Comments on: Who says safe computing must remain a pipe dream?

Web surfing gets riskier all the time. Computer security guru Bruce Schneier outlines a 12-step plan to protect yourself.

[poster48150]

Disabling HTML in Eudora?

Bruce Schneier wrote

"Turn off HTML e-mail" and then "I use ... Eudora for e-mail".

How do you turn off HTML e-mail in Eudora?

Thanks,
Jim

[centek]

Turn off HTML in Eudora

Open Eudora(I use eudora Pro 5.2) go to Tools>
Options>Under Category Click on> Viewing Mail.
On the left panel>uncheck []Use Microsoft's
Viewer. Click on OK.Close Eudora. Restart Windows
and check same to see if it remains disabled.

Joe

Hardware vs. Software

A few years ago when I was looking at firewalls, I heard quite often from people that a hardware firewall (router) was not sufficient and that a software firewall was an absolute necessity. In the past few months I've begun to hear people recommending a hardware firewall as better than a software firewall and in some cases instead of a software firewall. Just curious what everyone's take on this is? Software, hardware or both?
Mike

Not Both

If you need a router anyway use that.. If you aren't on a network or don't need a router, go software.
I wouldn't recommend using both, as it can cause various conflicts.

Hardware

Mike-
Go with a reputable hardware firewall and make sure the Firmware is up-to-date. Keep in mind that while a software firewall will ask the user on each and every attempt, this can be overbearing and often annoying.
Software firewalls tend to be a lot more intimidating to users due to the pop ups that ask what you'd like to do. Hardware firewalls do the quietest behind the scenes blocking....combining the two can be a bit of overkill but in this world....is it really overkill?

[slsturgi]

Use Both

A colleague had opted to rely on his home network router and against installing software firewalls on his individual computers. One of his kids visited some site and got infected somehow, and the infection then spread to his work machine. Had he been using software firewalls in addition to his router this would not have happened.

Though there was probably more to the story, such as missing patches, perhaps, is immaterial.

Use Both... IFF You Understand Them!

Most hardware/router firewalls only protect you against attempts to come IN using "strange" ports etc. They rarely protect against something which has put a trojan horse on your machine which logs keystrokes and (periodically) goes OUT through your firewall to send the data to "mother". Most software firewalls are designed to block all OUTGOING data from ANY program unless you explicitly say "OK, I understand that one, it's OK". Unfortunately, many people do not RTFM in depth enough to understand this aspect of software firewall behavior, and just turn it OFF as being too annoying - result, the trojan sends your (keystrokes) typing in your credit card number to that HTTPS "bank" or "merchant" SSL screen ... even if you suddenly decide NOT to hit the "send" button! Since a trojan can be planted via a fake website or through idiots clicking on some attachment they think is a picture of a hot chick etc., software firewalls (and periodic virus/trojan scans) are a good idea rather than relying on just the hardware router/firewall/NAT.

[tmick]

hardware or software.... why not both?

I have a router that has NAT (Network Address Translation) on it with a firewall on it and then I have Panda Antivirus Internet Security that comes with a SW firewall I have no problems with Viruses and very little spyware if any (that I can find anyway). I found it is better with both types of firewall on your system if for no other reason if you lose one you still have the other one to fall back on for protection. I also found the hardware firewall helps in blocking port scans from finding my computer in the first place, whereas the software firewall blocks any of the scans that do get through from finding the ports that could be open better than the hardware firewall does so in short they compliment each other with their strengths.
Cheers
tmick

Pluses and Minuses

I've worked with both types and all things being equal, hardware FW's CAN be more robust, more reliable and less invasive.

My preference for HW firewalls is SonicWall. They sport a high level of configurability yet work suitably out of the box.

The more complexity you add to a given PC, the more chance there is for problems. The SW firewalls that keep popping up to ask if a certain thing should be allowed through only confuses many users, which leads to frustration and an unhappy customer. They can also be quite resource and bandwidth hungry. Just a few years ago you couldn't touch a HW firewall with stateful packet inspection (SPI) for less than $500. Now, even the cheapest Linksys routers tout SPI. In short, HW firewalls are transparent and they work.
Brian

[Ubber geek]

software firewall

http://www.analogstereo.com/conrad_johnson_service_manuals.htm

[johnnybluenote]

Security Expert?

