Slashdot Mirror
Computer Security for the Home and Small Office
The book covers popular OSs replacements for Windows applications and utilities; it explains vulnerabilities; it offers practical setup information for both Windows and Linux to harden a system and make it extremely difficult to attack.
The Preface describes the book in general terms. The Introduction explains firewalls and their limitations, and explains how to install Mozilla to limit email and http exploits and spam.
Chapter One debunks the malicious-hacker mythology and shows that most so-called hackers are only script kiddies who are easily thwarted with commonsense tactics.
Chapter Two explains malware, spyware, bad system configurations, and the scores of other routes to system exploitation and privacy invasion that firewalls and antivirus software don't address. It includes a step-by-step guide to simplifying and hardening a system. Most importantly, it offers a useful guide to turning off unnecessary services and networking components for both Windows and Linux, and setting sensible user permissions, and is liberally illustrated with screen shots.
Chapter Three offers a good breakdown of social engineering and phishing scams, and how to defend against them.
Chapter Four is about using common tools, like Ethereal, Netstat, PGP, etc. It explains how to monitor an Internet connection to spot software secretly reaching out or phoning home to remote servers; how to monitor your system for signs of malicious processes; and how to use PGP and GnuPG to encrypt sensitive files and Internet correspondence. This is one of the best introductions to using encryption available anywhere.
Chapter Five explains how to eliminate all traces of Web activity from your computer and defeat forensic recovery of stored data; how to surf the Web anonymously using an encrypted connection and defeat remote monitoring; how to set up and use SSH (SecureShell) to conceal both your identity, and the data content of your Internet sessions from all third parties, including your ISP. The many hiding places of sensitive or incriminating data are revealed for both Windows and Linux users.
Chapter Six explains the advantages and disadvantages of migrating from Windows to Linux; why Linux is easier to configure for security, and why it's better suited to less technically-inclined users; how to judge whether Linux is right for you, and the issues you should consider before migrating. The author is clearly biased towards Linux, but he understands that most users will stick with Windows. Hence the emphasis on tools that run on Windows.
Chapter Seven is a catchall essay explaining security from an anecdotal point of view. There were places where it got a bit tedious, but the idea is to look at security as a process or a frame of mind, not a specific series of computer settings. The material in this section is informative in only a general sense. The real configuration information comes in chapters Two, Four, and Five.
There are several indexes with useful information on firewalls, ports, Trojan activity, sources of information, and more. Most of this information is conveniently located and linked at the author's website, BasicSec.org
Overall, the book is exceptionally well written for a tech manual. The author is a good writer and his prose flows nicely. The book is highly readable, and even witty in parts. I found myself laughing aloud on several occasions. The author has the art of The Register's irreverent presentation. I enjoyed reading it. But it is not perfect, so I give it a 9 out of 10.
My biggest criticism is that the book shifts back and forth from practice to theory and back again. It's good that readers learn the reasons for the (very sensible) procedures and settings listed; but I felt that the book was organized wrong. This is a minor issue, and the book remains exceptionally useful; but instead of interlacing the various parts, theory and practice might better have been separated in two distinct sections. It's difficult simply to flip to a section of this book and learn what needs to be done: there is a lot of theoretical talk between each practical item. It's very good talk, and very instructive talk, all right, but I would have preferred that it be located in a particular place. I would rather not have to read the entire book through in order to tweak my system for good security. Unfortunately, the author has structured the book so that a read-through is necessary.
Overall, this book will tell professionals what they need to do, and novices everything that professionals ought to know, but probably don't. It's in plain English, so no one should worry that they can't grasp it. You can make your computer, or your network, very hard to attack, whether you use Windows or Linux. This book will show you how in excellent detail. You've got to read the whole thing, unfortunately -- but it will work nicely for you, casual user and sysadmin alike.
You can purchase Computer Security for the Home and Small Office from bn.com. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page.
The banner urging you to install the latest Internet optimizer or a totally free peer-to-peer app is so much more convincing.
...at the company's expense. Everyone stumbles into the IT office and asks these questions, and the answer doesn't exactly fit in an FAQ because everyone has a slightly different situation.
And save your breath about whether or not it's my job to answer such questions. I probably don't work where you do.
Really, I'd LOVE to be able to point one of my tech support callers to a free online version of this book. It would be very helpful because I wouldn't have to explain to them why Firefox is better than Internet Explorer, and then have them think I'm just paranoid when I tell them all the ways spyware can get in their system.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
So basically, this book contains all the information that the average /. reader already knows.
