By that I mean, who has their home desktop locked down the way they would desktops they are looking after for a corporation?
I test most software and do other things on my computers.
So they are secure just "sometimes" if I am using them for a longer time.
(I am still in the deep learning mode) - hehe
Right now I am looking for backup solutions, eh, difficult
Yes, most definitely! I like to think my system is secure like Fort Knox but not so secure where it's unusable. Practice makes perfect. Do you Chsh? ;) Computernerd22
Quote:
By that I mean, who has their home desktop locked down the way they would desktops they are looking after for a corporation?
Hehe, I voted first, but I guess you couldn't see that. ;)
The answer is no, I don't. I have my home systems set up functional but not as secure as they could be. Well... everything except for my server, but that's not a desktop, so it's excluded from this. In fact, I'm writing this on my laptop, and it is as secure as my school sees fit, which is to say, not at all. Partly due to the fact that it's an Acer, and for some reason they won't let me install XP with NTFS, and partly due to the fact that I could still log in as administrator and do what I like.
i can't run a huge network yet, still green in that area
my home cluster is secure enough though... i don't have any valuable data like credit card numbers that could be stolen
just some saved games, maybe some pr0n, and a few projects for school
plus i'm the only 1 using my 5 computers in my room so it doesn't really matter how much security i have
but my 2 xp boxes run bitdefender professional plus 8, sp2, all updates available, firefox, ad-aware se, microsoft antispyware, etc
basics on my slackware boxes as well... but i'm starting a webserver again soon so i'll need to lock them down better
security is a big deal and overkill is never a bad thing in the business world..... but in my world it would be like arming myself with a minigun to kill the squirrels in my garden
hex
I’m confident some folks will jump right in and say “absolutely”, for a multitude of reasons. Maybe they do, or maybe they have a fairly confident feeling about their home computer security, or might not want to look bad on AO :D. They might keep it patched, have a Firewall, AV, Malware software, and the like. However, on their home computer, did they really reduce the services down to bare bones? Did they create a user account with limited privileges for themselves? Do they check their logs, strong password policy, chrooting, back ups, etc?
Quote:
who has their home desktop locked down the way they would desktops they are looking after for a corporation?
Probably not ;)
So in response to your query, nope I don’t.
You do have to love its simplicity though!
Quote:
Win98SE w/no Passwords or Policy Edits is still my favourite.
cheers
This is a yes and no situation... my home systems mostly serve for Office and a proving ground for various product ideas, most of which are security related as luck would have it.
Although security on the desktops is identical to the security in the office I run a lot of needless software (various database clients, etc) as well as software that has yet to be formally evaluated (various kernel modules, etc) both of which are typically big security no-nos.
Also since I do have a domain at home, most of the security is done at the server level and not the desktop level anyhow.
catch
Well,
I used to try to lock my home boxes down tighter than a dolphin's ass... but I've found that it's a bit overkill for no more than what I've got on them... mp3's, games and various proggies that I use for work (ironically, many security-related)... Of course, all of my important documents are backed up in various places throughout cyberspace (/me hugs his 2gB limit at gMail)...
On my XP boxes I've got Sygate firewall monitoring what's coming and going, and just cause I'm paranoid and have got the memory to spare, I let AVG run in the background...
On my *nix boxes, I just check my logs - I'm comfortable w/ the permissions and restrictions I've in place... If something seems off I'll fire up Ethereal, etc. to get to the bottom of it...
It should be noted that I and *only* I use the aforementioned boxes (or boxen? :p). I trust myself, and therefore don't have to scan for malware/viruses daily or worry about what 'unfriendly' programs may be running in the background... However, if there were 'less-than-security-conscious' people in the house, stricter security would be a must... I'm sure most AOers feel the same way...
-Wiski C.
When phrasing the question, I realised I'd be having many answers like yours, which is why I provided three "yes" ish answers, and possible reasons/explanations why. I imagine many people are in that position, and there are probably a whole raft of reasons for each possible answer.
