Talk:Computer security/Archive 1

This page is an archive of past discussions. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page.

Let's say I'm a 50-year old aunt, I've heard about computer security and know I should worry as a new computer user. I want to be a better computer user and protect myself, so I do a little research, find Wiki and this article. After reading this article, there is no way the average auntie is going to come away with any idea of how to protect themselves and set up their PC to avoid dirty-ing up the net with comprimised machines. There should be an outline level security section geared for small computing user with a checklist of items to tick off in order to harden their environment and protect privacy: Operating system security releases, software security releases, hardware or software firewall, antivirus software, alternative software (FireFox instead of IE), maybe even anti-spyware software. I'd normally add such information, but given the profile on the article, wanted to give the community to say yeah or nay. Revmachine21 11:46, 23 Nov 2004 (UTC)

This isn't a bad idea. You don't think it would be better form to post something of this nature on a separate website and then include the URL in the links section, or otherwise reference it?

---

OK, I've taken another tack. I've removed all the computer insecurity stuff into its own article computer insecurity, and I now propose that the security (computers) stuff should be merged into the remaining Computer security article. The Anome

True security can only come from within. (tongue in cheek)

Some random observations:

I don't know how capabilities apply to networking resources, hence I don't know what effect they'd have on "external attacks". My guess is that once systems are internally secure, external security reduces to the allocation of resources to completely untrusted entities. For example, flooding attacks would be much more expensive if an application only serviced one request per ip at a time.

Diverting a website in the router tables would still be there as an attack, but that's a fundamental problem in the protocol. I don't know what the solution to that is but I've never heard of anyone looking at the problem (though I'm sure someone has). -- Ark

The NSA has released a security-enhanced version of the Linux operating system which contains support for mandatory access controls based on the principle of least privilege. See Security-Enhanced Linux for more details.

I find it difficult to understand how you can apply the principle of least priviledge in a system based on ACLs. I tried to move this to computer insecurity but I couldn't find a good place.

I'm sympathetic to adding Windows but it's inaccurate to call it a fundamentally flawed security design; it has no security design! I heard some of these things were changed in NT but if I consider Unix fundamentally flawed .... -- Ark

I don't understand why people seems to think that a security "enhanced" Linux automatically qualifies it as a secure computing platform. Linux has had capabilities in the kernel for a long, long time and that's never made it secure. So now it seems like someone's aggressively applied ACLs (not even capabilities!) to the (static!) set of daemons and system utilities. Wow. Big fucking deal. The system can't be crashed anymore but your data is just as vulnerable to malicious access, corruption and destruction as ever. Now there's security for you. Give me a fucking break; I don't give a shit if Linux crashes, I'm a user, not a corporation!

Note that I've only briefly looked up the matter but that's all I needed to do since it's impossible to provide capabilities to users in a Unix architecture without radically redesigning the entire file system and its entire relationship with the kernel (you have to make the system orthogonally persistent to have widespread capabilities -- a conclusion I came to on my own and which the EROS developers confirmed). -- Ark

---

Whilst I do not have the in-depth knowledge to argue the relative merits of capabilities vs. ACLs (or, for that matter, the Unix security model), I do know that such debates are a vanishingly small part of computer security. This article is far too narrowly focussed, and when rewritten should give this technical issue the relative priority it deserves. --Robert Merkel

Which is the majority of the article. Of course, that depends on your defining "the relative priority it deserves" as "what most matters to security" instead of "what's the hottest topic among researchers". What other subjects would you rather the article talk about?

Cryptography? That's certainly a hot topic of research. Only problem is there's a grand total of three places where a typical computer would ever use it; authentication of users, data storage, and internet tunneling. For most people, only one of the three activities is relevant.

Or perhaps proofs of correctness? Another hot topic of research. And completely useless to us peons!

The only other issue I can think of is spoofing. And spoofing is only an issue in relation to either cryptography or capabilities, otherwise it's a non-issue to a systems designer.

Capabilities are the best and only way to improve the security of all computers. They're the most fundamental security measure you can have and they're also the only thing that will be accepted by most users (cryptography won't).

