Re: Modified draft 9

Erik Guttman <Erik.Guttman@Sun.COM> Thu, 15 October 1998 07:56 UTC

Sender: erikg@Sun.COM
Message-ID: <3625AB51.8F9D953C@sun.com>
Date: Thu, 15 Oct 1998 09:59:13 +0200
From: Erik Guttman <Erik.Guttman@Sun.COM>
Reply-To: Erik.Guttman@Sun.COM
Organization: Sun Microsystems
X-Mailer: Mozilla 4.05 [en] (X11; I; SunOS 5.5.1 sun4m)
MIME-Version: 1.0
To: Lorna Forey <lorna@singnet.com.sg>, ssh@cert.org
Subject: Re: Modified draft 9
References: <Pine.3.89.9810151236.A20926-h200000@mallow.singnet.com.sg>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Lorna Forey wrote:
> 
> hi all,
> 
> I've just gone through the document and have listed my comments below.
> I've incorporated some of Erik's comments and made a few other changes.

Awesome!

> In my comments below, changes I have ALREADY made to the (attached)
> document are marked with ^^^.  The ones I am unsure of are put across as
> questions.  Please provide the answers.

Will do.

> 
> There are also a few typographical errors which I've corrected but have
> not listed below.
> 

Sounds like we're cruising in for a landing.

Erik

> thanks,
> 
> Lorna  :)
> 
> ---------------------------------------------------------------------
> 
>    The Users' Security Handbook is the companion to the Site Security
>    Handbook (SSH).  It is intended to provide users with the information
>    they need to keep their networks and systems secure.
> 
> Should we rather say: "to help keep their networks" ?
> 

I like the current formulation.  We mostly talk about system issues not
purely 'network' practices.  For instance, what do screensavers and 
virus checkers have to do with networks?

> ------------------------------------------------------------------------
> 
>    A glossary of terms is included in an appendix at the end of the
>    document introducing computer network security notions to those not
>    familiar with them.
> 
> ...at the end of this document, introducing...
>                  ^^^^         ^

OK.

> 
> ------------------------------------------------------------------------
> 
>    policy created by the decision makers
> 
> policy created by the decision-makers
>                               ^
> 

Hmm.  I'd go without the hyphen.

> ------------------------------------------------------------------------
> 
>    users can and cannot do, what to do when problems arise and who to
>    contact
> 
> ...users can and cannot do, what to do and who to contact when
> problems arise...
> 
> This sounds better to me, but changes the meaning slightly if it was
> really meant to be saying "what to do when problems arise and who to
> contact (at any time)"  rather than "what to do when problems arise and
> who to contact when problems arise".  So, which one do we really mean?
> 

I like your text better too.

> ------------------------------------------------------------------------
> 
>    However, an increasing number of products allow this to be done
>    without fancy hardware, using cryptographic techniques.
> 
> However, an increasing number of products allow for this to be done
>                                                 ^^^
> 

Hard call.  Probably 'enable' is better than 'allow' or 'allow for' 
since we're talking about capability not permission.  IMO, the sense
of the sentence is clear in any formulation though.  So this is really 
a question of style.

> ------------------------------------------------------------------------
> 
>     - Do not panic.  Consult your security point-of-contact if possible
>       before spreading alarm.
> 
> Consult your security point-of-contact, if possible, before ....
>                                       ^            ^

Yes.

> 
> ------------------------------------------------------------------------
> 
>    It is possible that a web page will appear to be genuine, but is, in
>    fact, a forgery.  It is easy to copy the appearance of a genuine web
>    page and possible to subvert the network protocols which contact the
>    desired web server, to misdirect a web browser to an imposter.
> 
>    That threat may be guarded against using SSL to verify if a web page
>    is genuine.  When a 'secure' page has been downloaded, the web
>    browser's 'lock' or 'key' will indicate so.  It is good to double-
>    check this:  View the 'certificate' associated with the web page you
>    have accessed.  Each web browser has a different way to do this.  The
>    certificate will list the certificate's owner and who issued it.  If
>    these look trustworthy, you are probably OK.
> 
> Should we lose the paragraph separator (ie. blank line) and make these
> two paragraphs one paragraph instead?
> 

I don't think so.  The first paragraph introduces the threat.  The
second shows how to mitigate it.  Merging them reduces the impact
of the threat statement, IMO.

> ------------------------------------------------------------------------
> 
>       A user has an account with a private Internet Service Provider and
>       wishes to receive all her mail there.  She sets it up so that her
>       Email at work is forwarded to her private address.  All the mail
>       she would receive at work then moves across the Internet until it
>       reaches her private account. All along the way, the Email is
>       vulnerable to being read.  A sensitive Email message sent to her
>       at work could be read by a network snoop at any of the many stops
>       along the way the Email takes.
> 
> Should the "she"'s be "he"'s instead?  I mean, the generic "he"....

You mean the generic "she", right? ;-)

It's fairly common in all sorts of writing to find this used.  It does
two things:  It's a little cold water in the face of the reader, keeping
them alert to the point by being slightly different than expected.  It
also elevates the text a little by being a little PC, a little now, 
a little je ne sais quoi.

> 
> Also, for consistency, should all "mail" be changed to "Email"?
> 
> ------------------------------------------------------------------------
> 
>    Many mail programs allow files to be included in mail messages.  The
>    files which come by mail are files like any other.  Any way in which
>    a file can find its way onto a computer is possibly dangerous.
> 
> (Again,) should "mail" be changed to "Email"?
> 

Email.

We should be consistent and call Email Email in the text, even though other
names could be used. 

> I'm pointing this out because as I read it, the "tone" of the document
> seems to change as we move from the previous paragraph to this --- it's
> all "Email" in the paragraph before, and then all "mail" in this one.
> 
> ------------------------------------------------------------------------
> 
>    what the correct procedures are to stay virus free.
> 
>  what the correct procedures are to stay virus-free.
>                                               ^

I'm partial to the unhyphened form.

> 
> ------------------------------------------------------------------------
> 
>    You should report it if a virus detection tool
> 
> You should report it if a virus-detection tool
>                                ^

Ditto.

> 
> ------------------------------------------------------------------------
> 
>    verify its presence using a virus detection tool
> 
> verify its presence using a virus-detection tool
>                                  ^

Ibid.

> 
> ------------------------------------------------------------------------
> 
>       These include files which only you should have access to, but
>       which are available to anyone with system administrator
> 
> These include files which only you should have access to, but
> which are also available to anyone with system administrator
>           ^^^^
> 

I agree.

> ------------------------------------------------------------------------
> 
>    Most maintenance work will require special privileges which end-users
>    are not given.  Users should guard the use of their accounts, and
>    keep them for their own use.  Accounts should not be shared, not even
>    temporarily with a maintenance staff or administrator.  Systems
>    administrators will have their own accounts to work with and will not
>    need to access a system via an end-user's account.
> 
> Should the sentences be moved around as follows?
> 
> Users should guard the use of their accounts, and keep them for their own
> use.  Accounts should not be shared, not even temporarily with a
> maintenance staff or administrator.  Most maintenance work will require
> special privileges which end-users are not given.  Systems administrators
> will have their own accounts to work with and will not need to access a
> system via an end-user's account.
> 

I like the new text more.

> ------------------------------------------------------------------------
> 
>     - Consider how private your data and Email need to be.  Have you
>       invested in privacy software and learned how to use it yet?
> 
> - Consider how private your data and Email need to be.  Have you
>   invested in privacy software and learned to use it yet?
>                                           ^

Hmm.  "Learned to use it" sounds kind of moralistic, Victorian.  I
like "Learned how to use it" since this means do you know how it works
not that you know what's better for you.

> 
> ------------------------------------------------------------------------
> 
>     Also, install updates of these tools regularly and keep yourself
>     informed with new virus threats.
> 
> Also, install updates of these tools regularly and keep yourself
> informed of new virus threats.
>          ^^

Yes.

> 
> ------------------------------------------------------------------------
> 
>    It is very important to test your computer if you have been using
>    shared software of dubious origin, other people's used floppy disks
>    to transfer files, and so on.
> 
> It is very important to test your computer if you have been using
> shared software of dubious origin, someone else's used floppy disks
>                                    ^^^^^^^^^^^^^^
> 
> "someone else's" sounds better to me than "other people's".....

Yes.

> 
> ------------------------------------------------------------------------
> 
>    Remember to be careful with saved mail.  Copies of sent or received
>    mail (or indeed any file at all) placed in storage provided by an
>    Internet service provider may be vulnerable.  The risk is that
>    someone might break into the account and read the old mail.  Keep
>    your mail files, indeed any sensitive files, on your home machine.
> 
> Should we change "mail" to "Email"?

Yes.

> 
> ------------------------------------------------------------------------
> 
>    There are four very important things to keep in mind as far as the
>    security implications of running services on a home computer are
>    concerned. First and most important,
> 
>     - If a server is not properly configured, it is very vulnerable to
>       being attacked over a network.  It is vital, if you run services,
>       to be familiar with the proper configuration.  This is often not
>       easy, and may require training or technical expertise.
> 
> Should we move "First and most important" to the start of point #1?

No.  You can't say First and most important there are four very important
things...  And the first thing on the list *is* first and most important...

> 
> ------------------------------------------------------------------------
> 
>     - Some servers start up without any warning.  There have been web
>       browsers and telnet clients in common use which automatically
>       start FTP servers if not explicitly configured to not do so.
> 
> I think the original text is not clear.  Is the following better?
> 
> - Some servers start up without any warning.  There are some
>   web browsers and telnet clients which automatically start FTP
>   if not explicitly configured to not do so.

OK.

> 
> ------------------------------------------------------------------------
> 
> Glossary:       Auditing Tools
> 
>         Should we remove the COPS and SATAN definition?

Nah, leave 'em, I say.

> 
> ------------------------------------------------------------------------
> 
> Glossary:        Configuring Network Services
> 
>       The part of an administrator's task that is related to specifying
>       the conditions and details of network services that govern the
>       service provision.  In regard to a Web server, this includes which
>       Web pages are available to whom and what kind of information is
>       logged to review the use of the Web server.
> 
> Should "In regard to a Web browser" be "With regard to a Web browser"
> instead?

OK, but I'm ambivalent here.

> 
> ------------------------------------------------------------------------

Erik