On Tue, 1 Mar 2005 20:00:28 -0500, Dave Watts <[EMAIL PROTECTED]> wrote:

> > Even "normal" home users are aware of the need for firewall
> > (and av) software. A $40 dsl/cable/etc router contains a
> > decent enough firewall to protect a MS-SQL server behind it
> > with no more work than plugging it in and turning it on.
> 
> Sure, that's one thing. So Joe Home User goes out and buys a $50 wireless
> router which blocks external access, but allows internal access to other
> machines connecting through WiFi. He plugs it into his cable modem and he's
> all set, until his next-door neighbor infects his machine by connecting to it
> through the open-by-default wireless connection! D'oh! I guess he's just an
> idiot, because he doesn't know how TCP/IP works. Too bad he installed Visio
> Enterprise so he could work on flow charts at home. How could anyone be so
> dumb?

If someone's installing Visio Enterprise to "work on flowcharts at
home", they probably got it from work. Licensing issues aside (since
we'll assume they're good there), their home box gets hosed. PITA,
but not much impact on the business. If it's a work laptop, then their
security officer/sysadmin should be having a discussion with them
about a number of aspects relating to security. Even if they're
running WPA at home, they're potentially screwed as soon as they hit
the coffee shop's open router to get some work done while they're on a
business trip. Or as soon as they VPN into the office with their
infected box...

How is this any different than the corporate education about opening
attachments (bad) and phishing (bad)? Most people, I'd put forth, *do*
know that the internet isn't all that safe and they should be running
a firewall. WinXP SP2 finally has it built in, for gosh sakes.
 
> I've got news for you. Most people don't know how TCP/IP works. And if they
> have to know that in order to use a PC, something is radically wrong with
> PCs.

Why would they have to know how TCP/IP works? Do they have to know how
VBScript and ActiveX work to be aware that they should be running
antivirus software? Or do they just need to be aware of the risk?
 
> Who said anything about developers? Again, there are plenty of applications
> with vulnerabilities, and these may be run by people other than developers.
> Oh, and that list of apps that use MSDE is woefully incomplete, by the way.
> I've worked with several applications that (a) aren't on the list and (b)
> install MSDE without notifying the user.

It's fair that that's an incomplete list. I'd venture that there isn't
one single list of every commercial app running MSDE.
 
> > The assumption that "I didn't know" is an acceptable excuse
> > relating to security, whether it's configuration (e.g.
> > firewall settings) or code (e.g. SQL injection
> > vulnerabilities) is a key reason why people get cracked. And
> > frankly, I care less about someone with poor security getting
> > hacked (something along the lines of "getting what you
> > deserve") than what their zombie server can do to my sites or
> > one of the sites I count on -- or about the consequences of
> > the use/misuse of my data they're storing.
> 
> If I leave my front door open and someone walks in and bops me on the head,
> did I get what I deserve? Why is this any different?

Actually, I think the answer to your question is yes, you did have
something happen to you that was completely avoidable and probably
deserve it. You chose to keep your door open when there's a high
likelihood of attack (we're comparing to the security of the internet,
remember). I think the analogy is more akin to having homeowners'
insurance: sure, odds are low your house will burn down, but when it
does (or, speaking to more personal experience, when trees split your
roof in two consecutive hurricanes) you're going to feel pretty good
you took some basic precautions. No one hopes to use their insurance,
but nearly everyone gets it -- it's just what you do (or, in the case
of a mortgage, are required to do) to mitigate your risk. Same with
antivirus, same with a basic firewall.

-- 
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]