Quote:
Originally posted here by catch
This is a yes and no situation... my home systems mostly serve for Office and a proving ground for various product ideas, most of which are security related as luck would have it.
Yeah, fair enough... I took it to mean the security policy of the system, which is as I said the same as comparable (dev stations) work systems, just my system at work isn't a dev station. :)
cheers,
catch
My system at home creates a similar answer to Catch's.... Sort of.... ;)
I don't really do anything dangerous from home and my sweetie only did _once_.... Spyware... She hasn't done it since because I locked her down a little bit more. I have a domain that she logs into and the policies are set there. Just to make things a little more difficult for her box to infect mine I don't log in as a domain workstation and nothing on the domain has any rights to my box. If I want to work on the domain I log in to the server via term services and do what I need to.
I use my work's mail sentry to pass all my incoming mail through for my personal domain so it is filtered for executables, viruses and spam there which protects sweetie.... If I want to pass an executable I rename it to .txt and it comes through just fine.
My box has two NICs, one of which is attached to a hub outside the firewall and "stealthed" but it is usually disabled unless I see the firewall getting a lot of traffic or "odd" traffic in the logs. Then I either fire up Ethereal or Snort on it out of interest's sake.
All boxes autoupdate and have AV and sweetie's box is firewalled since she is wireless using WPA/PSK, MAC filtered etc. and the WAP is placed in the basement to minimize range... Once I leave the driveway it's almost unusable.
Actually... Now I've listed it all out.... I probably am pretty close to practicing what I preach... Just without the "techno-nazi" label.... ;)
I should get a prize for this:
Two routers with hardware firewalls, nothing is in the DMZ unless someone I trust asks to use my servers....Well, my PCs with services...
This box:
My room has tripwire at the door, anyone who doesn't know (Everyone but me) should **** with my PCs, and whatever they face plant (Fan blades) usually teaches them to not come in here. I have a web cam set up watching movement, speakers turned on and a microphone so I can watch while I'm at school and tell people to get the **** out (VERY funny, I should record it, you'd be shocked how someone can pee their pants when my voice says "Move your ass out of this room or I trip the circuit breaker".)
This box dual boots Windows 98 SE so I can play the games Quake and UT and Doom, and SUSE Linux, which is locked down, running no services, all updates are installed, I have custom rule sets for the firewall (I have hardware and then each PC runs software) my encryption is set to 4096 bit, and I have custom permission.
The box next to me is there as of right now solely for Doom3
The box next to that is my server, everything is locked, same as this one except FTP and SSH are allowed, from THIS machine and my laptop unless someone needs to use it then they are allowed entrance for the time being...
My laptop dual boots XP and SUSE, XP is there for Doom at school and on the road, and SUSE is there and locked down with an encrypted file system and some other locks so if it gets stolen, they aren't getting ****. Nothing is allowed, no email is allowed to be checked with XP, and on every box I set my minimum password length to 12 chars and run password cracks every night on each box and then if it cracks one, that account is removed.
My Mom's computer runs Windows 2000, I got pissed when she installed some shitty spyware scanner which was making it crash, so I set custom permission, she can save her **** and run a few choice games, that's it.
Did any of you expect less from the BOFH?
Ahh, for the Windows installs, virii scanners and firewalls and spy protection and no IE.
If you can get in from two routers and hardware firewalls, get into the PCs which have nothing running and firewalls on each one (Meaning you have to get in past two routers, a hardware firewall, the walls on each PC, and no PCs on here share ANYTHING....)
If you can get in all that I'll give you root myself.
That photo of you in the shorts with the two funny looking girls is on the server is pretty funny..... Root please.....:)
Quote:
If you can get in all that I'll give you root myself.
I'll give you root, you couldn't do anything anyway. And that pic doesn't exist. Had you said "**** me your friends are hot and how did you get them to do that" then I would worry.
Your "hot" is my "funny looking".... :D
And your "hot" is my sale of depends. Old guy.
