December 9, 2004 4:00 AM PST

Perspective: Who says safe computing must remain a pipe dream?

I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, "Nothing--you're screwed."

But that's not true, and the reality is more complicated. You're screwed if you do nothing to protect yourself, but there are many things you can do to increase your security on the Internet.

Two years ago, I published a list of PC security recommendations. The idea was to give home users concrete actions they could take to improve security. This is an update of that list: a dozen things you can do to improve your security.

General
Turn off the computer when you're not using it, especially if you have an "always on" Internet connection.

Laptop security
Keep your laptop with you at all times when not at home; treat it as you would a wallet or purse. Regularly purge unneeded data files from your laptop. The same goes for PDAs. People tend to store more personal data--including passwords and PINs--on PDAs than they do on laptops.

Backups
Back up regularly. Back up to disk, tape or CD-ROM. There's a lot you can't defend against; a recent backup will at least let you recover from an attack. Store at least one set of backups off-site (a safe-deposit box is a good place) and at least one set on-site. Remember to destroy old backups. The best way to destroy CD-Rs is to microwave them on high for five seconds. You can also break them in half or run them through better shredders.

Operating systems
If possible, don't use Microsoft Windows. Buy a Macintosh or use Linux. If you must use Windows, set up Automatic Update so that you automatically receive security patches. And delete the files "command.com" and "cmd.exe."

Applications
Limit the number of applications on your machine. If you don't need it, don't install it. If you no longer need it, uninstall it. Look into one of the free office suites as an alternative to Microsoft Office. Regularly check for updates to the applications you use and install them. Keeping your applications patched is important, but don't lose sleep over it.

Browsing
Don't use Microsoft Internet Explorer, period. Limit use of cookies and applets to those few sites that provide services you need. Set your browser to regularly delete cookies. Don't assume a Web site is what it claims to be, unless you've typed in the URL yourself. Make sure the address bar shows the exact address, not a near-miss.

Web sites
Secure Sockets Layer (SSL) encryption does not provide any assurance that the vendor is trustworthy or that its database of customer information is secure.

Think before you do business with a Web site. Limit the financial and personal data you send to Web sites--don't give out information unless you see a value to you. If you don't want to give out personal information, lie. Opt out of marketing notices. If the Web site gives you the option of not storing your information for later use, take it. Use a credit card for online purchases, not a debit card.

Passwords
You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc.

Never reuse a password for something you care about. (It's fine to have a single password for low-security sites, such as for newspaper archive access.) Assume that all PINs can be easily broken and plan accordingly.

Never type a password you care about, such as for a bank account, into a non-SSL-encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.

E-mail
Turn off HTML e-mail. Don't automatically assume that any e-mail is from the "From" address.

Delete spam without reading it. Don't open messages with file attachments, unless you know what they contain; immediately delete them. Don't open cartoons, videos and similar "good for a laugh" files forwarded by your well-meaning friends; again, immediately delete them.

Never click links in e-mail unless you're sure about the e-mail; copy and paste the link into your browser instead. Don't use Outlook or Outlook Express. If you must use Microsoft Office, enable macro virus protection; in Office 2000, turn the security level to "high" and don't trust any received files unless you have to. If you're using Windows, turn off the "hide file extensions for known file types" option; it lets Trojan horses masquerade as other types of files. Uninstall the Windows Scripting Host if you can get along without it. If you can't, at least change your file associations, so that script files aren't automatically sent to the Scripting Host if you double-click them.
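A worked illustration of two of the checks above, the address-bar near-miss under Browsing and the copy-the-link-rather-than-click-it advice under E-mail, as an added example that is not part of the original column: it pulls every link out of a constructed HTML message, compares the hostname the link text shows the reader with the hostname the href actually goes to, and flags targets that are a near-miss of a hostname on the user's own trusted list. The sample message and the TRUSTED_HOSTS list are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML e-mail that mimics a bank notice (not a real message).
SAMPLE_HTML = """
<p>Dear customer, please <a href="http://examplebank.com.login-verify.example/signin">
log in at www.examplebank.com</a> to confirm your details.</p>
<p>Or visit <a href="https://exarnplebank.com/">https://exarnplebank.com/</a>.</p>
<p>Statements: <a href="https://www.examplebank.com/statements">www.examplebank.com</a></p>
"""

# Hypothetical list of hosts the user has typed in themselves and trusts.
TRUSTED_HOSTS = {"examplebank.com", "www.examplebank.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # collapse the whitespace the HTML source wraps the link text with
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Lower-case hostname of a URL, or of a bare 'www.host' string."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable domain: the last two labels (enough for the sample)."""
    return ".".join(host.split(".")[-2:])


def classify_host(host, trusted=TRUSTED_HOSTS):
    """Return 'trusted', 'near-miss' or 'unknown' for a link target hostname."""
    if host in trusted:
        return "trusted"
    for t in trusted:
        base = registrable(t)
        # trusted name used as a subdomain prefix of some other domain
        if host.startswith(base + ".") and registrable(host) != base:
            return "near-miss"
        # trusted name with a character or two changed (typo-squat / look-alike)
        if edit_distance(registrable(host), base) <= 2:
            return "near-miss"
    return "unknown"


def analyze_link(href, text, trusted=TRUSTED_HOSTS):
    """Compare what the link shows the reader with where it actually points."""
    href_host = host_of(href)
    shown = re.search(r"(https?://\S+|www\.[\w.-]+)", text)
    shown_host = host_of(shown.group(0)) if shown else ""
    findings = []
    if shown_host and shown_host != href_host:
        findings.append("display/target mismatch")
    verdict = classify_host(href_host, trusted)
    if verdict == "near-miss":
        findings.append("near-miss hostname")
    return {"href": href, "text": text, "href_host": href_host,
            "verdict": verdict, "findings": findings}


def analyze_email(html, trusted=TRUSTED_HOSTS):
    return [analyze_link(href, text, trusted) for href, text in extract_links(html)]


if __name__ == "__main__":
    for result in analyze_email(SAMPLE_HTML):
        flag = "!!" if result["findings"] else "ok"
        print(flag, result["href_host"], result["verdict"], result["findings"])
```

Only the first two links are flagged: the first shows one host and goes to another, the second goes exactly where it says but that host is two characters away from the bank's.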

Antivirus and anti-spyware software
Use it--either a combined program or two separate programs. Download and install the updates, at least weekly and whenever you read about a new virus in the news. Some antivirus products automatically check for updates. Enable that feature and set it to "daily."

Firewall
Spend $50 for a Network Address Translator firewall device; it's likely to be good enough in default mode. On your laptop, use personal firewall software. If you can, hide your IP address. There's no reason to allow any incoming connections from anybody.

Encryption
Install an e-mail and file encryptor (like PGP). Encrypting all your e-mail or your entire hard drive is unrealistic, but some mail is too sensitive to send in the clear. Similarly, some files on your hard drive are too sensitive to leave unencrypted.

None of the measures I've described are foolproof. If the secret police wants to target your data or your communications, no countermeasure on this list will stop them. But these precautions are all good network-hygiene measures, and they'll make you a more difficult target than the computer next door. And even if you only follow a few basic measures, you're unlikely to have any problems.

I'm stuck using Microsoft Windows and Office, but I use Opera for Web browsing and Eudora for e-mail. I use Windows Update to automatically get patches and install other patches when I hear about them. My antivirus software updates itself regularly. I keep my computer relatively clean and delete applications that I don't need. I'm diligent about backing up my data and about storing data files that are no longer needed offline.

I'm suspicious to the point of near-paranoia about e-mail attachments and Web sites. I delete cookies and spyware. I watch URLs to make sure I know where I am, and I don't trust unsolicited e-mails. I don't care about low-security passwords, but try to have good passwords for accounts that involve money. I still don't do Internet banking. I have my firewall set to deny all incoming connections. And I turn my computer off when I'm not using it.

That's basically it. Really, it's not that hard. The hardest part is developing an intuition about e-mail and Web sites. But that just takes experience.

Biography
Bruce Schneier is CTO of Counterpane Internet Security, Inc. He is one of the world's foremost security experts. His latest book is "Beyond Fear: Thinking Sensibly About Security in an Uncertain World."

Disabling HTML in Eudora?
Bruce Schneier wrote

"Turn off HTML e-mail" and then "I use ... Eudora for e-mail".

How do you turn off HTML e-mail in Eudora?

Thanks,
Jim
Posted by poster48150 (124 comments)
Turn off HTML in Eudora
Open Eudora (I use Eudora Pro 5.2), go to Tools > Options > under Category click on Viewing Mail. On the left panel, uncheck [] Use Microsoft's Viewer. Click on OK. Close Eudora. Restart Windows and check the same to see if it remains disabled.

Joe
Posted by centek (4 comments)
Hardware vs. Software
A few years ago when I was looking at firewalls, I heard quite often from people that a hardware firewall (router) was not sufficient and that a software firewall was an absolute necessity. In the past few months I've begun to hear people recommending a hardware firewall as better than a software firewall and in some cases instead of a software firewall. Just curious what everyone's take on this is? Software, hardware or both?
Mike
Posted by (2 comments)
Not Both
If you need a router anyway use that.. If you aren't on a network or don't need a router, go software.
I wouldn't recommend using both, as it can cause various conflicts.
Posted by (54 comments)
Hardware
Mike-
Go with a reputable hardware firewall and make sure the Firmware is up-to-date. Keep in mind that while a software firewall will ask the user on each and every attempt, this can be overbearing and often annoying.
Software firewalls tend to be a lot more intimidating to users due to the pop ups that ask what you'd like to do. Hardware firewalls do the quietest behind the scenes blocking....combining the two can be a bit of overkill but in this world....is it really overkill?
Posted by (3 comments)
Use Both
A colleague had opted to rely on his home network router and against installing software firewalls on his individual computers. One of his kids visited some site and got infected somehow, and the infection then spread to his work machine. Had he been using software firewalls in addition to his router this would not have happened.

That there was probably more to the story, such as missing patches, is immaterial.
Posted by slsturgi (2 comments)
Use Both... IFF You Understand Them!
Most hardware/router firewalls only protect you against attempts to come IN using "strange" ports etc. They rarely protect against something which has put a trojan horse on your machine which logs keystrokes and (periodically) goes OUT through your firewall to send the data to "mother". Most software firewalls are designed to block all OUTGOING data from ANY program unless you explicitly say "OK, I understand that one, it's OK". Unfortunately, many people do not RTFM in depth enough to understand this aspect of software firewall behavior, and just turn it OFF as being too annoying - result, the trojan sends your (keystrokes) typing in your credit card number to that HTTPS "bank" or "merchant" SSL screen ... even if you suddenly decide NOT to hit the "send" button! Since a trojan can be planted via a fake website or through idiots clicking on some attachment they think is a picture of a hot chick etc., software firewalls (and periodic virus/trojan scans) are a good idea rather than relying on just the hardware router/firewall/NAT.
Posted by (2 comments)
hardware or software.... why not both?
I have a router that has NAT (Network Address Translation) on it with a firewall on it and then I have Panda Antivirus Internet Security that comes with a SW firewall. I have no problems with viruses and very little spyware if any (that I can find anyway). I found it is better with both types of firewall on your system if for no other reason than if you lose one you still have the other one to fall back on for protection. I also found the hardware firewall helps in blocking port scans from finding my computer in the first place, whereas the software firewall blocks any of the scans that do get through from finding the ports that could be open better than the hardware firewall does, so in short they complement each other with their strengths.
Cheers
tmick
Posted by tmick (1 comment)
Pluses and Minuses
I've worked with both types and all things being equal, hardware FW's CAN be more robust, more reliable and less invasive.

My preference for HW firewalls is SonicWall. They sport a high level of configurability yet work suitably out of the box.

The more complexity you add to a given PC, the more chance there is for problems. The SW firewalls that keep popping up to ask if a certain thing should be allowed through only confuses many users, which leads to frustration and an unhappy customer. They can also be quite resource and bandwidth hungry. Just a few years ago you couldn't touch a HW firewall with stateful packet inspection (SPI) for less than $500. Now, even the cheapest Linksys routers tout SPI. In short, HW firewalls are transparent and they work.
Brian
Posted by (4 comments)
Security Expert?
It amazes me how a person can be labeled a security expert and write books, then, make garbage suggestions like those that appear in this article.

First of all, I have used Windows OSs since Windows 2.0. My computer has been online all the time for the last 4 years, at least. I NEVER turn it off. I have NEVER had a virus nor had my credit card and/or banking information stolen or misused nor has any other security breach occurred. I teach my customers how to protect themselves and rarely do any of them have a problem once they become my customers.

Secondly, even if someone buys into this illogical argument, i.e. if everyone should switch to Mac or Linux, it would only be a brief matter of time until hackers and crackers started attacking those OSs as well.
Posted by johnnybluenote (6 comments)
Security Expert?
While I don't agree with all of Mr. Schneier's recommendations and think some of them are too drastic, most of them have merit. And he is not merely "labeled" a security expert. His "Applied Cryptography" is a highly respected text among many computer programmers and he is the inventor or co-inventor of two highly regarded encryption algorithms, Blowfish and Twofish.
Posted by (2 comments)
Security Expert: Yes he is...no doubt!
Man, I would hate to be one of your clients. It would be like having a doctor who smokes and doesn't yet have cancer telling me he is living proof that smoking is not harmful. "Light up. Enjoy. There's no harm whatsoever", he'd intone, through his deep-toned, smoke-damaged vocal cords.
Posted by micky (4 comments)
Security
I too use Windows regularly (since Windows 1, btw), as I do Linux, NetBSD and MacOS. The very process of safely installing a Windows XP box while connected to the internet is so convoluted (in fact, much more convoluted than an average Linux install) I doubt any average home user will be able to follow it (even if he/she manages to find it on Microsoft's site) without a guru by his/her side.

Most advice in the article is very sound, while some of it may seem a little bit excessive. Avoiding mainstream software can and will reduce your chances of being vulnerable to any given exploit. Anyway, the best way to stay secure is to know, exactly, what you are doing with your computer. Although most people would be reluctant to enter a swimming pool full of gasoline while smoking a cigarette (I would be reluctant to stand less than a hundred feet away from such a pool, with or without a cigarette), the very same people will happily open any small program that claims to be funny on their Windows boxes.

While using my Windows box, I put myself within the reach of any script-kid or clueless spammer. While I am on my MIPS/BSD or PPC/Linux boxes, I am comfortably above their reach with very little added effort.
Posted by rbanffy (31 comments)
Security Expert
Folks:
I come from the first computer store that ever was 32 years ago. We used CP/M in the spring of 1974 and the only security is "NOT BEING CONNECTED TO ANYTHING." Not a phone, cable or DSL. Keep everyone out of your office. Don't let anyone touch your computer ever. Then only your software will get you.
Never put any data that you "can't" afford to lose or you want someone to know on a computer.

There, that clears that up. Now do what you want and suffer the consequences because that is what you will do anyway.

Run XP-SP-2 and all the new viruses will get you.

The last one I had shut off my Symantec virus program, tried to trash my Linux server, except it shut down rather than be corrupted. I spent 140 hours building a "NEW" hard drive; the old one was cycled until the "head" was snapped off. Part of the new multitasking viruses now out there.

Every day i learn something new, so should you.

Nuff Said.

Inventor.
Posted by Inventor (4 comments)
It really is amazing
It's amazing how people who consider themselves safety experts can still advocate seatbelt usage. I could probably find millions of people who never wore their seatbelts and it did not make one bit of difference. They were never even in accidents. With their safety record, why should they start wearing seatbelts now? After all, it never helped in the past.

Of course, one could look at the traffic fatality rates for the nation and see that it really makes a difference, but if you are more concerned with your personal experience, then knock yourself out.
Posted by zdnet2 (13 comments)
Put your password in your wallet?
I'm a big fan of Bruce and have been reading his commentary on security issues for years. But really, telling people to write down their password and put it in their wallet - are you kidding?

Now I know what his logic is - most people ARE incapable of creating and remembering secure passwords, and most people only lose their wallet a few times in a lifetime (hopefully). But you know, when that wallet is stolen and the thief gets your password and a bunch of credit cards he's going to be all over those banking websites quicker than you can say "Rob me blind!". Also people will not be able to guard that written down password - they'll be pulling out their piece of paper and leaving it around and dropping it, letting friends see it inadvertently.

Plus, it presupposes that people will actually use a longer, safer password just because they wrote it down - now they'll continue to use lame-o-passwords like their dog's name and still get their logins compromised.

I agree with the SPIRIT of Bruce's suggestion here, but practically I don't think it's a very good one.

How about "call your bank and demand they provide three-level authentication with password, physical key and biometric confirmation". Banks save a ton of money when their customers use on-line banking, so consumers should also be demanding that they supply the necessary hardware free.
Posted by (11 comments)
Wallet Passwords
Folks:
Don't do it!!! You want to have a real problem?
Now a thief has your credit cards, password, home address for home invasion and stealing your computer, a list of your valuables on your computer along with pictures, lockbox information and on and on and on. Take large gun, ****, shoot foot several times, don't call 911, watch your foot bleed. Makes as much sense?? You want security? Get one of those memory chips you wear around your neck that works with USB 2.0. Use an encryption program and a USB cable or you may have a front port on your system. Just plug the memory in and it will ask you several random questions only you would know. Each time you log in, it asks different questions. It's the best way until "Brain Scans" come along.

Inventor.
Posted by Inventor (4 comments)
Yes, write it down
One of the reasons people have to write down a password is that they have so many, and they have to change them so often. They may have email, an ********** account, etc. The problem is that users tend to reuse passwords. If I created a site and told people that they needed a username and password to use it, chances are I could take what they typed in and try their usernames at hotmail or amazon or any number of places, and a lot of them would work.

The way to get around that is to NEVER use the same username and password at more than one secure site. If you want to remember them, then use a good password manager that encrypts them and has its own master password that's hard to guess. And back it up.

But you may need to have some of your passwords with you. If you make them good enough that they give you some security, you will not be likely to remember them.

So here's how to write them down: Don't make it obvious. For example, if I have a card in my wallet listing my bank account number, the bank's 800 number, and my PIN, a thief might try my PIN. But if he does, the ATM may swallow up my card and never give it back. My REAL PIN might be digits 2-6 of the phone number, or a part of the supposed account number that only I know. For a password, I might have an easy way of altering the username or password or both to make it less obvious. I might have the first two entries with phony names, and the real password is really two lines down on the list. Or I might stick three random letters in front of each password, or two behind each one. Or I might come up with a simple algorithm that will give me a number between 1 and 4 for each line to figure out how many random characters to use. Or I might write them backwards with fake leading characters. Or I might write them backwards with an extra random character after position four. Or I might not write the username down at all, if I can remember them. Or if I make a habit of starting all of my usernames with "BOBBY" and ending them with a number, I can write down only the number, and the password encoded with one of the above rules. All of these are examples of ones I don't actually do, but are simple enough that if somebody found your list, it would be useless. Use your imagination.
Posted by zdnet2 (13 comments)
Passwords
I agree. Keeping passwords in your wallet is asking for trouble. I have had the experience of losing my wallet once and having it stolen once. Neither was enjoyable. I can imagine what would happen if I had my passwords stored in my wallet at the time.

Instead, I use an encrypted password keeper program running on a different machine. That machine requires a separate password to log on and a different password to access the password keeper program. I only access the program if I cannot remember a password. Works great as far as I am concerned.
Posted by amackay--2008 (1 comment)
Delete cmd.exe?
Uh, no. Cmd.exe is the command prompt; it's an essential part of Windows. It's also part of Windows' System File Protection, so deleting it is going to be rather difficult (though not, of course, impossible). What I don't understand is why this was even included on an otherwise pretty sound list of recommendations. Or am I missing the joke?
Posted by AndrewRich (218 comments)
Delete command.com and cmd.exe?
Bruce's advice to delete cmd.exe and command.com is bad. Although it can certainly decrease your chance of viruses, it will almost certainly break some programs that you run today. Those files are what give you a "DOS prompt" and without them, you will lose a very important part of the functionality of your computer.

Don't take this portion of his advice, or if you do, make *sure* you know what you are doing, and can restore those files if necessary.
Posted by ccady (3 comments)
cmd.com, etc.
I think that the whole concept for this article is that if you want a totally secure computer you will need to take these steps. If you look back at the opening of the article - "I am regularly asked what average Internet users can do...'Nothing--you're screwed.'" It isn't a normal system to which he is referring, it is a "totally secure" system. This system is only a fantasy given the uses to which people put their systems.
Mr. Schneier is exaggerating the lengths to which a person need go. However, these tactics would work! Realistically, the only safe computer is one that is never plugged in. But we aren't talking about extremes. We are talking about the types of steps that *can* be applied. Take all the steps that you can afford to prevent system infiltration/infection/corruption.
With regard to seat belts (and other such passive approaches to safety), you need only one accident that propels you through the windshield or one infection that steals your credit card number to realize the necessity of such devices.
You guys can nitpick to your hearts' content, but if you stop looking for one single answer and find the safest method(s) that work for you, you will be much better off.
One more thing that you can do to make your computer safer is to (and this only applies to those who want to take the time) back up all data and reload your OS and all necessary updates once or twice a year depending upon how many people use a particular computer. Not only does this help with security, it also helps with a slowing system due to junk file buildup.
Posted by hqisguy (1 comment)
Online banking is far more secure than offline
To be blunt, cancelling paper statements is one of the surest ways to avoid identity theft. 99% of identity theft is caused by you telling people stuff they shouldn't be told (e.g. giving out personal information over the phone), or by people dumpster diving at the back of banks or even people's trash cans. So not using online banking is in no way any kind of a protective measure.

In fact the opposite is true.

Relying on your bank to shred all their printouts is far more risky than having non-complex passwords for your bank accounts and credit cards.

Also the advantage of online banking is you can see, usually to the minute, what transactions are taking place (except checks, which you usually have until 2pm local time the following day to get the bank to return them manually).

So not using online banking does two things. It leaves a possible paper trail (statements, debit and credit receipts) for people to steal if they haven't been cross shredded, and it prevents you from being able to easily keep track of transactions.

Add to this, most credit cards and banks offer zero liability against fraudulent transactions (good banks will re-deposit the disputed cash in 24 hours, then reserve the right to take it back up to a month later if they find out the transaction was valid), and you are far better off using online financing.
Posted by ajbright (448 comments)
Absolutely
I once had a coworker who refused to use direct deposit. He wanted to go to the bank himself because he didn't trust the computer and was afraid that the tape might get lost.

The problem was that as soon as he handed his check to a teller, she just typed it into a computer anyway. Since the check does not have the account number of the depositor on it, it has to be done manually, and there's room for error.

That doesn't count the fact that the check run might be delayed and he would not get his check anyway, or it might fall out of his pocket on the way to the bank, or his briefcase might get stolen, or he might get hit by a car.

The down side is that he used to buy snacks for us when he went to the bank, and we lost those once he finally changed his mind and signed up for direct deposit. Oh, well.
Posted by zdnet2 (13 comments)
Fallacy of Hasty Generalization
"I have...My computer...I NEVER...I have NEVER..."

Basically you are saying the author is wrong because of your own personal experience. I direct you to this article ( hxxp://en.wikipedia.org/wiki/Hasty_generalization ) on the logical fallacy of hasty generalization / biased sample.
Posted by (1 comment)
But you are generalizing
If you think that teaching somebody about the fallacy of composition will keep that person from making myriad other errors in logic, then you will not accomplish much. (I'm not saying that you really believe that, but you are wasting your time because some people are hopeless.)
Posted by zdnet2 (13 comments)
Security Expert.......Anyone?????
The problem isn't the OS, the problem is the popularity of the OS (think David vs. Goliath) and the Users themselves!!!!!!!!!!!!!

If you didn't have 16,000 programmers attempting to exploit a hole in an OS (every second of the day) there would not be a problem (see Mac). If your OS was fresh off the ground, chances are you're not going to have many problems (see Linux); but be patient because I guarantee we'll be walking this same rope in the future with Linux.
Keep in mind that the majority of people who are experiencing these problems are your older generation (and other unsavvy users) who have taken advantage of High Speed Broadband with little or no computer/networking/security education.
In my 5 years of "Always On" connections I've obtained a single virus (courtesy of P2P networks); have lost no capital through Online Purchases and have not become a victim of other "Online Traps".

While Cryptography is a great security advancement, perhaps it does not relate to the day to day operations of keeping workstations clean and secure.
I'll take advice from my Auto Mechanic when it comes to my car; I'll take advice from my baker when they say this bread is fresh, but I won't take advice from you on keeping my systems clean and secure.
I respect the President of the United States to all ends of the planet, but I'm not going to let him tell me how to secure my network.
Posted by (3 comments)
Don't get the wrong idea
Bruce has some quality input. Firewalls are an exceptional idea, if you don't have one with an always on connection, there are lots of us out there who will work on your machine for a price.

Backing up is the best thing since sliced bread, it should be a no brainer. If it's not, make it a no brainer! You can be your best friend, or your own worst enemy.

Encrypting email is a quality standard if you're regularly in communication with other tech savvy people who understand the processes of encrypting mail (who use the same encryption programs), however most novice users are clueless if they receive an encrypted email.

Utilize your anti-virus program to your advantage. Take the time to figure it out; read the manual; get automatic updates running; if you're unsure, scan it! Spyware...Ad-aware/Spybot/ if those fail, Hi-Jack-This (if you're a newbie please seek help online with this one, you can wreck an OS).

Be extremely wary of emails as this is a hitting point for spoofing, phishing, scripts, .jpgs and attachments.

I have to disagree with the passwords....make em tough for yourself to remember. If I can memorize a 26 digit WEP key, an 8-12 character password can't be too difficult! Personally I yield away from on-line banking (but again I only started using banks recently, thanks real job!); and have told my users of my decision, and why I've made that decision. Follow if you'd like, go your own route if you'd rather!
Please, whatever you do, leave the cmd.exe alone as this is one of the best programs within XP!
Posted by (3 comments)
Bald-Mullet w/ Pony Hairdo
thumbs up man! Welcome to 1979!
Posted by (10 comments)
not quite
First of all, you can't see the top of the picture, so it's hard to tell if he's bald. Second of all, a mullet by definition requires shorter hair on the top and sides than on the back. That's not the case here. Finally, you are an idiot. Why don't you go to a physics group and tell them how Einstein had funny hair and mismatched socks?
Posted by zdnet2 (13 comments)
Don't Forget these Other Tips
1) Kill all enjoyment in your life
2) Brush twice a day
3) Always swim with a buddy
4) Don't have any fun on your computer
5) Be afraid constantly, and only boot computer if you have to. Then ask yourself again.
6) Never use computer
Posted by (10 comments)
Your point being?
The author makes valid points. They may not all apply to you, depending on your level of knowledge, experience, and foolhardiness. I see no reason (well, maybe #3) for you to make fun of his suggestions. Let's hear some practical alternatives, eh?
Posted by old coot on a bike (2 comments)
Many sides to the coin
I think there are sound bits of advice from all corners here BUT, as someone has previously mentioned, just because one person hasn't had any problems, it doesn't mean all people will have no problems, and we can't always point fingers at those that simply are not computer savvy.

I also believe the reasoning behind there being more Windows holes and security problems, i.e. that the majority use Windows and therefore it has, according to Bri Lo, "16,000 programmers attempting to exploit a hole in an OS (every second of the day)", doesn't wash. Are you trying to tell me that NO-ONE ever tries and creates a virus or security hack for Mac OS X? Wouldn't that be the ultimate claim to fame? In an area which is all about outdoing one another, surely the ultimate virus would be one that spreads via 'bullet proof' OS X?

Perhaps the reason there are no viruses for the Apple operating system is simply because no one has ever managed to create one that circumvents it without the user's knowledge. I'm not saying there never will be anything for any other OS, including the Mac, but well, it simply doesn't make sense to not try and write one for it.

"I respect the President of the United States to all ends of the planet, but I'm not going to let him tell me how to secure my network". You lost all respect with that comment, with a man that sends a nation to war based on lies - if you respect your President as much as you respect your OS, you have my sympathy!
Posted by (1 comment)
Delete without explanation???
Why would you tell a novice user to delete something without an explanation? Many readers of C/Net are novice users and the article is written to them. Readers should be cautioned about deleting things when they don't know what they are or the function they serve.
Posted by dcso580 (1 comment)
You have my sympathy!
Mine too.
Posted by rickster469 (1 comment)
Why require IE to link to security article?
In today's article by Brian Cooley, "Dealing with technology in real life", you included a link to another article. As promoted in previous articles, as well as by the security advisor quoted in this article, I use an alternative to IE whenever possible. However, in order to open the link, I had to use IEview to open IE?????? Why not write the articles so Firefox and other browsers work, too?
Posted by (1 comment)
Firefox User
My default browser is Firefox and I had no problem at all following the link to here. Perhaps it is something else with your setup.
Posted by (2 comments)
Mozilla
Folks:
I used Mozilla and it worked just fine and I was able to save the article as a file as well.

Inventor.
Posted by Inventor (4 comments)
Not Microsoft
This dude is clearly not a Windows user. I won't dispute his banking stuff, but if you are a Windows user you do not have to stop using Windows...
1) Do not enable ActiveX controls in your web browser. Make the setting disabled or prompt, which is now the default.
2) If you MUST use a laptop, then set up an internal firewall on the laptop.
3) Use www.blockallspam.com email services for anti-spam. Your anti-virus will not have to be as "lucky".
Anti-virus systems are more often than not FAR behind the viruses that are out on the net.
They are a false sense of security. Get fewer spams, download programs only when absolutely necessary.
4) Use EUDORA. It does not have security problems that can be exploited. You do not have to turn off HTML.
5) Monitor your equipment; keep an eye out for hard disk and network utilization.
6) And yes, install and use an anti-virus system. It is better to have something than nothing if you download files.
Posted by (1 comment)
No Real Security
Folks:
Always remember, there is "NO" real security!!
If your information is too valuable for other people to see, "Don't Put it on a Computer"!!!

Inventor.
Posted by Inventor (4 comments)
A debit card is just as safe as a credit card
I hear this myth spread all the time about how debit cards have no fraud protection. It simply isn't true. If the transaction goes through the Visa network (you didn't put a PIN number in) then it has all the protection as a Visa credit card.

I so loathe stupid debit card myths. (BTW Yes I do work for a bank)
Posted by aabcdefghij987654321 (1722 comments)
Debit Cards dirty little vulnerability
If a fraudulent credit card charge hits your account, you dispute the charge, and your bank investigates. From the time it hit your account and during the investigation, your available credit is reduced by the amount of the fraud. It will be restored when the fraudulent transaction is removed.
So your risk is that you might not be able to charge things (and you might convince the bank to up your credit limit during the dispute).

Now let's throw the same fraud on your debit card:
The money is taken from your checking account:

Ooops... a bunch of checks you wrote just bounced!
Now you have a passel of returned check charges,
Nasty dunning letters,
Notifications from credit card companies that the bad check triggers the 'default provision' and your new interest rate is 25%...
And your car insurance has been canceled, and notification has been sent to the Motor Vehicles Dept.

But don't worry, the bank will put your money back just as soon as the fraud investigation is completed.

Sure hope that happens before they repo your car and foreclose your mortgage.
Posted by Fritz T. Coyote (1 comment)
debit cards have other problems
While I do agree that debit cards function just like a credit card, indeed are one when used as one, perhaps the author had something else in mind.
I don't use my debit card on the net simply because my paycheck direct deposits into that account. Were someone to illegally access my account, they could drain my entire paycheck (on a good day for them) and I've got to go through the hassle of dealing with that problem. With a true credit card they may get my whole credit limit, but it is (in my case) typically smaller than my paycheck and so much easier for me to lose access to for a few days.
Posted by (1 comment)
Wrong wrong wrong...
1) Delete command.com and cmd.exe?!?!?! That's insane - any app that uses a batch file or command line function will fail. And honestly, any guy who knows anything about computers would at least have said "rename" them instead of "delete" them.

2) Yeah, right. Like all the home users out there are going to reformat their Windows computer to Linux, abandoning the vast amounts of software that they've paid for.

3) He's wrong - it's easy to create a secure password in two easy steps:
a) think of a word of medium length that has an 'o' in it (like 'football')
b) use that word, but make the first letter capital and replace the 'o' with zeros (so it would be 'F00tball'). That wasn't so hard was it?

4) My password solution above is a LOT more secure than the ridiculous statement of keeping passwords written down and stored in a wallet.

5) It's strange how this guy appears to be a Linux fan who doesn't like Microsoft, but actually uses the "windows update" feature to trust Microsoft to install whatever junk it wants onto your home machine. Use hfnetchk from download.com to keep up with Windows security updates. Really - a CTO who uses Windows Update. That's disgusting.

6) Destroy your old backups by putting them in your microwave??!?! Is this guy still in grade school or something? Do not destroy backups of your software by microwaving them. It'll make your home smell like melted plastic with fumes that are hazardous, and may cause damage to your microwave. Just get out your car keys and scratch up the surface. Then trash it. Use your microwave for food.

7) It's really unnecessary to encrypt your email (for home users). That's overkill. Instead, just make it your policy not to send financial or password information through email.

- - - - -

This guy is "... one of the world's foremost security experts."?!?!? What a silly boast. The world is a very big place, and this guy doesn't even come close to that title.

The fact that he is the CTO of an Internet Security company is astounding, considering how completely senseless his suggestions are. If correct steps are taken, a home user can operate a Windows home PC very, very securely. Obviously, this buffoon has no idea how to properly secure a Windows OS. He also doesn't seem to care, being that he's a Linux fan. Rather than appeal to the vast majority of home computer users (a market dominated by Windows), he instead tells them to abandon the operating system and software that they have.

Could someone please pick this guy's pocket so we can get all his passwords and hack him? (Digging through his trash would probably work, too).

What a complete imbecile.
Posted by (2 comments)
Your F00tball idea won't help
Anybody who writes a program to crack passwords will get that one as fast as football itself. It's far too common. The only advantage it has is that it gives the illusion of security when a site insists that passwords have at least one number.
Posted by zdnet2 (13 comments)
f00tball is a Secure password???
With the creation of the Rainbow tables there is no such thing as a secure password in Windows!!

Obviously anyone who thinks "f00tball" is a secure password needs to shut up and pay attention the next time his company does Security Awareness Training!
Posted by (1 comment)
Easy Password to Remember - Hard to Hack
Think of a favorite song (let's say Rudolph the Red-Nosed Reindeer). Now think of a favorite passage in the song (let's say "Rudolph the Red-nosed Reindeer, Had a very shiny nose"). Now, let's use the first letter of each word of the passage as a password (RTRNRHAVSN). You are likely to never forget the song. You can sing it to yourself to enter the password. It's not "guessable". You can add a number to the beginning or end if it's required. You never have to write it down.
Posted by (1 comment)
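A Python check of the kind a password-policy filter runs, added here as an example and not taken from any of the comments: it undoes capitalisation, appended digits and the usual letter-for-digit substitutions the way a cracking rule set does, then looks the base word up in a small constructed wordlist. "F00tball" from the exchange above is flagged as dictionary-derived; the song initialism "RTRNRHAVSN" from the comment just above is not, under these rules.

```python
import re

# Constructed wordlist: a handful of words any cracking dictionary contains.
WORDLIST = {"football", "password", "letmein", "rudolph", "reindeer"}

# Substitutions a mangling rule set undoes; "1" is tried as both "l" and "i".
LEET_MAP = {"0": "o", "1": "l", "3": "e", "4": "a", "@": "a",
            "$": "s", "5": "s", "7": "t", "!": "i"}
LEET_ALT = {"1": "i"}


def normalize(password):
    """Return the base words a rule set would derive from `password`:
    lower-cased, with leading/trailing digits and symbols stripped, and
    leet characters mapped back to letters."""
    lowered = password.lower()
    # A policy that demands "a digit somewhere" usually gets one appended or prepended.
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    candidates = {lowered, stripped}
    for word in list(candidates):
        candidates.add("".join(LEET_MAP.get(ch, ch) for ch in word))
        candidates.add("".join(LEET_ALT.get(ch, LEET_MAP.get(ch, ch)) for ch in word))
    return candidates


def is_dictionary_derived(password, wordlist=WORDLIST):
    """True when some normalized form of `password` is a plain wordlist entry,
    i.e. the mangling adds no work for an attacker beyond the wordlist itself."""
    return any(word in wordlist for word in normalize(password))


if __name__ == "__main__":
    for pw in ("F00tball", "f00tball1", "P@ssw0rd!", "RTRNRHAVSN"):
        verdict = "weak (dictionary-derived)" if is_dictionary_derived(pw) else "not in wordlist"
        print(pw, "->", verdict)
```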
New Found Peace of Mind
I have always thought of myself as a fatalistic computer user. After reading this article, I feel that I am a moderately jovial computer user.

Back-ups of files, great.
Careful that you are on a valid website, great.

On the other hand this is my entire arsenal.

Windows XP Service Pack 2 + Updates
Latest Updated Norton Antivirus
Router with a Firewall (Windows Firewall is off)
Spybot Search and Destroy with resident monitoring
Weekly Ad-Aware 6 Scan

Only Norton and Spybot are running resident.
That's about all the overhead I'm willing to
give up for security's sake.

I have even gone back primarily to IE6 instead of Firefox. It is much better now with XP Service Pack 2. I still like a few of the features I can get with Firefox and when I want them, I call it up. The "find on this page" function is great, it lets you keep your eyes on the copy of the web page during long searches. I also like the developer extension while I'm testing a web page.

Delete cmd and command.com? I don't trust any GUI interface that much, especially Windows, with good reason. Consider the filename:
test.txt.html
You could look at it forever in Windows Explorer and never see that it has two file extensions.
"What is wrong with this file"? you keep muttering to yourself.

I could go on, but I think it would require more medication.

So now I find comfort in the fact that I'm not the most cynical computer user in the world anymore, someone way more "in the dark place" has supplanted me.

Dan McTaggart
dan@firefoxie.net
http://www.firefoxie.net
Posted by eFox (1 comment)
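The test.txt.html point above, worked as an added Python example (not code from the comment): it reproduces how Explorer's default "hide extensions for known file types" setting displays a name, and flags names whose visible extension looks inert while the real, last extension opens active content. The extension sets are a constructed subset, not the full Windows registry.

```python
import os

# Constructed subset of extensions Windows registers as "known" (and so hides by default).
KNOWN_EXTS = {".txt", ".htm", ".html", ".jpg", ".gif", ".pdf", ".doc",
              ".exe", ".scr", ".pif", ".vbs", ".bat", ".cmd", ".js"}
# Extensions whose content executes or renders active content when opened.
ACTIVE_EXTS = {".htm", ".html", ".exe", ".scr", ".pif", ".vbs", ".bat", ".cmd", ".js"}
# Extensions a user reads as inert data.
INERT_EXTS = {".txt", ".jpg", ".gif", ".pdf", ".doc"}


def explorer_display_name(filename, hide_known=True):
    """Name Explorer shows: with 'hide extensions for known file types' on,
    only the final extension is dropped, so 'test.txt.html' shows as 'test.txt'."""
    root, ext = os.path.splitext(filename)
    if hide_known and ext.lower() in KNOWN_EXTS:
        return root
    return filename


def is_deceptive(filename):
    """True when the displayed name ends in an inert-looking extension while
    the real (last) extension opens active content."""
    real_ext = os.path.splitext(filename)[1].lower()
    shown_ext = os.path.splitext(explorer_display_name(filename))[1].lower()
    return real_ext in ACTIVE_EXTS and shown_ext in INERT_EXTS


def flag_attachments(names):
    """Return the attachment names a mail filter should quarantine or warn about."""
    return [n for n in names if is_deceptive(n)]


if __name__ == "__main__":
    # Constructed sample attachment names.
    for name in ("test.txt.html", "photo.jpg", "invoice.pdf.exe", "readme.txt"):
        print(f"{name:18} shown as {explorer_display_name(name):14} deceptive={is_deceptive(name)}")
```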
Who needs antivirus software?
I've been running Windows 2000 for years without it. What I do have is a firewall, popup stopper and Spybot. I also use Netscape Communicator instead of OE.

I will admit that I did catch a worm once (because there was no warning out there, even for months afterward, that clicking a link could cause problems). But ZoneAlarm caught the outgoing program which I shut down immediately and within an hour I had the worm cleaned up.

I do occasionally run one of the free internet a/v checkers but there is never anything there.
Posted by cwroblew (1 comment)
still doesn't protect you from fraud!
These suggestions (though completely overdoing it in many cases, like deleting cmd.exe!) still won't protect you from shady websites or stores. I consider myself a computer security expert but still have been ripped off by online merchants. I would add an anti-fraud/anti-phishing product like EarthLink Scamblocker, or FraudEliminator, which actually identifies the country that the website is hosted in.
Posted by sfpdiaspora (5 comments)
websites or stores
http://www.analogstereo.com/cadillac_fleetwood_owners_manual.htm
Posted by Ubber geek (325 comments)
What is bald-mullet? computer term? my tips
Use antivirus always and make sure backup all computer stuff all times cause it's not good lose all computer stuff. What is mullet? Bald-mullet? I no understand, maybe computer term I never hear?

I know my English bad but give me break. Hardware firewall is better option for people to use. Keep software from bugging user. I understand that Bruce say he paranoid and what he write sound paranoid to me. Take what you can use and leave what you do not agree with.

thanks - Jibbity
Posted by (2 comments)
get free AV, always good to have
AV good to have b/c you never can tell!!!!! Charlene must mean cheap in French or something but don't worry b/c you can get free AV software today! www.grisoft.com
save lot of $$$$$$$$$ n' stay safe

p.s. good luck w/ your worms
Posted by (2 comments)
Online Banking
Not using online banking does not mean your account is safe.

Good call on insisting that one's bank use SSL exclusively for any page involving account info. And as stated, the backend servers need attention as well.

"Secure Sockets Layer (SSL) encryption does not provide any assurance that the vendor is trustworthy or that its database of customer information is secure."

Just because you don't access your account online doesn't mean it isn't on the same backend database server as the customers that do bank online. Any weakness in that database server puts your account at risk just as much as anybody's who is using online banking. In simple terms, your account might be accessible online (maybe not easily) whether you access it that way or not.
Posted by (2 comments)
Debit Cards....etc.
A.B. is right. Debit cards are just as good as Credit cards. In regards to fraud...this card will give you the same benefits.

As far as deleting the command.com and cmd.exe files go...why even bother if they only regenerate themselves! Was so silly for him to even mention this. Sheesh!
Posted by (2 comments)
HTML links in messages
"Never click links in e-mail unless you're sure about the e-mail; copy and paste the link into your browser instead. Don't use Outlook or Outlook Express."

Hmm, as I sit here reading a link that was posted in the weekly SANS Newsbites update (and marvel at the concept of removing the one truly useful feature of Windows - the command line interface), I wonder about living in a world where far too much data is sent so rapidly to so many people, but so few turn it into information...

What actual difference to the average Windows newbie is there between a link that appears in a non-HTML e-mail (Outlook 2003 actually has a 'read everything as plain text' switch that's off by default - but at least it's there), and dropping it into their browser - almost undoubtedly Internet Explorer? Unless Microsoft is bundling Firefox into Windows XP OEM versions now?
Posted by (1 comment)
Great article, but...
Can anyone explain why, in order to sign up to CNet, and subsequently post this comment, I was expected to provide personal and professional details in the clear?

Firefox has this excellent feature that turns the address bar yellow when the page is encrypted, and it stayed white as snow on the registration page...

In other words, I agree wholeheartedly with many of Bruce's suggestions, particularly the one about lying if you're uncomfortable giving out personal details. Oh, and to all those 'people' trashing Bruce, his hair style &c., allow me to lower myself to your level: learn to formulate an argument, losers.
Posted by (1 comment)
 