Perhaps what you're looking for when you refer to "computer security" is the computer insecurity industry. -- Ark

Nope, I've come back to this, and the current article is still hopelessly misleading and presents *one* aspect of computer security as the One True Way. Capabilities have *nothing* to do with physical security, network eavesdropping (which is getting easier and easier with the profusion of wireless networks), and so on, and have nothing to do with the processes sysadmins actually go through to make current systems which don't use them as secure as they can. --Robert Merkel

Apparently you don't quite understand why there are two separate articles if you think that "make current systems which don't use them as secure as they can" has anything to do with this one. It doesn't, it belongs on computer insecurity.

There are two fundamental concepts in the design of secure computing platforms. One is cryptography. The other, whether you like it or not, is capabilities. Crypto is fundamental to the storage of information in an insecure medium (or over an insecure channel, which amounts to the same thing). Capabilities are fundamental to access security.

Most situations can be decomposed into those two concepts. For example, a wireless network is a resource, access to which should require a capability. OTOH, the airwaves (or copper wires) are an insecure medium so any capabilities transmitted over these channels must be encrypted. The same division applies to authentication, which is really the problem of transmitting a capability over an insecure open terminal. The solution is to use encrypted capabilities. Passwords and tokens are just particular (not very good) forms of capabilities.

Almost always, problems arise only when you can't afford to use these systems. Spoofing is when a process fakes the identity of the OS or some other trusted process. This is only a problem because humans can't do cryptography, so that processes can't authenticate themselves to human users. So instead of cryptographically secure authentication, the OS is forced to mediate the representation of processes so that their identity is clear to humans. This is a data representation problem. And given how it's limited by human psychology, it's probably intractable as a result.

The insecurity of the internet protocols (the routing tables and such) can be understood as the non-application of cryptography and capabilities. Whether this is an accident of history, or is unavoidable (eg, too costly) is a separate question.

Issues like what do you do when a web of trust gets too large only become relevant when you have a web of trust to begin with. And you can only build one using caps and crypto.

Then there are the denial of service, starvation and deadlock problems. Denial of service is just a special case of starvation, and so is deadlock. But starvation isn't a security issue at all. It's a politico-economic issue. If someone wishes to starve every other process by buying access to a crucial resource forever, that shows a serious defect in economic policy. But not necessarily security mechanisms.

The only independent issue I can think of is communication over covert channels. For example, when two processes communicate with each other using CPU utilization or page fault frequency. If there is a theory behind identifying and blocking covert channels, I don't know it. Every resource available to users provides a covert channel for communication. Blocking them is an esoteric art form and largely irrelevant since there are much bigger fish to fry.

I'm not against presenting issues other than caps and crypto, but these issues are exotic. They don't seem to admit to any theory and so are difficult to systematically incorporate into a design. -- Ark

---

The semantics of ACLs have been proven to be insecure in many situations (eg, Confused Deputy Problem. It has also been shown that ACL's promise of giving access to an object to only one person can never be guaranteed in practice. Both of these problems are resolved by capabilities.

This is bullshit. Only ACLs without setuid or similar mechanism are vulnerable to Confused Deputy Problem. Setuid has been present on Unices for ages. --Taw

This looks like interesting reading [1]

---

In the aftermath of the Ark Wars (tm), I propose moving this page back to computer security, which I think is the more common term (etymological quibbling aside.) Opinions? -- CYD

---

Redirecting this topic to point to Computer insecurity was an extremely bad idea. Whatever philisophical differences people may have over the specific approaches, such a drastic modification requires some sort of discussion. Has this taken place? I don't see it in the Talk pages of either article.

Let me kick it off by saying that I don't see the current Computer Insecurity article as appropriate or polished enough to be the main content for such an important subject. I'm going to change the link back, and if anybody disagrees, then let's talk it over before we make the change. Dachshund 03:35, 2 Feb 2004 (UTC)

---

SELinux is a MAC system. It'll keep you restricted to whatever the account you broke into is restricted to, plain and simple.