LOL.... My eyes still work.... :D
So with all that gore, (btw, thanks for providing a map of your defenses) you'd give me root on your boxes after I stole them all? ;)
At work, I'm forced to lock (or attempt to) everything. This is typically where I apply the Nelson-Shepherd cutoff about 10 times a day but that's another matter altogether...
At home, I play cat and mouse with my daughters (who just got their "Chix0r" t-shirts from geekstuff) so I also run a tight ship here. Instead of blue printing meh setup, let's just say for example that if you asked me about a specific type of packet with, ohhh I dunno, say an odd window size value set, I can tell you when, where and who sent it and if it had an ill effect. ;)
For the hard core geeks, I'm experimenting with IDS tuned to respond like the human body does when an infection enters. Ignore everything normal and attack everything else. I'll let you know how it goes.
Hmm gore, that seems a little overkill, considering that I, true to form use no firewalls, malware scanners, and patch my system as often as my work does (every few years if a new application requires it). As for physical security Mike and Maddie (100lbs and 70lbs American Staffordshire Terriers respectively) have that covered... in reality I think they might attempt to lick an intruder to death, but they look scary. :)
I guess I am past the "fun" phase of this field and am at the "if it ain't broke, don't fix it" phase.
cheers,
catch
hmmm..
after Gore's description I am left to shame..
when it comes to compared to work.. my home system is more secure.. (one my home ADSL modem /router has a basic hardware firewall) .. have IE security to max, set FF as default on All machines.
I have one box that is set up like how I preferred my girlfriends when I was a teenager (Insecure and easily penetrated), it lives either on the orange of the smoothy or on the red.
so in that regard I have one machine that is definitely less secure than any of my work or customers' PCs..
As for physical security.. Home wins again.. Mrs Undies don't like nor will she go near the PCs without being there.. and strangers dare not cross mrs undies (hell I dare not cross Mrs undies)..
Actually I'd give you an account if you wanted. You're one of the few I'd give it to though. I didn't list ALL defenses, though I maybe did list more than I should have :)
Quote:
Originally posted here by chsh
So with all that gore, (btw, thanks for providing a map of your defenses) you'd give me root on your boxes after I stole them all?
I just now got home from the ER. My Ankle is fuxxored and.... I got a shot of Morphine and Visterol :) And some Lortabs for tomorrow. It rocks :)
I love you all
Ich Liebe Du Alles.
Catch, remember I don't work in IT though.
Quote:
Originally posted here by catch
Hmm gore, that seems a little overkill, considering that I, true to form use no firewalls, malware scanners, and patch my system as often as my work does (every few years if a new application requires it). As for physical security Mike and Maddie (100lbs and 70lbs American Staffordshire Terriers respectively) have that covered... in reality I think they might attempt to lick an intruder to death, but they look scary. :)
I guess I am past the "fun" phase of this field and am at the "if it ain't broke, don't fix it" phase.
cheers,
catch
I work on cell phones and when it's not busy, Quake and Doom. The way I'm looking it over, if I can do this at home, it can become a habit so I don't screw up as much when I finally get into IT. I think you could agree with me there that at least, it's good practice.
LOL, Ask Horsey about my encryption ;) My key is biggers than youuuuuurs.
As for dogs they don't bother me, there are people on this Earth who can hold back the scent of fear and make it easy to get in. You could put a mountain lion at your door, and if you offered the right price I'd probably get past it.
I didn't type all this out though to make anyone feel bad, so sorry if I did, but I want to know I know how to do this properly.
Heh, now if you'll excuse me, Quake + Morphine = WOOT.
Oh, I'm not hurting much right now either hehe.
Actually, Chsh, you've given me an idea. We could set up a little war game on AO! Pooh did this before and I think it could be fun. It would be a fun discussion, and we could test who really has taken some time but not in the way it becomes a pissing match but like, set up a box to let people try to get into and if Jupiter gets involved maybe have a prize for whoever's box doesn't get owned.
