Slashdot Mirror


Computer Security for the Home and Small Office

Andrew Murphy writes "The Register's security guru Thomas Greene has written a book for the average computer user, though it contains a great deal of information that professionals need to know. It's insightful, instructive, and calls for open source software even on Windows for enhanced security. The single most interesting feature is the author's emphasis on open source software as a security feature per se. He rightly notes that there are no secrets in OSs, and teaches users to leverage this transparency regardless of their platform. As early as the introduction, Mozilla is urged as a secure replacement for IE and OE, and this came before the Scob outbreak." Read on for the rest of Murphy's review.

Computer Security for the Home and Small Office
Author: Thomas C. Greene
Pages: 405
Publisher: Apress
Rating: 9
Reviewer: Andrew Murphy
ISBN: 1590593162
Summary: No secrets means that open source software, when it survives, tends toward robustness -- so it can help even if you run a closed-source operating system.

The book covers popular OSS replacements for Windows applications and utilities; it explains vulnerabilities; it offers practical setup information for both Windows and Linux to harden a system and make it extremely difficult to attack.

The Preface describes the book in general terms. The Introduction explains firewalls and their limitations, and explains how to install Mozilla to limit email and http exploits and spam.

Chapter One debunks the malicious-hacker mythology and shows that most so-called hackers are only script kiddies who are easily thwarted with commonsense tactics.

Chapter Two explains malware, spyware, bad system configurations, and the scores of other routes to system exploitation and privacy invasion that firewalls and antivirus software don't address. It includes a step-by-step guide to simplifying and hardening a system. Most importantly, it offers a useful guide to turning off unnecessary services and networking components for both Windows and Linux, and setting sensible user permissions, and is liberally illustrated with screen shots.

Chapter Three offers a good breakdown of social engineering and phishing scams, and how to defend against them.

Chapter Four is about using common tools, like Ethereal, Netstat, PGP, etc. It explains how to monitor an Internet connection to spot software secretly reaching out or phoning home to remote servers; how to monitor your system for signs of malicious processes; and how to use PGP and GnuPG to encrypt sensitive files and Internet correspondence. This is one of the best introductions to using encryption available anywhere.

Chapter Five explains how to eliminate all traces of Web activity from your computer and defeat forensic recovery of stored data; how to surf the Web anonymously using an encrypted connection and defeat remote monitoring; how to set up and use SSH (SecureShell) to conceal both your identity, and the data content of your Internet sessions from all third parties, including your ISP. The many hiding places of sensitive or incriminating data are revealed for both Windows and Linux users.

Chapter Six explains the advantages and disadvantages of migrating from Windows to Linux; why Linux is easier to configure for security, and why it's better suited to less technically-inclined users; how to judge whether Linux is right for you, and the issues you should consider before migrating. The author is clearly biased towards Linux, but he understands that most users will stick with Windows. Hence the emphasis on tools that run on Windows.

Chapter Seven is a catchall essay explaining security from an anecdotal point of view. There were places where it got a bit tedious, but the idea is to look at security as a process or a frame of mind, not a specific series of computer settings. The material in this section is informative in only a general sense. The real configuration information comes in chapters Two, Four, and Five.

There are several indexes with useful information on firewalls, ports, Trojan activity, sources of information, and more. Most of this information is conveniently located and linked at the author's website, BasicSec.org

Overall, the book is exceptionally well written for a tech manual. The author is a good writer and his prose flows nicely. The book is highly readable, and even witty in parts. I found myself laughing aloud on several occasions. The author has the art of The Register's irreverent presentation. I enjoyed reading it. But it is not perfect, so I give it a 9 out of 10.

My biggest criticism is that the book shifts back and forth from practice to theory and back again. It's good that readers learn the reasons for the (very sensible) procedures and settings listed; but I felt that the book was organized wrong. This is a minor issue, and the book remains exceptionally useful; but instead of interlacing the various parts, theory and practice might better have been separated in two distinct sections. It's difficult simply to flip to a section of this book and learn what needs to be done: there is a lot of theoretical talk between each practical item. It's very good talk, and very instructive talk, all right, but I would have preferred that it be located in a particular place. I would rather not have to read the entire book through in order to tweak my system for good security. Unfortunately, the author has structured the book so that a read-through is necessary.

Overall, this book will tell professionals what they need to do, and novices everything that professionals ought to know, but probably don't. It's in plain English, so no one should worry that they can't grasp it. You can make your computer, or your network, very hard to attack, whether you use Windows or Linux. This book will show you how in excellent detail. You've got to read the whole thing, unfortunately -- but it will work nicely for you, casual user and sysadmin alike.


28 of 146 comments

  1. The problem with security books for the home user by prostoalex · · Score: 5, Insightful

    ...is that few people ever read them.

