Modified draft 9
Lorna Forey <lorna@singnet.com.sg> Thu, 15 October 1998 05:00 UTC
Date: Thu, 15 Oct 1998 12:52:16 +0800
From: Lorna Forey <lorna@singnet.com.sg>
Subject: Modified draft 9
To: ssh@cert.org
cc: erik.guttman@sun.com
Message-ID: <Pine.3.89.9810151236.A20926-h200000@mallow.singnet.com.sg>
hi all,

I've just gone through the document and have listed my comments below. I've incorporated some of Erik's comments and made a few other changes. In my comments below, changes I have ALREADY made to the (attached) document are marked with ^^^. The ones I am unsure of are put across as questions. Please provide the answers. There are also a few typographical errors which I've corrected but have not listed below.

thanks,
Lorna :)

---------------------------------------------------------------------

The Users' Security Handbook is the companion to the Site Security Handbook (SSH). It is intended to provide users with the information they need to keep their networks and systems secure.

Should we rather say: "to help keep their networks" ?

------------------------------------------------------------------------

A glossary of terms is included in an appendix at the end of the document introducing computer network security notions to those not familiar with them.

...at the end of this document, introducing...
                   ^^^^                 ^

------------------------------------------------------------------------

policy created by the decision makers

policy created by the decision-makers
                              ^

------------------------------------------------------------------------

users can and cannot do, what to do when problems arise and who to contact

...users can and cannot do, what to do and who to contact when problems arise...

This sounds better to me, but changes the meaning slightly if it was really meant to be saying "what to do when problems arise and who to contact (at any time)" rather than "what to do when problems arise and who to contact when problems arise". So, which one do we really mean?

------------------------------------------------------------------------

However, an increasing number of products allow this to be done without fancy hardware, using cryptographic techniques.

However, an increasing number of products allow for this to be done
                                                  ^^^

------------------------------------------------------------------------

- Do not panic. Consult your security point-of-contact if possible before spreading alarm.

Consult your security point-of-contact, if possible, before ....
                                      ^            ^

------------------------------------------------------------------------

It is possible that a web page will appear to be genuine, but is, in fact, a forgery. It is easy to copy the appearance of a genuine web page and possible to subvert the network protocols which contact the desired web server, to misdirect a web browser to an imposter.

That threat may be guarded against using SSL to verify if a web page is genuine. When a 'secure' page has been downloaded, the web browser's 'lock' or 'key' will indicate so. It is good to double-check this: View the 'certificate' associated with the web page you have accessed. Each web browser has a different way to do this. The certificate will list the certificate's owner and who issued it. If these look trustworthy, you are probably OK.

Should we lose the paragraph separator (i.e. blank line) and make these two paragraphs one paragraph instead?

------------------------------------------------------------------------

A user has an account with a private Internet Service Provider and wishes to receive all her mail there. She sets it up so that her Email at work is forwarded to her private address. All the mail she would receive at work then moves across the Internet until it reaches her private account. All along the way, the Email is vulnerable to being read. A sensitive Email message sent to her at work could be read by a network snoop at any of the many stops along the way the Email takes.

Should the "she"'s be "he"'s instead? I mean, the generic "he".... Also, for consistency, should all "mail" be changed to "Email"?

------------------------------------------------------------------------

Many mail programs allow files to be included in mail messages. The files which come by mail are files like any other. Any way in which a file can find its way onto a computer is possibly dangerous.

(Again,) should "mail" be changed to "Email"? I'm pointing this out because as I read it, the "tone" of the document seems to change as we move from the previous paragraph to this --- it's all "Email" in the paragraph before, and then all "mail" in this one.

------------------------------------------------------------------------

what the correct procedures are to stay virus free.

what the correct procedures are to stay virus-free.
                                             ^

------------------------------------------------------------------------

You should report it if a virus detection tool

You should report it if a virus-detection tool
                               ^

------------------------------------------------------------------------

verify its presence using a virus detection tool

verify its presence using a virus-detection tool
                                 ^

------------------------------------------------------------------------

These include files which only you should have access to, but which are available to anyone with system administrator

These include files which only you should have access to, but which are also available to anyone with system administrator
                                                                        ^^^^

------------------------------------------------------------------------

Most maintenance work will require special privileges which end-users are not given. Users should guard the use of their accounts, and keep them for their own use. Accounts should not be shared, not even temporarily with a maintenance staff or administrator. Systems administrators will have their own accounts to work with and will not need to access a system via an end-user's account.

Should the sentences be moved around as follows?

Users should guard the use of their accounts, and keep them for their own use. Accounts should not be shared, not even temporarily with a maintenance staff or administrator. Most maintenance work will require special privileges which end-users are not given. Systems administrators will have their own accounts to work with and will not need to access a system via an end-user's account.

------------------------------------------------------------------------

- Consider how private your data and Email need to be. Have you invested in privacy software and learned how to use it yet?

- Consider how private your data and Email need to be. Have you invested in privacy software and learned to use it yet?
                                                                                                      ^

------------------------------------------------------------------------

Also, install updates of these tools regularly and keep yourself informed with new virus threats.

Also, install updates of these tools regularly and keep yourself informed of new virus threats.
                                                                          ^^

------------------------------------------------------------------------

It is very important to test your computer if you have been using shared software of dubious origin, other people's used floppy disks to transfer files, and so on.

It is very important to test your computer if you have been using shared software of dubious origin, someone else's used floppy disks
                                                                                                     ^^^^^^^^^^^^^^

"someone else's" sounds better to me than "other people's".....

------------------------------------------------------------------------

Remember to be careful with saved mail. Copies of sent or received mail (or indeed any file at all) placed in storage provided by an Internet service provider may be vulnerable. The risk is that someone might break into the account and read the old mail. Keep your mail files, indeed any sensitive files, on your home machine.

Should we change "mail" to "Email"?

------------------------------------------------------------------------

There are four very important things to keep in mind as far as the security implications of running services on a home computer are concerned. First and most important,

- If a server is not properly configured, it is very vulnerable to being attacked over a network. It is vital, if you run services, to be familiar with the proper configuration. This is often not easy, and may require training or technical expertise.

Should we move "First and most important" to the start of point #1?

------------------------------------------------------------------------

- Some servers start up without any warning. There have been web browsers and telnet clients in common use which automatically start FTP servers if not explicitly configured to not do so.

I think the original text is not clear. Is the following better?

- Some servers start up without any warning. There are some web browsers and telnet clients which automatically start FTP if not explicitly configured to not do so.

------------------------------------------------------------------------

Glossary: Auditing Tools

Should we remove the COPS and SATAN definition?

------------------------------------------------------------------------

Glossary: Configuring Network Services

The part of an administrator's task that is related to specifying the conditions and details of network services that govern the service provision. In regard to a Web server, this includes which Web pages are available to whom and what kind of information is logged to review the use of the Web server.

Should "In regard to a Web browser" be "With regard to a Web browser" instead?

------------------------------------------------------------------------