Slashdot Mirror
Computer Security for the Home and Small Office
The book covers popular OSs replacements for Windows applications and utilities; it explains vulnerabilities; it offers practical setup information for both Windows and Linux to harden a system and make it extremely difficult to attack.
The Preface describes the book in general terms. The Introduction explains firewalls and their limitations, and explains how to install Mozilla to limit email and http exploits and spam.
Chapter One debunks the malicious-hacker mythology and shows that most so-called hackers are only script kiddies who are easily thwarted with commonsense tactics.
Chapter Two explains malware, spyware, bad system configurations, and the scores of other routes to system exploitation and privacy invasion that firewalls and antivirus software don't address. It includes a step-by-step guide to simplifying and hardening a system. Most importantly, it offers a useful guide to turning off unnecessary services and networking components for both Windows and Linux, and setting sensible user permissions, and is liberally illustrated with screen shots.
Chapter Three offers a good breakdown of social engineering and phishing scams, and how to defend against them.
Chapter Four is about using common tools, like Ethereal, Netstat, PGP, etc. It explains how to monitor an Internet connection to spot software secretly reaching out or phoning home to remote servers; how to monitor your system for signs of malicious processes; and how to use PGP and GnuPG to encrypt sensitive files and Internet correspondence. This is one of the best introductions to using encryption available anywhere.
Chapter Five explains how to eliminate all traces of Web activity from your computer and defeat forensic recovery of stored data; how to surf the Web anonymously using an encrypted connection and defeat remote monitoring; how to set up and use SSH (SecureShell) to conceal both your identity, and the data content of your Internet sessions from all third parties, including your ISP. The many hiding places of sensitive or incriminating data are revealed for both Windows and Linux users.
Chapter Six explains the advantages and disadvantages of migrating from Windows to Linux; why Linux is easier to configure for security, and why it's better suited to less technically-inclined users; how to judge whether Linux is right for you, and the issues you should consider before migrating. The author is clearly biased towards Linux, but he understands that most users will stick with Windows. Hence the emphasis on tools that run on Windows.
Chapter Seven is a catchall essay explaining security from an anecdotal point of view. There were places where it got a bit tedious, but the idea is to look at security as a process or a frame of mind, not a specific series of computer settings. The material in this section is informative in only a general sense. The real configuration information comes in chapters Two, Four, and Five.
There are several indexes with useful information on firewalls, ports, Trojan activity, sources of information, and more. Most of this information is conveniently located and linked at the author's website, BasicSec.org
Overall, the book is exceptionally well written for a tech manual. The author is a good writer and his prose flows nicely. The book is highly readable, and even witty in parts. I found myself laughing aloud on several occasions. The author has the art of The Register's irreverent presentation. I enjoyed reading it. But it is not perfect, so I give it a 9 out of 10.
My biggest criticism is that the book shifts back and forth from practice to theory and back again. It's good that readers learn the reasons for the (very sensible) procedures and settings listed; but I felt that the book was organized wrong. This is a minor issue, and the book remains exceptionally useful; but instead of interlacing the various parts, theory and practice might better have been separated in two distinct sections. It's difficult simply to flip to a section of this book and learn what needs to be done: there is a lot of theoretical talk between each practical item. It's very good talk, and very instructive talk, all right, but I would have preferred that it be located in a particular place. I would rather not have to read the entire book through in order to tweak my system for good security. Unfortunately, the author has structured the book so that a read-through is necessary.
Overall, this book will tell professionals what they need to do, and novices everything that professionals ought to know, but probably don't. It's in plain English, so no one should worry that they can't grasp it. You can make your computer, or your network, very hard to attack, whether you use Windows or Linux. This book will show you how in excellent detail. You've got to read the whole thing, unfortunately -- but it will work nicely for you, casual user and sysadmin alike.
You can purchase Computer Security for the Home and Small Office from bn.com. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page.
The banner urging you to install the latest Internet optimizer or a totally free peer-to-peer app is so much more convincing.
Really, I'd LOVE to be able to point one of my tech support callers to a free online version of this book. It would be very helpful because I wouldn't have to explain to them why Firefox is better than Internet Explorer, and then have them think I'm just paranoid when I tell them all the ways spyware can get in their system.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Exactly.Too many people lack common sense.The only people with common sense (like us) go online to get info for free.