--
Are you a Chipotle Fan?
Exactly.Too many people lack common sense.The only people with common sense (like us) go online to get info for free.
Chapter Four is about using common tools, like Ethereal, Netstat, PGP, etc. It explains how to monitor an Internet connection to spot software secretly reaching out or phoning home to remote servers; how to monitor your system for signs of malicious processes; and how to use PGP and GnuPG to encrypt sensitive files and Internet correspondence. This is one of the best introductions to using encryption available anywhere.
(And so on.) It looks to me as if the book has failed completely as a guide for the average home or small office user. Your mom is the average user. Your mom plays Pogo all evening and clicks on every mail she receives. You need to explain security to her in such a way that it can fit on both sides of an index card. GnuPG? I think not.
www.kitchengeek.com -- Nosh for
IMO is Ch5: Chapter Five explains how to eliminate all traces of Web activity from your computer and defeat forensic recovery of stored data; how to surf the Web anonymously using an encrypted connection and defeat remote monitoring; how to set up and use SSH (SecureShell) to conceal both your identity, and the data content of your Internet sessions from all third parties, including your ISP. The many hiding places of sensitive or incriminating data are revealed for both Windows and Linux users.
This will help the casual web users who get bashed by the spyware-grabbers. Like my parents.
An open source advocate won't just give away the book for free. So why again should source code be made free? Just a thought.
The parent post is actually insightful (as well as funny). So many of us have tried to tell our parents, friends, relatives - even complete strangers - about the importance of security. But they still download Kazaa (not lite), they still choose a password named after their dog, and they still open every damn attachment they get.
Security = extra work, confusing settings, and ways to mess things up
Insecurity = identity theft, loss of property or information, and probably cancer
It sounds like a pretty easy choice to me.
"The banner urging you to install the latest Internet optimizer or a totally free peer-to-peer app is so much more convincing."
BANNER:
"Would you like to be secure from spyware? Would you like to keep the government from spying on you? Would you like to be free from unwanted advertising? How about viruses and blue screens? Click HERE to find out more."
I see the main benefit of a book like this
as something to take my less computer-literate friends past the basic steps of:
->install Firefox
->install firewall.
->install a/v software (and run said software).
->install anti-spyware software (and run said software).
If it is as simple and clear as stated, it might
replace the wonderful calls I get during dinner from my new-to-computer friends/relatives along the lines of
"I was doing x to that firewall software, and
now nothing works".
And I didn't get my first first post... I suppose that's what I get for being off-topic...
"Overall, this book will tell professionals what they need to do, and novices everything that professioanls ought to know, but probably don't."
While I agree that novices probably ought to know a lot of the topics covered, there is something fundamentally missing when many (most?) novices still barely realize they have an alternative to using Windows. I interface with lots of people who basically think you have two choices - owning "a computer", or owning "a Mac" (as though owning a Mac wasn't a real computer).
The bigger problem, aside from addressing security problems, is educating the general public that they have choices, and there are different security impacts based on your choices. We live in a world where hundreds of thousands of Windows users don't even know about Windows Update, which is arguably the simplest thing you can do to avoid security vulnerabilities (yeah, yeah, I know sometimes they introduce problems through WU, but Microsoft seems to fix half a dozen "critical" security flaws per month).
So what novice out there is going to even take note that there's a book that covers security problems/issues and offers fixes for problems they're not even aware of?
"You need to explain security to her in such a way that it can fit on both sides of an index card. GnuPG? I think not."
PGP can be made a transparent part of the process of using your computer.
Just in case his site gets /.'ed, here is his impressive list of links. - Jonah Hex in non-karma whore mode.
Downloads
Linux Wipe Tools: Three shell scripts for securely wiping all data from the swap partition, wiping unused disk space on the root partition, or wiping an entire disk, by Thomas C. Greene.
No Messenger: A batch file that eliminates Windows Messenger and fixes the problem of Outlook Express loading slowly when Messenger is absent, by an anonymous friend of The Register.
FileCheck MD5: A free, simple, lightweight MD5 utility for Windows, courtesy of Brandon Staggs.
Errata: A text file containing my various blunders and ommissions in the book (right-click and "save as," or view as HTML). Last updated 6 June 2004.