It amazes me how a person can be labeled a security expert and write books, then, make garbage suggestions like those that appear in this article.

First of all, I have used Windows OSs since Windows 2.0. My computer has been online all the time for the last 4 years, at least. I NEVER turn it off. I have NEVER had a virus nor had my credit card and/or banking information stolen or misued nor has any other security breach occurred. I teach my customers how to protect themselves and rarely do any of them have a problem once they become my customers.

Secondly, even if someone buys into this illogical argument, i.e. if everyone should switch to Mac or Linux, it would only be a brief matter of time until hackers and crackers started attacking those OSs as well.

Security Expert?

While I don't agree with all of Mr. Schneier's recommendations and think some of them are too drastic, most of them have merit. And he is not merely "labeled" a security expert. His "Applied Cryptography" is a highly respected text among many computer programmers and he is the inventor or co-inventor of two highly regarded encryption algorithms, Blowfish and Twofish.

[micky]

Security Expert: Yes he is...no doubt!

Man, I would hate to be one of your clients. It would be like having a doctor who smokes and doesn't yet have cancer telling me he is living proof that smoking is not harmful. "Light up. Enjoy. There's no harm wahtsoever", he'd intone, through his deep tonded, smoke damaged vocal chords.

[rbanffy]

Security

I too use Windows regularly (since Windows 1, btw), as I do Linux, NetBSD and MacOS. The very process of safely installing a Windows XP box while connected to the internet is so convoluted (in fact, much more convoluted than an average Linux install) I doubt any average home user will be able to follow it (even if he/she manages to find it on Microsoft's site) without a guru by his/her side.

Most advice in the article is very sound, while some of it may seem a little bit excessive. Avoiding mainstream software can and will reduce your chances of being vulnerable to any given exploit. Anyway, the best way to stay secure is to know, exactly, what you are doing with your computer. Altough most people would be reluctant on entering a swimming pool full of gasoline while smoking a cigarette (I would be reluctant to stand less than a hundred feet away from such a pool, with or without a cigarette), the very same people will happily open any small program that claims to be funny on their Windows boxes.

While using my Windows box, I put myself within the reach of any scrip-kid or clueless spammer. While I am on my MIPS/BSD or PPC/Linux boxes, I am comfortably above their reach with very little added effort.

[Inventor]

Security Expert

Folks:
I come from ths first computer store that ever was 32 years ago. We used CP/M in the spring of 1974 and the only security in "NOT BEING CONNECTED TO ANYTHING." Not a phone, cable or dsl. Keep everyone out of your office. Don't let anyone touch your computer ever. Then only your software will get you.
Never put any data that you "Can't" afford to lose or you want someone to know on a computer.

There, that clears that up. Now do what you want and suffer the consiquenses because that is what you will do anyway.

Run XP-SP-2 and all the New Viruses will get you.

The last one I had shut off my Symantec Virus Program, tried to trash my Linux server, execpt it shut down rather than be crupted. I spent 140 hours building a "NEW" hard drive, the old one was cycled until the "Head" was snaped off. Part of tne new Multitasking Viruses now out there.

Every day i learn something new, so should you.

Nuff Said.

Inventor.

[zdnet2]

It really is amazing

It's amazing how people who consider themselves safety experts can still advocate seatbelt usage. I could probably find millions of people who never wore their seatbelts and it did not make one bit of difference. They were never even in accidents. With their safety record, why should they start wearing seatbelts now? After all, it never helped in the past.

Of course, one could look at the traffic fatality rates for the nation and see that it really makes a difference, but if you are more concerned with your personal experience, then knock yourself out.

[Ubber geek]

Windows 2.0

http://www.analogstereo.com/bmw_3_owners_manual.htm

Put your password in your wallet?

I'm a big fan of Bruce and have been reading his commentary on security issues for years. But really, telling people to write down their password and put it in their wallet - are you kidding?

Now I know what his logic is - most people ARE incapable of creating and remembering secure passwords, and most people only loose their wallet a few times in a life time (hopefully). But you know, when that wallet is stolen and the thief gets your password and a bunch of credit cards he's going to be all over those banking websites quicker than you can say "Rob me blind!". Also people will not be able to guard that written down password - they'll be pulling out their piece of paper and leaving it around and dropping it letting friends see it inadvertantly.

