How Are You Protecting Your Computers?
b0m8ad1l asks: "I'm wondering what AV, software/hardware firewalls Slashdot readers are using these days. I remember another Ask Slashdot a long time ago, but I'm curious as to how everyone is keeping up with the times. I'm using Kaspersky AV, Sygate Personal Firewall Pro, behind a Netgear RP114 router."
The slashdot editors would have all the information they'd need to hack me...
D-Link DI-604 router, Zone Alarm personal, Norton AV 2K2. When I install XP, I disconnect the computer from the network, install XP, and SP1, Zone Alarm, Norton AV, then reconnect to network and patch up.
OpenBSD/pf.
If you add complexity to deal with complexity you are introducing additional vectors for even more security problems. (One example: trusting that a virus detector is working because it says 'everything is fine'...only to find out later that the last virus through disabled the virus detector so it would always report 'everything is fine'.)
A firewall cannot protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
AVG AntiVirus. (Free)
Windows Firewall (XP Pro). (~Free)
Aerielink (Soyo) router. (~$60, incl. USB-WiFi used by other computer)
Before the router I ran Tiny Personal Firewall (now Kerio PF), and loved it (free and better than Zonealarm or BlackICE, for my needs). Also had Norton AV for a while, but it was just 'eh', and isn't free.
Yes, it's a bit of damn overkill for a home setup, but you can never be too safe. :)
-cable modem->linux 2.4 kernel router running iptables
-norton antivirus corporate edition
-Microsoft Software Update Services for the Windows boxes
-iptables for the Linux boxes
-ntop and snort for traffic monitoring
-I have a WRT54G that I don't use for routing anymore, just as a bridge. Anything that I use over wireless is done over ssh. Host connection, bank account checking, email, vpn to work, etc.
-various other utilities to monitor tcp/ip traffic
-good old fashioned obsessive tailing of logfiles along with vgrep
Software firewalls do a good job of monitoring outgoing connections, especially when it comes to setting permissions on what programs can access the internet.
Hardware firewalls are slightly more cumbersome when trying to set this up, as most only allow you to filter outgoing connections by ports.
I have a 5 port d-link router set up as a NAT, the cheapest I could find. After purchase I set the password and upgraded the firmware. That's the extent of my firewalling.
Most of my email and browsing is done in Mozilla. Never got infected through Internet Explorer or Outlook Express though. I have a Linux PC and a Windows XP PC running side by side. I don't use antivirus software and I don't get viruses or spyware.
I don't have a chance to dig up links for these, but diagnostic tools are a must if you really want to lock stuff down. First, generate and read logfiles whenever possible. Check things out with nmap, tcpdump, ActivePorts, Look@Lan, Kiwi syslog Daemon, Portlistener XP, Bazooka Spyware Utility, Spybot Search and Destroy, Socketlock ... the list goes on. Generally try any tool you can and you'll get a feel for what is actually to your tastes and useful.
Hmmm... I don't know about this. You either want to run scripts or not. You either want to use plug-ins and accept cookies or you don't. Any browser that's configured to do those things will be somewhat insecure. You probably make yourself less of a target by using relatively eccentric browsers, but, if subjected to the same scrutiny as the more popular ones, are they any more secure? The real question is where does the lack of functionality outweigh the lack of security/privacy? Do we all go back to Lynx?
It's amusing that people focus on the latest-and-greatest security software, which IMO is more counterproductive than it is productive.
You get a whiz-bang anti-virus/firewall system set up and what does it do? Give you a false sense of security so you can feel more confident about engaging in irresponsible computer use. The problem is almost every piece of security software out there has at one point or another been vulnerable, so you're flirting with disaster.
I think no matter how many advances we have in this area, the basic rules of security will always apply:
1. Limit Accessibility.
99% of security issues are inside jobs. Limit physical access to your resources. Don't put any sensitive data on a machine that anyone else has access to that you don't want public. Use encryption, multi-wipe free space and turn off your machine when you're not using it.
Some people don't want to hear this but it needs to be said: DON'T USE WIRELESS if you're worried about security. No matter what precautions you're taking, by going Wireless you dramatically lower the integrity of your personal security PERIOD. It's one thing to use wireless on the road, but you should limit the sensitive information on your laptop in the first place because it's mobile, but it's really just plain lazy and irresponsible to run wireless in a permanent installation like your home if there is any practical way to avoid doing so.
I can't stress this enough: *unconditionally* WIRELESS IS MUCH LESS SECURE. It doesn't matter what protocol/encryption you're using, by going wireless you introduce additional ways your system/data can be accessed.
Remember the first commandment: True security is more dependent upon reducing access points than it is implementing protection of access points.
2. Disable ALL non-critical services. Don't run anything except what you need on your PC. Close all unused ports; remove all services and extra features and plug-ins that aren't needed. The fewer systems, the fewer points of vulnerability.
3. Keep all software fully-patched and up to date.
4. If possible, never use the "industry standard" software if it's not the most secure solution available. Dump IE and Outlook and switch to Firefox and Eudora.
5. TEXT ONLY E-MAIL... This, after #1, is IMO the biggest threat of them all. The added superficial benefit of html-email is not worth the security liabilities that come along with it. If you want to use html e-mail, I'd recommend a second, sandboxed account for that.
6. Never put a machine on public-addressable IP space unless it's a public server. Use a DSL/cable switch and put your systems on a VPN on the other side of a hardware firewall that filters out all non-essential traffic.
7. After you've taken care of 1-6, then and only then should you consider anti-virus/spyware and related software to be a useful addition.
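Rule 2 above ("close all unused ports") is only checkable if you can actually list what is listening. The script below is an added example, not from the post: it parses the Linux /proc/net/tcp socket table (a constructed sample is embedded so it runs anywhere) and flags every listening socket that is not on an allow-list of services you meant to run.

```python
"""Audit listening TCP sockets against an allow-list (added example).

/proc/net/tcp stores each IPv4 address as a 32-bit value in host byte
order, so on little-endian machines the octets appear reversed, and the
'st' column is 0A for a socket in LISTEN state.
"""
from __future__ import annotations
import socket
import struct

LISTEN = "0A"           # kernel state code for a listening socket
ALLOWED_PORTS = {22}    # assumption: only ssh is supposed to be offered

# Constructed sample of /proc/net/tcp: sshd on all interfaces, cupsd on
# loopback, something on 8080, and one established (non-listening) flow.
SAMPLE_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11003 1 0000000000000000 100 0 0 10 0
   3: 0F00000A:B8A2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 11004 1 0000000000000000 100 0 0 10 0
"""

def decode_addr(hex_addr: str) -> tuple[str, int]:
    """Turn '0100007F:0016' into ('127.0.0.1', 22) (little-endian host assumed)."""
    ip_hex, port_hex = hex_addr.split(":")
    packed = struct.pack("<I", int(ip_hex, 16))
    return socket.inet_ntoa(packed), int(port_hex, 16)

def listening_sockets(table: str) -> list[tuple[str, int]]:
    """Return (ip, port) for every LISTEN entry in a /proc/net/tcp dump."""
    found = []
    for line in table.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) > 3 and fields[3] == LISTEN:
            found.append(decode_addr(fields[1]))
    return found

def unexpected_listeners(table: str, allowed_ports: set[int]) -> list[tuple[str, int, bool]]:
    """Listeners not on the allow-list, as (ip, port, reachable_from_network).

    A socket bound to 127.0.0.1 is still reported (it is a running service),
    but marked reachable=False because it cannot be hit from the LAN.
    """
    report = []
    for ip, port in listening_sockets(table):
        if port in allowed_ports:
            continue
        report.append((ip, port, not ip.startswith("127.")))
    return report

if __name__ == "__main__":
    try:                                   # real table when run on Linux
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:                        # otherwise use the constructed sample
        table = SAMPLE_TABLE
    for ip, port, reachable in unexpected_listeners(table, ALLOWED_PORTS):
        print(f"{ip}:{port} listening, not allowed, reachable from network: {reachable}")
```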
Well, you could go so far as to say (correctly) that by inviting any data into your computer, you're less secure. Even by plugging in a network cable and letting it sit there you're less secure.
"Scripts or not" doesn't help when something like the recent GDI debacle occurs.
The trick is in finding a balance that keeps you safe enough from attack but open enough to do what you want to do.
So far, considering how fast they put out updates and how many exploits the leading browser has, I think Firefox does a pretty good job of this.
Everyone does it, and just because one person has to install a firewall and another person has to hunt down drivers doesn't make either person superior to the other. Yeah I know, this is slashdot, where "Windows sux and Linux rulez", but if we're going to be asking serious questions we might as well be giving serious answers.
Myself, I use KPF and AVG, with AdAware on the side. Fortunately, these three programs don't have much to do, thanks to Firefox and my cheap yet trusty DI-604 router. I'm actually going to be putting together a box for my parents this weekend too, so I've been busy loading up my USB flash drive with some of the aforementioned programs, and other first boot goodies. And if I'm lucky, my parents will turn over custody of their old computer (an aging P3-500) to me, which I hope to turn into my very first Linux box to muck around on. Then I'll get to experience the numerous pains-in-the-ass of both worlds! Should be fun.
I completely covered my PC with it. There's no airflow, but at least it's safe. I also sprinkled some holy water on it for good measure. Those Nazis will never get to my PC now.
"I don't know what you mean by "suddenly disappear" (it certainly wasn't in reference to anything I stated in my post)."
I apologize if I have misinterpreted your meaning, but your post does read that way.
"If you run Linux (or OS X, which you left out in your reply), your odds of being cracked/spywared drop low enough that it's not really worth fretting over--even if you don't turn on the built-in firewalls (which are infinitely superior to the Windows built-in firewall)."
I left out OSX only because he cannot install OSX on a Windows machine.
As for the odds being low, that doesn't really help, does it? You still have to regularly install updates to Linux and the apps you run on top of it, Mozilla for example. I found this out myself. Buying all of Slashdot's hype that Linux is secure, I built a Linux webserver for my company. 2 weeks later it was rooted. Our newly hired Linux expert had to rebuild it 'securely'. Thankfully for them, they had him on hand to clean up the mess caused by my incompetence.
"So while you may be playing the pedant card and using language that is "technically correct", you have added more confusion than clarification to the issue. I hope you don't mean that Windows, Linux, and Mac OS X are all equally crackable. If you aren't careful, you can end up with a cracked XP system during the install process, what a joke!"
My only real point is that you have to be vigilant either way. It's a question of whether or not it's 'worth the fuss'. Interestingly enough, Windows' highly publicized insecurity has led to some interesting developments such as auto-updating virus protection and Windows Update itself. If Linux doesn't have these, it needs them, especially when it reaches enough users for worms etc to really be an issue.
I'll put it another way: I'm a Windows user. I have several machines I have to take care of. I don't have problems with exploits, trojans or spyware. Once in a great while something will come along. I take care of it, bfd. I spent more time building the ill-fated Linux/Apache server than I have in a year of maintaining exploit-related Windows problems.
I bought a Macintosh ^_^
.. which also doubles as my Squid proxy/cache and DNS machine ..
Gotta say, I love the bootCD firewall solutions. Pretty darn hard to beat
I apologize if I have misinterpreted your meaning, but your post does read that way.
No problem. If you re-read my original post you'll see it's more of how you read it than how I said it (I imagine you read it through slashdot-colored glasses, as it were).
I left out OSX only because he cannot install OSX on a Windows machine.
But presumably it is an option available to him. Cost is an issue he'll have to weigh for himself if he deems it worthwhile. I was just offering two options that work for me.
Buying all of Slashdot's hype that Linux is secure, I built a Linux webserver for my company. 2 weeks later it was rooted.
The guy doesn't sound like he's interested in running a web server. There are plenty of ways to make an apache install insecure. Again, to make a fair comparison, it's easier to crack IIS than it is Apache. That you got 0wn3d doesn't detract from my point. I never said Linux was uncrackable, I said it's more secure (by a large margin).
My only real point is that you have to be vigilant either way.
This is the "what do you mean by that" realm. 'Vigilant' is a term that is subjective. Under Debian, 'vigilant' means running apt/aptitude/dselect (whichever is your choice) and telling it to update your system. Under Mac OS X, 'vigilant' means clicking "install" when Software Update pops up. Under Windows, 'vigilant' is far more involved.
Subjectively you can say both require 'vigilance', but they are not equal. You are repeating the confusion of a Windows apologist. When a Linux advocate (yeah, sometimes they are rabid too) claims that Windows is less secure, the Windows apologist will say Linux has security holes too. But when you look closely, you'll see a world of difference. Both a glass of water and a handful of rattlesnakes can kill you, but one is far safer than the other.
It's far easier to crack a Windows computer than a Linux computer by a wide margin.
It's a question of whether or not it's 'worth the fuss'.
Which is what I said in my original post.
I'll put it another way: I'm a Windows user. I have several machines I have to take care of. I don't have problems with exploits trojans or spyware. Once in a great while something will come along. I take care of it, bfd. I spent more time building the ill-fated Linux/Apache server than I have in a year of maintaining exploit-related Windows problems.
Then Linux isn't for you. I never said it was for everyone. I suggested he consider it (maybe he has, maybe he hasn't, I have no way to know, but both Linux and Mac OS X are viable alternatives and worth considering).
Many questions:
Why did you choose TightVNC? Why not RealVNC, UltraVNC, or TridiaVNC?
Is it better to pay for VNC software, like Tridia VNC Pro or Radmin? Which software has video resolution scaling of the remote desktop?
What security is best? Is it good to use a VPN for secure access, or is SSH better? What Windows SSH server do you use?
What VPN hardware is best? We bought a NetGear FVS318 hardware firewall/router/VPN for a customer, and discovered that the remote administration password is openly transmitted. We found that logging out in the remote administration menu didn't always actually log out. We found Javascript errors. With the 2.4 firmware, more than one client can be logged in at the same time. That situation, two clients at the same time, would give an error message with the 2.3 firmware, so things seem to be going backward in some ways, in firmware that is already shaky. Our experience with Netgear technical support is that it is very limited. On the telephone we got someone in Tamil Nadu, India, who was allowed to practice for a short time with Netgear equipment, but who doesn't any longer have access to actual equipment. The online tech support just gave error messages. Not only that, but Fry's and Netgear arranged a rebate trick. They have a very long rebate receipt, and ask you to enter your address both at the top and at the bottom. If you don't enter it at the bottom, they deny your rebate.
Install IPX/SPX or NetBEUI on both machines. Keep TCP/IP on the non-sensitive machine, but have no TCP/IP stack installed on the sensitive machine, and use IPX/SPX or NetBEUI for networking betwixt them.
For added obscurity points, you could use something like Banyan Vines or LANtastic.
While no OS is good enough to ignore security issues on, OpenBSD comes damn close. You couple it with a good firewall policy and the chance of someone getting inside the default install is virtually nil.
-- Agnitum.com's "Outpost" firewall, with all kinds of free plug-ins which let me control -- on a PER-DOMAIN basis -- things like scripts, activeX, java, referrers, etc. Also controls those things separately for http vs mail vs news. :o
Tried it on trial, liked it so much I paid for it.
-- McAfee VirusScan, because I got it free (corporate) and it seems to work ok.
-- on another system, english.mks.com.pl "mks_vir", which has recently been favorably reviewed for its dynamic adaptability to not-yet-signatured new threats.
-- SpyBot, AdAware
Check out what I've got on my flash drive: http://exocet.ca/phpwiki/BradsTools
It's not a lot of drivers and such. More oriented to useful utils that can come in handy in a pinch. It's stuff that I tend to use fairly frequently and don't like to be without.
I have a Linksys wireless switch behind my cable modem. My main Linux server is set up as a DMZ host. This server was built via Gentoo and the only services running that are exposed are ssh and Apache2.
I've not had an issue in the 2 years I've had this setup. I don't have problems with email worms and such because, well, all my machines run Linux.
I've got a similar setup for my parents and they've had minimal problems running all Windows. They've had some spyware issues lately because of some bad downloading but what can you do.
[Note that I make no judgement on whether STO is necessarily a good thing or a bad thing].
Cryptography is obfuscation
Yes, but "security through obscurity" is a technical term of art. It's either ignorant or disingenuous to use English-language definitions to define a technical term when that term is clearly used in context. Yes, the private key in an RSA implementation must be "obscure" in the English sense for the system to be at all secure.
But, as wikipedia puts it (you can read more there):
"In cryptography, the reverse of security by obscurity is Kerckhoffs' principle from the late 1880s, which states that system designers should assume that the entire design of a security system is known to all attackers, with the exception of the cryptographic key"
This is supported by how this term is used in practice by experts in the field.
The key principle of systems described by "security through obscurity" is that the _design_ of the system (algorithms, etc) is hidden.
The key to non-security-by-obscurity systems is that the design of the system is public so that it can be publicly audited and the assertion that "it's secure when used with any key that satisfies condition X" is well-vetted (X is usually: "product of 2 large primes", in some algorithms it may be "never reused" or "not a weak key" for some rigorous definition of weak key, in some algorithms other ). It's also usually key that there is a good objective test for condition X, such that implementors have a high degree of confidence that not only is their crypto implementation basically sound but that the keys they implement are believed to be secure as well.
More generally, in non-keyed systems it's not considered reliant on "security through obscurity" if the system architecture as a whole is well-vetted and the conditions that are prerequisites to security are documented and objectively testable via some well-vetted method.
Of course, you probably already knew that and were trying to change the accepted definition by arguing against the OP based on an idiosyncratic (within the context) definition.
(Of course, whether or not a system relies on security through obscurity is kind of a spectrum; very few systems are completely non-STO and very few are completely STO.)
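The post above argues that a non-obscurity design publishes both the algorithm and an objective test for the key condition ("product of 2 large primes", e coprime to the group order). The script below is an added example, not part of the post: it implements that public test for a toy RSA key, using a Miller-Rabin primality check, and reports which documented conditions a candidate key violates. The minimum factor size and the specific conditions checked are this example's own choices; real deployments use far larger keys and additional checks.

```python
"""Objective test for an RSA key condition (added example).

Kerckhoffs' principle: everything here is public; only p, q and d are
secret. Secrecy is worthless unless the key meets the published conditions.
"""
from __future__ import annotations
import math
import random

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test (fixed seed for determinism)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:               # write n-1 as d * 2**s with d odd
        d //= 2
        s += 1
    rng = random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # a is a witness that n is composite
    return True

def check_rsa_key(p: int, q: int, e: int, min_bits: int = 16) -> list[str]:
    """Return the documented conditions that key (p, q, e) violates; [] if none.

    min_bits=16 is a toy value for this example only.
    """
    problems = []
    if not (is_probable_prime(p) and is_probable_prime(q)):
        problems.append("p and q must both be prime")
    if p == q:
        problems.append("p and q must be distinct")
    if p.bit_length() < min_bits or q.bit_length() < min_bits:
        problems.append(f"each factor must have at least {min_bits} bits")
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        problems.append("e must be coprime to (p-1)(q-1) or no private exponent exists")
    return problems

def rsa_roundtrip(p: int, q: int, e: int, message: int) -> bool:
    """Encrypt then decrypt; only meaningful once check_rsa_key reports []."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)             # modular inverse (Python 3.8+)
    return pow(pow(message, e, n), d, n) == message

if __name__ == "__main__":
    # Constructed toy keys: 65537 and 65521 are prime; 65538 is not.
    for key in [(65537, 65521, 65537), (65537, 65537, 65537), (65537, 65521, 3), (65537, 65538, 65537)]:
        print(key, check_rsa_key(*key) or "ok")
```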
That was a very clear, well written and reasoned refutation, and you are substantially correct. In fact, IMHO it is the first post in this thread to be worthy of positive karma!
I will admit that I have taken "security by obscurity" to its logical literal extreme here, which is indeed an idiosyncrasy of mine. It's not that I'm particularly trolling - It was originally because someone disagreed with my assertion that RSA was not secure in an absolute sense, which I (still) believe is utter tripe.
In fact it's mostly that I won't back down from an argument just because someone tells me I'm wrong unless someone responds to what I have written, and not to what they think they have read. I am, however, happy to injure their prejudices with the cognitive dissonance of unusual usage to get my point across...and while I may be being disingenuous I am only returning the favour.
I don't mean to confuse people by this method, but if it does, I believe it's because they're reacting, instead of thinking. I strongly dislike the automatic use of pejorative Terms Of Art such as "security by obscurity" because they promote Lazy Thinking; i.e. "That is bad" rather than "That is bad in this case because..."
However you have responded reasonably, and so I admit defeat.
For the benefit of others: I still maintain transmitting data in a physically secure medium is still inherently better than broadcasting it.
Anyway comparing broadcasting RSA encrypted packets and clear packets down a wire is comparing apples to oranges.