Check out the Secure operating systems article (yes, I originated it; no, it's not biased) to see security focused efforts. These entail one hell of a lot more than "oh look, Jim can't edit /data/audio/frank\'s_pl.m3u".

Check out also PaX, NX, buffer overflow, Stack smash protection, and a few others that you should be seeing in this article.

On a side note, W xor X needs to be written as well for OpenBSD W^X; and we need a proper Mandatory access control article.

--Bluefox Phoenix Lucid 02:30, 27 May 2004 (UTC)

---

Is there any good reason for the heading to read "Capability vs. ACLs" instead of "Capabilities..."? I understand the link was removed in accordance with style practices, but this spelling sounds kind of awkward to me... I stumbled upon it because it broke a "see also" link from Security focused operating systems. - DanielCohen

No, it should be consistent, either Capability vs ACL, or I think better is Capabilities vs. ACLs. For such a minor edit just be bold sometimes. But spend some time reading the conventions I guess, since talk page comments go at the bottom typically. - Taxman 18:40, Jul 14, 2004 (UTC)

Any ideas on how to illustrate this article? I'm wondering what I could photograph to illustrate it... Krupo 20:17, Aug 29, 2004 (UTC)

I got a simple little illustration, it’s copyrighted and used with permission, so if someone could make or find a "free" alternative then I know that would be better for Wikipedia.--Rbilesky 03:19, 4 November 2007 (UTC)

ok,

i've been pootling around this section of wikipedia, and since i know a far bit about IT security, i thought i'd start here. anyway, the article goes on about computer security in a very abstract way. i expected to read about some of the practical aspects, not limited to:

• Penetration Testing
• hardening
• Security policy (currently redirects to computer network security?)
• risk analysis

and so on. i realise that these all have entries, but i think they should be linked to from the main security article. i would also suggest that the stuff about capabilities and so on (actually 90% of the article) should be moved to computer security design or computer security architecture and the article replaced with a more broad overview, linking to many of the sub-topics, while providing brief summaries of them.

the article fails to mention confidentiality, integrity or availabilty either. i think this is a mistake. computer security involves "protecting computer systems and the information they contain against unwanted access, damage, modification, or destruction" and the article fails to cover this adequately. if people agree, i suggest moving the contents to Computer security design or somesuch, and creating a new stub here, with an agreed set of sub-headings, which can be worked on. as a featured article, i think it disappoints.

--m3tainfo 19:25, 24 Nov 2004 (UTC)

I agree that all of that needs to be covered. Some of it is already. I disagree that the article is 90% about capabilities, but in any case it probably goes into too much detail about that. The detail in the capabilties vs ACL's section is not central to the computer security topic, so instead should be summarized here. Then the detail on capabilities and ACL's should be covered in the proper article. Make sure keep all of that detail somewhere. Also disagree that the article should be moved. It needs to be expanded instead and left here. Finally I would add physical security to your topic list of what should be covered. It is probably as if not more important than the other topics in real life situation. TEMPEST, Social engineering, and simple physical access to a key machine can simply circumvent most other security measures. - Taxman 19:45, Nov 24, 2004 (UTC)

agreed. note that currently Secure computing redirects here. the computer insecurity page lists many specifica about vulnerabilities etc. my suggestion would be that the Computer Security article is a general overview. possibly take the 10 domains from CISSP as subject headers. then, have links to the secure computing and insecurity pages as separate entities, i.e. the capabilities discussion goes there, not here. i will append a proposed list of subheadings once i have thought about it. cheerz, andrew. m3tainfo 21:42, 24 Nov 2004 (UTC)

Hi thanx 4 the info Love me xxxxxxx

For Sanity sake, could this article distinuguish between Information Security and Computer Security. To make my point, all 10 security domains of the CISSP cert can be done with File Cabinets and 3x5 cards. No computer is actually required to encrypt a message in transit or restrict readership to the right persons.

I would love to read about Computer Security in a format that allows me to contribute without acting as a direct reference and aid to the simple hacking community. Internet freeware sites are so much more helpful in this regard for both the vulnerability prevention and simple hacking communities. Further, posting details in a non-preventative format could be seen as accidental approval of computer misconduct.