Links to Other Goodies
Mozilla: A free, open source Web browser and e-mail client for Linux and Windows, feature rich and far more secure than Internet Explorer and Outlook Express. Recommended for novices.
Firefox: A free, open source, stand-alone Web browser for Linux and Windows. Very light and fast. Recommended for intermediate users.
Thunderbird: A free, open source e-mail and news client for Linux and Windows. Recommended for intermediate users.
GnuPG: Gnu Privacy Guard; a free, open source replacement for PGP, for Windows and Linux.
WinPT: Windows Privacy Tools; a free, open source GUI frontend to GnuPG for Windows.
Anonymizer: Various services for anonymous Web surfing, e-mail, chat, etc.
OpenSSH: A free, open source SSH (Secure Shell) client and server for Windows and Linux.
PuTTY: A free, open source GUI frontend to OpenSSH for Windows.
Ethereal: A free, open source network traffic analyzer for Windows and Linux. Windows users will need to install WinPcap before installing Ethereal.
Ad-Aware: A free, closed source adware/spyware scanner for Windows.
SpyBot Search & Destroy: A free, closed source adware/spyware scanner for Windows.
Sam Spade: CGI gateways to numerous online tools, such as whois, traceroute, etc.
SourceForge: A vast repository of open-source software for Windows and Linux. The site can be overwhelming, but it has a search engine to help users locate packages.
GNU Project: The home base of the open source movement. A repository of open source products, chiefly for UNIX-compatible systems.
Security Information
About Internet/Network Security: An informative and useful site dealing with computer and Internet security, with reviews of security products and books, practical howtos and tips, and links to numerous tools and information resources, geared toward beginners and intermediate users.
SANS Institute: An educational and research organization with a vast archive of security research documents, news, and advisories, geared toward intermediate and advanced users.
CERT/CC: Computer Emergency Response Team Coordination Cente
The banner urging you to install the latest Internet optimizer or a totally free peer-to-peer app is so much more convincing.
To whom? This sounds like a totally elitist attitude to me! I consult for a number of small business owners that depend on their computers for business. When things are explained to them so that they understand (none of this "Just do this and shut up" crap) I have never had one of them that insisted on practicing unsafe computer acts again. I suspect that more of the problem lies in presentation than in stubborn/stupid computer users!
Remember; ignorance can be cured, stupidity can't!
Or reading any book for that matter. That goes for users in the workplace..Who happen to be home users
Simple
Use Adsense for Charity
"While I agree that novices probably ought to know a lot of the topics covered, there is something fundamentally missing when many (most?) novices still barely realize they have an alternative to using Windows. I interface with lots of people who basically think you have two choices - owning "a computer", or owning "a Mac" (as though owning a Mac wasn't a real computer)."
Well I'll say two things about an Apple computer. One they do pay attention to security. Two they present security in such a way that it isn't the onerous burden like it is for other platforms.
yeah but each of us that gets it for free knows a guy who does nothing but buy brand new tech manuals and then stuff them under the passenger seat of their car three nights later.
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
There are no secrets on library shelves, either, but if the populace never signs out a book and actually reads it, or if they try to read it and can't understand the language, what good does that do them? OSS isn't inherently secure. It has the opportunity to be peer-reviewed and pronounced "secure" by the peer reviewers. And even they can be wrong, if they're not clever enough to spot a hole.
You see? You see? Your stupid minds! Stupid! Stupid!
Definitely. Free information online is teh best and guaranteed reliable or your MONEY BACK!
Do you love freedom??? Do you love freedom!!! DO YOU LOVE FREEDOM!!!!!!!!
If only that we true for SOs!!!! "What do you mean you use to be a man? Nah, no big deal, I'm cool with that...although I did always wonder why I caught you reading /. --that explains it."
"Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
No, they don't. They just don't (and/or don't want to) understand all the inner workings of technology they use every day. That's true for computers, cars, kitchen appliances, VCR's, whatever.
So in terms of computer security, an average user behaves like a dummie. The book should have been named "Computer security for Dummies" or something like that, to appeal more to the target audience. Isn't this "... for dummies" series of books very popular anyway?
CERT.org's tips for home network security. It's very basic but might help.
They also offer The Home Computer Security guide, which seems to parallel Mr. Greene's book in some key areas. This page includes a link to a pdf which goes into detail on the examples (encryption, firewall, anti-virus, patches, ACLs).
