On 2005-02-14 at 09:24-06 Aleksandar Milivojevic <amilivojevic@xxxxxx> wrote:

> Have in mind that breaking into your desktop PC is almost zero-risk
> thing. There'll probably be no consequences for attacker even in
> unlikely case that he is detected. You do not have sufficient funds
> to do much about it. Your funds are barely enough to set up basic
> defenses for that matter.

I think you underestimate the strength of the defenses that can be prepared from some second-hand PC hardware, the Fedora Core distribution, and the application of a little knowledge and time.

> On the other hand breaking into accounting company's computers or
> government computers is completely different story. They have funds
> to hunt down the attacker.

And those same funds are what make them a juicy target for attackers in the first place.

Script kiddies will be stopped by trivial defenses. Intelligent and determined attackers aren't going to waste their time targeting Joe User's home PC; they're going to go after more rewarding targets.

Even when intelligent and determined attackers *do* target home PCs (e.g., because spammers are paying for spam zombies), for every PC with even moderate defenses, there are at least 100 that can be successfully attacked with virtually no effort. Why climb 50 feet up the tree to pluck a single fruit when there's plenty of fruit that's just as juicy at ground level, just waiting to be picked?

> Unlike you, they have funds to create secure environment.

Unlike me, they have to hire employees to run and maintain that secure environment. This is significant, because it's relatively well-established that most security breaches originate from the inside (not from external attackers). Here's a recent study:

http://www.itsecurity.com/tecsnews/feb2005/feb78.htm

Who do you trust more? Yourself, or some random companies' hundreds of employees?

> If I have to keep my confidential data anywhere, the last place I'd
> like to see them stored is desktop Windows machine.

In terms of network threats, I assert that a home Windows desktop machine, competently managed (up-to-date on security updates, running anti-virus software, running anti-spyware software, etc.) and used (using Firefox instead of IE, all accounts set up as restricted users, et al.), protected by an intelligently configured Linux-based firewall, is a more secure location for one's confidential data than the fileservers of a big corporation.

Of course, with a home PC, physical access attacks (e.g., a burglar breaking into your house and stealing your computer) are more difficult to defend against, but even physical access attacks can be mitigated to some degree...

-- 
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA