When does convenience trump security?

Discussion in 'other software & services' started by RoamMaster, Feb 27, 2011.

Thread Status:
Not open for further replies.
  1. RoamMaster

    RoamMaster Registered Member

    Joined:
    Oct 1, 2006
    Posts:
    47
    I've been speaking with someone about how we set up friends' computers (and how we operate our own). I'm of the mind that if you restrict things too much, all you do is prompt someone to discard all of the measures and use what's convenient regardless of increased risks.

    When I set up someone's system, I make a limited user account, but I do two things. I change file permissions for the entire User class to allow write and modify access for all non-system partitions. And I add SuRun so logging on as admin isn't needed as much.

    I think these two things are pretty reasonable.
    Coupled with sandboxed browsers and Returnil I'd call this pretty secure, while not being overly restrictive for ordinary use.
    I also shut off Returnil's virus guard and grant the sandboxed browsers full directory write access to the non-system partition.

    If I wanted absolute security I wouldn't be running Windows. I'd be running OpenVMS. I wouldn't use Flash. Etc.
    I think granting write access and using SuRun make the LUA a LOT more usable with very little security loss.
    I consider a standard XP LUA to be almost unusable. I know I would still be using an admin account for everything if Users couldn't create and modify files. That's just too big a deal for me.

    So where do you draw the line between security and usability?
     
    Last edited: Feb 27, 2011
  2. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    I draw the line when a PC is no longer user friendly.

    A PC was meant to be USED, not a security fortress like some think.
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I draw a pretty high line on security, because it's still usable for me.
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    I place a pretty high value on usability and performance. If anything gets in the way of that, I remove it. My security setup is very minimal here on Win 7 x64.
     
  5. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    Yes, I agree. I think a minimalist approach can work fine. Common sense when you are browsing/surfing can preclude the need for overcomplicated security.
     
  6. wat0114

    wat0114 Guest

    Absolutely, especially the common sense part, which it seems many overlook as an important and useful component of any pc security setup. Personally, I place quite a lot of emphasis on security, leveraging as much as possible what's already built-in to the O/S, which helps to leave at least what is for me adequate convenience. I don't like constant security maintenance when using the computer.
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Common sense when browsing? Can someone explain it to me? How can I achieve such?

    Would you folks define visiting known websites as being what you call of common sense?

    Just like visiting a BBC owned website? Say, like this example here?

    If I were only to protect myself based on the common sense and nothing else, I'd be served a very nice exploit, resulting in a drive-by download. No need for user interaction.

    It's just like using the common sense when driving a car - Don't turn left, because you have to turn right; it will keep you safe. (I guess some forget to mention they will only be safe until they stop being. :D)
     
  8. x942

    x942 Guest

    m00nbl00d took the words from my mouth! That is why security is needed: even legit sites may become compromised and deliver drive-bys. It has happened before and is bound to happen again.

    I focus on security. Although even with all my security (look at my setup on https://www.wilderssecurity.com/showthread.php?t=111264) I barely take a performance dent. The only CPU-heavy programs are Comodo and Avast!, but neither of them slows my computer down. I am also fine with having to move executables to an allowed folder. It may be a hassle for some people but I like it :) I even have UAC request a password (SUA setup).
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Common sense isn't the protection on the web that it used to be. When legitimate sites get hacked, including big financial institutions, there is no longer such a thing as a trustworthy site. The DNS system has been attacked. Hardware is being targeted. A minimalist defense won't protect you against these. This leads to the next question. Define minimalist criteria. That will mean a lot of things to different people.

    IMO, relying on what most call common sense is nothing more than rolling the dice and betting that it won't happen to you. Myself, I don't gamble. I only bet on sure things. In PCs, that's default-deny, isolating the attack surface, and restricting permissions to only what's necessary for an application to function. IMO, common sense says that the entire internet is vulnerable and any part of it (sites or system) can be compromised at any time. None of it can be completely trusted, and your security setup/policy should reflect that.
     
  10. wat0114

    wat0114 Guest

    More overhyped nonsense than one can shake a stick at. Part of common sense is as simple as keeping all applications up to date and running in a limited account, and that will prevent or at least mitigate a lot of the exploits from taking hold in the first place.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Patching is great, but it's also play and catch. Today a vulnerability is patched, but others are unknown; but, maybe not to attackers. So, it's needed to mitigate/contain what exploitation of such vulnerabilities can do.

    Running a limited account can contain a lot of what can happen; but, why is it that people still rely on exploits only targeting/requiring administrative privileges (actually the malware)? Not to mention privilege escalation.

    Carberp doesn't require administrative privileges; it will execute to memory. Not even SRP/AppLocker would be of any good.

    So, what else could you deploy to prevent/mitigate an exploit which could result in the mentioned above? MrBrian has proved that EMET won't be foolproof. Nothing is really. EMET is about mitigation; that is, mitigate to the maximum possible what the exploit does. But, what about actually preventing the exploit from initiating?