Plus, it presupposes that people will actually uses a longer, safer password just because they wrote it down - now they'll continue to use lame-o-passwords like their dogs name and still get their logins compromise.

I agree with the SPIRIT of Bruce's suggestion here, but practically I don't think its a very good one.

How about "call your bank and demand they three level authentication with password, physical key and biometric confirmation". Banks save a ton of money when their customers use on-line banking, so consumers should also be demanding that they supply the necessary hardware free.

[Inventor]

Wallet Passwords

Folks:
Don't do it!!! You want to have a real problem?
Now a thief has your credit cards, password, home address for home invation and stealing your computer, a list of your valuables on your computer along with pictures, lockbox information and on and on and on. Take large gun, ****, shoot foot several times, don't call 911 watch your foot bleed. Makes as much sense?? You want security? Get one of those memory chips you wear around your neck that works with USB 2.0. Use an encription program and a USB cable or you may have a front port on your system. Just plug the memory in and it will ask you several random questiones only you would know. Each time you log in, it asks different questions. It's thats best way until "Brain Scans" come along.

Inventor.

[zdnet2]

Yes, write it down

One of the reasons people have to write down a password is that they have so many, and they have to change them so often. They may have email, an amazon.com account, etc. The problem is that users tend to reuse passwords. If I created a site and told people that they needed a username and password to use it, chances are I could take what they typed in and try their usernames at hotmail or amazon or any number of places, and a lot of them would work.

The way to get around that is to NEVER use the same username and password at more than one secure site. If you want to remember them, then use a good password manager that encrypts them and has its own master password that's hard to guess. And back it up.

But you may need to have some of your passwords with you. If you make them good enough that they give you some security, you will not be likely to remember them.

So here's how to write them down: Don't make it obvious. For example, if I have a card in my wallet listing my bank account number, the bank's 800 number, and my PIN, a thief might try my PIN. But if he does, the ATM may swallow up my card and never give it back. My REAL PIN might be digits 2-6 of the phone number, or a part of the supposed account number that only I know. For a password, I might have an easy way of altering the username or password or both to make it less obvious. I might have the first two entries with phony names, and the real password is really two lines down on the list. Or I might stick three random letters in front of each password, or two behind each one. Or I might come up with a simple algorithm that will give me a number between 1 and 4 for each line to figure out how many random characters to use. Or I might write them backwards with fake leading characters. Or I might write them backwards with an extra random character after position four. Or I might not write the username down at all, if I can remember them. Or if I make a habit of starting all of my usernames with "BOBBY" and ending them with a number, I can write down only the number, and the password encoded with one of the above rules. All of these are examples of ones I don't actually do, but are simple enough that if somebody found your list, it would be useless. Use your imagination.

[amackay--2008]

Passwords

I agree. Keeping passwords in your wallet is asking for trouble. I have had the experience of loosing my wallet once and having it stolen once. Neither was enjoyable. I can imagine what would happen if I had my passwords stored in my wallet at the time.

Instead, I use an encrypted password keeper program running on a different machine. That machine requires a seperate password to log on and a different password to access the password keeper program. I only access the program if I cannot remember a password. Works great as far as I am concerned.

[AndrewRich]

Delete cmd.exe?

Uh, no. Cmd.exe is the command prompt; it's an essential part of Windows. It's also part of Windows' System File Protection, so deleting it is going to be rather difficult (though not, of course, impossible). What I don't understand is why this was even included on an otherwise pretty sound list of recommendations. Or am I missing the joke?

[ccady]

Delete command.com and cmd.exe?

Bruce's advice to delete cmd.exe and command.com is bad. Although it can certainly decrease your chance of viruses, it will almost certainly break some programs that you run today. Those files are what give you a "DOS prompt" and without them, you will lose a very important part of the functionality of your computer.

Don't take this portion of his advice, or if you do, make *sure* you know what you are doing, and can restore those files if necessary.

[hqisguy]

cmd.com, etc.