    The banner urging you to install the latest Internet optimizer or a totally free peer-to-peer app is so much more convincing.

  2. This book should be open source by TheSpoom · · Score: 5, Insightful

    Really, I'd LOVE to be able to point one of my tech support callers to a free online version of this book. It would be very helpful because I wouldn't have to explain to them why Firefox is better than Internet Explorer, and then have them think I'm just paranoid when I tell them all the ways spyware can get in their system.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
    1. Re:This book should be open source by Anonymous Coward · · Score: 1, Insightful

      ...and then have them think I'm just paranoid when I tell them all the ways spyware can get in their system.

      I get this a lot from my boss. My response is always one of my favorite quotes: "It isn't paranoia when they really are out to get you!"

    2. Re:This book should be open source by DP · · Score: 2, Insightful

      If a tech support guy ever did that to me, I'd make sure he got fired for it. That is not doing your job, that is shirking your duty. If you're getting paid to do tech support, you better damn well be ready to give tech support, not say "RTFM, lamer."

      If you can't explain the advantages of security without sounding paranoid, it's your problem, not the customer's.

      -- d'arcy poirot
  3. Oh by ParticleMan911 · · Score: 1, Insightful

    So basically, this book contains all the information that the average /. reader already knows.

    --
    Are you a Chipotle Fan?
  4. Re:The problem with security books for the home us by CrazyTiger · · Score: 4, Insightful

    Exactly. Too many people lack common sense. The only people with common sense (like us) go online to get info for free.

  5. Average user? by scowling · · Score: 5, Insightful

    Chapter Four is about using common tools, like Ethereal, Netstat, PGP, etc. It explains how to monitor an Internet connection to spot software secretly reaching out or phoning home to remote servers; how to monitor your system for signs of malicious processes; and how to use PGP and GnuPG to encrypt sensitive files and Internet correspondence. This is one of the best introductions to using encryption available anywhere.

    (And so on.) It looks to me as if the book has failed completely as a guide for the average home or small office user. Your mom is the average user. Your mom plays Pogo all evening and clicks on every mail she receives. You need to explain security to her in such a way that it can fit on both sides of an index card. GnuPG? I think not.

    --
    www.kitchengeek.com -- Nosh for
  6. Is it ironic, hypocritical or neither? by Soukyan · · Score: 2, Insightful

    An open source advocate won't just give away the book for free. So why again should source code be made free? Just a thought.

  7. Marketing security. by Anonymous Coward · · Score: 2, Insightful

    "The banner urging you to install the latest Internet optimizer or a totally free peer-to-peer app is so much more convincing."

    BANNER:
    "Would you like to be secure from spyware? Would you like to keep the government from spying on you? Would you like to be free from unwanted advertising? How about viruses and blue screens? Click HERE to find out more."

  8. Main benefit I see by Anonymous Coward · · Score: 2, Insightful

    I see the main benefit of a book like this
    as something to take my less computer-literate friends past the basic steps of:
    ->install Firefox
    ->install firewall.
    ->install a/v software (and run said software).
    ->install anti-spyware software (and run said software).
    If it is as simple and clear as stated, it might
    replace the wonderful calls I get during dinner from my new-to-computer friends/relatives along the lines of
    "I was doing x to that firewall software, and
    now nothing works".

    And I didn't get my first first post... I suppose that's what I get for being off-topic...

  9. Re:Lesson 1 Install Service Pack 2 by Hockney+Twang · · Score: 2, Insightful

    Perhaps not so simple. I'm gonna go ahead and make the assumption that a large number of people will have (have had) serious stability issues as a result of SP2. Remember the 3 out of 5 figure that everyone blew off because it was related to some malware that's incompatible with SP2? Well, most users have malware on their machines, that's just the way it is. They don't know or care enough to remove it, or buy this book. And if they install SP2, all they'll know is that their computer no longer works.

  10. Re:A Most important home-use chapter by Pidder · · Score: 5, Insightful

    Just because the book contains more advanced topics doesn't mean it can't be aimed at the casual user. To me it seems that the book is aimed at the casual but interested user. Someone who's not the least interested in security will not pick this up no matter how basic it is. As Joe Sixpack starts reading this book he will learn more and more and by the time he comes to chapter 5 he will hardly be Joe Sixpack anymore.

  11. there are no secrets in OSs by Junior+J.+Junior+III · · Score: 4, Insightful

    There are no secrets on library shelves, either, but if the populace never signs out a book and actually reads it, or if they try to read it and can't understand the language, what good does that do them? OSS isn't inherently secure. It has the opportunity to be peer-reviewed and pronounced "secure" by the peer reviewers. And even they can be wrong, if they're not clever enough to spot a hole.