That said, there is a huge body of authoritative material spread across the globe that could be referenced. I would find it useful if it existed and so would start rebuilding with some encouragement.

Arctific 03:22, 12 March 2007 (UTC)

Many recent external links added here, really belong in computer insecurity. I suspect the temptation to put inappropriate stuff here might be reduced if the article was redirected to computer security design.

It needs to be made clearer from the outset that protection from viruses, hackers, spam, malware, phishing, you name it, is perceived to be a problem with a computer system that either has not been designed properly, according to the precepts of this article, or has not received competent security auditing such as that I am working on presnting with the article computer security audit.

The purpose of this article is how to design a computer system so that it is not vulnerable to hackers, spam, viruses, malware, you name it. This article is NOT about what to do to protect a computer system, operating system, software, etc. that was not designed properly in the first place.

Thus, information on how to cope with malware viruses, hackers, you name it, DOES NOT BELONG as additions to THIS article, but rather ought to be added to the computer insecurity article. Further, when it comes to what ought to be done to protect your computer system, and do it economically without a major hassle, check out the article computer security audit.

I think part of the problem is that the vast majority of the computer using world have not been exposed to computer systems that are secure from the ground up, such as the IBM AS/400. In the Microsoft world, and some others, we have millions or exploits, rapid growth in them, such that from year to year, the number fixed is microscopic compared to the number that got fixed. Each month there are critical patches that sound to the non-expert like they are fixing the same thing that should not have been broken in the first place, or if fixed should be fixed so that it does not have to be fixed again every month. While in the AS/400 world we might go 10 years until a new security problem is found. It is fixed within a month or so, and IBM can afford to do a major promotion to make sure all customers get the patch, because it may be another 10 years before another security problem with the IBM plaforms.

Thus, the vast majority of people arrive at Wikipedia with the mainstream notion that computers are inherently insecure, and the definition of computer security is to patch an infinity of problems. Thus, if the main article could get a new title like computer security design or something related to designing a computer system that is free from computer insecurity hassles, so we not need to constantly be staying current on anti-virus anti-spam anti-spyware etc. etc., with the main article pointing both to that and computer security audits and security breaches (I also got lots of work to do there to make it NPOV etc.) and the IT profession, then I think a lot of the risk of misconception could be avoided. AlMac 00:42, 18 July 2005 (UTC)

I went into more detail in Talk:Computer insecurity with respect to this notion that computer security science is immature. I believe that some aspects of it is immature, while some aspects of it are extremely well developed, as evidenced by systems that have not been cracked.

There are periodic security challenges.

• Bill Gates (CEO of Microsoft) unlisted home phone is on this Microsoft computer system ... the url is publicized ... anyone who can break into the system and calls him, will receive $ XXX,XXX.XX in exchange for educating Microsoft how they figured it out. No one ever got the reward. This proved that Microsoft had figured out some good security. The problem is in getting it to their customers on all their products.
• Mr Gerstner (former head of IBM) has opened a credit card with a balance of # XX,XXX,XXX.XX and the account number is secured at this url ... anyone who can get at that account number and explain how they got that account #, will get a reward. No one got it. An army of IBM security professionals monitored 100% of the accesses to that url, and learned a lot about what is needed to improve security.

AlMac|^(talk) 20:36, 6 October 2005 (UTC)

(neither of these ever happened. That's not to say there aren't security challenges, just that these aren't them. check out argus for instance, who paid out 50K USD to the LSD security group after they broke into it's pitbull server system. these hacking contests are rarely useful, however. m3tainfo 19:47, 1 April 2007 (UTC))

Audiences

One way to get clarity to these choices and discussion might be to consider the different types of people who might come here looking for help and guidance.