I think that the whole concept for this article is that if you want a totally secure computer you will need to take these steps. If you look back at the opening of the article - "I am regularly asked what average Internet users can do...'Nothing--you're screwed.'" It isn't a normal system to which he is referring, it is a "totally secure" system. This system is only a fantasy given the uses to which people put their systems.
Mr. Schneier is exaggerating the lengths to which a person need go. However, these tactics would work! Realistically, the only safe computer is one that is never plugged in. But we aren't talking about extremes. We are talking about the types of steps that *can* be applied. Take all the steps that you can afford to prevent system infiltration/infection/corruption.
With regard to seat belts (and other such passive approaches to safety), you need only one accident that propels you through the windshield or one infection that steals your credit card nuber to realize the necessity of such devices.
You guys can nitpick to your hearts' content, but if you stop looking for one single answer and find the safest method(s) that work for you, you will be much better off.
One more thing that you can do to make your computer safer is to (and this only applies to those who want to take the time) back up all data and reload your OS and all necessary updates once or twice a year depending upon how many people use a particular computer. Not only does this help with security, it also helps with a slowing system due to junk file buildup.

[ajbright]

Online banking is far more secure than offline

To be blunt, cancelling paper statements is one of the surest ways to avoid indentity theft. 99% of identity theft is caused by you telling people stuff they shouldn't be told (e.g. giving out personal information over the phone), or by people dumpster diving at the back of banks or even people's trash cans. So not using online banking is in no way any kind of a protective measure.

In fact the opposite is true.

Relying on your bank to shred all their printouts is far more risky than having non-complex passwords for your bank accounts and credit cards.

Also the advantage of online banking is you can see, usually to the minute, what transactions are taking place (except checks, which you usually have until 2pm local time the following day to get the bank to return them manually).

So not using online banking does two things. It leaves a possible paper trail (statements, debit and credit receipts) for people to steal if they haven't been cross shredded, and it prevents you from being able to easily keep track of transactions.

Add to this, most credit cards and banks offer zero liability against fraudulant transactions (good banks will re-deposit the disputed cash in 24 hours, then reserve the right to take it back up to a month later if they find out the transaction was valid), and you are far better off using online financing.

[zdnet2]

Absolutely

I once had a coworker who refused to use direct deposit. He wanted to go to the bank himself because he didn't trust the computer and was afraid that the tape might get lost.

The problem was that as soon as he handed his check to a teller, she just typed it into a computer anyway. Since the check does not have the account number of the depositor on it, it has to be done manually, and there's room for error.

That doesn't count the fact that the check run might be delayed and he would not get his check anyway, or it might fall out of his pocket on the way to the bank, or his briefcase might get stolen, or he might get hit by a car.

The down side is that he used to buy snacks for us when he went to the bank, and we lost those once he finally changed his mind and signed up for direct deposit. Oh, well.

Fallacy of Hasty Generalization

"I have...My computer...I NEVER...I have NEVER..."

Basically you are saying the author is wrong because of your own personal experience. I direct you to this article ( hxxp://en.wikipedia.org/wiki/Hasty_generalization ) on the logical fallacy of hasty generalization / biased sample.

[zdnet2]

But you are generalizing

If you think that teaching somebody about the fallacy of composition will keep that person from making myriad other errors in logic, then you will not accomplish much. (I'm not saying that you really believe that, but you are wasting your time because some people are hopeless.)

[Ubber geek]

hasty generalization

http://www.analogstereo.com/bmw_satellite_radio_installation.htm

Security Expert.......Anyone?????

The problem isn't the OS, the problem is the popularity of the OS (think David vs. Goliath) and the Users themselves!!!!!!!!!!!!!

If you didn't have 16,000 programmers attempting to exploit a hole in an OS (every second of the day) there would not be a problem (see Mac). If you're OS was fresh off the ground, chances are you're not going to have many problems (see Linux); but be patient because I gauruntee we'll be walking this same rope in the future with Linux.
Keep in mind that the majority of people who are experiencing these problems are your older generation (and other unsavvy users) who have taken advantage of High Speed Broadband with little or no computer/networking/security education.
In my 5 years of "Always On" connections I've obtained a single virus (curteousy P2P networks); have lost no capital through Online Purchases and have not become a victim of other "Online Traps".

While Cryptography is a great security advancement, perhaps it does not relate to the day to day operations of keeping workstations clean and secure.
I'll take advice from my Auto Mechanic when it comes to my car; I'll take advice from my baker when they say this bread is fresh, but I won't take advice from you on keeping my systems clean and secure.
I respect the President of the United States to all ends of the planet, but I'm not going to let him tell me how to secure my network.

