Doug Franklin mused:
>
> As with any security-related endeavor, though, a multilayer defense is
> the only way to go. That includes the people. The weakest links in
> the vast majority of security chains are the people. The computers
> themselves can be (but usually aren't) made arbitrarily secure, until
> you give people access to them. That said, the layers in my defense
> system are:
>
> I. Technical
> A. My ISP scans email for viruses
Check
> B. My computers are isolated from the Internet connection with
> a firewall that implements NAT and blocks virtually all
> incoming TCP and UDP ports
Check
> C. My computers scan all files for viruses with two scanners
Check
> D. HTML email goes straight to the bit bucket
.. or, at least, gets filtered and quarantined
> E. Any email attachments that I'm not expecting go straight to
> the bit bucket
See (D) above
> F. I do spyware scans about twice a month with three different
> scanners ... i've only ever gotten one spyware, and that was
> from a Broderbund commercial product
Not that often, simply because I've never been infected
> G. I check for OS updates at least weekly
Check
> H. My firewall and anti-virus software look for updates daily
Check
> I. My computers have a software firewall running on them that
> blocks all outgoing traffic on a per-application basis
Check
Add to that:
J. I don't read email on a Windows system. Although I'm sitting
in front of a Windows machine, I'm logged in (over a secure
link) to a Unix box, which is where I actually read mail.
K. I don't read email from an account with enhanced privileges.
So even if I were to run across a malicious virus targetting
a BSD or Debian platform, it wouldn't be able to do anything
to the system software.
L. I run additional scanning and filtering software via procmail
on the Unix box, so any viruses that do get as far as the MUA
still don't make it to my inbox.
This is why HTML in email is a bad idea; not everybody reads email
using a whizz-bang graphical interface. My connection to those Unix
systems is text-only, but works just fine for email and newsgroups.
I'm using a smart virtual terminal, so I can easily follow a URL link
if I want to (by a pop-up menu), but only if I explicitly choose to.
(Don't even suggest using an X-windows graphical browser for email.
Although SSH-tunneling removes a number of the glaringly obvious
loopholes, the X Windows System is riddled with security nightmares)