Point your tech support callers to these free docs - or others easily available via your favorite search engine - if the idea of a commercial book bothers you that much. Not everything has to be open source. Alternatively, why don't you write the open source manual that you need? Isn't that the idea behind F/OSS?
I want to drag this out as long as possible. Bring me my protractor.
It's a pity he covers Windows and Linux but completely ignores Macs. (I checked his website; I'm sure). There must be the same number of home/office users of Macs as Linux, probably more. Although the Mac is secure against spyware, malware and viruses at present, it would be useful to inform people about security considerations for the Mac, how the built-in firewall works, and so forth.
www.lucernesys.comHorizon: Calendar-based personal finance
In my opinion, the real problem is that computers aren't MADE for the average user. An average user should not have to worry about firewalls, security exploits and the like, just like an average driver does not have to worry that his engine or breaks might malfunction.
A more secure home user? Simple. Make Internet use dependant on the user's I.Q.
.gov .net .com, save....
50 or below: Fox News, CNN, MSNBC, Hotmail, any
75 or below: Microsoft, Dell, Compaq, etc.
100 or Below: Slashdot, any
125 or Below: Any
150 or below: Apple.com
Pfeh. Letting blind people drive. Why, oh why are there so many accidents??
This strikes me as off-topic, but I can't think of anywhere to post it where it would be on-topic, and this is as close as it gets.
In my preferences, under "Exclude Stories from the Homepage", I have checked "Book Reviews". I just double-checked. So why does this story show up on my homepage?
Am I doing something wrong? Is there a bug in slashcode? Is this not really a book review, despite the words "Book Review"?
Can anyone help me out?
But can you ride a Segway without falling over? Finish a bag of pretzels without need of the Heimlich maneuver?
Tom Greene writing something insightful and instructive?
A rticle/id- 1983,subcat-NETWORKING.htmlo m/WileyCDA/DummiesArticle/id- 1808,subcat-NETWORKING.htmlo m/WileyCDA/DummiesArticle/id- 1518,subcat-NETWORKING.html
Well, that would be a first I suppose, him and Orlowski (sp?) are the two biggest problems the reg has IMHO.
For my money when there is already stuff like the Dummies Guide to Network Security (www.dummies.com) why bother?
For those that asked for online articles
http://www.dummies.com/WileyCDA/Dummies
http://www.dummies.c
http://www.dummies.c
etc etc
http://slashdot.org/~GuyFawkes/journal
Nope I'm sorry but the original poster is right. The users I deal with day in and day out want NOTHING to do with security.
We have tried to explain both nicely and in the "Just do this and shut up" way.
No matter how we try and tell them they do not care.
"Thats not my job"
I have dealt with a very wide range of users and for the most part it has nothing to do with the sysadmins presentation more the users lack of knowledge.
When it comes to computers, security included, I would say that 90% of your average consumers (not your average /.er) does lack common sense. Before buying and/or using a computer, they should either get the proper manuals (books like the one reviewed here, though I didn't RTFA at all) or retain the services of someone who will keep their computer safe, secure and running correctly.
Security = extra work, confusing settings, and ways to mess things up
Insecurity = identity theft, loss of property or information, and probably cancer
Well, you also have to consider that for all of the screaming privacy/security insanity on Slashdot, that security isn't important to most home users. Of course people get fucked over, but not everybody running unpatched Windows 98 is fucked. Even if a large % of users have backdoors, etc. installed, what % of those users have something worth stealing? It comes down to if the extra time, money and effort in securing a computer is really worth it to them.
As an aside, I refuse to buy any "For Dummies" or "For Idiots" books, because I don't believe I am either.
I'm perfectly capable of understanding most anything, give me a reference manual or a "for beginners" type of book. I'm not dumb simply because I don't have the information. I'm dumb if I'm not able to absorb the information.
My blog. Good stuff (when I remember to update it). Read it.
Few of us read books about auto safety, either, but automobiles and the roads they travel on are demonstrably safer than in years past. This happened because manufacturers designed and built safer cars. Sometimes legislation mandated those improvements, other times the market mandated the changes.
Imagine if someone started selling a hardware or software gizmo that promised to keep your machine free of all spam and viruses, forever, period. Imagine that this gizmo actually worked. Imagine the sales boost for PC's that sell with this gizmo built in.
Ditto for computer security. The best way to make home and SOHO computing more secure is to build that security into the hardware and software we use and in the networks are traffic moves on. And, yes, some of that will be legislated as the net becomes increasingly critical to our daily wellbeing.
