On Tue, Dec 2, 2008 at 11:29 AM, Elazar Broad <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 02 Dec 2008 11:50:46 -0500 rholgstad <[EMAIL PROTECTED]> wrote:
>> Mike C wrote:
>>> On Mon, Dec 1, 2008 at 5:27 PM, rholgstad <[EMAIL PROTECTED]> wrote:
>>>
>>>> and how does making a color based on these inputs protect people?
>>>
>>> Once all desktops have an icon or widget (say at the right hand
>>> corner) with the color, and this is consistently seen everywhere, the
>>> users will start associating with their online security. they will be
>>> reminded that they have to be careful with the data they share.
>>>
>>> This, if implemented correctly will be a boon to security industry,
>>> where the weakest links currently are 'n00b' users.
>>
>> you are joking right?
>>
>> So some widget is going to stop the next SMB remote or IE client side
>> and protect the 'n00b' users? Please explain how this works. Also please
>> explain how "they will be reminded that they have to be careful with the
>> data they share. " has anything to do with protecting a user's machine
>> from being compromised.
>
> That's the whole point. There is a fine line between using visual
> alerts to put people (Joe six pack) into a state of "awareness" (more
> like mild hysteria) of a threat versus knowing how to protect
> oneself against that threat and using that awareness indicator as
> the kick in the ass to get moving and shore up the defenses (hell,
> how many security folk do this too, then again, every time
> something goes bump we see red). Visual alerts are great at
> persuasion tools, especially when the goal is to get Joe to buy
> your latest all-in-one-will-make-your-coffee-and-buy-you-beer
> AV/Malware/Spyware/Foo (what's this doing here?)/evil monkey in the
> closet package. So of course, Joe will never learn how to properly
> defend his computer/data, and the "industry" will prosper.
>
I don't think it is a lost battle. This method could prove an excellent way to solve this age old problem.

> Now, thanks to our good friends over at the DHS, the color system
> has turned into a complete and utter joke (for the most part), so my
> friend, you see, this is a complete exercise in futility (besides the
> fact that every friggin AV/IDS/Security/SIM company out there has
> red, yellow and green as their corporate "flag", if you are just
> joining the party, then you can completely ignore this)

DHS implementation leaves a lot to be desired. Please do not compare this to DHS's implementation.

> If you really want to change state of security for the n00bs,
> spread the knowledge, not the colors.

That's what project Chroma is all about.. Are you on board?!

--
MC
Security Researcher
Lead, Project Chroma
http://sites.google.com/site/projectchromaproject/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/