix at the end of the
   document introducing computer network security notions to those not
   familiar with them.

...at the end of this document, introducing...
                 ^^^^         ^

------------------------------------------------------------------------

   policy created by the decision makers

policy created by the decision-makers
                              ^

------------------------------------------------------------------------

   users can and cannot do, what to do when problems arise and who to
   contact

...users can and cannot do, what to do and who to contact when 
problems arise...

This sounds better to me, but changes the meaning slightly if it was
really meant to be saying "what to do when problems arise and who to
contact (at any time)"  rather than "what to do when problems arise and
who to contact when problems arise".  So, which one do we really mean?


------------------------------------------------------------------------

   However, an increasing number of products allow this to be done
   without fancy hardware, using cryptographic techniques. 

However, an increasing number of products allow for this to be done
                                                ^^^ 

------------------------------------------------------------------------

    - Do not panic.  Consult your security point-of-contact if possible
      before spreading alarm.

Consult your security point-of-contact, if possible, before ....
				      ^            ^

------------------------------------------------------------------------

   It is possible that a web page will appear to be genuine, but is, in
   fact, a forgery.  It is easy to copy the appearance of a genuine web
   page and possible to subvert the network protocols which contact the
   desired web server, to misdirect a web browser to an imposter.

   That threat may be guarded against using SSL to verify if a web page
   is genuine.  When a 'secure' page has been downloaded, the web
   browser's 'lock' or 'key' will indicate so.  It is good to double-
   check this:  View the 'certificate' associated with the web page you
   have accessed.  Each web browser has a different way to do this.  The
   certificate will list the certificate's owner and who issued it.  If
   these look trustworthy, you are probably OK.


Should we lose the paragraph separator (ie. blank line) and make these
two paragraphs one paragraph instead?

------------------------------------------------------------------------

      A user has an account with a private Internet Service Provider and
      wishes to receive all her mail there.  She sets it up so that her
      Email at work is forwarded to her private address.  All the mail
      she would receive at work then moves across the Internet until it
      reaches her private account. All along the way, the Email is
      vulnerable to being read.  A sensitive Email message sent to her
      at work could be read by a network snoop at any of the many stops
      along the way the Email takes.


Should the "she"'s be "he"'s instead?  I mean, the generic "he"....  

Also, for consistency, should all "mail" be changed to "Email"?

------------------------------------------------------------------------

   Many mail programs allow files to be included in mail messages.  The
   files which come by mail are files like any other.  Any way in which
   a file can find its way onto a computer is possibly dangerous. 

(Again,) should "mail" be changed to "Email"?

I'm pointing this out because as I read it, the "tone" of the document
seems to change as we move from the previous paragraph to this --- it's
all "Email" in the paragraph before, and then all "mail" in this one.

------------------------------------------------------------------------

   what the correct procedures are to stay virus free.

 what the correct procedures are to stay virus-free.
                                              ^

------------------------------------------------------------------------

   You should report it if a virus detection tool

You should report it if a virus-detection tool
                               ^

------------------------------------------------------------------------

   verify its presence using a virus detection tool

verify its presence using a virus-detection tool
                                 ^

------------------------------------------------------------------------

      These include files which only you should have access to, but
      which are available to anyone with system administrator

These include files which only you should have access to, but
which are also available to anyone with system administrator
          ^^^^

------------------------------------------------------------------------

   Most maintenance work will require special privileges which end-users
   are not given.  Users should guard the use of their accounts, and
   keep them for their own use.  Accounts should not be shared, not even
   temporarily with a maintenance staff or administrator.  Systems
   administrators will have their own accounts to work with and will not
   need to access a system via an end-user's account.

Should the sentences be moved around as follows?

Users should guard the use of their accounts, and keep them for their own
use.  Accounts should not be shared, not even temporarily with a 
maintenance staff or administrator.  Most maintenance work will require 
special privileges which end-users are not given.  Systems administrators
will have their own accounts to work with and will not need to access a
system via an end-user's account.

------------------------------------------------------------------------

    - Consider how private your data and Email need to be.  Have you
      invested in privacy software and learned how to use it yet?

- Consider how private your data and Email need to be.  Have you
  invested in privacy software and learned to use it yet?
                                          ^

------------------------------------------------------------------------

    Also, install updates of these tools regularly and keep yourself
    informed with new virus threats.

Also, install updates of these tools regularly and keep yourself
informed of new virus threats.
         ^^

------------------------------------------------------------------------


   It is very important to test your computer if you have been using
   shared software of dubious origin, other people's used floppy disks
   to transfer files, and so on.

It is very important to test your computer if you have been using
shared software of dubious origin, someone else's used floppy disks
				   ^^^^^^^^^^^^^^

"someone else's" sounds better to me than "other people's".....

------------------------------------------------------------------------

   Remember to be careful with saved mail.  Copies of sent or received
   mail (or indeed any file at all) placed in storage provided by an
   Internet service provider may be vulnerable.  The risk is that
   someone might break into the account and read the old mail.  Keep
   your mail files, indeed any sensitive files, on your home machine.


Should we change "mail" to "Email"?

------------------------------------------------------------------------

   There are four very important things to keep in mind as far as the
   security implications of running services on a home computer are
   concerned. First and most important,

    - If a server is not properly configured, it is very vulnerable to
      being attacked over a network.  It is vital, if you run services,
      to be familiar with the proper configuration.  This is often not
      easy, and may require training or technical expertise.


Should we move "First and most important" to the start of point #1?

------------------------------------------------------------------------

    - Some servers start up without any warning.  There have been web
      browsers and telnet clients in common use which automatically
      start FTP servers if not explicitly configured to not do so.  


I think the original text is not clear.  Is the following better?

- Some servers start up without any warning.  There are some 
  web browsers and telnet clients which automatically start FTP 
  if not explicitly configured to not do so.  

------------------------------------------------------------------------

Glossary:	Auditing Tools

	Should we remove the COPS and SATAN definition?

------------------------------------------------------------------------

Glossary:	 Configuring Network Services

      The part of an administrator's task that is related to specifying
      the conditions and details of network services that govern the
      service provision.  In regard to a Web server, this includes which
      Web pages are available to whom and what kind of information is
      logged to review the use of the Web server.

Should "In regard to a Web browser" be "With regard to a Web browser"
instead?

------------------------------------------------------------------------
------------------------------------------------------------------------