    --
    You see? You see? Your stupid minds! Stupid! Stupid!
  12. Re:i'll be buying several copies... by Saeed+al-Sahaf · · Score: 2, Insightful
    So isn't answering those questions your job?

    The book is for the "home user". Most help desk / IT shop guys get asked a lot of questions by fellow employees that are not work related, and in those cases, no prob. not his job. On the other hand, is the boss going to want to pay for these books?

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  13. Re: The book is missing "dummies" in the title by Alwin+Henseler · · Score: 5, Insightful
    Too many people lack common sense.

    No, they don't. They just don't (and/or don't want to) understand all the inner workings of technology they use every day. That's true for computers, cars, kitchen appliances, VCR's, whatever.

    So in terms of computer security, an average user behaves like a dummy. The book should have been named "Computer security for Dummies" or something like that, to appeal more to the target audience. Isn't this "... for dummies" series of books very popular anyway?

  14. Other useful info at cert.org by sczimme · · Score: 4, Insightful


    CERT.org's tips for home network security. It's very basic but might help.

    They also offer The Home Computer Security guide, which seems to parallel Mr. Greene's book in some key areas. This page includes a link to a pdf which goes into detail on the examples (encryption, firewall, anti-virus, patches, ACLs).

    Point your tech support callers to these free docs - or others easily available via your favorite search engine - if the idea of a commercial book bothers you that much. Not everything has to be open source. Alternatively, why don't you write the open source manual that you need? Isn't that the idea behind F/OSS?

    --
    I want to drag this out as long as possible. Bring me my protractor.
  15. Re:The problem with security books for the home us by Hexedian · · Score: 3, Insightful

    In my opinion, the real problem is that computers aren't MADE for the average user. An average user should not have to worry about firewalls, security exploits and the like, just like an average driver does not have to worry that his engine or brakes might malfunction.

  16. Re:The problem with security books for the home us by buchan232 · · Score: 4, Insightful

    Nope I'm sorry but the original poster is right. The users I deal with day in and day out want NOTHING to do with security.
    We have tried to explain both nicely and in the "Just do this and shut up" way.

    No matter how we try and tell them they do not care.

    "That's not my job"

    I have dealt with a very wide range of users and for the most part it has nothing to do with the sysadmin's presentation, more the users' lack of knowledge.

  17. Re: The book is missing "dummies" in the title by jadenyk · · Score: 2, Insightful
    But if you lack the understanding of the inner workings of your car, you go to a mechanic or, even better, buy a book to learn all about it so you can fix it yourself. This is common sense.

    When it comes to computers, security included, I would say that 90% of your average consumers (not your average /.er) do lack common sense. Before buying and/or using a computer, they should either get the proper manuals (books like the one reviewed here, though I didn't RTFA at all) or retain the services of someone who will keep their computer safe, secure and running correctly.

  18. Re: The book is missing "dummies" in the title by PitaBred · · Score: 2, Insightful

    As an aside, I refuse to buy any "For Dummies" or "For Idiots" books, because I don't believe I am either.
    I'm perfectly capable of understanding most anything, give me a reference manual or a "for beginners" type of book. I'm not dumb simply because I don't have the information. I'm dumb if I'm not able to absorb the information.

  19. Re:something missing here... by hal2814 · · Score: 2, Insightful

    "I interface with lots of people who basically think you have two choices - owning "a computer", or owning "a Mac" (as though owning a Mac wasn't a real computer)."

    I find this a bit annoying, but I would blame the software manufacturers and salesmen more than the ignorant users. How many times do you hear of a piece of software running on PC or MAC when they really mean it runs on Windows or OS X (or 9 or whatever)? I remember back when a Novell rep tried to claim that multiplatform meant Windows 98 AND Windows NT (x86 only of course). While it's good to see our previous file and print server overlords overcome such ignorance, the average user still has not. To them there is PC and Mac and as long as software reps perpetuate this view, it won't go away.

  20. Re: The book is missing "dummies" in the title by GTRacer · · Score: 4, Insightful
    But here's the rub, at least as I see it... The average person treats a PC like a VCR, as an appliance. However, they need to treat a PC like a heart-lung machine. At least in terms of respecting the danger that misuse can bring.

    A badly programmed VCR won't do anything other than tape over something or tape the wrong thing. A microwave (for the most part) is point-and-cook. A computer is far too multi-purpose and essential to be treated like a run-of-the-mill appliance.

    I'm not saying all casual users need to get certifications, but having a higher expectation of responsibility wouldn't hurt.

    BUT, on the flipside, soft- and hardware makers need to be held to higher standards. Cars have to meet government standards, as do medical devices. PCs need to, also!

    GTRacer
    - Who do you want to DDoS Today?