See... my security is based on the concept of "What costs the least amount to implement and even more so to upkeep that will mitigate at least the minimum amount of risk this system requires?"
A wargame would be fun... but I think the rules should require that each participant completely publish every step they followed from default install to the entered configuration, if it can't survive the attacker knowing everything about it, it ain't secure.
Each system should be kept online without administrator modification for 3-6 months, if it can't survive that long without patching, it ain't secure.
Attackers should be granted access to the administrative account (u/gid:0/sid:S-1-5-21-XXXX-XXXX-XXXX-500) which should retain all of its permissions (though perhaps not its privileges) again, if the system can't survive this, it ain't secure. (can you say "rogue admin?")
Keeps it more sporting that way, not to mention an excellent educational opportunity. ;) Anything else is just a matter of what new exploit comes out first.
cheers,
catch
Unfortunately my network isn't as secure as it could be but on that same hand I don't do anything that I really need to worry about. I have one hard wired system that is locked down running its own firewall and such for any purchases or billing I have to follow. Then I have a wireless router that the only thing I have changed on it is the default password. No WEP or anything else running, but then again if anyone ever got close enough to my house to use my wireless I would know about it and they wouldn't be able to stay around for long enough. All computers keep patches up-to-date and regulated/automated virus and spyware scans.
I don't need my home computer to be locked down as tight as the network I work on. So I just do the basics. Patching, AV, Software firewall. Things like strong passwords are habit so I do that always. But my work has the money to dump for high end hardware firewalls, better networking equipment, and has paid staff (like me) to lock things down.
I'm an idiot and don't work in IT. But I do like Windows and IE - use both nonstop, don't use an AV and think Linux is a fashion trend for wannabe geeks. I use WiFi, at times with WEP, but mostly without, save passwords and even write them down on paper if I forget them. Basically, a monkey with some time could break into my computer. But who cares? What are they going to get? My e-mail password? A list of Google searches I've done? Bah at you internet security nutheads... majority of you that like me don't shop online and keep personal stuff off your computer should pull off your tin foil hats and put on your pirate hats... yar mateys!
Well, I think you made that abundantly clear...... :rolleyes:
Quote:
I'm an idiot
but when your ISP cuts your internet connection out of nowhere one day because it seems your IP is a major participant in a DDoS, or a major spam distributor, then I'm sure you will say that it's not your fault.
Quote:
I'm an idiot and don't work in IT. But I do like Windows and IE - use both nonstop, don't use an AV and think Linux is a fashion trend for wannabe geeks. I use WiFi, at times with WEP, but mostly without, save passwords and even write them down on paper if I forget them. Basically, a monkey with some time could break into my computer. But who cares? What are they going to get? My e-mail password? A list of Google searches I've done? Bah at you internet security nutheads... majority of you that like me don't shop online and keep personal stuff off your computer should pull off your tin foil hats and put on your pirate hats... yar mateys!
I'll put it this way: If I worked in IT, and someone had computers secured as well as my home computers are, I would fire them :P I keep em safe from viruses, worms, adware, etc, but I'm not worried about having it so secure that it's incredibly hard to get into... I've got a software firewall with decent rules that will tell me if I've got a RAT or backdoor or something of that sort, and that's enough for me...
Wellllllllll ..........
Quote:
Originally posted here by okay
I'm an idiot and don't work in IT. But I do like Windows and IE - Bah at you internet security nutheads... majority of you that like me don't shop online and keep personal stuff off your computer should pull off your tin foil hats and put on your pirate hats... yar mateys!
Gotta LOVE this guy :D
any takers on just how long he COULD stay online WITHOUT a break ?
As for what 'they' could find ...............
that's not the point, the point is that 'they' use your PC to do 'their' dirty work, THEN when the police track 'them' down ................
It's YOU that gets busted, and YES, laws are on the way to make sure that the owner/operator has taken 'reasonable steps' to protect his machine.
As for running book ................