We can't expect any but a tiny fraction of computer users to "learn" their way to better security. Nor can we pretend that the wide open and unregulated nature of the infant internet will survive.
-- Slashdot: When Public Access TV Says "No"
A badly programmed VCR won't do anything other than tape over something or tape the wrong thing. A microvave (for the most part) is point-and-cook. A computer is far-too multi-purpose and essential to be treated like a run-of-the mill appliance.
I'm not saying all casual users need to get certifications, but having a higher expectation of responsibility wouldn't hurt.
BUT, on the flipside, soft- and hardware makers need to be held to higher standards. Cars have to meet government standards, as do medical devices. PCs need to, also!
GTRacer
- Who do you want to DDoS Today?
Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
Too many people lack common sense.
No, they don't. They just don't (and/or don't want to) understand all the inner workings of technology they use every day.
Considering that most of these people have to use computers at work on a daily basis, and probably use them at home at least every few days, isn't refusing to learn about the technology, by definition, lacking common sense?
I can't help it - I'm a 19D.
*shudders*
Why can't they be more like Dell and have a 1 sheet poster with cute pictures telling us how to setup our computer?
Honestly, the majority of computer users -- Joe6Pack&SoccerMom (TM) -- are stupid. They don't read the manual to a machine that is more complex than their automobile.
We're not asking the normal user to be an expert in rebuilding their engine or to understand how a transister works...but seriously. Read a few books and learn where the hell the gas/brake/power button is located and what double clicking/opening programs/start menu/interet means.
Maybe it's M$'s fault for not providing an Operating System where flaws/problems/features don't cripple the non-savvy user.
Too bad no one makes a computer system for the non-savvy...something easy where there aren't 500 holes that need to be patched before you connect it to the internet...what did you say, Apple? Macs? Oh, I take that back then.
>Tom Greene writing something insightful and instructive?
>Well, that would be a first I suppose, him and Orlowski (sp?) are the two biggest problems the reg has IMHO.
Disagree, Greene is a great writer and has written excellent articles for the register explaining to newbies and power users how to secure linux You could say its "insightful" and maybe even "instructive"...
It's like a Service Patch for wetware!
English is easier said than done.
Unfortunately, it's true. My father runs a small business and is constantly plagued by spyware, malware, viruses and so on. I've tried and tried and tried and tried to get him to switch to Firefox and Thunderbird. Even after running Spybot and showing him how much spyware he had on his system, he has yet to switch over. This isn't a matter of him not knowing how things work, or understanding the technical end of things. He simply doesn't want to deal with a process that he thinks (no matter what I tell him) is going to cost him a lot of time and energy switching over and getting used to. I would imagine that a lot of people are the same way. The flaws drive them nuts, but they're convinced that the solution is just too complicated and time-consuming to find.
http://angel.merseine.nu - Stuff for the poet, diva, geek, romantic and angel in all of us.
The first couple of paragraphs consist of an intro and a
description of the preface.
The third paragraph describes the first chapter.
The fourth paragraph describes the second chapter.
The fifth paragraph describes the third chapter.
The sixth paragraph describes the fourth chapter.
The seventh paragraph describes the fifth chapter.
The eight paragraph describes the sixth chapter.
The ninth paragraph describes the seventh chapter.
The tenth paragraph notes there are indexes.
Overall this review is skeletal at best.
I give it a 3 out of 10.
Overall, this review is useful for nearly some people, not so useful for others. It's
certainly written in English, so more than half of Slashdot's
readership will feel a vague sense of familiarity.
grammar-lesson free since 1999. (rescinded - 2005)
To use my car analogy again, the owner needs to know how to check the oil, tranny fluid, washer fluid and how to drive it safely. They don't need to know how to replace the drive shaft.
I think the government needs to regulate for safety, which, in computer terms, basically = security. The government should regulate Microsoft, Apple, SCO, etc. They should regulate AIM, Yahoo, Gain, etc... When you have Wind...erm...I mean Security Holes on your machine, you can fall victim to something like identity theft or, you could be used in part of a larger attack on another server.
I think most users would be "safe" and happy to leave replacing HD's or upgrading RAM to the "mechanics". The users who want to learn, well, it's much like a car - get in there and do it.