• Personal computer user who is not a computer expert, is feeling a bit overwhelmed with viruses, spyware, spam, false positives, e-mail bouncing, phishing, hackers. This person needs to get a handle on the terminology of the new threats, how to protect against them, priorities dealing with them, how you know you are protected, and since Wikipedia is not intended to be a how-ot but an encyclopaedia, there needs to be careful language that is NPOV without placing them at risk of going to a predator site.
  • Such a user might also be directed to pros & cons of the alternatives out there. Yes, you can operate without Microsoft, but there are trade-offs. Yes, you can communicate without e-mail, such as RSS, but there are some pieces missing.
• Someone who works at a small business, with a similar feeling of being overwhelmed. Combined with limited budget, what can we do better as a practical matter?
  • Example from where I work. We have approx 50 users. We get in the neighborhood of 25,000 spam, many with viruses, per day. They are setup to automatically go into quarantine. There are far too many for some human to go looking to see if any false positives there. We run this option to delete everything that is in the quarantine. There are problems with various steps in the process "timing out."
• Human being who is at risk of Identity theft through no fault of their own. What can they do to mitigate that risk?
• Computer professional, perhaps new to IT resources associated with their industry, or the specifics of their employment, who wants to learn more about computer security outside of what is offered through the work place. The training may be inadequate. The potential student wants to know how you can tell that. Some employees may want to learn without the employer knowing how much they still need to learn.
• Experienced Computer Professioal who is ready to go after some kind of Security Certification and is interested in the pros & cons of the different kinds that are out there ... what does each offer, not offer ... what kind of market acceptance ... in other words if I get this or that certification does it make a hill of beans difference in the job market?

AlMac 01:11, 18 July 2005 (UTC)

Broken Links

I tried to follow the links up to to archives of peer suggestions to try to improve this article ... they probably some place on Wiki, but I not finding them. The links need fixing. AlMac 01:25, 18 July 2005 (UTC)

It would probably be best to move much of this material out of this article altogether and into separate articles on trusted computing, acls, etc. If you believe Bruce Schenier security is risk control, not risk elimination.

This article should be the hub article for a series of separate pieces on various aspects of computer security. It should present a historical treatment and also the state of the art in computer security design. Computer Insecurity should be computer related risks, sorry, that is the term of art used in the field.

I took out some of the people from the list of notables, sorry but even though I know them well they would not consider themselves amongst the ten most notable people in the field. I think that lists of that type are kind of clunky anyway.

The article is unfortunately POV to 1980s DARPA style security research. There should be treatment of the accountability approach as well. --Gorgonzilla 01:34, 15 August 2005 (UTC)

I added some comments on Gorgonzilla's talk page. We might also review the categories here. Plus I agree that new legislation, particularly SOX in USA, is having a dramatic impact upon what is expected. AlMac|^(talk) 18:15, 15 August 2005 (UTC)

Could you expand the acronym SOX or provide a link to description/explanation what it is? Zarutian 00:51, 21 September 2005 (UTC)

SOX = Sarbanes Oxley

Here is a link to several sets of rules for computer operations in the USA, that apply to companies publicly traded on the stock market, that do business in the USA but are based in foreign nations, have significant foreign ownership, and other combinations. AlMac|^(talk) 01:39, 21 September 2005 (UTC)

Hey, looking for reviewers for this article:

http://en.wikipedia.org/wiki/Wikipedia:Peer_review/Buffer_overflow

It would be great to have lots of input from different sources. - Tompsci 19:11, 7 January 2006 (UTC)

The following links were removed:

ww.networksec urityarchive.org/ - advertisements on bottom. content req's password to access.

ww.cgisec urity.com/ - google adfarm

ww.precis esecurity.com/ - google adfarm. commercial site.

