Just How Paranoid Are You?
An anonymous reader writes "We all understand the need for security in a corporate environment. Personal computers, however, typically don't have nearly the amount of sensitive information (or it's at least less damaging if found). How far do you go to protect your computer? I recently went overboard on securing my information (at least as secure as Windows XP can be). I have a hardware firewall (GTA GB500), 30 character password, and all remotely personal information stored on a 256bit AES encrypted volume. How far do you go to protect your information against 'Big Brother' or even your family/friends?"
The most critical item any computer security professional will tell you to take care of: Physical access. If you have a concern, this is your first line of defense and in fact, most top secret installations have considerable resources dedicated to physical access. Next down the line in terms of security risk will be issues related to physical access that again most top secret installations have resolved by disallowing any removable media in or around secured systems. After that comes any issues of network security because your greatest security risk is internal access.
You should not be carrying any sensitive work-related items or data home, but if you have personal stuff (or a home business with IT critical information) you wish to secure, short of establishing a computer "vault" with limited access in your home (actually had one once for a project I was working on), you need to start with a secure OS. This does not mean Windows, unless you can afford a "hardened" version and are skilled at management. In fact, I would say from your question that all of the things you are already doing are the absolute minimum if you are using Windows. If you are truly this paranoid and keep sensitive info on your personal computer, and you obviously have a connection to the Internet, it should also mean physically removing the Internet connection from your computer at times when you do not need it. Multi-casting OS capable machines like certain flavors of *NIX are helpful here, so you don't have to deal with the Windows network wizard every time you connect back up (if you use certain settings for your network). Wireless should be a no-no as well. If you are really (read pathologically or are doing something quite illegal) paranoid, you could also build a Faraday cage around your room and charge it to reduce risk of TEMPEST-related probes, but again if this is a concern, someone simply breaking in (again access) is often easier and cheaper.
When you are actually connected to the Internet, a hardware firewall is an absolute necessity. Network address translation will help limit some attacks. And aside from all the other things you are doing (strong passwords, encryption etc.), I would strongly urge you to constantly pay attention to your logs. Your most important data will be gleaned from the logs in terms of who is attacking, their strategies for attacking, when and where.
Visit Jonesblog and say hello.
Like I'm going to discuss that here on Slashdot! You know who might be reading.
I have OpenBSD on my firewall and main work machine. Encrypted partitions too. GPG everything. My Windows 2000 game machine is locked tight and on a DMZ without IE being used. My monitor is wrapped in tinfoil, naturally, with a small cutout just large enough to have a 640x480 window viewable. I wrapped my mouse in tinfoil but that made it hard to use so I cut a hole in the bottom which allowed the light to hit the desk surface. Problem there was the desk was wrapped in tinfoil, too. So I made my own mousepad because I don't trust the ones made by The Man. It's made from a dead rabbit I found on the street. I flattened it out and dehydrated it. When I need a random number I pinch some fur and pull. However many strands of fur I get in that pull is the random number I use. Of course I need a new mousepad every few weeks as I never reuse the same tuft of fur twice. Never trust the PRNG in any OS, even OpenBSD. Theo is watching. Speaking of that, the other day I was installing OpenBSD 3.6 on a new machine and then I realized... CDs are a form of RFID tag. The unique bit patterns on them can be detected from space. So I wrap my CDs in tinfoil when not in use. Speaking of tinfoil, I find it best to buy the cheapest stuff from dollar stores. They don't usually use the UPC barcoding at those places. Just "$1.. $1.. $1..". Barcode readers don't use OpenBSD but I think Theo is trying to get in there. Speaking of barcodes, the other day I pulled a package of gum from my pocket and the person I was with said "Ohh... Spearmint!" I ran away. He obviously has a remote UPC scanner and knew that I had spearmint gum. He says the wrapper was in plain sight but I think that's just an excuse.
Trolling is a art,
After all, doesn't everyone have my best interests at heart? Why, just the other day, a nice Nigerian man sent me an e-mail about a wonderful offer, and I don't even know him!
Hellooooo, Mr. Government Man!
Don't be a looter...and yes, I know that it's spelled with an "A" instead of an "E".
I lock the door to my house when I leave home
did you forget to take your meds?
Is there any point in trying to protect against BIG Brother really? I mean, if they WANT to get in, they could just storm your house and take away your PC. If they want, they could silence you too. So why go so over the top?
Another idea is to make sure any sensitive information doesn't have any means of escape; hell, build a machine with no network, and no floppy drive or CD writer. Take out the USB slots too, then maybe a passerby won't be able to access it.
30-char password? What's the point? I mean you can still brute force it, and even without doing this, there are still methods such as removing the hdd drive, mounting it under another computer, and 99% of the time you've got instant access to everything.
People need to learn, sensitive data is only protected in ONE place, inside our minds.
Keep it there and no one can snoop it.
- http://www.milkme.co.uk
I run only knoppix Live CD, and I incinerate my RAM after I am done just to be sure there's nothing left on that RamDisk. Kingston loves me now!
Thanks for letting us know you have a 30 character password. That'll be much easier to crack than having to deal with 1 - 29 and 31 - infinity length password.
-- There is no sig line, only Zuul.
Security against 'Big Brother' is a myth, especially given that it is very easy for authorities all over the world to label someone a "terrorist", or a "person of interest", and lock him/her up for years without any oversight.
I keep a bunch of nerds surrounding my house for security. I feed them doritos and keep them motivated by issuing fake Duke Nukem Forever press releases. When I see them becoming too docile, I toss Windows Magazine at them to get them all riled up.
I always save my last mod point to mod up a good troll. You people are too serious.
Who wants to know?
The only things I really consider private on my computer are financial information. Receipts, credit card numbers etc. So yes I do go to some trouble protecting that, but for the most part I couldn't care less if my information was read illegally. There's just nothing of consequence there.
If someone actually compromised and trashed my PC on the other hand, I'd lose time in rebuilding it. However, I do back up my information regularly, so that's no issue either except being annoyed at the loss of time. (If someone made subtle changes to the information I'd still have older backups, so it would be painful but not unrecoverable).
If you truly need a private information store, it may be worth buying a PC that isn't net connected and that is physically secured. For the average person unless you're doing something illegal or have sensitive work material at home (arguably not a good idea anyway), why would you need a super-unbreakable encrypted PC?
These posts express my own personal views, not those of my employer
Actually the above post illustrates a problem: giving highly technical advice to the masses. The above post is informative, but I don't think it addresses the correct audience. What do you do for a family that does not include a security professional in the household? "Don't let your children's friends have unlimited access to the computer" might be more appropriate.
Never thought of effecting security by relocating my home server to the no-man's-land in the middle of the Korean peninsula. I think you may be on to something. No one would ever think to check there!
Don't blame Durga. I voted for Centauri.
Physical access is a concern. But I work from home and have my servers here (my business is currently home-based). So simple things like locking doors etc.
The first question is how you identify what threats you are protecting yourself from. My list includes viruses, script kiddiez, and the occasional person who has moderate resources and wants to break into my network. I am not too worried about tempest probes because it would take a lot of time to get enough information off my systems this way to be of use, but I am more concerned about vandalism and damage.
So here are my mechanisms:
1) Keep door locked when not at home.
2) Hardware firewall on old Acer Advantage. Kernel does not support loadable kernel modules (which makes it a pain to change a network card, as the kernel must be recompiled). Firewall runs IPTables and logs most denied traffic.
3) Daily and monthly reports of firewall activity are sent to my inbox via cron and FWReport. FWReport leans towards false-positives, but it gives you an idea of what "may" be happening.
4) Remote access requires SSH and public key authentication. Remote access is not possible via password.
5) Email servers run Qmail.
6) Most servers are jailed.
7) Most logs are set to "append only"
8) Servers run minimal configurations with a minimum of extensions. For example, Apache does not run any modules not currently required.
9) Windows is not generally allowed on the network.
LedgerSMB: Open source Accounting/ERP
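The firewall logging and daily report described in items 2 and 3 of the comment above can be illustrated with a small log summarizer. This is an added example, not part of the original comment and not FWReport's code; it assumes the deny rule logs with a hypothetical `--log-prefix "FW-DENY: "`, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the kernel's iptables LOG format; the "FW-DENY: "
# prefix is an assumed --log-prefix, and all addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 12 03:14:07 fw kernel: FW-DENY: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=22 SYN
Jan 12 03:14:08 fw kernel: FW-DENY: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51235 DPT=23 SYN
Jan 12 03:14:09 fw kernel: FW-DENY: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51236 DPT=25 SYN
Jan 12 04:02:51 fw kernel: FW-DENY: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=78 TTL=110 PROTO=UDP SPT=1026 DPT=137
Jan 12 04:02:53 fw kernel: FW-DENY: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=78 TTL=110 PROTO=UDP SPT=1026 DPT=137
Jan 12 05:30:00 fw sshd[411]: Accepted publickey for admin from 192.0.2.50 port 40022 ssh2
Jan 12 06:11:19 fw kernel: FW-DENY: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=84 TTL=52 PROTO=ICMP TYPE=8 CODE=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; value may be empty (OUT=)

def parse_denied(line, prefix="FW-DENY: "):
    """Return the KEY=value fields of one denied-packet line, or None."""
    if prefix not in line:
        return None  # not a firewall denial (e.g. an sshd entry)
    fields = dict(FIELD.findall(line.split(prefix, 1)[1]))
    if "SRC" not in fields or "PROTO" not in fields:
        return None  # truncated or malformed entry
    return fields

def summarize(log_text, scan_threshold=3):
    """Count denials per source and per service; flag multi-port probers."""
    by_source = Counter()
    by_service = Counter()
    ports_seen = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_denied(line)
        if f is None:
            continue
        by_source[f["SRC"]] += 1
        # ICMP carries no DPT field, so it is reported by protocol only.
        service = f["PROTO"] + ("/" + f["DPT"] if "DPT" in f else "")
        by_service[service] += 1
        if "DPT" in f:
            ports_seen[f["SRC"]].add((f["PROTO"], f["DPT"]))
    scanners = sorted(s for s, p in ports_seen.items() if len(p) >= scan_threshold)
    return {"by_source": by_source, "by_service": by_service, "scanners": scanners}

def render(report):
    """Format the summary as the plain-text body of a daily mail."""
    lines = ["Denied packets by source:"]
    lines += [f"  {src:<16} {n}" for src, n in report["by_source"].most_common()]
    lines.append("Denied packets by service:")
    lines += [f"  {svc:<16} {n}" for svc, n in report["by_service"].most_common()]
    lines.append("Sources probing several ports: "
                 + (", ".join(report["scanners"]) or "none"))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(summarize(SAMPLE_LOG)))
```

Like any threshold heuristic, the multi-port flag leans towards false positives, so treat it as a prompt to read the underlying lines rather than as a verdict.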
I pile my old computer hardware into a wall around the house, and from time to time pour gasoline and light it on fire. A hardware firewall. The neighbors don't appreciate it, but it gives me a lot of security.
Turns out bad sex is better than no sex. I'll have to be more grateful for what I get with the next girlfriend.
Paranoia Quotes
... ?
I was walking home one night and a guy hammering on a roof called me a paranoid little weirdo. In morse code. -Emo Phillips
No matter how paranoid I get, it's never enough to keep up.
The question is not whether I'm paranoid, it's whether I'm paranoid enough.
The truly paranoid are rarely conned.
Doesn't matter if I'm paranoid - they're still after me.
I sincerely believe people talk about me. Mine would be a pretty meaningless existence if they didn't.
Why are some people terrified of "black helicopters" and don't even notice that they are being monitored almost constantly by the whole network of obvious surveillance cameras, credit cards, ATMs, EZpass, company ID/access cards, magazine subscriptions, SSNs, taxes, fees, video rentals, Internet firewall recording, 'cookies',
Paranoia: the belief that someone cares.
Paranoia is the belief in a hidden order behind the visible.
When everyone is out to get you, paranoia is only good thinking.
"Paranoia is knowing all the facts." - Woody Allen
"Paranoia is just another word for longevity." - Laurell K. Hamilton, The Laughing Corpse
"Perfect paranoia is perfect awareness."
"Paranoia is reality seen on a finer scale." - Philo Gant, Strange Days
"The issue is not whether you are paranoid, the issue is whether you are paranoid enough." - Max, Strange Days
"Why are you so paranoid, Mulder?"
"Oh, I don't know. Maybe it's because I find it hard to trust anybody." - Scully & Mulder, The X-Files, "Ascension"
Paranoia strikes deep / Into your life it will creep / It starts when you're / always afraid. You step out / of line, the man come and / take you away.
"I don't agonize over decisions as much these days. The criteria of what's important to me is clear. The insecurity that you feel, and the paranoia that you feel, have been around for a long time -- you know it's a liar because it's been lying to you all along -- every time you start something new. You get used to it, and you sort of go, 'Oh, you're showing up again, well f*** you.'" - John Cusack
Freedom is just a hallucination created by a pathological lack of paranoia.
Paranoia doesn't mean the whole world really isn't out to get you.
If you ever wanted to know what a person with acute paranoia looks like, just keep watching.
I have the power to channel my imagination into ever-soaring levels of suspicion and paranoia.
Paranoia is heightened awareness.
Paranoia is a social disease--you get it from screwing other people.
"Paranoia is the delusion that your enemies are organized." - Arthur D. Hlavaty.
"This is the Nineties, Bubba, and there is no such thing as Paranoia. It's all true." - Hunter S Thompson
"There are two kinds of paranoia: Total, and insufficient. I am both, because if you think you are sufficiently paranoid, you're not." - Guildenstern, Rosencrantz and Guildenstern are Dead
"The truly paranoid are clever enough to not *act* paranoid." - Q, Star Trek: The Next Generation
"When everyone _is_ out to get to you, being paranoid isn't going to help." - Q, Star Trek: The Next Generation
"When did you get so paranoid?"
"When they started plotting against me." - The Paper
"Paranoia is only the leading edge of the discovery that everything in the world is connected." - `The Illuminatus Trilogy'
When you've been through everything I have, paranoia is merely a precaution!
Paranoia is not the belief that everybody's out to get you -- they are. Paranoia is the belief that everybody's conspiring to get you.
The greater the concentration of power, the greater the paranoia it generates about its need to destroy everything outside itself.
I love this job. Nothing like paranoia and neurosis. Who needs a Coke habit? I've got journalism!!
There's something inherently American about paranoia. Given the i
Can we get a "-1 Wrong" moderation option?
Why do you think only "corporate" (which seem to be big iron since you contrast it to "personal computers") have sensitive data?
What about doctors? Lawyers? Accountants? Schools? Bookstores? etc.
If you've been paying attention to the news you'll know that every so often somebody buys a used computer disk and finds the results of STD tests (including AIDS) for tens of thousands of people. Or the name, address and credit card information for thousands of customers.
The loss of this information may not cause the DJIA to drop 10%, but it can be devastating to the people involved. But security is often lax since it's "only" a PC and it never occurs to these people that their computers may be stolen precisely because of the confidential information on the disk.
Even home users can face a difficult situation if they take their work home. They have a duty to protect that information... then they work on those files on virus-ridden systems. Today's viruses seem to focus on spam and stealing credit card numbers, but it's not hard to imagine more sophisticated attackers looking for other information.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Anyone without a strong root password is likely to have a strong root password provided for them by an "outside consultant". :-)
Life is short: void the warranty.
This type of discussion really worries me for "single owner" systems.
You have set up a system that will keep people away from the data unless you and only you try to access this. What happens if something happens to you? Your family might need your account numbers if you die, have a stroke, etc.
If you are protecting your child porn stash, then maybe this is the best solution. For things like credit card numbers, on-line banking, etc. you should "escrow" your passwords somewhere so that others can get to them if needed. This could be as simple as a printout of your passwords/accounts in your safe deposit box to having information kept by your lawyer.
Remember that bad things can happen beyond just hackers trying to get data.
And I am not just trolling for karma. My wife just had a friend die suddenly and one of the first questions from the family was "how do we get his laptop's password". My answer was, "it depends, if he really secured it well, you are pretty much out of luck".
Good topic. I wish there were more serious posts so the rest of us could glean some knowledge from the replies instead of the geeks trying to be funny.
We had a couple people leave work recently and they had some data in the computer that we needed to get ahold of. Since my company requires passwords and restrictive permissions on all Windows systems my team was worried that we might never get the docs off the systems.
A co-worker got out the Knoppix security tools distribution ( http://www.knoppix-std.org/ ) CD and was able to bypass the Windows passwords very easily. And it read the hard drive ignoring Windows permissions.
If someone wanted a secure system, the Knoppix STD CD could be a good tool to use. Try and see if you or a trusted friend could get into your PC.
- Bruzer (trying to be constructive)
"Tempt not a desperate man" - Willy S.
My password's set to my dog's name.
My dog's name is currently 4$ter*Zf1, but I change it every 90 days.
bp
Here are some simple policies I practice:
1. Unless currently being used, the computer remains at an "off" state.
2. Change your passwords often - how often is up to you, but be reasonable. I suggest 30 to 60 days for medium/low security, and 7 days for higher security. Remember, however, that any password can be breached - it's just a matter of time.
3. Segregate your network (if you have one) into zones. For instance - you should not put your wireless access point straight off your network, instead, come off of your firewall in a new "wireless" zone. Terminate all wireless connections into your firewall via ipsec. Do not rely on WEP/WPA.
4. Block all outbound and inbound ports on your firewall, until you need them. I.e., don't just open up port 80 because you /think/ that you /might/ just run a web server.
5. Virus scanner.
6. Password protect /does not/ imply encrypt.
Anyway, these are just some basic concepts that are OS independent, and if your average user followed some of these guidelines, we'd all be in a better position.
http://www.accelerateglobalwarming.com
Of course, that's not the only blunder. A cracker under the name "The Cheshire Catalyst" broke into a network service they were demonstrating, and started piping songs onto the computer screen in the TV studio.
These security breaches got the kind of publicity few crackers could ever hope to achieve today. A live television audience of maybe 7-8 million, and next to zero chance that the camera is going to pull away?
One important lesson I learned, over these incidents, is that security is rarely accidental. Nor is it something you can consider separately from the rest of the design. Designing something to be consistent and uniform means that errors will stick out like a sore thumb. In terms of security, or reliability, elegance is everything.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
30 character password
... [later:] bamm, fracking puter lands on the sidewalk.
Now, that's not paranoid, just plain stupid. Just imagine, early in the morning, quickly checking mail before tumbling out the door going to work, and I mistype 1 character: bamm, type again, mistype 1 character again: bamm, type again,
Why would someone do such a thing to oneself, being sane to a very minimal extent? Buy a darn iris scanner, or fingerprint authentication stuff, whatever floats your boat. But 30 chars to type just to get into your spyware-house? Get a life.
Regarding the main question, i.e. being paranoid: one can efficiently and effectively protect even a Windows PC without becoming, well, possessed.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.