I doubt if anyone would put money on 'more than a couple of days' :p
[edit]
I think I cut QUITE the dash in my tin foil hat anyway :D
okay's comments were perfectly reasonable.
Risk management is about reducing risk to an acceptable level, if he has no assets to protect, any resources spent on protection must be considered loss. (since more resources are spent protecting than are at stake)
All this BS about the police coming to him in the event his system is compromised and used in another attack... so what? He is under no requirement to maintain a secure system and until he has shareholders, is considered critical infrastructure, or is contractually bound to a security standard he has no obligation to implement any security whatsoever and is not liable for consequences therein. Furthermore if his ISP cancels his account because his system is used in DDoS attacks and if he lives in the US he has firm ground for a lawsuit as he cannot be discriminated against based on his knowledge of the relevant technologies.
cheers,
catch
Catch:
To hoist you on your own petard, (finally ;)):-
The fact that his internet access is removed is a cost. The fact that you have to take the ISP to court is also a cost with no guarantee of a win that offsets the cost. Yes, you could increase the cost by sending it to an appeal court but, again, you have no guarantee of winning.
Ok, the police probably won't appear at your door.... But if they do... I can assure you there is a cost and it isn't fiscal.
There are "costs" outside of financial but in many cases there will be fiscal cost. While I utterly agree that security is a balance of cost to loss what is the value of you losing your internet connection at home? If it exceeds a free AV and firewall then you failed to properly secure your computer. If you don't use AV and firewall but fail to spend the time and effort, (Read: Cost), to secure the computer without them then, again, you have failed to properly secure your computer. Either way, "Okay" is wrong.
The odds of his internet connection being disabled are near zilch, and if they do disconnect it he will most assuredly come out better financially (provided this causes him any loss whatsoever). With minimal effort, a lawyer would handle this case no fee up front as it is such a clear win (in the US anyhow)... I got free broadband for a year a few years back because my internet was out for a day due to a car crashing into the phone pole.
The odds of the police coming to his house are also minimal, they know how to tell a zombie system from an actual attacker... most likely if anything happens he'll get a notification from his ISP and the police may want the system for evidence... (this is made even more unlikely by having a less secure system since the attacker will more easily remove traces of the transaction, so here less security actually reduces the risk.)
If the user has no need for availability... there is no cost to having the system unavailable. My grandmother goes for months at a time without turning her computer on, and frequently uses her neighbor's anyhow... how much security does she need to do nothing more than occasionally look up operas?
What if okay is a $500 an hour lawyer and it takes him, a non-IT person 10 hours to secure his computer annually... in this case should he still take the time to secure it? Should he pay someone else to secure it and upkeep it (again the time the contractor has the computer is a loss of availability)... none of this was considered. Fact is, if okay is happy with his level of availability, why should he spend more resources on it?
cheers,
catch
First, you're all assuming my computer is being used as a zombie in DDoS attacks, why? How many of you have thought through that I may use a dial up modem? Or that I may disconnect my laptop from the network when I'm not online? Pretty stupid assumptions on your part. Next, like catch said, the computer is something I use for typing and occasional internet browsing - lately this site and CNN. I don't live online like you tin foil hat wearers.
Next, foxy, link me to these pieces of legislation? I live in the USA, here's a link to a site that shows all action on the Congressional floors and any proposed bills http://thomas.loc.gov Read it through carefully and ask yourself, who decides reasonable? Broad and undefined clauses like that leave gaping holes for attorneys to pick open. Get real, laws like that will be ripped open based on constitutionality as well.
Tiger, don't assume things to be true. My computer fits my needs and it may not be secure, but what's that matter if it sits in a corner without an internet connection and is only used by me?
:hello:
I'm going to bring up a point that doesn't argue much from the cost/loss perspective, but more from the ethical.
I agree that you shouldn't secure a system at a greater expense than the data to be secured. However, I have a friend that worked on a system hosting some disgusting things. It belonged to an elderly couple that didn't know what they were doing. He called me up, and was completely freaking out. The couple was clearly attacked, and eventually worms ended their internet access, taking them to the shop. They didn't know anything about their server until it got brought in.