ww.secures tandard.com/ - dead link

ww.infosy ssec.com/infosyssec/index.shtml - spam

ww.secur itynewsportal.com/index.shtml - spam

ww.eros -os.org/faq/basics.html#non-equivalence - already have link similar to this

ww.cs.was hington.edu/homes/levy/capabook/Chapter5.pdf - link already exists

ww.securi tyforest.com - dead site

ww.nucle onet.com - commercial site

ww.tren dmicro-europe.com/housecall - commercial site

ww.meu cat.com/passi.html - ad farm

planet-se curity.net/ - site is all in German

ww.cose ad.com/ - google adfarm

ww.bl uhat.com/ - dead site

ww.inci dents.org/ - ad farm

ww.secur ity.nnov.ru/ - google ad farm

ww.whit edust.net/ - nn site

ww.tec hbooksforfree.com/security.shtml - ad farm

ww.watch yourend.com/ - nn blog

blogs.itt oolbox.com/security/investigator/archives/006378.asp - blog, ads

If readding, please discuss your reasoning here. Monkeyman^(talk) 17:56, 26 February 2006 (UTC)

You may want to examine whether John Bambenek truly warrants inclusion in the list. There is a shill (possibly Bambenek himself) going around adding Bambenek to lists he may not be qualified for (e.g. most notable alumni of University of Illinois).

What do you think about adding a web site security section?

Hello Dear,

How to remove the hard disk only using dos command and without Formate & without Partition.

reply me dear

my email id : rahul_it1986@yahoo.com

Network security article redirects to this article. With more and more security being built into network infrastructure, we need to segregate these two terms. I propose we remove the redirect from Network security article and expand the article in it place. --Raanoo 06:05, 31 July 2006 (UTC)

Computer security covers more than "network security". The articles are fine. And please do not use {{helpme}} anywhere but your user talk page. Ryūlóng 06:12, 31 July 2006 (UTC)

That is precisely why we need to have different articles. While computer security may include the security measures taken for shielding it from the threats coming in from a network interface on which it is connected to, a network-wide security offered is still different. There are security measures that could be provided by the (hierarchy of the) network to protect an end-host (network connected computer) from being a victim of Denial-of-service attack. Raanoo 06:36, 31 July 2006 (UTC)

I agree generally, but I am not sure whether there is enough to make a whole article about it. It could be better to split it out into a separate section, but within the current article as some of the measures are related and someone looking for one topic might be interested in the other. At the very least, splitting it up like that would be necessary before forking to network security anyway. —Centrx→talk • 06:44, 31 July 2006 (UTC)

I support removing the redirect to create a Network security article,. A closely related article, Internet security, needs attention and could be fixed at the same time. Category:Computer network security has a generous list of topics to work from to create a good article. JonHarder 13:19, 31 July 2006 (UTC)

I don't see why there should be two articles - one on computer security and one on computer insecurity. Even if they are fundamentally different, there should be an umbrella article that links to both in a more streamlined fashion. User:Kvikram

Well, the proposal is not about computer security and computer insecurity; but about network security. --Raanoo 14:27, 17 August 2006 (UTC)

The list of notable persons is ever-growing. I can see it only growing in the future. Is this any kind of advertisement or what? What are the knights of Wikipedia doing? WP:NOT? —Preceding unsigned comment added by 61.2.58.216 (talk • contribs)

Deleting listcruft. Nobody outside the computer security field would care about that list, which makes it cruft. --DavidHOzAu 09:06, 27 September 2006 (UTC)

I quote, from the opening lines of what should be a major Wikipedia article:

In a secure system the authorised users of that system are still able to do what they should be able to do. One might be able to secure a computer beyond misuse using extreme measures:

"[T]he only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts." -- Eugene H. Spafford, director of the Purdue Center for Education and Research in Information Assurance and Security. However, this would not be regarded as a useful secure system.

This supposedly wry, tongue in cheek statement isn't funny and detracts from the tone of the article. If a point needs to be made, surely something along the lines of "It is difficult to achieve total computer security, however for any given case an approach can be taken that minimises the risks" would be more approporiate? Humour has no place in an encyclopaedia. —Preceding unsigned comment added by 81.178.243.13 (talk • contribs) 21:07, 19 October 2006 (UTC)

I agree that this quote should be removed. It is making a point IA isn't perfect and hurts usability, which is overemphasized in my view. Also, it is not factual. There are forensic means to remove information from computers that are powered off too. I doubt if Eugene would have said it if he thought someone would quote him here. John 02:48, 10 November 2006 (UTC)

