Is user education necessary for security?

Discussion in 'polls' started by Hungry Man, Oct 11, 2011.

Does computer security necessitate user education?

  1. Yes, definitely

    79 vote(s)
    85.9%
  2. No, definitely not

    4 vote(s)
    4.3%
  3. Possibly in certain situations/ other

    9 vote(s)
    9.8%
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I think he's assuming that you wouldn't realize it's compromised.

    I mean, hey, when I see a file is digitally signed and verified by Verisign I think, yeah, it's probably legitimate. But am I going to rely on that? Nope. Certs get hacked, CAs hand them out too easily, and sites get hacked all of the time.
     
  2. wat0114

    wat0114 Guest

    If you're talking about an exploit on a browser or plug-in like java or flash, that doesn't matter any more than a compromised download. There are measures one can easily put in place to avoid the malicious effects of any one of these or similar, and whether one cares to admit it or not, instinct and common sense can play a huge part in that.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    No, I mean a compromised download that you didn't realize was compromised.

    As in, you go to download the latest Flashplayer and everything looks fine and you go choose the file and you download it but in fact the site had been hacked and what you just downloaded was a file that only looked like a flash player plugin.
     
  4. wat0114

    wat0114 Guest

    Okay, that's fine, but it perplexes me to some extent that so many, yourself included, talk about this scenario as though it's commonplace, yet I never see it in my own experience. So what gives? Am I just fluking out and not representative of what's apparently happening to most people, or could it be most of this is overhyped?
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Purely hypothetical. I don't know of Adobe's site ever being hacked to distribute malware in such a way.

    But legit sites do get hacked often and exploits are shown all the time.

    http://www.reddit.com/r/pwned
    http://www.reddit.com/r/xss

    Plenty of sites have lists like these where exploits are shown or the sites are hacked. MySQL's was posted here I remember, Amnesty International is another high profile one. Lots of lower profile ones that us normal users might not run into, but someone will.

    Not to mention the Sophos report I posted either in this topic or another. I meant to read that today... I think I'll get on that.
     
  6. guest

    guest Guest

    "Yeah, "Reset" or "Refresh" or something. It sets the OS back to default but you keep your files/ documents."

    this is called imaging your system drive o_O
     
  7. wat0114

    wat0114 Guest

    I've only had a brief look, but a lot of those seem "weird" to me, ones I'd never download from. However, the Garmin.com XSS was of interest to me, because I've installed updates on my GPS sometimes (nothing malicious ever to note :) ) When I click on it, IE9 comes nicely into play...
     

  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yep, like I said, you likely just haven't come across them because... well you don't go to them! haha

    And, of course, there are ways to mitigate these attacks. My point was only to show you that there are legitimate sites with vulnerabilities and some of them even get taken advantage of.
     
  9. wat0114

    wat0114 Guest

    I like to think my level of common sense steers me away from them :), and even if I venture to them sometimes, I've probably got enough in-built security to avert anything malicious. Failing that, I can instantly, in a calm, cool and collected manner, restore a recent image and all is "good and nice :D " again.

    Clearly, there seem to be two prevailing trains of thought on this type of matter; either one is deeply concerned and almost constantly worried that something bad will happen to them because they buy too much into all the FUD circulating around the 'net, or the one who approaches in a calm and confident manner, knowing that very likely nothing bad will happen to them, and if it somehow does, the results will be inconsequential because of their ability to have prepared themselves in such a manner to significantly mitigate the damage that could be done in such an unlikely (for them) event.
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Seems to me this whole topic is a never ending circle of pipe dreams...

    Only an OS that fully controls everything can be secure for everyone.

    As long as you have choice to use 3rd party software or modify system to your likings.. as long as you have the ABILITY to have root.. you are subject to the problems prevalent today. If you continue to exercise your right to root, and you don't have some form of education, then problems will ensue. No getting around that, only a matter of time in today's networked world.

    Sul.
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The way I see it a user turns off their security when their security bugs them or they no longer trust that security.

    So if a system doesn't bug the user and a system stays silent and without false positives (or maintains a system that ensures false positive tolerance) there is no reason for the OS to control anything and there should be no situation in which the user is successfully infected.
     
  12. wat0114

    wat0114 Guest

    If they're properly educated, they'll choose the right security, including one they can trust.

    But I thought you had always maintained that it's the O/S that should be responsible for security??
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    My point is that any program currently available will either not provide default adequate security or will at some point give the user a reason not to trust it or will simply be too high maintenance/ bug them.

    I meant in terms of a walled garden approach, which is what I believe Sully was referring to.
     
  14. wat0114

    wat0114 Guest

    Looking a bit further, the official Garmin website Support page -http://www.garmin.com/us/support

    ...renders no problems as opposed to the one listed in the XSS site list
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Don't ask me! I only posted the link that linked to that link =p

    It's possible that what you saw was that site with the code in the url bar necessary for the XSS attack. That's what I would assume but I don't have what you put in your URL.

    Either way, hacked sites happen every day. Sophos puts 80% of malicious sites as being hacked.

    I have once again forgotten to read that report! I'm going to try to download it now.
     
  16. wat0114

    wat0114 Guest

    That's okay, I believe the XSS occurred, and that, with what little I know about XSS exploits, they redirect one to a different, but similar looking, malicious URL.
     
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah, either a redirect or they had some script running on the page (or would have if IE hadn't stepped in.)

    My point was to illustrate that all sorts of sites have vulnerabilities. It would not be too insane an idea to believe that a site that you may very well visit and trust could at some point be compromised.
     
  18. wat0114

    wat0114 Guest

    I know a lot of people frown upon YouTube links but in my efforts to gain some info on it, the following seems to explain XSS very nicely...

    -http://www.youtube.com/watch?v=foTEOsJuR4c&feature=related
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    You won't see a complaint from me. Learning is learning.

    Thanks for the link.
     
  20. wat0114

    wat0114 Guest

    You're welcome! I hope it helps. It sure helped me gain a far better understanding of XSS than what I had :) I had no idea cookies were involved, and no re-direction, as I had thought, is involved either.
     
  21. marc57

    marc57 Registered Member

    Joined:
    Aug 15, 2006
    Posts:
    83
    Location:
    St Marys,WV. U.S.A.
    Yes, definitely
     
  22. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,797
    It is not a necessity per se but it may help to improve the state of security. I'd recommend "user education" but to depend solely on it for security is a no-go for me...
     
  23. Wroll

    Wroll Registered Member

    Joined:
    Nov 29, 2011
    Posts:
    549
    Location:
    Italy
    If his primary job is working with computers I would say yes. When I go to the doctor I show the doctor where it hurts me and I expect from him to know what is there, I don't expect from him to know the solution for the latest unpatched windows/linux/mac security vulnerability.
     
  24. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Well, yeah. If you're an IT guy or something it's obviously beyond necessary - it's their job requirement. I'm asking whether users need to be educated on security/ computers for them to stay secure or another way to put it is: can a complete novice computer be safe?
     
  25. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Knowledge & wisdom are separate things, & hindsight binoculars are difficult to buy on eBay these days. Seriously though, I think it is through experience that most people develop a security awareness online. I was wise enough not to click on any flash ads in an Eastern European journal site, but not knowledgeable enough to use an adblocker & NoScript when I was burnt by malware on the same site.
     