Unfortunately I use Windows at work. I use WinPT and Putty frequently. They're great apps, although they're a bit unpolished. I know little of networking and security and have no problems using them. But I'm a developer. I think an average user would have a problem using either. They're both for people who know what GnuPG and OpenSSH are and how to use them. They don't hide the details, which is a good thing in general, but hard for beginners. I think an average user might get by with WinPT since it adds a toolbar button to Outlook. Luckily Putty is for secure terminal sessions and FTP so it's unlikely an average user would need to bother with it.
Developers: We can use your help.
I don't think that it's a problem to demonstrate the advantages of security. Everyone knows the advantages of security. The difficulty is demonstrating impact. The vast majority of people, since they don't understand computers, feel that the basic knowledge of how to crack security is enough of a deterrant and lock in and of itself. The general need for additional security measures is perceived to be paranoia.
Unless there's a widespread and media popularized outbreak of identity theft, or computer hijacking, or people who can't check their e-mail or browse the web, then computer security will continue to be perceived as a topic of paranoia.
Currently the impact of computer insecurity is considered to be an annoyance. Extrapolated damages of corporate insecurity are given the same regard as the extrapolated damages of trading mp3s. Until authorities take a tough stance on abusive network activities (spam, browser hijacking, unwanted pop-up advertising, unauthorized collection of consumer data) then the general populance will continue to accept a loose attitude towards computer security.
The fact is that insecurity is profitable as a business. There's no real motivation to protect the consumers so why should the consumers waste effort protecting themselves?
+++ATHZ 99:5:80
It is more like a car or boat. It needs regular maintance; while misuse is not lethal yet, it can have legal ramifications; and a certain amount of training is needed to just use them.
BTW, PCs do meet certain standards, as electrical devices they need to meet certain FCC regs, of course this is not much different than an FM stereo...
Just a Tuna in the Sea of Life
Dude you are taking your computer far too seriously. Heart-lung machine? Go outside.
you can't ack before you balls.. you just
Chapter Four is about using common tools, like Ethereal, Netstat...
If you're talking about Joe User, you need to stick to what works under Windows. Last time I checked, Ethereal on win32 platforms only worked on LAN (eth) adapters and not dialup connections. If you've got a cable modem or DSL hooked up via an ethernet adapter, then it's a viable option. I'll agree about netstat, but I really don't think I'd be able to teach my a non-technical person how to interperet the output -- even given a book with examples, a non-techie really doesn't stand much chance tracing down what programs have what ports open.
As far as monitoring open connections on a win32 box, I'd heartily recommend TCPView. It's capable of printing out information on all connections, their states and what processes they're associated with. Very powerful tool, and I can talk my mom through using it over the phone, even sending my the results via email.
I suppose that is true for, say, 90% (pick your number) of users? You can try to change that, or accept it.
Changing that means: educating users. For some limited groups that might work, but I'd say experience shows that for Joe average, it doesn't. Average users, for the most part, aren't gonna change their behaviour, they're just gonna keep on browsing random websites, clicking on random e-mail attachments, pop in random disks, and run random binaries.
Accepting that, means: consider a PC an appliance. Let maintenance be done in ways that are possible to do for a normal user, but might just as well be done by third parties (automatic updates is one way). So a possible solution would to be to create OS'es that make a PC behave such that it's safe to run random binaries, pop in random disks, click on random e-mail attachments, without worries about screwing up the system.
Current PC security ultimately depends on trusting the user, assuming that he/she knows what he's doing. I'd say, experience shows that for those 90% of Joe average, that trust is misplaced. For a user sitting behind a PC, it's just too easy to change essential aspects of the OS. Maybe some other security model would make more sense?
I sure as hell hope that the average user is concerned with his brakes functioning!
the government needs to regulate
Just what we need, more Gov't regulation. Because they do such wonders with everything else that they lay their hands on! If we get Gov't regulation of comp security I can guarantee that we'll shortly thereafter end up with all kinds of other government intrusions into the IT world, like a tax on email for instance.
Tell him you'll not help him with his computers anymore until he uses firefox+Thunderbird.
Next time his machine crashes and stays down, tell him you don't wanna hear about it.
It's cold, but if my friend told me his car's engine died because he wouldn't fix the clutch, after I'd told him what would happen if he didn't fix it, then I would just shrug and mutter: "I told you so", and let him buy a new one.
You know, people don't care about security because it does not cost them enough.
Charge $300 per hour for computer security repair. If they balk at the price, tell them to go elsewhere.
"Piter, too, is dead."