Chapter Four is about using common tools, like Ethereal, Netstat, PGP, etc. It explains how to monitor an Internet connection to spot software secretly reaching out or phoning home to remote servers; how to monitor your system for signs of malicious processes; and how to use PGP and GnuPG to encrypt sensitive files and Internet correspondence. This is one of the best introductions to using encryption available anywhere.
(And so on.) It looks to me as if the book has failed completely as a guide for the average home or small office user. Your mom is the average user. Your mom plays Pogo all evening and clicks on every mail she receives. You need to explain security to her in such a way that it can fit on both sides of an index card. GnuPG? I think not.
www.kitchengeek.com -- Nosh for
Just because the book contains more advanced topics doesn't mean it can't be aimed at the casual user. To me it seems that the book is aimed at the casual but interested user. Someone who's not the least interested in security will not pick this up no matter how basic it is. As Joe Sixpack starts reading this book he will learn more and more and by the time he comes to chapter 5 he will hardly be Joe Sixpack anymore.
There are no secrets on library shelves, either, but if the populace never signs out a book and actually reads it, or if they try to read it and can't understand the language, what good does that do them? OSS isn't inherently secure. It has the opportunity to be peer-reviewed and pronounced "secure" by the peer reviewers. And even they can be wrong, if they're not clever enough to spot a hole.
You see? You see? Your stupid minds! Stupid! Stupid!
No, they don't. They just don't (and/or don't want to) understand all the inner workings of technology they use every day. That's true for computers, cars, kitchen appliances, VCR's, whatever.
So in terms of computer security, an average user behaves like a dummie. The book should have been named "Computer security for Dummies" or something like that, to appeal more to the target audience. Isn't this "... for dummies" series of books very popular anyway?
CERT.org's tips for home network security. It's very basic but might help.
They also offer The Home Computer Security guide, which seems to parallel Mr. Greene's book in some key areas. This page includes a link to a pdf which goes into detail on the examples (encryption, firewall, anti-virus, patches, ACLs).
Point your tech support callers to these free docs - or others easily available via your favorite search engine - if the idea of a commercial book bothers you that much. Not everything has to be open source. Alternatively, why don't you write the open source manual that you need? Isn't that the idea behind F/OSS?
I want to drag this out as long as possible. Bring me my protractor.
In my opinion, the real problem is that computers aren't MADE for the average user. An average user should not have to worry about firewalls, security exploits and the like, just like an average driver does not have to worry that his engine or breaks might malfunction.
Nope I'm sorry but the original poster is right. The users I deal with day in and day out want NOTHING to do with security.
We have tried to explain both nicely and in the "Just do this and shut up" way.
No matter how we try and tell them they do not care.
"Thats not my job"
I have dealt with a very wide range of users and for the most part it has nothing to do with the sysadmins presentation more the users lack of knowledge.
A badly programmed VCR won't do anything other than tape over something or tape the wrong thing. A microvave (for the most part) is point-and-cook. A computer is far-too multi-purpose and essential to be treated like a run-of-the mill appliance.
I'm not saying all casual users need to get certifications, but having a higher expectation of responsibility wouldn't hurt.
BUT, on the flipside, soft- and hardware makers need to be held to higher standards. Cars have to meet government standards, as do medical devices. PCs need to, also!
GTRacer
- Who do you want to DDoS Today?
Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
It is more like a car or boat. It needs regular maintance; while misuse is not lethal yet, it can have legal ramifications; and a certain amount of training is needed to just use them.
BTW, PCs do meet certain standards, as electrical devices they need to meet certain FCC regs, of course this is not much different than an FM stereo...
Just a Tuna in the Sea of Life
Chapter Four is about using common tools, like Ethereal, Netstat...
If you're talking about Joe User, you need to stick to what works under Windows. Last time I checked, Ethereal on win32 platforms only worked on LAN (eth) adapters and not dialup connections. If you've got a cable modem or DSL hooked up via an ethernet adapter, then it's a viable option. I'll agree about netstat, but I really don't think I'd be able to teach my a non-technical person how to interperet the output -- even given a book with examples, a non-techie really doesn't stand much chance tracing down what programs have what ports open.
As far as monitoring open connections on a win32 box, I'd heartily recommend TCPView. It's capable of printing out information on all connections, their states and what processes they're associated with. Very powerful tool, and I can talk my mom through using it over the phone, even sending my the results via email.