Editor's note: These minutes have not been edited.

The meeting started off with Phil Nesser briefing us on what will go into the Executive Summary of the SSH and USH (which Erik Huizer suggested during the last meeting).

- Purpose of the summary: to give people reasons to read the documents
- This will go into the Overview of the documents
- Phil Nesser will do the write-up
- Barbara will put in the final draft of the SSH next week
- Gary will do the index
- SSH should be released as RFC by the next IETF

The rest of the meeting concentrated on the USH.

Section 1:

- Is Section 1.1 (Why was This Written?) necessary? It was decided that the heading for this section be removed and the text go under Sect. 1 itself (Who Cares?)

Section 2:

- "Commandments" to be one-line summaries of points which are expanded on later in the document
- Here are the ones we came up with at the meeting... suggestions for new ones and improvements are welcome:
  o Know your policy and who/what supports it.
  o Remember your password and keep it secret.
  o Know who to call for help.
  o Everything on the Internet is accessible.
  o Don't ask, don't tell.
  o If in doubt, don't.
  o Know the risks, balance the benefits.
  o Logout before you leave.

Section 4:

- Add "Beware of leaving modem in auto-answer mode"
- Java scripts section to be added, possibly to Section 4's Viruses and Other Illnesses (by Erik Guttman)
- Add section on fake terminal session logins - Chris Lewis <> will do write-up

Section 5:

- Index has divided Section 5 into various parts... index not updated, as it was decided at the last meeting to do away with parts. Gary will update the index for Section 5
- Section is lengthy... Wilfred Erinbar <> will try to shorten it
- Last paragraph is too general for this section, so it will be moved to Section 1 (probably 1.4)
- Currently, this section touches only on users revealing secrets to "social engineers". Lorna will add stuff on how users may be used by attackers as "remote controllers" .... to include an analogous example of how no one should help someone else carry their bags through Customs

Section 6:

- Main message to send across to users is that all information on their account IS important even though they may not think so
- Also, TELL users that "computer networks are easier to snoop and sniff than telephone networks"
- Users should bear in mind that any information sent over the Internet is as good as public information ..... include examples of what sort of information users may not want to reveal to simply anyone. Erik Guttman (I think) is doing this
- Stuff on credit card details sent over the Internet to be moved from Section 8 to Section 6.

Section 7:

- "Someone is using your system and you don't know it. Know the normal behaviour of your system, and be suspicious if it changes."
- "Be familiar with modem activity"
- "Upgrade networking software" --- this should not include only "networking" software but all other software.
- Point out the "dangers" of upgrading shared system software...
- "Do not take advice simply from anyone."
- Add warning that even though the USH may suggest some things, the user should be aware of his site's policy, as the policy may say "no" to certain things
- "Dangers" of auditing tools...

Section 8:

- Should this section cater more to users who use the Internet through their ISP connection?
- Point out clearly that "There are environments where services are run on an ISP's (Unix) system, and others in which the user's own PC runs the jobs."
- Point out that "Users should not connect up to their ISP at the same time they are connected to their LAN (and vice versa)."
- "Beware of what anyone with physical access to your machine may do."
- What about "Beware of security software on public terminals."
- Erik Guttman to touch up on this section.

Misc:

- We are looking for more urban legends to fit into the beginning of each section (as appropriate). Currently, there is the "Final Year Student" urban legend in Section 1.... try to keep other legends only as long as this one (not too long)
- Add one part to say something along the lines of "by no means is this document exhaustive" at the beginning of the document
- "Some USH info is for you but not others..." Point out that not all information in the document will be relevant to all users, and that users should be aware of their own site's policy too
- Throughout the document, there are parts catered to Unix account users and to PC users, but it is not clearly spelt out which is for which... Suggestion to have: "On a personal computer, " "On a Unix system, "
- Throughout the document, we should mention that "we offer suggestions but you should see your appropriate support staff for further information"
- When most sections have been written, we will get people to look through the entire document for grammar, spelling mistakes, and to make improvements for clarity. In the meantime, any editorial comments may be sent to Gary Malkin