Posted 12 January 2011 - 09:30 AM
I could write lots on this, but Ive just posted some notes I made on reading it the first time. I don't care about the layout and readability, all that is just window dressing to pretty it up, Im interested in the meat of the contents.
I think it misses the big elephant in the closet that causes the whole issue of security to arise and be such a shock in the first place.
Computers are NOT a black box system. They are a framework which lets you hang what modules you like off them to do various tasks. Modules == software programs. Thats the reason users end up shocked at their first virus, because they missed this after treating them as a switch on and go consumer device.
The car and toilet analogies dont work for me either, to change the oil in a car needs some prior understanding of the car, the quantity of oil, the grade of oil, what quality of oil to use, the frequency of changing it, in fact a whole bunch of factors which understanding the need for, bootstraps into a understanding of the car as a system. To change the oil in a car with abstraction, would be to take it to the garage and pay them to do so. The oil still gets changed, but you dont have to know anything that way apart from how to pay for it. People are reading your paper because they want to learn about how to change their computer/network's oil and some of its inner workings, not just take it a garage.
"First and foremost, one needs to accept that their
information is fundamentally safe, but that doesn’t mean they don’t need to worry. "
Its not fundamentally safe. Otherwise they wouldnt need to worry would they? We could all go and procreate with stunning playgirl models instead of reading your paper. In fact, its fundementally unsafe, and we must just take our best measures to mitigate our exposure to the risk.
the basics of network security :-
"Vulnerability assessment is the very first,"
The very first step is to want to understand and secure it. Vulnerability assessment is how you quantify how secure it is according to some metrics once youve taken that decision. Its a small but important distinction. It puts the first step about securing a network as wanting and caring enough about a networked system to want to secure it. And we're in the caring for things business in a way.
Layer 2 The Data Link Layer:
Local layer 2 attacks, at the moment are common and more disturbingly, mind numbingly simple.
Theyre only mind numbingly simple because script kiddies are using someone elses abstraction without understanding it therefore without the tool its horribly complex so you rely on the tool to deal with all that. Having to rely on a tool that I dont understand how works isnt simple, its complex to me. Im trusting it knows best...
You could say "there are automated tools to perform this which do not rely on the attacker having a deep understanding of the attack vector or what is being done." , it'd be more accurate. Even a tool used like that is is not mind numbingly simple, not to 99% of the computer using populace, some of which your hoping to catch with this tutorial in some way. A analogy here would be that you do not have to understand how a gun works to kill someone with it. The script kiddies dont understand the gun/tool but the end results are still devistating.
Also I think your fine china udp analogy doesnt work , I thought about it a bit and I'd go with something like "udp is like shouting your message to someone and *hoping* they hear in the manner of a newspaper seller, and tcp is the same, except the seller waits for each person to shout back to say they received and understand what was shouted. If you have a LOT of data which it doesnt matter if a little gets lost on the way (streamed music for eg), the udp is more efficient because you dont have to wait for everyone to shout back they got it."
First and foremost, one needs to start thinking of their network as something tangible,
something that can be stolen, because make no doubt about it, if it's too vulnerable, it can, and more
than likely will be compromised.
To help you flesh out this bit , the something that can be stolen is the DATA contained therein and the computational resources. Your stopping people stealing your information to use it on their own systems to their gain, or stopping them stealing your network to co-opt it into a scheme under their own control, be it to attack other networks directly, to join a botnet or spam etc.
You think the above is bad, you want to see it when I get my red pen out on something I dont like.
The intent and effort your putting in is great, I hope the above comments help you think about the contents and concepts your trying to outline.