Re: Modified draft 9

[Barbara Fraser <byf123@ibm.net>]

Hi Lorna,

Here are my votes on your questions. They're later than planned so if
you've already firmed up a final -10 draft, just ignore them. I'm looking
forward to draft -10 as I'm sure everyone else is. I'm working at my
sister's house over the next week or so and she's reviewing the document
from a user's point of view. I'll pass along her thoughts later today.

Barb


>
>   The Users' Security Handbook is the companion to the Site Security
>   Handbook (SSH).  It is intended to provide users with the information
>   they need to keep their networks and systems secure.
>
>Should we rather say: "to help keep their networks" ?

yes, just insert "help"

>
>------------------------------------------------------------------------
>
>   A glossary of terms is included in an appendix at the end of the
>   document introducing computer network security notions to those not
>   familiar with them.
>
>...at the end of this document, introducing...

yes


>------------------------------------------------------------------------
>
>   policy created by the decision makers
>
>policy created by the decision-makers
>                              ^

There were several two word phrases that you suggested hyphenating. I'm not
sure all of them are correct so I've asked one of our editors to review
them. I'll pass along her comments when  get them. I think, here, decision
makers is correct without the hyphen.

>
>------------------------------------------------------------------------
>
>   users can and cannot do, what to do when problems arise and who to
>   contact
>
>...users can and cannot do, what to do and who to contact when 
>problems arise...
>

yes.


>
>------------------------------------------------------------------------
>
>   However, an increasing number of products allow this to be done
>   without fancy hardware, using cryptographic techniques. 
>
>However, an increasing number of products allow for this to be done
>                                                ^^^ 

yes

>
>------------------------------------------------------------------------
>
>    - Do not panic.  Consult your security point-of-contact if possible
>      before spreading alarm.
>
>Consult your security point-of-contact, if possible, before ....
>				      ^            ^
>

yes

>------------------------------------------------------------------------
>
>   It is possible that a web page will appear to be genuine, but is, in
>   fact, a forgery.  It is easy to copy the appearance of a genuine web
>   page and possible to subvert the network protocols which contact the
>   desired web server, to misdirect a web browser to an imposter.
>
>   That threat may be guarded against using SSL to verify if a web page
>   is genuine.  When a 'secure' page has been downloaded, the web
>   browser's 'lock' or 'key' will indicate so.  It is good to double-
>   check this:  View the 'certificate' associated with the web page you
>   have accessed.  Each web browser has a different way to do this.  The
>   certificate will list the certificate's owner and who issued it.  If
>   these look trustworthy, you are probably OK.
>
>
>Should we lose the paragraph separator (ie. blank line) and make these
>two paragraphs one paragraph instead?
>
no, keep the separation. 

>------------------------------------------------------------------------
>
>      A user has an account with a private Internet Service Provider and
>      wishes to receive all her mail there.  She sets it up so that her
>      Email at work is forwarded to her private address.  All the mail
>      she would receive at work then moves across the Internet until it
>      reaches her private account. All along the way, the Email is
>      vulnerable to being read.  A sensitive Email message sent to her
>      at work could be read by a network snoop at any of the many stops
>      along the way the Email takes.
>
>
>Should the "she"'s be "he"'s instead?  I mean, the generic "he"....  

Either she or he can be used generically. Just be consistent throughout the
document.

>
>Also, for consistency, should all "mail" be changed to "Email"?

yes, and check entire document for consistency. Perhaps "email" would be
better than the capitalized form.


>   what the correct procedures are to stay virus free.
>
> what the correct procedures are to stay virus-free.
>                                              ^
>

Again, I'm checking on the proper form.


>------------------------------------------------------------------------
>
>   You should report it if a virus detection tool
>
>You should report it if a virus-detection tool
>                               ^
>
>------------------------------------------------------------------------
>
>   verify its presence using a virus detection tool
>
>verify its presence using a virus-detection tool
>                                 ^
>

Checking this one too.

>------------------------------------------------------------------------
>
>      These include files which only you should have access to, but
>      which are available to anyone with system administrator
>
>These include files which only you should have access to, but
>which are also available to anyone with system administrator
>          ^^^^

yes, but change the first "which" to "that": "These include files that
only..."

>
>------------------------------------------------------------------------
>
>   Most maintenance work will require special privileges which end-users
>   are not given.  Users should guard the use of their accounts, and
>   keep them for their own use.  Accounts should not be shared, not even
>   temporarily with a maintenance staff or administrator.  Systems
>   administrators will have their own accounts to work with and will not
>   need to access a system via an end-user's account.
>
>Should the sentences be moved around as follows?

No

The term "maintenance staff" sounds funny to me and sounds like you're
referencing the cleaning personnel. Suggest changing 2-4 sentences to the
following:

Users should carefully protect their accounts. Accounts should not be
shared with anyone, including system administrators or other staff
performing maintenance tasks. Such staff members will have their own
accounts and do not need to access computer systems via an end-user's
account. 

>------------------------------------------------------------------------
>
>    - Consider how private your data and Email need to be.  Have you
>      invested in privacy software and learned how to use it yet?
>
>- Consider how private your data and Email need to be.  Have you
>  invested in privacy software and learned to use it yet?
>                                          ^
>

yes

>------------------------------------------------------------------------
>
>    Also, install updates of these tools regularly and keep yourself
>    informed with new virus threats.
>
>Also, install updates of these tools regularly and keep yourself
>informed of new virus threats.
>         ^^
>
yes

>------------------------------------------------------------------------
>
>
>   It is very important to test your computer if you have been using
>   shared software of dubious origin, other people's used floppy disks
>   to transfer files, and so on.
>
>It is very important to test your computer if you have been using
>shared software of dubious origin, someone else's used floppy disks
>				   ^^^^^^^^^^^^^^
>
>"someone else's" sounds better to me than "other people's".....

yes

>
>
>------------------------------------------------------------------------
>
>   There are four very important things to keep in mind as far as the
>   security implications of running services on a home computer are
>   concerned. First and most important,
>
>    - If a server is not properly configured, it is very vulnerable to
>      being attacked over a network.  It is vital, if you run services,
>      to be familiar with the proper configuration.  This is often not
>      easy, and may require training or technical expertise.
>
>
>Should we move "First and most important" to the start of point #1?

yes

>
>------------------------------------------------------------------------
>
>    - Some servers start up without any warning.  There have been web
>      browsers and telnet clients in common use which automatically
>      start FTP servers if not explicitly configured to not do so.  
>
>
>I think the original text is not clear.  Is the following better?
>
>- Some servers start up without any warning.  There are some 
>  web browsers and telnet clients which automatically start FTP 
>  if not explicitly configured to not do so.  

I wasn't aware that some web "browsers" will automatically start up an FTP
server. Is this true? At any rate, I'd suggest the following wording

Some servers start up without any warning. For example, some web browers
and telnet clients automatically start an FTP server unless the user has
modified the default configuration to explicitly turn it off.

>
>------------------------------------------------------------------------
>
>Glossary:	Auditing Tools
>
>	Should we remove the COPS and SATAN definition?

Yes


>
>------------------------------------------------------------------------
>
>Glossary:	Configuring Network Services
>
>      The part of an administrator's task that is related to specifying
>      the conditions and details of network services that govern the
>      service provision.  In regard to a Web server, this includes which
>      Web pages are available to whom and what kind of information is
>      logged to review the use of the Web server.
>
>Should "In regard to a Web browser" be "With regard to a Web browser"
>instead?

yes,  and here's another nit suggestion: "...to whom and what kind of
information is logged for later review purposes"