The attack didn't cost them much more than a trip to geek squad + the loss of emails & pictures, but I'm sure they would have paid more than that just to prevent that crap from getting on their system. Since then I make an effort to see that those around me have at least the most basic security in place, because I would hate to clean that **** up. It's selfish to ignore basic practices if you have the know how to prevent something like this from happening.
This doesn't mean I hold the uneducated accountable, I just think it's important to educate and help out others where you can.
First, you think that just because you have dialup or because you disconnect your laptop from the network when you're not using it that you're safe? Pretty stupid assumption on your part, if you ask me. Ever hear of the Sasser worm? Came out the second half of the year before last, IIRC. At that time, I was working for a small ISP doing tech support and we were utterly swamped by calls from customers who a) used dialup b) were infected by just being online for a short period of time. I remember hearing "But I was only online while I downloaded my e-mail." from more than one customer. Didn't matter. They were still infected. A simple firewall would have protected them.
Quote:
Originally posted here by okay
First, you're all assuming my computer is being used as a zombie in DDoS attacks, why? How many of you have thought through that I may use a dial up modem? Or that I may disconnect my laptop from the network when I'm not online? Pretty stupid assumptions on your part.
The tone of your original post gives me the impression that you're just some guy wanting to seem bad-@$$ed by seemingly breaking the rules. Trust me... you don't seem all that cool.
- Xierox
I ever say I wasn't using a firewall? But nonetheless, do you even understand what Sasser exploited? Do you know that it used port 445 to exploit lsass? Do you even understand that Windows computers sharing files use port 445? Do you comprehend that most computers running a firewall and allowed file sharing would've been exploited? OS failures don't represent a lack of knowledge nor security on a user's side. Lame example.
And trust me. I'm totally not cool. But aside the point, do I care what you think? No.
Well, I use Avast AV, spybot and adaware, spyware blaster for malware prevention, and CWshredder... All I do is update and scan with everything once a week, and the only things that sometimes get through is adware/spyware, which gets deleted after the scans anyway... I don't get any pop ups, no system slowdowns, just doing this keeps your system pretty clean and running fine. When I suspect something I use hijack this and check the log out.
Oh and for the computers that aren't on my router/firewall, I use Sygate.
It takes a while to download and install and get everything set up right and such, but after you're done with that, it's simply a matter of updating and scanning once a week, and paying attention to your firewall logs.
I know some members like The_specialist will disagree with my methods (If I remember correctly he doesn't use any software), but it works for me...
***EDIT***
Heh, judging by Okay's last post, I think he earned himself the The_specialist_junior name :p
I'm sorry. You didn't say you weren't using a firewall, I assumed that you weren't from your first post. My mistake.
Quote:
Originally posted here by okay
I ever say I wasn't using a firewall? But nonetheless, do you even understand what Sasser exploited? Do you know that it used port 445 to exploit lsass? Do you even understand that Windows computers sharing files use port 445? Do you comprehend that most computers running a firewall and allowed file sharing would've been exploited? OS failures don't represent a lack of knowledge nor security on a user's side. Lame example.
And trust me. I'm totally not cool. But aside the point, do I care what you think? No.
No, I do not know specifically how Sasser worked. I knew it exploited lsass, but past that I was not clear. Thanks for teaching me something.
Ok, now I'd like to apologize to okay. It seems I misjudged you by a longshot. I have a friend back home whose computer was infected by all sorts of crapware. I offered to clean it up for him because a) it would run better and b) he would be doing the rest of the internet a favor and that he was responsible for what his computer was doing on the net. His reply? "Show me the law that says I have to keep my computer clean." Made me mad, real mad that he didn't care if his computer affected anyone else or not.
I assumed you shared the same mentality, but the more you defend your views, the more I think that you're not his type.
I was wrong to attack you like that. I'm sorry, and I apologize.
- Xierox