Don't get the wrong idea

Bruce has some quality input. Firewalls are an exceptional idea, if you don't have one with an always on connection, there are lots of us out there who will work on your machine for a price.

Backing up is the best thing since sliced bread, it should be a no brainer. If it's not, make it a no brainer! You can be your best friend, or your own worst enemy.

Encrypting email is a quality standard if you're regularly in communication with other tech savvy people who understand the processes of encrypting mail (who use the same encryption programs), however most novice users are clueless if they recieve an encrypted email.

Utilize your anti-virus program to your advantage. Take the time to figure it out; read the manual; get automatic updates running; if you're unsure, scan it! Spyware...Ad-aware/Spybot/ if those fail, Hi-Jack-This (if you're a newby please seek help online with this one, you can wreck an OS).

Be extremely warry of emails as this is a hitting point for spoofing, phishing, scripts, .jpgs and attatchments.

I have to disagree with the passwords....make em tough for yourself to remember. If I can memorize a 26 digit wep key, a 8-12 character password can't be too difficult! Personally I yield away from on-line banking (but again I only started using banks recently, thanks real job!); and have told my users of my decision, and why I've made that decision. Follow if you'd like, go your own route if you'd rather!
Please, whatever you do, leave the cmd.exe alone as this is one of the best programs within XP!

Bald-Mullet w/ Pony Hairdo

thumbs up man! Welcome to 1979!

[zdnet2]

not quite

First of all, you can't see the top of the picture, so it's hard to tell if he's bald. Second of all, a mullet by definition requires shorter hair on the top and sides than on the back. That's not the case here. Finally, you are an idiot. Why don't you go to a physics group and tell them how Einstein had funny hair and mismatched socks?

Dont Forget these Other Tips

1) Kill all enjoyment in your life
2) Brush twice a day
3) Always swim with a buddy
4) Dont have any fun on your computer
5) Be afraid constantly, and only boot computer if you have to. Then ask yourself again.
6) Never use computer

Your point being?

The author makes valid points. They may not all apply to you, depending on your level of knowledge, experience, and foolhardiness. I see no reason (well, maybe #3) for you to make fun of his suggestions. Let's hear some practical alternatives, eh?

Many sides to the coin

I think there's sound bits of advice from all corners here BUT, as
someone has previously mentioned, just because one person
hasn't had any problems, it doesn't mean all people will have no
problems and we can't always point fingers at those that simply
are not coputer savvy.

I also believe the reasoning behind there being more Windows
holes and security problems is because the majority use
Windows and therefore has, according to Bri Lo "16,000
programmers attempting to exploit a hole in an OS (every
second of the day)" doesn't wash. Are you trying to tell me that
NO-ONE ever tries and creates a virus or security hack for Mac
OS X? Wouldn't that be the ultimate claim to fame? In an area
which is all about outdoing one another, surely the ultimate
virus would be one that spreads via 'bullet proof' OS X?

Perhaps the reason there are no Viruses for the Apple operating
system is simply because no one has ever managed to create
one that circumvents it without the users knowledge. I'm not
saying there never will be anythig for any other OS, including the
Mac but well, it simply doesn't make sense to not try and write
one for it.

"I respect the President of the United States to all ends of the
planet, but I'm not going to let him tell me how to secure my
network". You lost all respect with that comment with a man that
sends a nation to war based on lies - if you respect your
President as much as you respect your OS, you have my
sympathy!

[dcso580]

Delete without explanation???

Why would you tell a novice user to delete something without an explanation? Many readers of C/Net are novice users and the aticle is written to them. Caution should be warned of deleting things that they don't know what they are or the function they serve.

[rickster469]

You have my sympathy!

Mine to.

Why require IE to link to security article?

In today's article by Brian Cooley "Dealing with technology in real life" you included a link to another article. As promoted in prevoius articles as well as the security advisor quoted in this article, I use an altenative to IE whenever possible. However, in order to open the link, I had to use IEview to open IE?????? Why not write the articles so Firefox and other browsers work, too?

Firefox User

My default browser is firefox and I had no problem at all following the link to here. Perhaps it is something else with your setup.

[Inventor]

Mozilla

Folks:
I used Mozilla and it worked just fine and I was able to save the article as a file as well.

Inventor.