"We have tried to explain both nicely and in the "Just do this and shut up" way. "
Unfortunately there's no "stick" to your "carrot".
If so and so introduces a virus? Will they get penalized? If so and so breaks a multi-million dollar piece of equipment? Will they get penalized? If so and so leaks details of a contract to competitors? Will they get penalized?
"Thats not my job"
This isn't so much a bad person as it is bad managment? Is managment walking the walk? If so then everyone else should already be "secure". How so? If securities important to them, they will take the steps to make it important to everyone else that "still works there".
The only people with common sense (like us) go online to get info for free.
If only a small percentage of the total internet userbase "go online to get info for free", then how precisely is that common sense? It's certainly isn't very common. It's sensical, I'm not doubting that, rather what I'm saying is, common sense is standardized by the massses - it's what most people do. It's common. On the internet, common sense just happens to be ruled stupidity/laziness. Smart internet use, unfortunately, isn't common sense. It's the exception to the millions of ignorant users out there.
Macs are. Buy a Mac!
Know what a firewall is and how to configure it. Know not to run executable code unless you trust the source. Keep your machine up to date, and scan for viruses reguarly.
You forgot: "Don't use Internet Explorer or any version of Outlook." And that should have been the first one on the list.
The "dont run executables" is a tricky one under Windows
Try this variant: "Don't open any file you receive in email unless it's obviously some file you were already expecting that person to send you".
heh, no... You're dumb if you can't speak.
At least, that was the original meaning of the word.
You need to restart your computer. Hold down the Power button for several seconds or press the Restart button.
Don't mean to sound like a troll, but how do stuffed clutches kill the engine? I can see how it's possible, but how common is it?
Having said that, it's been a while since I had the chance to do so much as change oil. My work gives me a car (Good Thing) but it's automatic and I'm not allowed to do any more than refill the window washer reservoir. All that stuff I used to know...
Actually, their computer use policy is much the same. Do MS license cars?
Cogito, ergo sig.
A quote from Mr Greene himself, speaking about himself.
"I loathe Microsoft, adore Linux, loathe Feds, adore soldiers, loathe cops, adore firefighters"
yeah, I can see why slashdotters like the guy, the first 5 words alone are enough...
Fact is _I_ have never seen anything insightful or instructive from his pen, mainly perhaps because I have never seen anything original from his pen, it all appears to be stuff he has read elsewhere (same places as me perhaps) and then reworded and revamped himself... this might equate to "all my own work" in academic thesis circles, but that is not the same thing... I have no argument that he is a good source for a synopsis.
http://slashdot.org/~GuyFawkes/journal
personaly i find the dummies series a nice read. sure the titles are a bit wack but your looseing out on some nicely layed out info on the basis that you want to look more 1337 (did i just use that word/number?) then you may be...
comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
Fact is green's articles on linux security are IMHO a joke, I have been asked the same question, any MY answer was thus.
"Get yourself a laptop, cpu not too important but make sure it has at least 512 meg of ram, pull the hard disk and sell it on ebay, now get yourself a couple of usb flash disks, make sure everything written to them is STRONGLY encrypted, now stick a 802 card in the pcmcia slot, now stick a knoppix live-cd in, now go somewhere where there is "war" type access and only then boot it up and do your thing..... you are now as secure as it gets, until someone with enough power says the thing that makes you give up the encryption key to your usb sticks."
_anything_ less than this simply is not secure.
http://slashdot.org/~GuyFawkes/journal
more like a lack of time and interest in keeping up to date with the latest exploit news, the latest viruses and so on.
this may offend a lot of users but i think we would be better of if most of the net was behind a freaking big firewall/proxy and where all traffic across or behind said firewall/proxy was checked for viruses and similar stuff. sure it shooting a big hole in the freedom of the net but its either or.
or we can start to ship console like boxes where the os and office apps are put on a cd or dvd as read only data and where the os dont allow for any app to be run of any rw media (or if they are, they should be sandboxed to hell and back. like most proper java apps are). that way there is nothing for the viruses to grab hold of. and if the customer signs up for getting a updated cd/dvd mailed to them ever so often they dont have to go into the minefield that is the net to get the latest updates. just pop the latest disc into the drive and you have spreadsheet, wordprosessor, mail and web at your service. and if you want to play games? eject the disc, insert game and the game starts.
basicly im talking about a extreme version of the xbox here...
sure its nothing a power user would be happy with but atleast it would keep the viruses at bay...
comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
It stresses the metal of the engine because of the rapid change in torque load. When the engine is stressed, things break. it can develop oil leaks, break seals, knock out valves, etc.
