Editor's note:  These minutes have not been edited.

The meeting started off with Phil Nesser briefing us on what will
go into the Executive Summary of the SSH and USH (which Erik Huizer
suggested during the last meeting).

- Purpose of the summary: to give people reasons to read the
 documents
- This will go into the Overview of the documents
- Phil Nesser will do the write-up


- Barbara will put in the final draft of the SSH next week

- Gary will do the index

- SSH should be released as RFC by the next IETF


The rest of the meeting concentrated on the USH.

Section 1:

- Is Section 1.1 (Why was This Written?) necessary?
 It was decided that the heading for this section be removed and the text
 go under Sect. 1 itself (Who Cares?)


Section 2:

- "Commandments" to be one-line summaries of points which are expanded
 on later in the document

- Here are the ones we came up with at the meeting... suggestions for new
 ones and improvements are welcome:

       o  Know your policy and who/what supports it.
       o  Remember your password and keep it secret.
       o  Know who to call for help.
       o  Everything on the Internet is accessible.
       o  Don't ask, don't tell.
       o  If in doubt, don't.
       o  Know the risks, balance the benefits.
       o  Logout before you leave.



Section 4:

- Add "Beware of leaving modem in auto-answer mode"

- Java scripts section to be added possibly to section 4's Viruses and
 Other Illnesses  (by Erik Guttman)

- Add section on fake terminal session logins

- Chris Lewis will do write-up


Section 5:

- Index has divided Section 5 into various parts... index not updated
 as it was decided at the last meeting to do away with parts
 Gary will update the index for Section 5

- Section is lengthy... Wilfred Erinbar will try to shorten it

- Last paragraph is too general for this section, so it will be moved
 to Section 1 (probably 1.4)

- Currently, this section touches only on users revealing secrets to
 "social engineers"
 Lorna <[email protected]> will add stuff on how users may
 be used by attackers as "remote controllers" .... to include an
 analogous example of how no one should help someone else carry their
 bags through Customs

Section 6:

- Main message to send across to users is that all information on their
 account IS important even though they may not think so

- Also, TELL users that "computer networks are easier to snoop
 and sniff than telephone networks"

- Users should bear in mind that any information sent over the Internet
 is as good as public information ..... include examples of what sort
 of information users may not want to reveal to simply anyone
 Erik Guttman (I think) is doing this

- Stuff on credit card details sent over the Internet to be moved from
 Section 8 to Section 6.


Section 7:

- "Someone is using your system and you don't know it. Know the normal
 behaviour of your system, and be suspicious if it changes."

- "Be familiar with modem activity"

- "Upgrade networking software" --- this should not include only
 "networking" software but all other software.

- Point out the "dangers" of upgrading shared system software...

- "Do not take advice simply from anyone."

- Add warning that even though USH may suggest some things, the user
 should be aware of his site's policy as the policy may say "no" to
 certain things

- "Dangers" of auditing tools...


Section 8:

- Should this section cater more to users who use the Internet through
 their ISP connection?

- Point out clearly that "There are environments where services are run
 on an ISP's (Unix) system, and others in which the user's own PC runs the
 jobs."

- Point out that "Users should not connect up to their ISP at the same
 time they are connected to their LAN (and vice versa)."

- "Beware of what anyone with physical access to your machine may do."

- What about "Beware of security software on public terminals."

- Erik Guttman to touch up on this section.



Misc:

- We are looking for more urban legends to fit into the beginning of
 each section (as appropriate). Currently, there is the "Final Year
 Student" urban legend in Section 1.... try to keep other legends only
 as long as this one (not too long)

- Add one part to say something along the lines of "by no means is this
 document exhaustive" at the beginning of the document

- "Some USH info is for you but not others..." Point out that not all
 information in the document will be relevant to all users, and that
 users should be aware of their own site's policy too

- Throughout the document, there are parts catered to Unix account users
 and to PC users, but it is not clearly spelt out which is for which...
 Suggestion to have:

       "On a personal computer, <blah, blah, blah>"
       "On a Unix system, <blah, blah, blah>"

- Throughout the document, we should mention that "we offer suggestions but
 you should see your appropriate support staff for further information"

- When most sections have been written, we will get people to look
 through the entire document for grammar, spelling mistakes, and to
 make improvements for clarity. In the meantime, any editorial comments
 may be sent to Gary Malkin <[email protected]>