    Maybe for some, certain security measures aren't necessary or aren't seen as such by them, but to others they are. In the end, it depends on what use you give to your system and what you consider acceptable to happen. Anyway, that's how I see it.
     
    Last edited: Feb 27, 2011
  12. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    Maybe, but what I mean is that I have an AV (& SUPERAntiSpyware) & some browser-end security extensions (adblocker, NoScript etc). Most of the sites I visit aren't Russian porn sites & I don't download just anything that takes my fancy. When I download installers (inter alia) I will scan them. That's what I mean by common sense.

    I agree with much of what you are saying, I'd hardly say that I was just rolling the dice though. Apart from using some form of sandbox/virtual box I am not sure what else I can really install. I think my set-up is minimal but effective.

    I think that a bit of common sense, the UAC on Windows Vista/Seven, a decent AV, some good browser-end security extensions & maybe a good on-demand scanner like SAS or MBAM (&/or something like SpywareBlaster) should be sufficient.

    Although to be honest even that sounds a bit complex. Common sense, a good AV & some browser security extensions should be good enough for anybody.
     
  13. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    Exactly! :thumb:
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Actually, what you said was:

    OK, now I see you don't fully trust the Common sense when you are browsing/surfing. I guess you just didn't think of mentioning the rest. :)
     
  15. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    Browsing the net is not as difficult as some make it out to be.
    One of my co-workers has nothing on her PC except Returnil System Safe 2011, plus Windows firewall and all updates. That's it, period!

    Til this day, she's got no malware, virus or any other issues!
     
  16. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    Yeah, I believe in a common sense approach ... but I'm not stupid LOL! ;)
     
  17. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Yep, without a doubt. I have been living on the internet now for over 15 years, with minimal security, meaning nothing much more than an AV, going literally everywhere, good and bad, and have not once in all that time been compromised. I don't think I need to say much more than that....
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I've never felt that a secure system had to be inconvenient.

    In developing a security strategy, it's not necessary that the resulting policies/procedures and security products installed should have to interfere with usability.

    ----
    rich
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Are you sure? Isn't it just another trojan that needs to install/execute before doing any dirty work?

    Trojan.Carberp
    Risk Level 1: Very Low
    http://www.symantec.com/security_response/writeup.jsp?docid=2010-101313-5632-99
    As such, wouldn't this be easy to prevent with SRP/AppLocker?

    ----
    rich
     
  20. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    That is a trick question around these forums :D

    Some folks enjoy the trip through pop-up land. They enjoy knowing they have control over most any aspect. So for them, I would say they don't care about anything but security, at least right now.

    For myself, I no longer care about security that means inconvenience. BUT, that doesn't mean I don't care about security or that I have less security. It only means that I had to adapt how I approached it to try and achieve a balance between the two. As it stands now, if I stick to my scheme, little can happen. If I deviate from the scheme (and it does/will happen), I just need to make sure I have followed the rest of the scheme as well as possible, and all losses SHOULD be at a minimum. I am talking worst case scenario here, not simply removing some pesky virus. I am talking about online transaction protection, data protection, etc.

    Sul.
     
  21. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    An up to date system with a browser where scripting can be either restricted or a white list of sites used is about as inconvenient as I will go. The av and firewall/behavior monitor work ok but if they become buggy they are removed quickly. I think a lot of people read the antivirus detection reports and believe it's doomsday. But really a lot of those tests are done on outdated systems, outdated browsers and few if any patches. How about an antivirus test on an up to date system, even being run as admin, where the OS is Windows 7? Combine that with a browser that has a no-script like component and the chance of getting infected is very, very small. So downloads and what goes into a computer via a cd or email would need to be scanned. But that's fairly easy. And for me, not something I do much.

    Also, if a person is going to do some purchase online- have two checking accounts. They are usually free anyway. Have one where a small balance is kept, just to cover online purchases. If your credentials get hacked you are only out a few bucks.
     
  22. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Absolutely! I have a separate account, which I have no checks for, only a debit/credit card. I transfer/deposit only the amount +/- 10$ the day before I purchase. I have been doing this a couple years now, and it works very well for online transactions.

    Sul.
     
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    I don't see why convenience trumps security. It could if you go overboard.

    In general, it is possible to enjoy yourselves immensely, without doing anything special or drastic. Security is fairly overrated. You can get infected, if you want, but if you don't, you let the hype and the scaremongering pass you by, while you enjoy the Internets.

    And someone commented on Russian porn sites - why single out? What's wrong with those sites, if we put aside personal taste, preference and perceived morality? No different from any other site. And makes no difference to the overall security strategy.

    Cheers,
    Mrk
     
  24. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    Sorry, just my odd British sense of humour (I once contracted a trojan in a Russian journal site). :D
     
  25. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
    When does convenience trump security?

    :thumb:
     