It's not that common because without a working cluch, generally the car won't go, so it gets fixed. But a slipping clutch can stress the engine.
"Piter, too, is dead."
Viruses? Spyware? Bad installs? Not a chance of writing to the CD. Problems? Just restart.
I'd like to be able to recommend a disk - IMHO Knoppix is almost there, but needs a few less alternative programs (e.g. browser, mail) and a few more easy-setup programs (for network, ISP, email) - plus the "Dummies Guide" book.
Andrew Yeomans
found here. It does exactly what you ask, though for Mozilla rather than Firefox.
Andrew Yeomans
The hardware has to meet certain standards, but the software does not... 99% of the problems with todays computers is caused by bad software.. theres rarely something wrong with the hardware.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Well, since corporations are afforded the same, or often more, legal rights as people... Insecure computer(s) could quite easily kill a corporation, either by leaking secrets, by being used for denial of service etc... Surely, if corporations have the same rights as humans, this would be considered murder.
It's also possible you could kill a human using an insecure computer, you could manipulate police computers to plant evidence and place someone on death row, or you could take control of a computer controlled device that has peoples lives in it's hands, such as an aircraft.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
I'm pretty glad to say that that was more or less what I thought would happen. I haven't lost it yet!
Cogito, ergo sig.
I never meant too imply I consider my machine as essential as a heart-lung machine. I was just illustrating that the risks in improper use, maintenance or design are more catastrophic for PC's than for washing machines.
And I DO go outside - twice a day in fact when I have to go to work and back. But that's about it ;)
GTRacer
- Not alabaster or cream
Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
I don't expect to see more l33t home users. What I want to see is something along the lines of PC inspection stations or checkups where every so often users have to have the machine scanned for common and new vulns, and for patch compliance.
I know this is getting into Big Brother tinfoil hat territory, but I'm getting tired of being hosed by stupid or malicious people taking advantage of end-user trust.
GTRacer
- Spyware REALLY sucks!
Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
Keeping up-to-date for the average user really isn't all that hard.
I'm gonna play devil's advocate here, but Microsoft does patch a whole lot of security holes with Windows Updates. How many of those viruses/exploits that they talk in the news also say "It affects unpatched Windows systems" or "Users should download the latest Windows Update to stop being vulnerable".
If the average user even slightly cared about 3 things, overall security would be much much higher : Automatic Windows Update, Firewall, Anti-Virus software.
Together, those 3 things can probably stop 90% of all attacks/hacks. Refusing to try and learn that is the car equivalent of refusing to understand how the brake pedal works.
After 3 days without programming, life becomes meaningless
- The Tao of Programming
but as it have been shown, getting a newly installed system to update of the net is a bad idea as the very exploits its suppoed to get protection againt hits your system while your getting the updates to stop them...
yes there is systems like slipstream but most home computers theses days as shipped with recovery cd, not windows install cds...
comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
Well, yes. But the book and the thread are about home computers.
you can't ack before you balls.. you just
Even if a large % of users have backdoors, etc. installed, what % of those users have something worth stealing?
-----
You're talking out your ass or you'd know why those home users get targetted. The attackers don't generally want what's on the computers, they want to use the computers themselves.
They use them to send spam, hack even more computers, store files, etc. If your computer is used as a significant part of an attack (e.g. they use it to hack a DOD computer), you can expect the Feds on your doorstep. If they store illegal files (e.g. child pornography, for which there is strict liability--if you possess it, you're guilty of a crime, do not pass go, do not collect $200) on your computer, you can very well be hosed, too. You could say that that's hypothetical, but all of these have happened.
Granted, in the child pornography case, the evidence that there was a backdoor on the computer was enough to cast doubt on whether it's owner actually "possessed" the illegal files. However, if you look at cases like Steve Jackson Games vs. the US Secret Service, you'll see that even if you're not found to have any tertiary legal liability for those using your computer or network unlawfully, you CAN still suffer for it. Granted, I hope that the government is smarter in its execution of search warrants now than it was when Steve Jackson was made to suffer, but still you have to realize that being involved in any such case is not fun.
And yet you illustrate why we need to give more of a security education to home users. It is for exactly this reason I give free lectures on this at my local public library, and I encourage anyone else with security knowledge and a convenient forum to do the same.