Not Microsoft

This dude is clearly not a windows user. I won't dispute his banking stuff but if you
are a windows user you do not have to stop using windows...
1) Do not enable ActiveX controls in your web browser. Make the setting disabled or prompt which is now default.
2) If you MUST use a laptop then setup an internal firewall on the laptop
3) Use www.blockallspam.com email services for anti-spam. Your anti-virus will not have to be as "lucky".
Anti-virus systems are more often than not FAR behind the viruses that are out on the net.
They are a false sense of security. Get fewer spams, download programs only when absolutely necessary.
4) Use EUDORA. It does not have security problems that can be exploited. You do not have to turn off HTML.
5) Monitor your equipment keep an eye out for Hard disk and network utilization.
6) And Yes, install and use an anti-virus system. It is better to have something than nothing if you download files.

[Inventor]

No Real Security

Folks:
Always remember, there is "NO" real security!!
If your information is too valuable for other people to see, "Don't Put it on a Computer"!!!

Inventor.

[aabcdefghij987654321]

A debit card is just as safe as a credit card

I hear this myth spread all the time about how debit cards have no fraud protection. It simply isn't true. If the transaction goes through the Visa network (you didn't put a PIN number in) then it has all the protection as a Visa credit card.

I so loathe stupid debit card myths. (BTW Yes I do work for a bank)

[Fritz T. Coyote]

Debit Cards dirty little vulnerability

If a fraudulent credit card charge hits your account, you dispute the charge, and your bank investigates. From the time it hit your account and during the investigation, your availble credit is reduced by the amount of the fraud. It will be restored when the fraudulent transaction is removed.
So your Risk is that you might not be able to charge things. (and you might convince the bank to up your credit limit during the dispute).

Now lets throw the same fraud on your debit card:
The money is taken from your checking accout:

Ooops... a bunch of checks you wrote just bounced!
Now you have a passle of return check charges,
Nasty dunning letters,
Notifications from credit card companies that the bad check triggers the 'default provision' and your new interest rate is 25%...
And your car insurance has been canceled, and notification has been sent to the Motor Vehicles Dept.
----
But don't worry, the Bank will but your money back just as soon as the fraud investigation is completed.
----
Sure hope that happens before they repo your car and foreclose your mortgage.
---

debit cards have other problems

While I do agree that debit cards function just like a credit card, indeed are one when used as one, perhaps the author had something else in mind.
I don't use my debit card on the net simply because my paycheck direct deposits into that account. Were someone to illegally access my account they can drain my entire paycheck (on a good day for them) and I've got to go through the hassle of dealing with that problem. With a true credit card they may get my whold credit limit, but it is (in my case) typically smaller than my paycheck and so much easier for me to lose access to for a few days.

Wrong wrong wrong...

1) Delete command.com and cmd.exe?!?!?! That's insane - any app that uses a batch file or command line function will fail. And honestly, any guy who knows anything about computers would at least have said "rename" them instead of "delete" them.

2) Yeah, right. Like all the home users out there are going to reformat their Windows computer to Linux, abandoning the vast amounts of software that they've paid for.

3) He's wrong - it's easy to create a secure password in two easy steps:
a) think of a word of medium length that has an 'o' in it (like 'football')
b) use that word, but make the first letter capital and replace the 'o' with zeros (so it would be 'F00tball'). That wasn't so hard was it?

4) My password solution above is a LOT more secure than the ridiculous statement of keeping passwords written down and stored in a wallet.

5) It's strange how this guy appears to be a Linux fan who doesn't like Microsoft, but actually uses the "windows update" feature to trust Microsoft to install whatever junk it wants onto your home machine. Use hfnetchk from download.com to keep up with Windows security updates. Really - a CTO who uses Windows Update. That's disgusting.

6) Destroy your old backups by putting them in your microwave??!?! Is this guy still in grade school or something? Do not destroy backups of your software by microwaving them. It'll make your home smell like melted plastic with fumes that are hazardous, and may cause damage to your microwave. Just get out your car keys and scratch up the surface. Then trash it. Use your microwave for food.

7) It's really unneccesary to encrypt your email (for home users). That's overkill. Instead, just make it your policy not to send financial or password information through email.

- - - - -

This guy is "... one of the world's foremost security experts."?!?!? What a silly boast. The world is a very big place, and this guy doesn't even come close to that title.

