Help with an assignment?



  • I have to "interview an expert in my field of study" so that I can include the information in a speech where the audience is the non-technical people in my class. The instructor said that we could use whatever communication medium we wanted. The subject that made the most sense for a short presentation to users was web security. Would anyone mind answering these questions either here or in email? I can ask different questions if you don't like any of them. We are supposed to include a name and phone number, but I asked her if we could use an alias and an email address. I wanted to be able to mention general experience level.

    I put the questions here so you can see if you like them. I only need 5 so you don't have to answer all of them if you don't want.


    1. What would you consider a security warning sign when you are using a website?

    2. Are there any common mistakes that you see users make that expose them to lost information, identity theft or malware?

    3. What would make you think that a web site is likely a safe place for your sensitive data?

    4. Is there any reason not to prevent cross site scripting by using a separate browser to prevent cross domain problems?

    5. What do you think is the easiest way to manage passwords?

    6. Do you think about the general state of security and the internet?

    7. Is there anything that you think users should know?



  • @Chame1eon said:

    1. What would you consider a security warning sign when you are using a website?

    A popup that says my computer has 137 Malviruses. Then I know I'm being warned my security isn't good enough, and I should install the offered security protection.

    @Chame1eon said:

    2. Are there any common mistakes that you see users make that expose them to lost information, identity theft or malware?

     Everyone seems to be willing to give it away for free to companies like Google and Facebook, rather than leveraging and monetizing their own personal information.

    @Chame1eon said:

    3. What would make you think that a web site is likely a safe place for your sensitive data?

    Head trauma.

    @Chame1eon said:

    4. Is there any reason not to prevent cross site scripting by using a separate browser to prevent cross domain problems?

    No reason at all. In fact, everyone should use a separate browser for every site they visit. You can visit four whole websites by just sticking to the major browsers. Throw in a touch of IceWeasel if you need a fifth site. Maybe there's a text-heavy sixth site you can load in Lynx. Advanced users can double the number of sites they are allowed to visit by purchasing a second computer.

    @Chame1eon said:

    5. What do you think is the easiest way to manage passwords?

    Completely do away with them and rely on the honor system.

    @Chame1eon said:

    6. Do you think about the general state of security and the internet?

    See these questions.

    @Chame1eon said:

    7. Is there anything that you think users should know?

    I'm performing complimentary credit-card security analysis after the show.



  • I'd recommend avoiding the use of a handle when using a quote in a speech.  You want a proper name of the individual as well as a quick descriptor of why they would be credible ("web developer so-and-so suggests..." or something like that).


    Edit: also you are going to get trolling answers here, but you may also get things you can use if you are lucky.



  • @Chame1eon said:

    1. What would you consider a security warning sign when you are using a website?

    When choosing a password: "Password cannot be more than n characters"

    Not using https for any login page.

    @Chame1eon said:

    2. Are there any common mistakes that you see users make that expose them to lost information, identity theft or malware?

    Not verifying the source of a message (anywhere online, not just email), and thinking that the web is a private place. It's not.

    @Chame1eon said:

    3. What would make you think that a web site is likely a safe place for your sensitive data?

    In truth, you can't ever know for certain.

    @Chame1eon said:

    4. Is there any reason not to prevent cross site scripting by using a separate browser to prevent cross domain problems?

    I'm semantically confused by the ambiguous grammatical structure of this question.

    @Chame1eon said:

    5. What do you think is the easiest way to manage passwords?

    I have a good memory and a personal system for password generation, so I can't comment on any other methods like KeePass.

    @Chame1eon said:

    6. Do you think about the general state of security and the internet?

    I have been online since the days of 28K8, so I kind of grew into it properly. That goes for most people here. What I see with regular users though, is that it's as if they're naive rural villagers coming to The Big City for the first time.

    @Chame1eon said:

    7. Is there anything that you think users should know?

    My precious city that I helped build is being overrun with masses of idiot villagers and the shopkeepers are catering almost exclusively to them. 😞

    (just kidding. I have a twitter!)



  • @Chame1eon said:

    1. What would you consider a security warning sign when you are using a website?

    Not allowing you to use a fake name.

    @Chame1eon said:

    2. Are there any common mistakes that you see users make that expose them to lost information, identity theft or malware?

    Believing that you can trust anyone on the Internet.

    @Chame1eon said:

    3. What would make you think that a web site is likely a safe place for your sensitive data?

    Low IQ.

    @Chame1eon said:

    4. Is there any reason not to prevent cross site scripting by using a separate browser to prevent cross domain problems?

    This question makes no sense. You're not a Nigerian Prince, are you?

    @Chame1eon said:

    5. What do you think is the easiest way to manage passwords?

    Write them down and carry them with you everywhere you go. However, easiest != best.

    @Chame1eon said:

    6. Do you think about the general state of security and the internet?

    Terrible. Worse than terrible. However, like everything else, the Internet is fine. It's people who are the problem.

    @Chame1eon said:

    7. Is there anything that you think users should know?

    Trust no one. Hate everyone.



  • @Chame1eon said:

    1. What would you consider a security warning sign when you are using a website?

    If Norton tells me that a site is unsafe, then most likely that site is unsafe and no good.

    @Chame1eon said:

    2. Are there any common mistakes that you see users make that expose them to lost information, identity theft or malware?

    Not using the latest anti-virus, internet security and anti-malware software before browsing the internet.

    @Chame1eon said:

    3. What would make you think that a web site is likely a safe place for your sensitive data?

    Trick question? Don't place sensitive data on internet.

    @Chame1eon said:

    5. What do you think is the easiest way to manage passwords?

    Rely on your brain unless you think it could be tricked; in that case, rely on a diary. KeePass is also a good option. Norton Internet Security also has a place to store usernames and passwords.

    @Chame1eon said:

    6. Do you think about the general state of security and the internet?

    State is lamentable.

    @Chame1eon said:

    7. Is there anything that you think users should know?

    Do not use the same password on different sites; that will land you in trouble. Sometime your wife will come to know your bank account password and use it on your email. Then she will know all that Google knows about you. Be afraid, and very, very afraid.




  • @dhromed said:

    Not using https for any login page.

    There's really no point using https for login if you aren't going to use it for the entire site. If someone gets your cookies, they can still do pretty much whatever they like.
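The reply above makes a point that is easy to check mechanically: an HTTPS login page helps only if the session cookie it sets cannot later be sent over plain HTTP, which is what the cookie's Secure attribute controls. The following is an added example, not code from the thread; it parses a Set-Cookie header, lists the session-cookie attributes that are missing, and tells you whether a browser would still attach the cookie to an http:// request. The two header values are constructed for illustration.

```python
"""Audit Set-Cookie headers for the flags that keep a session cookie off plain
HTTP and away from page scripts.

Added example, not code from the thread. The headers below are constructed
to show an HTTPS login page that then hands the session to an HTTP site.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CookieReport:
    name: str
    secure: bool             # Secure: only sent on https:// requests
    httponly: bool           # HttpOnly: not readable from document.cookie
    samesite: Optional[str]  # SameSite=Strict|Lax|None, or missing
    issues: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieReport:
    """Split one Set-Cookie header value into its name and attributes.
    Attribute names are case-insensitive; flag attributes carry no value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else True
    samesite = attrs.get("samesite")
    return CookieReport(
        name=name,
        secure=attrs.get("secure") is True,
        httponly=attrs.get("httponly") is True,
        samesite=samesite if isinstance(samesite, str) else None,
    )


def audit_set_cookie(header: str) -> CookieReport:
    """Parse the header and record what a session cookie should have but lacks."""
    report = parse_set_cookie(header)
    if not report.secure:
        report.issues.append("missing Secure")
    if not report.httponly:
        report.issues.append("missing HttpOnly")
    if report.samesite is None:
        report.issues.append("missing SameSite")
    return report


def sent_over(report: CookieReport, scheme: str) -> bool:
    """Would a browser attach this cookie to a request with the given scheme?
    Without Secure, the cookie rides along on the first http:// page the user
    opens on that host, which is the point made in the reply above."""
    return scheme == "https" or not report.secure


# Constructed headers: what an HTTPS-only login page might set, before and after the fix.
LOGIN_COOKIE_WEAK = "sid=3f9a1c7e; Path=/"
LOGIN_COOKIE_FIXED = "sid=3f9a1c7e; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for header in (LOGIN_COOKIE_WEAK, LOGIN_COOKIE_FIXED):
        r = audit_set_cookie(header)
        print(f"{header!r}: issues={r.issues}, sent over http={sent_over(r, 'http')}")
```

Run against a real site, the headers would come from the response to the login POST; the weak header above is exactly the case the reply describes, where the login form is on HTTPS but the session token still travels in the clear on the next HTTP page.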



  • @El_Heffe said:

    Trust no one.

    The Truth is Out There.



  • @locallunatic said:

    I'd recommend avoiding the use of a handle when using a quote in a speech.  You want a proper name of the individual as well as a quick descriptor of why they would be credible ("web developer so-and-so suggests..." or something like that).


     I can see why you would say that, but there are a lot of things that make a lot of assignments less than realistic.  I just don't want to ask for names unless I have to. This doesn't seem to justify it.

    @locallunatic said:


    Edit: also you are going to get trolling answers here, but you may also get things you can use if you are lucky.


     I was kind of expecting that. I just can't think of anything good to present to users that I don't have time to find myself. So I was trying to keep the pressure as low as possible. People obviously don't like boring questions that you'd hear over and over if it weren't for Google. I'm just stuck with this. : ( I'm not sure if the person who created the assignment was thinking them through.

    I also had to give a 2-3 minute speech that started with "My name is" and included my credentials where the audience was my "new coworkers" and the object was to "convince them to like me".

    I thought this was going to be about presenting estimates to management or something.

    Besides I thought at least it might be interesting or funny : P




  • @El_Heffe said:

    @Chame1eon said:
    4. Is there any reason not to prevent cross site scripting by using a separate browser to prevent cross domain problems?
    This question makes no sense.  You're not a Nigerian Prince, are you?

    Gha, I rephrased the question halfway through for some reason.

    It seems to make more sense than saying close every window you have open, clear your cache, open one window for banking, then clear your cache again. There was even an Onion article about this.



  • @dhromed said:

    @Chame1eon said:

    6. Do you think about the general state of security and the internet?

    I have been online since the days of 28K8, so I kind of grew into it properly. That goes for most people here. What I see with regular users though, is that it's as if they're naive rural villagers coming to The Big City for the first time.

    @Chame1eon said:

    7. Is there anything that you think users should know?

    My precious city that I helped build is being overrun with masses of idiot villagers and the shopkeepers are catering almost exclusively to them. 😞

    (just kidding. I have a twitter!)


    I had the impression that the internet was better before I got to it, and now it doesn't really resemble what it did then, and I think that people who use social networking are crazy. I don't care if that means I'm the only one who seems to not be.

    I'm waiting for someone to invent some new medium of communication so I can move to that now : (.




  • I will try to answer seriously. If you need a real name, PM me and I will give you my first name.

    @Chame1eon said:

    1. What would you consider a security warning sign when you are using a website?

    It really depends on what the website is used for. For example, this site, who cares? Now if we're talking a site where I'm expected to enter financial or sensitive data, then:

    1. Not using SSL on every single page and for every single resource (images, CSS, JS). Chrome gives a warning if a page is encrypted but the resources aren't, which is good.
    2. A questionable domain. I would trust "bankofamerica.com" but not "bankofamerica.4j328965j23o4ijrw2jtoi24jo.floopityfloopityfloo.ru".
    3. I wouldn't bother with a company that's not well-established and seemingly trustworthy. For example, I'll use PayPal but I wouldn't use "RemunerateAcquaintance".


    @Chame1eon said:

    2. Are there any common mistakes that you see users make that expose them to lost information, identity theft or malware?

    Downloading software from untrustworthy sources (e.g. The Pirate Bay). Not running anti-virus. Giving their passwords out to scammers.

    @Chame1eon said:

    3. What would make you think that a web site is likely a safe place for your sensitive data?

    Trustworthy name. Uses SSL for everything. Those are the two big ones I can think of.

    @Chame1eon said:

    4. Is there any reason not to prevent cross site scripting by using a separate browser to prevent cross domain problems?

    I really don't understand this one. You mean using a separate browser session for every site you open? It would be kind of inconvenient to set something like that up, and it seems too technically-sophisticated for the audience. But otherwise the question doesn't really make sense.

    @Chame1eon said:

    5. What do you think is the easiest way to manage passwords?

    Easiest? Just don't use one (or use the same, extremely simple one for each site). That's also the least secure thing you can do. I would recommend using some software like 1Password that generates new, random passwords for each site. Don't use the same one twice. Generate a random password to use as your master password for 1Password and memorize it. Also, write it down on a sticky and keep it in a locked safe or somewhere equally physically secure, in case you forget. Then you only have a single master password to remember.

    @Chame1eon said:

    6. Do you think about the general state of security and the internet?

    Significantly better than it was even a few years ago. Now virtually every big site I use that houses confidential data has SSL enabled. Even Google, Facebook and Twitter use SSL for everything now. Still, there's a long way to go to improve Internet security.

    @Chame1eon said:

    7. Is there anything that you think users should know?

    Best security advice I can give users: SSL is your friend. Learn what SSL looks like in your browser. Learn what SSL warnings, errors or outright missing SSL looks like. Avoid entering personal information into sites that have SSL warnings, errors or don't use it at all. Be careful! Some browsers will display a "favicon" (a logo used to identify the site in your favorites) right next to the URL, right next to where SSL information is displayed. Illegitimate sites can use an icon of a lock to trick users into thinking SSL is enabled when it is not. Thankfully, more browsers are moving away from displaying favicons next to the URL.

    Check the URL. something.bankofamerica.com is okay. bankofamerica.something.com is suspicious. bankofamerica.something.ru is bad.

    Use different passwords for different sites, especially ones where you enter confidential information. Use good passwords, like those generated and stored by a program like 1Password. Do not use the name of your pets, your wife's birthday, etc.
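Two pieces of the advice in this post can be turned into checks: the "something.bankofamerica.com is okay, bankofamerica.something.com is suspicious" rule for the URL, and the "SSL for every single resource" rule that Chrome's mixed-content warning enforces. The block below is an added example, not code from the thread or from any browser; it takes the trusted domain from the post, and the sample page with its *.test hostnames is constructed. It goes a little beyond the post's three cases by also treating a brand name placed before an @ in the URL, or embedded in a longer label, as a lookalike.

```python
"""Two checks behind the advice above: is the host really under the domain you
trust, and does an HTTPS page pull any resource over plain HTTP (what Chrome's
mixed-content warning flags)?

Added example, not code from the thread. The trusted domain comes from the
post; the sample page and the *.test hostnames in it are constructed.
"""
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlsplit


def host_verdict(url: str, trusted_domain: str) -> str:
    """Classify the host in `url` against one registrable domain the user trusts.

    "ok"        host is trusted_domain or a subdomain of it (something.bankofamerica.com)
    "lookalike" the brand name shows up, but not as the registrable domain
                (bankofamerica.something.com, bankofamerica.<junk>.ru, notbankofamerica.com,
                or the brand placed before an @ as the URL's user name)
    "unrelated" nothing to do with the brand at all
    """
    parts = urlsplit(url)
    if parts.username is not None:
        # https://bankofamerica.com@evil.example/ actually connects to evil.example
        return "lookalike"
    host = (parts.hostname or "").rstrip(".")   # hostname is already lower-cased
    trusted = trusted_domain.lower().rstrip(".")
    if host == trusted or host.endswith("." + trusted):
        return "ok"
    brand = trusted.split(".")[0]
    if any(brand in label for label in host.split(".")):
        return "lookalike"
    return "unrelated"


class _ResourceCollector(HTMLParser):
    """Collect the URLs of sub-resources a page loads (scripts, styles, images,
    frames), not plain <a> links, which only matter when clicked."""
    LOADERS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

    def __init__(self) -> None:
        super().__init__()
        self.resources: List[str] = []

    def handle_starttag(self, tag, attrs):
        wanted = self.LOADERS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.resources.append(value)


def mixed_content(page_url: str, html: str) -> List[str]:
    """Return sub-resource URLs that an HTTPS page would fetch over http://.
    Scheme-relative URLs (//host/path) inherit https and are not reported."""
    if urlsplit(page_url).scheme != "https":
        return []   # the page itself is unprotected; there is nothing to downgrade
    collector = _ResourceCollector()
    collector.feed(html)
    return [u for u in collector.resources if urlsplit(u).scheme == "http"]


# Constructed sample page, imagined as served from https://www.example-bank.test/login
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://static.example-bank.test/site.css">
<script src="http://cdn.example-analytics.test/track.js"></script>
</head><body>
<img src="//static.example-bank.test/logo.png">
<img src="http://static.example-bank.test/badge.png">
<a href="http://example-bank.test/help">Help</a>
</body></html>"""

if __name__ == "__main__":
    for u in ("https://online.bankofamerica.com/login",
              "https://bankofamerica.something.com/login",
              "https://bankofamerica.com@evil.example/login"):
        print(u, "->", host_verdict(u, "bankofamerica.com"))
    print(mixed_content("https://www.example-bank.test/login", SAMPLE_PAGE))
```

The host check only answers "is this under the domain I already trust"; it cannot tell you whether a domain you have never seen is honest, which is the point the post makes about well-established names. The mixed-content check reports the http:// script, which is the dangerous case (it can rewrite the page), and the http:// image, which is what browsers usually just warn about; the scheme-relative logo is fine because it inherits https.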



  • @morbiuswilters said:

    @Chame1eon said:
    5. What do you think is the easiest way to manage passwords?

    Easiest? Just don't use one (or use the same, extremely simple one for each site). That's also the least secure thing you can do. I would recommend using some software like 1Password that generates new, random passwords for each site. Don't use the same one twice. Generate a random password to use as your master password for 1Password and memorize it. Also, write it down on a sticky and keep it in a locked safe or somewhere equally physically secure, in case you forget. Then you only have a single master password to remember.

    1. Open Google Chrome
    2. Type the letter c into the address bar
    3. Type the letter h into the address bar
    4. Type the letter r into the address bar
    5. Type the letter o into the address bar
    6. Type the letter m into the address bar
    7. Type the letter e into the address bar
    8. Type the symbol : into the address bar
    9. Type the symbol / into the address bar
    10. Type the symbol / into the address bar
    11. Type the letter f into the address bar
    12. Type the letter l into the address bar
    13. Type the letter a into the address bar
    14. Type the letter g into the address bar
    15. Type the letter s into the address bar
    16. Push enter
    17. Enable this thing
    18. Close and reopen Chrome
    19. NEVER EVER MAKE UP OR REUSE A PASSWORD AGAIN


  • @morbiuswilters said:

    Learn what SSL looks like in your browser. Learn what SSL warnings, errors or outright missing SSL looks like. Avoid entering personal information into sites that have SSL warnings, errors or don't use it at all. Be careful! Some browsers will display a "favicon" (a logo used to identify the site in your favorites) right next to the URL, right next to where SSL information is displayed. Illegitimate sites can use an icon of a lock to trick users into thinking SSL is enabled when it is not. Thankfully, more browsers are moving away from displaying favicons next to the URL.

    By the way, this would be a good place for some visuals, if you're permitted. Show what SSL on and off looks like in the latest version of a few browsers. Get the users to understand which parts are chrome* (the parts the trusted browser controls) and which parts are controlled by the site itself, whose validity you are trying to assess.


    *Not the Google browser. Yes, one of the few places where I might actually need to explain the concept of UI chrome to end-users--for critical security purposes, no less--and Google decided to name their fucking browser Chrome. Why not just name that shit "Mahlwear"?

    Me: "Okay, right here the browser is showing you a warning indicating this site might have malware.."

    User: "The site has my browser?"

    Me: "No, 'malware' the harmful software like viruses. The site might have them, so Mahlwear is giving you a malware warning... This would be a good time to show you how to install the latest version of Mahlwear.."

    User: "You want me to install a virus?"

    Me: "No, that time I meant 'Mahlwear', the registered trademark owned by Google to name their browser. Can't you hear me enunciating the 'h' on 'Mahl'? And "wear" is spelled completely differently. Try to keep up."

    User: "I'm getting confused.."

    Me: "Okay, let's shelve security for awhile and go back to the Harley Davidson Visual Application IDE / Motorcycle Design tool. Now, to build the UI for our application we click 'Add Chrome'. No, goddammit, that was the 'Add Chrome' button for motorcycle design! You can tell because we're on OS X and it looks like a slightly-different type of shiny metal. You just electroplated your fucking UI, you moron! Why can't stupid users follow simple instructions when someone tells you to click the 'Add Chrome' button so they can add chrome?? Instead they click 'Add Chrome' and chrome their chrome! Arrgggh!!!"



  • @morbiuswilters said:

    *Not the Google browser. Yes, one of the few places where I might actually need to explain the concept of UI chrome to end-users--for critical security purposes, no less--and Google decided to name their fucking browser Chrome.

    Yeah, but what about all those times you want to talk about the Internet? Or a fox made entirely of fire? Or browsing the web on a vacation to Africa?



  • @Ben L. said:

    1. Open Google Chrome
    2. Type the letter c into the address bar
    3. Type the letter h into the address bar
    4. Type the letter r into the address bar
    5. Type the letter o into the address bar
    6. Type the letter m into the address bar
    7. Type the letter e into the address bar
    8. Type the symbol : into the address bar
    9. Type the symbol / into the address bar
    10. Type the symbol / into the address bar
    11. Type the letter f into the address bar
    12. Type the letter l into the address bar
    13. Type the letter a into the address bar
    14. Type the letter g into the address bar
    15. Type the letter s into the address bar
    16. Push enter
    17. Enable this thing
    18. Close and reopen Chrome
    19. NEVER EVER MAKE UP OR REUSE A PASSWORD AGAIN

    Sooo.. it knows every password-creation page in existence? And it has all of their arbitrary restrictions on password characters and length recorded and kept up-to-date? And it keeps them encrypted and secured with a master password? And the passwords are easily backed up? Oh, and of course they're easily accessible in other browsers? And of course it interfaces with non-web passwords, too, right? Because you're selling it as a complete replacement for an actual password manager, so surely it must do all of that.



  • @Ben L. said:

    @morbiuswilters said:
    *Not the Google browser. Yes, one of the few places where I might actually need to explain the concept of UI chrome to end-users--for critical security purposes, no less--and Google decided to name their fucking browser Chrome.

    Yeah, but what about all those times you want to talk about the Internet? Or a fox made entirely of fire? Or browsing the web on a vacation to Africa?

    I can't even guess what the fuck you're trying to say..



  • @Chame1eon said:

    Would anyone mind answering these questions either here or in email?

    Happy to. DM me with your email address & I'll get in touch.



  • @morbiuswilters said:

    @Ben L. said:
    @morbiuswilters said:
    *Not the Google browser. Yes, one of the few places where I might actually need to explain the concept of UI chrome to end-users--for critical security purposes, no less--and Google decided to name their fucking browser Chrome.

    Yeah, but what about all those times you want to talk about the Internet? Or a fox made entirely of fire? Or browsing the web on a vacation to Africa?

    I can't even guess what the fuck you're trying to say..

    this fucking name                              makes it hard to talk about
    Chrome                                         motorcycles
    Internet                                       THE FUCKING ENTIRE INTERNET
    Mozilla Internet Browser Platform Blancmange   anything resembling an animal on fire
    Safari                                         what morbs does when he feels like shooting a giraffe
    Opera                                          Oprah
    Mahlwaer                                       Google Chrome


  •  I'm really glad you replied to this. Thank you. 

    The instructor said that I don't need a name so I won't mention anything you don't want me to.

    For the browser I meant use any browser like Firefox for sensitive websites like banks and tax returns, and an entirely different browser like Chrome for regular use.

    It just seems like the simplest possible way to reduce cross site scripting or cross site request forgeries. The idea was that it would be much more convenient than closing everything entirely, and it's easy to distinguish the "safe" browser from the "unsafe" one. You could even apply a much stricter security configuration to the "safe" browser (e.g. NoScript, sandboxing, incognito mode, etc.) than most people would be willing to put up with on regular web sites.

    I can't think of any reason that wouldn't be a good idea.