    --
    Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
  21. Re:The problem with security books for the home us by somegeekgirl · · Score: 2, Insightful

    Unfortunately, it's true. My father runs a small business and is constantly plagued by spyware, malware, viruses and so on. I've tried and tried and tried and tried to get him to switch to Firefox and Thunderbird. Even after running Spybot and showing him how much spyware he had on his system, he has yet to switch over. This isn't a matter of him not knowing how things work, or understanding the technical end of things. He simply doesn't want to deal with a process that he thinks (no matter what I tell him) is going to cost him a lot of time and energy switching over and getting used to. I would imagine that a lot of people are the same way. The flaws drive them nuts, but they're convinced that the solution is just too complicated and time-consuming to find.

    --
    http://angel.merseine.nu - Stuff for the poet, diva, geek, romantic and angel in all of us.
  22. Impact by maximilln · · Score: 2, Insightful

    I don't think that it's a problem to demonstrate the advantages of security. Everyone knows the advantages of security. The difficulty is demonstrating impact. The vast majority of people, since they don't understand computers, feel that the basic knowledge of how to crack security is enough of a deterrent and lock in and of itself. The general need for additional security measures is perceived to be paranoia.

    Unless there's a widespread and media popularized outbreak of identity theft, or computer hijacking, or people who can't check their e-mail or browse the web, then computer security will continue to be perceived as a topic of paranoia.

    Currently the impact of computer insecurity is considered to be an annoyance. Extrapolated damages of corporate insecurity are given the same regard as the extrapolated damages of trading mp3s. Until authorities take a tough stance on abusive network activities (spam, browser hijacking, unwanted pop-up advertising, unauthorized collection of consumer data) then the general populace will continue to accept a loose attitude towards computer security.

    The fact is that insecurity is profitable as a business. There's no real motivation to protect the consumers so why should the consumers waste effort protecting themselves?

    --
    +++ATHZ 99:5:80
  23. Re: The book is missing "dummies" in the title by swv3752 · · Score: 4, Insightful

    It is more like a car or boat. It needs regular maintenance; while misuse is not lethal yet, it can have legal ramifications; and a certain amount of training is needed to just use them.

    BTW, PCs do meet certain standards, as electrical devices they need to meet certain FCC regs, of course this is not much different than an FM stereo...

    --
    Just a Tuna in the Sea of Life
  24. Network monitoring by flakac · · Score: 3, Insightful

    Chapter Four is about using common tools, like Ethereal, Netstat...

    If you're talking about Joe User, you need to stick to what works under Windows. Last time I checked, Ethereal on win32 platforms only worked on LAN (eth) adapters and not dialup connections. If you've got a cable modem or DSL hooked up via an ethernet adapter, then it's a viable option. I'll agree about netstat, but I really don't think I'd be able to teach a non-technical person how to interpret the output -- even given a book with examples, a non-techie really doesn't stand much chance tracing down what programs have what ports open.

    As far as monitoring open connections on a win32 box, I'd heartily recommend TCPView. It's capable of printing out information on all connections, their states and what processes they're associated with. Very powerful tool, and I can talk my mom through using it over the phone, even sending me the results via email.

  25. Re: Using PC's like appliances by Alwin+Henseler · · Score: 2, Insightful
    The average person treats a PC like a VCR, as an appliance.

    I suppose that is true for, say, 90% (pick your number) of users? You can try to change that, or accept it.

    Changing that means: educating users. For some limited groups that might work, but I'd say experience shows that for Joe average, it doesn't. Average users, for the most part, aren't gonna change their behaviour, they're just gonna keep on browsing random websites, clicking on random e-mail attachments, pop in random disks, and run random binaries.

    Accepting that, means: consider a PC an appliance. Let maintenance be done in ways that are possible to do for a normal user, but might just as well be done by third parties (automatic updates is one way). So a possible solution would be to create OS'es that make a PC behave such that it's safe to run random binaries, pop in random disks, click on random e-mail attachments, without worries about screwing up the system.

    Current PC security ultimately depends on trusting the user, assuming that he/she knows what he's doing. I'd say, experience shows that for those 90% of Joe average, that trust is misplaced. For a user sitting behind a PC, it's just too easy to change essential aspects of the OS. Maybe some other security model would make more sense?

  26. Re:The problem with security books for the home us by chris_mahan · · Score: 2, Insightful

    Tell him you'll not help him with his computers anymore until he uses firefox+Thunderbird.

    Next time his machine crashes and stays down, tell him you don't wanna hear about it.

    It's cold, but if my friend told me his car's engine died because he wouldn't fix the clutch, after I'd told him what would happen if he didn't fix it, then I would just shrug and mutter: "I told you so", and let him buy a new one.

    You know, people don't care about security because it does not cost them enough.

    Charge $300 per hour for computer security repair. If they balk at the price, tell them to go elsewhere.

    --
    "Piter, too, is dead."