The fact that he is the CTO of an Internet Security company is astounding, considering how completely senseless his suggestions are. If correct steps are taken, a home user can operate a Windows home PC very, very securely. Obviously, this buffoon has no idea how to properly secure a Windows OS. He also doesn't seem to care, being that he's a Linux fan. Rather than appeal to the vast majority of home computer users (a market dominated by Windows), he instead tells them to abandon the operating system and software that they have.

Could someone please pick this guy's pocket so we can get all his passwords and hack him? (Digging through his trash would probably work, too).

What a complete imbecile.

[zdnet2]

Your F00tball idea won't help

Anybody who writes a program to crack passwords will get that one as fast as football itself. It's far too common. The only advantage it has is that it gives the illusion of security when a site insists that passwords have at least one number.

f00tball is a Secure password???

With the creation of the Rainbow tables there is no such thing as a secure password in Windows!!

Obviously anyone who thinks "f00tball" is a secure password needs to shut up and pay attention the next time his company does Security Awareness Training!

Easy Password to Remember - Hard to Hack

Think of a favorite song (lets say Rudolph the Red Nosed Reindeer). Now think of a favorite passage in the song (lets say "Rudolph the Red-nosed Reindeer, Had a very shiny nose"). Now, lets use the first letter of the passage as a password (RTRNRHAVSN). You are likely to never forget the song. You can sing it to yourself to enter the password. Its not "guessable". You can add a number to the beginning or end if its required. You never have to write it down.

[eFox]

New Found Peace of Mind

I have always thought of myself as a fatalistic computer user. After reading this article, I feel that I am a moderately jovial computer user.

Back-ups of files, great.
Careful that you are on a valid website, great.

On the other hand this is my entire arsenal.

Windows XP Service Pack 2 + Updates
Latest Updated Norton Antivirus
Router with a Firewall (Windows Firewall is off)
Spybot Search and Destroy with resident monitoring
Weekly Ad-Aware 6 Scan

Only Norton and Spybot are running resident.
That's about all the overhead I'm willing to
give up for security's sake.

I have even gone back primarily to IE6 instead of Firefox. It is much better now with XP Service Pack 2. I still like a few of the features I can get with Firefox and when I want them, I call it up. The "find on this page" function is great, it lets you keep your eyes on the copy of the web page during long searches. I also like the developer extension while I'm testing a web page.

Delete cmd and command.com? I don't trust any GUI interface that much, especially Windows, with good reason. Consider the filename:
test.txt.html
You could look at it forever in Windows Explorer and never see that it has two file extensions.
"What is wrong with this file"? you keep muttering to yourself.

I could go on, but I think it would require more medication.

So now I find comfort in the fact that I'm not the most cynical computer user in the world anymore, someone way more "in the dark place" has supplanted me.

Dan McTaggart
dan@firefoxie.net
http://www.firefoxie.net

[cwroblew]

Who needs antivirus software?

I've been running Windows 2000 for years without it. What I do have is a firewall, popup stopper and Spybot. I also use Netscape Communicator instead of OE.

I will admit that I did catch a worm once (because there was no warning out there, even for months afterward, that clicking a link could cause problems). But ZoneAlarm caught the outgoing program which I shut down immediately and within an hour I had the worm cleaned up.

I do occassionally run one of the free internet a/v checkers but there is never anything there.

[sfpdiaspora]

still doesn't protect you from fraud!

These suggestions (though completely overdoing it in many
cases---like deleting cmd.exe!) still won't protect you from
shady websites or stores. I consider myself a computer security
expert but still have been ripped off by online merchants. I
would add an anti-fraud/anti-phishing product like EarthLink
Scamblocker, or FraudEliminator, which actually identifies the
country that the website is hosted in.

[Ubber geek]

websites or stores

http://www.analogstereo.com/cadillac_fleetwood_owners_manual.htm

What is bald-mullet? computer term? my timps

use antifiruss always adn make sure backup all computer stuff all times cause its not good lose all computer stuff. what is mullet? bald-mullet? i no udnerstand mebbe computer term i never hear?

i no my englische bad but give me break. hradware firewall is better opshun for peeple to use. keep sofware frum bugging user. i unserstand that Bruce say he paranoyd and what he rite sound praanoyd to me. take what you can use and leave what you do not ugree witha.

thanksx - Jibbity