Bruce
Fri Apr 11 09:05:15 PDT 2008
Bill Ridgeway wrote:
> Bruce Chambers wrote, in response to my post -
>
> <<Not if one takes rudimentary precautions against unauthorized physical
> access to the computer, and uses a properly configured firewall>>. Good
> point but I wouldn't put a list of passwords etc on the hard disk. It only
> needs one failure, one chink in the armour and it's gone.
Storing one's passwords on a hardware device that might fail is not
without a small amount of risk, true. But it's no riskier than having
them scrawled on a piece of paper hidden in a desk drawer or in one's
wallet, or on a thumb drive. However, you're mistakenly equating
hardware failure with a security compromise. The two are not
necessarily the same.
> Remember that
> Microsoft issues (with very few exceptions) critical and security patches
> just once a month.
That's just not true. As one who claims to professionally support
computers, as implied by your signature, you're surely aware that
Microsoft issues Security Bulletins on a weekly basis to anyone who
cares to subscribe to the service. Granted, Microsoft Update propagates
routine patches on a monthly basis, primarily at the request of
corporate IT departments who need to test each patch before deploying
it, but critical security updates are pushed out when and as required,
regardless of the monthly schedule.
> Therefore, a security issue discovered just before the
> patches are released will go unresolved for a month (and perhaps a few days
> more).
>
Again, not so. See above. Remember Blaster? The requisite patch was
made available via Windows Update weeks before the worm spread
throughout the world, but people hadn't bothered to install it, or turn
on their built-in firewalls. But this is one of the reasons one should
have a properly configured firewall in place: just in case such a should
occur. If nothing unauthorized can get to the computer, it can't
exploit a vulnerability.
> <<How so? The two issues don't even strike me as remotely relevant.>> The
> two issues are very much relevant! Remove and destroy a hard disk before
> the (rest of) the computer is disposed of and sensitive isn't available to
> who knows who.
>
True, but what's that got to do with the original topic? And, as has
been pointed out numerous times, no one (outside of movies and
television programs) has ever been able to conclusively demonstrate that
it's possible to recover any sort of data - sensitive or otherwise -
from a hard drive that's been thoroughly wiped, formatted, and then had
an OS and applications reinstalled.
It's all very well to be security-conscious, and to take all reasonable
precautions, but I do think you're pushing it to the point of paranoia.
A proper risk assessment will balance the severity of a vulnerability,
the likelihood of its being found and exploited, and the costs in money
and effort of averting/countering that risk.
--
Bruce Chambers
Help us help you:
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/default.aspx/kb/555375
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. ~Benjamin Franklin
Many people would rather die than think; in fact, most do. ~Bertrand Russell
The philosopher has never killed any priests, whereas the priest has
killed a great many philosophers.
~ Denis Diderot