I disagree, I quite liked the quote, whether Spaff said it or not. Chadnibal 01:05, 23 November 2006 (UTC)

Would whoever wrote "Computer security is a logic-based technology." please clarify and elucidate? Doesn't seem to mean anything at all to me, too tired to try to fix. I went to the last USENIX Security, and I still can't remember enough of my CISSP stuff to come up with a better definition. "Computer security is an emergent property of systems." would seem to be much more accurate. No mention of security hardware either, dammit. Section needs massive rewrite. Chadnibal 01:02, 23 November 2006 (UTC)

COMPUSEC is simply miltary jargon for computer security. --Ant 10:02, 9 January 2007 (UTC)

The article simply needs to have tips for new users about keeping their identity safe (Using a good password like: 'sralik87cl' compared to their name and birthdate, Using Mozilla FireFox instead of Internet Explorer to help deter hackers keeping viruses out, Not to use personal information on unkown sites, etc.), a few good/free anti-virus or anti-spyware programs(AVG Anti-virus, Ewido Anti-spyware), along with a list of the best computer security programs out there. You could also define certain terms pertinent to a person's internet safety. (Suggestions: phishing, trojan, virus, spyware, cookie, keyloggeer, downloader, etc.) This, more than detailed descriptions of how viruses are created and sent, would be most beneficial to the common computer user. Malinaccier 22:15, 10 January 2007 (UTC)

... but so is the field it describes, so maybe that's just par for the course.

I agree that the article is a mess. It seems to describe little about the field. --some web surfer.

How was this ever a featured article? It would need a complete rewrite.

Oh, and why was the archived peer review deleted? --DavidHopwood 04:18, 21 January 2007 (UTC)

No arguments about the mess. Yuck.

Here's my suggestion for how to fix it - a ground-up rewrite covering only basic concepts and a bit of history, and linking to other pages. Make "Computer Security" itself intelligible to the layperson, but a reasonable jumping off point for the expert.

The things that I associate with "Computer Security" are already written up well on Information Security. I would like to see a consensus on what other pages should be prominently displayed.

There are a lot of good suggestions on this page for things that the article should link to - particularly tips for the layperson on security their own personal computer. I wouldn't try to incorporate that into Wiki, though, just link to guides from sites like | CERT.

Edited to add - I agree with whoever said the content on this page right now should be moved to someplace more precise. Secure Computer Systems Design or Security by Design?

--Sgorton 19:34, 13 February 2007 (UTC)

I find it ironic that a page about computer security happens to have spam on it. It should be removed and this article should be organized better. Whoever thought up "Notable Persons in Computer Security"?!?! "Free textbooks on this topic" should be removed. Parts of the article need to be organized such as the list of bullets "Techniques for Creating Secure Systems". --PokeYourHeadOff 00:21, 1 April 2007 (UTC)

Is the reference to Folder Lock a form of advertising and should be removed?

It seems like it was added to the end of the section of encryption, and doesn't seem relevant.

FutureDomain 22:13, 26 April 2007 (UTC)

"There are few, if any strategies to add-on security after design."

Well, there are actually two I can think of off of the top of my head: Sandboxing and virtualization - both which (theoretically) allow insecure designs to work within a secure environment without compromising security.

And to be honest, Microsoft has been guilty of trying to add security to inheritly insecure designs. I still wish they would get rid of ActiveX and the built-in scripting support that very few people actually use - except virus writers. CobraA1 01:27, 18 May 2007 (UTC)

How can sandboxing or virtualization be added on after design to achieve security? John (talk) 01:52, 18 February 2008 (UTC)

Hello. This article has one or more references, which is good. I added a "citations missing" tag though because one or more sections have no inline citations. OK in advance from me to remove or change this tag. Good luck with your article. It saved me having to check several articles listed at spoof. No pun intended, Princeton University for example was a very good leader in the field of spoof research about ten years ago. I have never been there and have no way to verify this, but just from memory, thank you and to the editors of this article which the talk page says at one time was a featured article (not easy to do). Best wishes. -Susanlesch 15:50, 13 November 2007 (UTC)