Slashdot Mirror


A Security Guide For Non-Technical Users?

kin_korn_karn asks: "Like many of you, I am the family IT department. I cannot convince my parents to follow proper PC security procedures. I'm not talking about enterprise-level things such as card swipes and fingerprint scanners, just simple measures like logging off of the PC when it's not in use. They, like many people of their generation, seem to be willing to sacrifice security for convenience, as long as their real data isn't being impacted. I can't seem to get it through to them that it's only a matter of time until they are. Since my own arguments aren't working, I need documented proof to back it up. Can Slashdot offer up some kind of arguments or information that I can use?" "Does anyone know of a guide to IT security that:

a) Is written for a non-technical audience, but is neither condescending nor overly 'soft.'

b) Defines the various terminology (trojan, virus, zombie, etc.) clearly.

c) Explains what threats each security measure protects the user from.

d) Uses cases and examples to demonstrate the before and after scenarios, like: 'Jane's credit card number was intercepted via a non-encrypted connection. She started looking for the padlock symbol on her browser's status bar. Now, her credit card number looks like this: @*#(!@($).' (That's just an example, by the way)

It's the content that's important not the media, so your suggestions can be anything, be it an online document, multimedia presentation, or a print book."

274 comments

  1. Education & Certification by mbowles · · Score: 1

    I am growing increasingly convinced that before someone is allowed to connect to the Internet that they should have to attend Surfer's Ed, pass a written test, and practical test. Maybe this way we could increase awareness of how dangerous the Internet can be as well as cut down on the number of infected machines that are increasingly being used for purposes their owners likely didn't buy them for and probably aren't aware of.

    1. Re:Education & Certification by ebyrob · · Score: 1

      Gimme a break.

      As if anyone is safe surfing the web, even those who "know" what they are doing. The "nvidia binary driver exploit" on Linux which allowed remote exploits from vbscript under firefox springs to mind. What makes you think any browser on any platform is safe? (Aside from lynx on OpenBSD or a secure Linux distro perhaps...)

    2. Re:Education & Certification by AHumbleOpinion · · Score: 1

      Hunter Safety, Driver Safety, and the proposed Surfer Safety are not supposed to provide you with 100% security. They are to educate participants that they are engaging in a risky activity and that they can minimize some risks through good practices. Some people need to be told to not determine if a gun is loaded by pulling the trigger, others need to be told to not click on a link in an email to get to their bank.

    3. Re:Education & Certification by Anonymous Coward · · Score: 0

      Well as always you : the originator of this thread is trying to confuse us others.
      The really lazy user (the one that doesn't care) is that this user is also the user that is not (just lazy, once again) storing anything (and I mean NOTHING) on their computer. So why bother at all, anybody peeking in will see the odd surfing, and the odd pr0n once in a while. So who cares, some red cheeks, that is all!
      If they are using something more sophisticated (like banking) they are surely more interested AND thus will listen to your banting.
      But please do not try to confuse everybody here that there is only one homogeneous group surfing the internet apart from us professionals. :-)) /hrg_se

    4. Re:Education & Certification by Anonymous Coward · · Score: 0

      Hmmm, sounds like a drivers license check only easier to have your friends do it if you can't pass.

      rexm5hjz@gmail.com

    5. Re:Education & Certification by IndigoParadox · · Score: 1

      The problem is when those lazy users get unwittingly added to somebody's botnet. It doesn't matter what kind of data is on their PC if the PC itself can be used to DDOS others or as a proxy to hack other sites or even as something like a child porn cache. The possibilities for remote malicious activity go far beyond data access.

    6. Re:Education & Certification by Hegh · · Score: 1

      Actually, to be truly safe but have a relatively normal browsing experience (and yes, I'm saying that lynx is not normal :-P), use a virtual machine to run a second copy of your OS, and use the browser there. Or, even better (since theoretically a Windows file share between the two might allow an infection to transmit), different OS's. I do something similar when I'm not sure how safe a download is, although I've been lax about it lately and, as a result, had to fight off an infection a few weeks ago.

      --
      Bravery is not a function of firepower.
      ~J.C. Denton (Deus Ex)
    7. Re:Education & Certification by xenoterracide · · Score: 0

      This is only safe against "infections"; it won't stop things like phishing attacks, and won't help secure any sensitive traffic you are transmitting.

    8. Re:Education & Certification by ultranova · · Score: 1

      Hunter Safety, Driver Safety, and the proposed Surfer Safety are not supposed to provide you with 100% security.

      Hunter Safety and Driver Safety are supposed to keep you from killing yourself or anyone else. Surfer Safety is supposed to keep your computer from being hijacked. Please don't try to make it sound comparable to the former two.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    9. Re:Education & Certification by AHumbleOpinion · · Score: 1

      Hunter Safety and Driver Safety are supposed to keep you from killing yourself or anyone else. Surfer Safety is supposed to keep your computer from being hijacked. Please don't try to make it sound comparable to the former two.

      You overstate things a bit. With respect to firearms (which is what hunter safety is nearly entirely about) and driving, property damage is more common. You also understate things: getting your computer hijacked can lead to far greater financial losses than a fender bender. I think I characterized the three better: "They are to educate participants that they are engaging in a risky activity and that they can minimize some risks through good practices."

    10. Re:Education & Certification by ebyrob · · Score: 1

      I'm very aware that the only truly secure computer is a brick.

      My objection to the grandparent was in thinking the problem with surfer security is user education. There's nothing useful to teach end-users because the software we have now just isn't worth training on. For instance, I had no idea how terribly written X was until I read the nVidia exploit and found out that a program widely used for remote access was trusting a proprietary module designed for squeezing performance out of hardware to bounds-check information from a remote source (or from user space etc).

      And this is coming from the guys who are "good" at security...

      It does you no good to pick up a gun and check if it's loaded if it has a substantial chance of blowing up in your face when you open it.

  2. no no, you have it all wrong by Anonymous Coward · · Score: 4, Insightful

    you should go outside and play catch with your son.

    1. Re:no no, you have it all wrong by kin_korn_karn · · Score: 1

      Article submitter here. Not sure what you mean.

      I'm talking about my parents - they don't want to believe that they could be targeted. Part of the problem is that they think it's modesty - "Oh, nobody cares about what I do on the internet."

      The thing is, no, they don't care about you specifically, they care about everybody who passes information on the net or clicks on the wrong links. They're not singling you out, you're in the path of their drag-net.

      It's not like someone breaking into your house or tapping your phone where they have to go to a lot of trouble to get to you specifically. I'm not sure that they understand that you don't have to be targeted specifically to be a victim of identity theft or have your PC zombied.

    2. Re:no no, you have it all wrong by WhiteWolf666 · · Score: 1

      Well,

      Ask them if a particular tuna in the sea was "targeted" for eating.

      On a more serious note, why not just switch them to Macintoshes?

      Much more secure. The only real risk is phishing, and there are some decent browser extensions to help with that (somewhat).

      --
      WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
    3. Re:no no, you have it all wrong by Marxist+Hacker+42 · · Score: 1

      Yes, but the point still stands. For 90% of Windows viruses out there, the user has to do something. Forcing them to log out when they're not using the system doesn't help this one bit; the infection happens when they're *using* the computer. For the other 10%, well, you have taken the time to turn off unneeded services, and you have spent the $30 to get them a broadband hardware firewall, right? If you do those two things, XP firewall and a copy of AVG will take care of most of the rest, and limit you to spending an hour or two running Hijack This and Adaware twice a year. If you also include an automatic backup system like Roxio's GoBack, then you're golden- even if they lose their data, just ask them when they last used the computer and it was working and revert the drive.

      You'll NEVER convince them that they're not a target- so the real key is to configure the system to give them the convenience they crave while minimizing YOUR time working on security. Then charge them $25/hr for your time to keep the stupid questions to a minimum.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    4. Re:no no, you have it all wrong by JWSmythe · · Score: 1


      I just replied about kids. Look 'round for it. :)

      For parents, they're harder. The older they get, the more in denial they'll be.

      It'll probably be a good case of identity theft, before they ask "so what can I do to protect myself?" Just try to explain things to them, and be prepared for the day that they come to you because their bank account is short several hundred dollars, or [insert evil case here]. That's when they'll start listening.

      --
      Serious? Seriousness is well above my pay grade.
    5. Re:no no, you have it all wrong by Timothy+Brownawell · · Score: 2, Insightful

      They're not singling you out, you're in the path of their drag-net.

      It's not like someone breaking into your house or tapping your phone where they have to go to a lot of trouble to get to you specifically. I'm not sure that they understand that you don't have to be targeted specifically to be a victim of identity theft or have your PC zombied.

      So talk about that kind of security (caution with email attachments and websites asking for personal info), rather than things like logging out ("proper PC security procedures. ... just simple measures like logging off of the PC when it's not in use.").

      Logging out has approximately nothing to do with net safety, it has to do with "someone breaking into your house" safety. Which you've just said isn't what this is about, and which they'd be very reasonable to not worry too much about. I don't bother to log off either -- if someone has physical access, that means they broke into my apartment and can just take everything anyway.

    6. Re:no no, you have it all wrong by wwphx · · Score: 1

      I think I'd stress a couple of points. First, chances are that people are not interested in their information per se, they're much more interested in covertly controlling their computer. A lot of attacks today are automated -- they sit there and watch for insecure connections, open ports, etc. I was reinstalling a friend's computer with 2000 Pro that unfortunately did not have any service packs: it was pwned before I could install a firewall or update it. (had I known I was going to be reinstalling 2K, I would have copied SP4/IE 6 onto my thumb drive). We went and bought a copy of XP Pro with SP2 pre-installed: after the installation was finished and we re-installed Zone Alarm Pro, it was amusing to see all of the failed attacks bouncing off the firewall. All of the attacking IP addresses were on Qwest's consumer network (his ISP).

      Second, tell them about botnets and these zombie armies being used to send out spam.

      It's not entirely about them, it's also about denying additional resources in the form of their PC to bot herders.

      --
      When you sympathize with stupidity, you start thinking like an idiot.
    7. Re:no no, you have it all wrong by Wwhispers · · Score: 1

      1. Fresh install updated. Open office, Spybot S&D, Firefox, Avg and Norton's ghost installed.
      2. Unneeded services disabled ( telnet, remote reg, server, etc ).
      3. Ghost image burned to cds or dvd.
      4. Firewall/router.
      5. All done in less than an hour.
      6. Now be happy that you can just throw that image back on as needed and they are enjoying their PC.

    8. Re:no no, you have it all wrong by RobertLTux · · Score: 1

      The biggest problem is some version of

      1 evel haquer drops a copy of apache on the computer
      2 said haquer then publishes (your state's) finest collection of oh Pedo Porn using YOUR PARENTS' COMPUTER
      3 the bust goes down
      4 guess who gets to serve TIME

      or let's say just to make things worse the site serves the data for a real live terrorist website (replace TIME with trip to gitmo)

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
    9. Re:no no, you have it all wrong by prolene · · Score: 1

      Exactly.

    10. Re:no no, you have it all wrong by Iron+Condor · · Score: 1

      So .. why exactly should someone log off when they're finished with their computer? What exactly is that supposed to solve or prevent?

      Has there ever been a virus or trojan or worm or whatever that said "oh, the user is logged off, I guess I won't infect this machine, then"?

      --
      We're all born with nothing.
      If you die in debt, you're ahead.
    11. Re:no no, you have it all wrong by Firefly1 · · Score: 1

      In way of reply to this, I will simply point to a previous comment of mine, as opposed to repeating it verbatim.

      --
      - White Knight of the Order of Mihoshi Enthusiasts
  3. Show them by iknowcss · · Score: 1

    Prove to them that their actions are potentially dangerous to them: send them emails with Trojans and steal their passwords. When they turn to you and say "whahappin?!" just tell them that you did it and even though they're ok this time, next time it might not be you. People respond to fear.

    --
    Life is rarely fair. Cherish the moments when there is a right answer.
    1. Re:Show them by Anonymous Coward · · Score: 0

      People respond to fear.

      Yeah. With spite. Don't power trip on your own family.

    2. Re:Show them by JWW · · Score: 1

      Prove to them that their actions are potentially dangerous to them: send them emails with Trojans and steal their passwords. When they turn to you and say "whahappin?!" just tell them that you did it and even though they're ok this time, next time it might not be you. People respond to fear.

      Of course, don't do that if you want to actually get _nice_ Christmas presents this year!!

  4. What about making them a demonstration ? by franois-do · · Score: 1

    Perhaps you know how Richard Feynman demonstrated unsecurity where he was working ? He opened the safes and left a note in it saying : guess who ! :-D

    Likewise, you could go to a site like packetstorm, and learn the security holes of the month (some "exploits" are coded there in Perl, and rather easy to use). Most of the time, they allow you to get root access via a buffer overflow or a series of escape sequences.

    Have a close and truthful friend of yours pirating their/your machine while you are discussing with your relatives and they are working on it. Seeing messages addressed to them and coming from nowhere (and why not a shutdown -h with a safe delay) while you are not on the keyboard should be a very good vaccination for them :-)

    --
    Signature omitted in order to save space. Thanks for your understanding.
    1. Re:What about making them a demonstration ? by frieko · · Score: 1

      You left out the most important part of the Feynman story. Nobody improved security, they just didn't let Feynman around the safes anymore! I would expect a similar reaction from this guy's parents if he roots their PC.

    2. Re:What about making them a demonstration ? by J053 · · Score: 1

      You left out the most important part of the Feynman story. Nobody improved security, they just didn't let Feynman around the safes anymore! I would expect a similar reaction from this guy's parents if he roots their PC.

      And that accomplishes his purpose - he's no longer providing family tech support!

    3. Re:What about making them a demonstration ? by franois-do · · Score: 1

      Well who ever said that you have to be the family tech support to hack their machines from the Internet ! (grin)

      --
      Signature omitted in order to save space. Thanks for your understanding.
  5. Convenience? by gardyloo · · Score: 1

    I doubt this will convince anyone, but...

    Yes, staying logged in all the time, and running as a privileged user is convenient, for a while. Once your machine is compromised, however, the convenience goes out the window, and the pain begins.

    If people continue to run as admins, and with limited security, their computers WILL become infected with all sorts of nasties. How convenient is it to have to remedy this? How convenient is it to lose work? Bookmarks? Emails? Family photographs? Then it is up to the family's IT person to fix things, and that is decidedly NOT convenient.

    1. Re:Convenience? by maxume · · Score: 1

      On my laptop, I care a lot more about the data than I do the OS; executable vs not is a lot more important than admin vs non-admin. Oh no, I got rooted is way less of a problem than Oh no, I lost my pictures.

      --
      Nerd rage is the funniest rage.
  6. Guide for secure computing by The_Abortionist · · Score: 0, Funny

    1- Never connect a Windows PC to the internet without first connecting to an external firewall (such as a router).
    2- Never install Linux, who knows who's been adding what to it.
    3- Never use a MAC if you can't wash your hands after.
    4- Never use FireFox, it sends your personal information to Google. Use elinks for secure browsing.

    I think that covers it.

    --
    Linux violates 235 Microsoft patents.
    1. Re:Guide for secure computing by rengav · · Score: 1

      I think the first post had it right with point one but said too much;

      "1- Never connect a Windows PC to the internet"

    2. Re:Guide for secure computing by misterpib · · Score: 1

      Should we just ignore the contradiction between number 2 and 4?

  7. motivation by bcrowell · · Score: 1

    What's their motivation to learn this stuff? Their kid is already taking care of everything for them.

    How is logging off of their computer when it's not in use going to help them? Are there people walking through their living room, looking at the screen, and copying down their credit card numbers?

    If they have broadband, get them a router with a built-in firewall. If they're running Windows, turn on automatic updates. Neither of those things require any continuing effort or education on their part.

    1. Re:motivation by mcpkaaos · · Score: 1

      How is logging off of their computer when it's not in use going to help them?

      Logging off prevents unauthorized background processes (though, not services) from running with their user credentials when they are not at the machine. If said credentials include admin rights to the machine, the added security of logging off is huge. It's no different than choosing whether or not to leave the vault door open when you leave the bank.

      You make an excellent point:

      What's their motivation to learn this stuff? Their kid is already taking care of everything for them.

      There really is no motivation in this case. However, that may not be such a bad thing. If the "family IT guy" sets up a safe sandbox for everyone to play in (i.e., restricted user accounts), they don't really need to learn or understand system security. Couple that with regular, off-machine backups, and you have a family of blissfully (and, perhaps, justifiably) ignorant users. If they don't want to come out of the dark, you can't force them, and if you want to keep familial relationships as smooth as possible, you pick up the slack.

      --
      It goes from God, to Jerry, to me.
    2. Re:motivation by BrGaribaldi · · Score: 1

      Speaking of motivation, I believe there was a Slashdot story not too long ago about the actual cost of running machines on standby. Tell them they can save money by shutting their computer down when not in use. Your parents may not respond to a computer security threat, but saving money by not wasting electricity? If I had a dime for every time my parents told me to turn off the lights when I left the room...

    3. Re:motivation by bcrowell · · Score: 1

      If said credentials include admin rights to the machine, the added security of logging off is huge.

      I see -- is it basically a Windows issue because every user has admin privileges by default? I guess to use the Linux/Unix analogy, it would be like logging in as root, running a web browser as root, doing a bunch of online shopping, and then leaving yourself logged in as root all day, with the web browser running. But this all seems to be under the assumption that they're inevitably going to have their machine infested with malware. If that's the case, then the horse is already out of the barn. If they can't keep malware off their machine, they're basically hosed.

      I guess this raises the question of what OS the poster's parents run, and whether it's really possible to write a general explanation of security issues that would apply to all operating systems.

    4. Re:motivation by 511pf · · Score: 1

      The only way logging off will help is if malware authors don't put their crud in startup. ANY piece of malware that doesn't run as a service starts on login, so even if it doesn't run while you're logged off, it's going to run while you're logged on. If you've got a hole in the vault, closing the door isn't going to do you any good.

    5. Re:motivation by mcpkaaos · · Score: 1

      It is a Windows issue, but it is not a Windows-only issue. With XP, by default, the first user you create has admin rights. That's clearly bad. Even still, most people leave it alone and, for all intents and purposes, stay logged in as root all day long doing whatever it is they do. These people should log out as often as possible, whether or not the machine is in use.

      Even for a restricted user, logging out when the machine is not in use is good practice. Any process left running in the background, even with restricted credentials, can be dangerous. Probably not to the entire system, but certainly to that user's data. I don't think this idea is at all limited to Windows.

      --
      It goes from God, to Jerry, to me.
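An added example, not part of any comment in this thread: a read-only PowerShell audit of the three things the exchange above turns on (whether the session holds admin rights, what starts again at every logon, and what runs as a service regardless of logoff). It assumes a current Windows system with PowerShell 5.1 or later; the "outside the Windows directory" filter is only a heuristic for third-party services, not an indicator of compromise.

```powershell
# Added example: read-only audit, changes nothing on the machine.

# 1. Is this session running with administrator rights?
#    (Reports False for an admin account running unelevated under UAC.)
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Programs launched at logon. These end when the user logs off,
#    but they come straight back at the next logon.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

$logonEntries = @(
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $item = Get-Item -Path $key
            foreach ($name in $item.GetValueNames()) {
                [pscustomobject]@{
                    Source  = $key
                    Name    = $name
                    Command = $item.GetValue($name)
                }
            }
        }
    }
    foreach ($dir in $startupDirs) {
        if ($dir -and (Test-Path $dir)) {
            Get-ChildItem -Path $dir -File |
                Where-Object { $_.Name -ne 'desktop.ini' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Source  = $dir
                        Name    = $_.Name
                        Command = $_.FullName
                    }
                }
        }
    }
)

# 3. Auto-start services. These keep running whether or not anyone is
#    logged on. Heuristic: show only binaries outside the Windows directory.
$winDir = '^"?' + [regex]::Escape($env:SystemRoot) + '\\'
$autoServices = @(
    Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" |
        Where-Object { $_.PathName -and $_.PathName -notmatch $winDir } |
        Select-Object Name, StartName, PathName
)

# Report
"Session has administrator rights: $isAdmin"
""
"Logon autostart entries ($($logonEntries.Count)):"
$logonEntries | Format-Table -AutoSize -Wrap
"Auto-start services outside $env:SystemRoot ($($autoServices.Count)):"
$autoServices | Format-Table -AutoSize -Wrap
```

Entries in the second list are unaffected by logging off in any lasting way, and entries in the third are unaffected entirely; the first line shows how much any of them could do with the session's rights.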
  8. Fabulous answer. by gardyloo · · Score: 1

    Seriously. This is perhaps one of the best posts I've ever seen on Slashdot.

  9. Dummy Guides by 88NoSoup4U88 · · Score: 1

    I dunno, but the "Dummy Guide To ...." seem to have done the job on many technical-like things to teach my dad: He now knows his way around the Internet, and isn't 'afraid' to use Windows anymore.
    Before he was always shitscared to either delete something by accident, or crashing it; which as he saw it was breaking the computer... permanently :)

    I think the Dummy Guides do a good job at not being too condescending, yet also maintain a good humorous writing style (just my opinion, and only from reading parts of the books I gave to my dad).

    And other than that I think it's just very important to indeed stress that a lot of personal details/files could potentially be destroyed by viruses/trojans, yet don't make them too scared to use the Net at all: Installing Firefox would be a good start, but I assume you got that one covered ;)
    Then again, best prevention would probably be when one would be a victim of any such crime; But hax0ring your parent's computer probably takes it one step too far ;)

    1. Re:Dummy Guides by markwalling · · Score: 1

      I bought the Perl for Dummies a very long time ago, after only knowing BASIC (as in real basic (as in C64 on a tape deck basic)). From that book I taught myself Perl, which carried on to PHP, and when I started taking comp-sci in college, with C. (My theory: any language that ends its line with a ; is fundamentally the same.)

      The appendix of the book had a very good function reference, with page numbers for going back to the text for more stuff.

      The only Dummies book I bought that I didn't like was Red Hat for Dummies. It came with a distro on 2 CDs, but it only covered how to do stuff in the GUI. No command line stuff at all. But for someone who is a light Windows user who was switching over from the dark side, it would have been a good book.

      (And it's "... for Dummies", not "The Idiot's Guide to ...". One's yellow, the other orange.)

      --
      ...For the beast had been reborn with its strength renewed, and the followers of Mammon cowered in horror.
    2. Re:Dummy Guides by 88NoSoup4U88 · · Score: 1

      Ahyes, was already in doubt if it was the right name. It's indeed the yellow "... for Dummies"-series I am referring to.

  10. Dude. Get real. by oGMo · · Score: 1

    I cannot convince my parents to follow proper PC security procedures. I'm not talking about enterprise-level things such as card swipes and fingerprint scanners, just simple measures like logging off of the PC when it's not in use.

    What? Seriously? Get real. The only "security" that you should be worried about here is whether they have a solid non-Windows firewall box in front of the network. "Logging off"? Don't be silly: they don't have anything on there that's actually that confidential. What purpose does logging off serve? If you want quick access locking, set up a screensaver and password; it's automatic and it accomplishes the same thing.

    The real security problem is they're probably using Windows. Any measures on top of this are laughable to begin with. If you really want to solve something, start by changing that. (While I'm not really an Apple fan, OSX is a definite viable alternative that lacks basic security issues like "open a mail message or document and infect your machine".)

    Do these things and you'll actually help them, not "feel-good" measures for appearance.

    --

    Don't think of it as a flame---it's more like an argument that does 3d6 fire damage

  11. yeah, you have better things to do with your time by JonTurner · · Score: 1

    Yeah, I've heard the same stuff from my family... "what do I care if somebody watches what I type" "I don't care if somebody reads my boring email or looks at pictures of my grandkids" etc. Drove me nuts!! I patiently explained "well, your system could be zombied and you'd be spreading spam, be a hopping-off point for hackers, a drop-box for software, etc." but it just never registered.

    I finally figured that I could either 1) go hardcore admin and completely lock down their PC to the point of only bare functionality (basic web browsing w/no active X, no HTML email, forced virusscans @ startup, etc.) and do lots of admin to keep it up to date (and in the process become the "bad guy") or 2) buy them Macs and quit worrying. I took the easy way out w/some old tangerine iMacs, a couple new Minis, and a family pack of Tiger.

    Yeah, I know this doesn't really answer your question, but it's related. If you can't solve the problem, avoid the situation.

  12. Tough love. by Anonymous Coward · · Score: 0

    Install sub7, just mess with em, set their wallpaper to goatse, move files around, etc. Either that or smack em upside the head.

    1. Re:Tough love. by JWSmythe · · Score: 1


      I had a blast doing that once working with a cam house. It wasn't Sub7, but something like it. I'd open and close their CD drive, and keep popping up on the screen "Feed Me Seymour!" It was so much more fun, because I could see their faces when I was doing it. :)

      --
      Serious? Seriousness is well above my pay grade.
  13. Infect and use... by madhatter256 · · Score: 1

    Infect and use their data to get their credit card info, etc. Show them how vulnerable they are by using their CC number to buy a whole new $3000 PC System :-).

    --
    Previewing comments are for sissies!
    1. Re:Infect and use... by rob1980 · · Score: 1

      The only thing a dumb idea like that is going to accomplish is making things very awkward at the Thanksgiving table.

  14. Re:infect their machine by R2.0 · · Score: 1

    I was going to suggest a variation of this, except you NEVER tell them what you did. If you fess up, they won't learn the lesson - after all, OF COURSE you could hack their machine, but no one else could!

    The trick would be to hose their machine into unusability without losing important data. For instance, if they only lost pictures that you sent them, they will ask you to re-send them - irritating, but no real data loss.

    --
    "As God is my witness, I thought turkeys could fly." A. Carlson
  15. It's been my experience by Marxist+Hacker+42 · · Score: 1

    I'm not talking about enterprise-level things such as card swipes and fingerprint scanners, just simple measures like logging off of the PC when it's not in use.

    It's been my experience that 95% of Windows viruses require some sort of stupid user action to install and spread. Logging off the PC will not help in that situation. Minimizing the machine's online presence will help far more: turn off unneeded services, use both software and hardware firewalls, and finally, make sure Preview mode is turned off in both Outlook and Outlook Express. Finally, just make it a point every six months to run Hijack This, make sure AVG is up to date, and run several spyware scanners, and charge them $25/hr for the service.

    You're completely right about people of a certain generation choosing convenience over security- but there are things YOU can do to keep them safe in spite of themselves.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  16. Password Cracker by snitmo · · Score: 1

    It's not a document, but nothing convinces people more than having their passwords cracked. Run John the Ripper http://www.openwall.com/john/ or something like that on their accounts. They'll understand it's a real risk.

  17. "I know nothing" by bushboy · · Score: 1

    Your search is virtually impossible, because human nature isn't clear cut.

    No matter what you do, you will be leaned on for support.

    Best thing to do is to back out now, start telling everyone you meet that you know nothing about computers or the internet and in fact, you're a luddite.

    Make loud and stupid jokes about "those machines" and "the weird guys in block A/downstairs/basement/geekery" and take up a sport, like wrestling or hurling.

    When your family ask you about your sudden lack of interest in helping them, tell them that you received a sharp blow to the head in a bizarre gardening accident and can no longer use a computer.

    Follow my advice, become a closet geek - it's the only way to retain sanity.

    --
    A slashdotting - you get the stick first and then the carrot !
    1. Re:"I know nothing" by eneville · · Score: 1

      it's also wise to take up drinking at this point and to stop changing your clothes so regularly.

  18. Re:yeah, you have better things to do with your ti by pizzach · · Score: 1

    The exact thing that I did. *thumbs up* (I'm using Linux myself though.)

    --
    Once you start despising the jerks, you become one.
  19. Perhaps a different approach? by MysticOne · · Score: 1

    This isn't really going to answer your question since I'm not going to recommend any particular texts on security for non-geeks. Why don't you work on teaching them what they CAN do? Honestly, family or not, if I own a computer and constantly have someone trying to tell me that I can't do the things I want to do, I wouldn't listen and would probably start to resent it. It's not their fault they want it to be easy and convenient to use, but I'd try a little positive reinforcement and approach it from the other angle.

    On top of that, if there are things you can do within reason to make their computing experience safer, go ahead and do those things as well. If they're using Windows, I'd enable automatic updates and install anti-virus/anti-spyware software that also updates and scans automatically. While I don't like Microsoft, their OneCare product is pretty easy for novices to use since it includes everything in one spot.

    It's a learning experience. Most of us didn't read security books and become safer because we knew things ahead of time, but we got burned a few times and learned best practices after the fact. Well, that's my $0.02.

  20. scare tactics by blueadept1 · · Score: 1

    1)back everything up on said computer.
    2)delete all of their files
    3)"see this is what happens when you don't listen to me. no there is no way to get it back"
    4)tell them what procedures to follow
    5)2 weeks later: "eureka! I was able to restore your data. now, will you ever let this happen again?"

    1. Re:scare tactics by rucs_hack · · Score: 1

      did that for real once, when I was fixing an internet raped wintel box. I deleted a load of crap that turned out to include some important photos.

      then I 'magically' managed to recover them a couple of days later when I was told they were gone by using a file undelete app, blamed the loss on the trojans that had over-run the pc in the first place, and extolled the virtues of backups.

      I'm utterly paranoid about backups, I've got them going back years. This was ever since losing all my data, including some (imo) awesome doom 2 levels I'd taken ages to do for a competition.

    2. Re:scare tactics by microcars · · Score: 1
      >> 5)2 weeks later: "eureka! I was able to restore your data. now, will you ever let this happen again?"

      and their answer?

      "I didn't have any problems until YOU messed with my computer!
      I'm not letting you near my computer ever again!"

      --
      I like microcars
    3. Re:scare tactics by green1 · · Score: 1


      >> I'm not letting you near my computer ever again!

      problem solved! you can sleep at night knowing they won't be bugging you for support anymore...

    4. Re:scare tactics by blueadept1 · · Score: 1

      easy: stab them in the face.

      sure, being a fugitive is lots of fun!

  21. Re:infect their machine by LiquidCoooled · · Score: 1

    Send all text documents through a clever rot13 hack ;)

    --
    liqbase :: faster than paper
  22. Let them have it.... by MrWorf · · Score: 1

    ...once!

    I had a similar problem with my parents several years ago (win98se), didn't believe me when I warned them not to run whatever came with the email and/or run weird things downloaded from the web. So one day (by accident) a virus struck. An oldschool virus (at least compared to today's more "useful" trojans, etc) which destroyed the MBR and partition tables.

    After that day, my problems have become very few and far between.

    Now, the moral of this story is:
    Some people will never understand the importance of security until they've been hit. Sad but true.

    Now, I'm not saying that you should infect your family's computer(s), but it's the most effective way to make them think twice.

    (For the record, I didn't infect my parents' computer ... it was just an unlucky turn of events)

    1. Re:Let them have it.... by Anonymous Coward · · Score: 0

      I've been trying for a couple years to get my dad to stop opening unknown emails and forwarding chain letters. He still sends one every few weeks. The other day he forwarded one of those non-sensical spams to me -- the ones with some random text and an image link to a porn site -- because it has the word "technical" in the subject. At this point I've actually just /dev/null'ed all his email because every single one has been a forward of some junk.

  23. Who's wrong here? by Varris · · Score: 1

    As a matter of fact, in the long run the PC should become adapted to the habits of these kinds of people. Do you think it's their generation only? Nope, I don't think so: there are a lot of this kind of people in our generation and in the upcoming generations. I think they're right. It's up to the specialists to make the PC safe without the end user having to deploy 5 doors and 7 locks.
    Again, one of the advantages of Google's strategy: applications run on their side.
    (btw, I leave my pc on and logged on too)

  24. Logging off? by everphilski · · Score: 1

    >> just simple measures like logging off of the PC when it's not in use.

    ... why? I'm as paranoid about security as anyone but I'm not afraid of people jumping in the window and sitting down at my keyboard ... you might be going a little over the top with your parents.

    Show them 1) the difference between a secure and non-secure connection and 2) good password conventions and that.

  25. Re:Dude. Get real. by Goaway · · Score: 5, Funny

    Right, the reason nobody is listening to him about security matters is that he's batshit insane, and is going on about logging off when you are not using your home machine, possibly to protect yourself from ninjas breaking into your house and stealing your files.

  26. Have them watch TV by The_Pariah · · Score: 1

    Tell them to watch a CitiBank commercial about identity theft. That should knock some sense in them.

    --
    Future ruler of a small Asian-Pacific island
    1. Re:Have them watch TV by Anonymous Coward · · Score: 0

      I tried that, but it just made my mom ask where I kept my robot.

      My girl robot.

    2. Re:Have them watch TV by evilneko · · Score: 1

      I watch those, and for some reason always think, Damn I gotta get into that racket. Them motorcycles was fast...

      --
      Slashdot - where to disagree, is to be a troll
  27. Long story short... by Omeger · · Score: 1

    Use Linux.

    1. Re:Long story short... by Simon80 · · Score: 1

      Mod parent up! you'd be surprised just how easy it is to migrate your family to Ubuntu or something similar - both my mom and younger sister use it.

  28. Advice: Don't bother by cptnapalm · · Score: 0

    Don't bother. They are uninterested in learning.

    What they do know: If they break it, you will fix it.

    Stop fixing it, then they might be more willing to listen.

  29. Give up. by thethibs · · Score: 1
    • Put a firewall between your machine and theirs.
    • Explain to them what you are doing and why.
    • Wait for them to learn by experience.
    • Take up the topic again.
    --
    I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
  30. Back-Ups: A Bigger Deal by Anonymous Coward · · Score: 0

    Security comes in many forms. There are attacks from viruses and malicious humans (and often one from the other). There is also the risk of data loss due to hardware failure. A good back-up regimen that includes weekly off-site storage is better security from known and unknown threats.

  31. The Fear by arete · · Score: 4, Insightful

    First The Fear: I don't have the document you're looking for. But I think the basic problem is this: in the Real World, if you leave your door unlocked (I didn't say "open") in most neighborhoods it'll take years, at least, before you get broken into. Most people aren't going around trying residential doors. (Assuming you aren't conspicuously advertising more wealth than your neighbors) And if you're going to get broken into, having a locked door won't make much difference...

    I would say the mean time before someone breaks into your house BECAUSE you didn't lock the door averages at LEAST years.

    The mean time until your online (routable) Windows computer is compromised if you don't have a reasonable firewall is something like 15 minutes (and falling). You need to strike home the fact that that's the AVERAGE time until someone WILL try to attack their computer. If someone is trying to steal from you every 15 minutes, you NEED to be paranoid.

    Second, of course, is education.
    First you need to decide whether you're going to keep fixing whatever messes they're going to make - or you need to say: "I've wasted enough time on your computer. If you don't follow the rules I set out for using it safely, I'm not fixing the problems you have - or I'm at least waiting weeks before I do." - and you need to be serious. If you fix it all for free, there is no incentive.

    One rule is not to download and install anything without your approval. If they see that warning screen and click "yes" - that's their problem. Those smiley toolbars don't get there by themselves.

    Then you need to do what you can for them automatically. I agree with another poster that logging off is not a high priority. A good "hardware" firewall is - with the "gaming" port forward OFF. Turn on automatic updates. Getting a mac is great : )

    If you can't do that, disabling ActiveX - COMPLETELY - (preferably also removing the IE icon and installing an alternate browser) helps a lot. Installing Spybot S&D and its automatic protections helps.

    --
    Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
    1. Re:The Fear by JWW · · Score: 1

      Or you could just get them to switch to OS X..... Much fewer steps.

    2. Re:The Fear by Anonymous Coward · · Score: 0

      I take your data point and add my own:

      I (mistakenly) left my door unlocked one night and the house was broken into.
      According to the officers, the crooks would walk down the street late at night trying each door until they found one unlocked.

    3. Re:The Fear by Shadow99_1 · · Score: 1

      The problem with that comes from parents like mine:

      * They want to be able to go to the store and buy new software to do task x, y, or/and z
      * My dad wants to play the occasional Solo FPS (for all that he's nearly 60 he loves the original half-life and doom and plays the newer incarnations...)
      * Want to be able to run software that is often non-Mac compatible (ie my mom gets educational stuff from the state since she works at a day care and it's always been PC only)
      * occasionally want hardware to do X function (which is often not Mac compatible or supported)

      These are all things that Macs just tend to lack in...

      That's all without beginning to discuss people like one of my clients who I built a PC for (primarily so they could do limited DB stuff like what Access can handle and have TV out to power a small TV)... However after they managed to kill Win XP SP2 within a week (with nearly 6000 Adware/spyware apps running) I insisted they run firefox with adblock/filtersetG, no java, and no script... Only to have them complain that 'web pages didn't look the same' (which wasn't true, just the browser looked different... but they considered it a change in the look of the webpages themselves) and switch back to IE... To which my response was "No more support if it crashes, I'm only supporting the hardware". But I can see sitting them in front of a Mac... "I can't find anything! Webpages don't look the same! Give em back my PC!"

      --
      we are all invisible unless we choose otherwise
    4. Re:The Fear by arete · · Score: 1

      What kind of a neighborhood is this? Conventional door locks are SO easy to break into, or just push hard on, or use a tiny crowbar on, that I've repeatedly been advised to expect that anyone who wants to break into your house just will...

      Unless these were like a bunch of kids or something.

      --
      Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
    5. Re:The Fear by Virgil+Tibbs · · Score: 1
      show them the scary stuff

      show them a computer getting totally pwned by some spyware in real time

      that usually makes people shit themselves

      ie:

      i click this box saying yes and if we look here within 4 minutes its on a bot network spamming everyone

      --
      www.tdobson.net #### Dare to Dream #### blog.tdobson.net
    6. Re:The Fear by toddestan · · Score: 1

      OSX won't help with things like phishing, fake websites, weak passwords. And I would still say you should teach them about malware with OSX, otherwise when it starts showing up, they'll get burned just like on Windows. If you're going to give them something and hopefully not have to worry about it for a while, yeah - OSX would be better. But if you're going to teach them properly, they should be able to manage Windows just as easy.

  32. Revenge by Esion+Modnar · · Score: 1
    They won't listen. This is for all the times they told you to ride your bike with a helmet and you ignored them. Or they told you not to climb that really tall tree, and you ignored them. Or "don't play with the illegal fireworks!" ...and you ignored them.

    Just consider yourself lucky they don't go around naked.

    --

    They say the first thing to go is your penis. Well, it's either that or your brain. I forget which...
  33. I'm in your shoes by zcubed · · Score: 1

    My in-laws would click on an email that read "Don't click this or all your data will be GONE!" They willy-nilly click on anything that pops up or they get in email. I think my father-in-law will subscribe to anything. Now they are complaining about the amount of spam they are getting. Here is what you do: 1. Ghost the machine after you have to reinstall everything. 2. re-image the computer when the worst happens. 3. hand them a hanky to wipe up the tears after they learn all their data is gone. 4. repeat from step 2 each time disaster hits.

  34. What's the need for logging off by Bromskloss · · Score: 1

    ...when you're at home, if that's what you are talking about?

    --
    Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
  35. I've got an idea - last ditch effort... by no_pets · · Score: 1

    I've been wondering the same thing. I've just about given up on this topic with my family. But, I just got a great idea. I'm going to email them a link to this topic on /.

    It can't hurt.

    --
    "A government is a body of people, usually notably ungoverned." - Shepard Book Quoting Malcolm Reynolds
    1. Re:I've got an idea - last ditch effort... by mcpkaaos · · Score: 1

      Are you trying to convince them to stop using computers altogether?

      --
      It goes from God, to Jerry, to me.
    2. Re:I've got an idea - last ditch effort... by no_pets · · Score: 1

      That is the plan. :-)

      --
      "A government is a body of people, usually notably ungoverned." - Shepard Book Quoting Malcolm Reynolds
  36. Best site by Cr33pybusguy · · Score: 1

    Get them to read Paperghost's security blog, Vitalsecurity.org; it's written in plain and often humorous English.

    --
    Hee Hee The drinking bird does all the work!
  37. Ultimatum by Wiseleo · · Score: 3, Interesting

    Hi Mom,

    My clients are required to be at a certain level of security before they are eligible for our unlimited support plan. Until that point is reached, hourly billing is used. The reason for that is because it takes a lot of effort to keep their systems running smoothly at that point, so it's not profitable for us to keep them on the unlimited support plan.

    You are enjoying unlimited no-charge support from me, but it takes away from our time to talk with each other. Wouldn't you rather talk to me about stuff other than work when I come to visit you? If so, please follow these simple guidelines and don't install any software unless you call me first.

    Thank you Mom :-)

    --
    Leonid S. Knyshov
    Find me on Quora :)
    1. Re:Ultimatum by Caesar+Tjalbo · · Score: 1

      My mom prefers to talk to me when I'm concentrating on something on the computer. She isn't interested in replies but does demand I answer her questions. Moms...

      --
      "I'm not much interested in interoperability. I want substitutability. I want to be able to throw your software out."
  38. Why should log off in your own home? by Vellmont · · Score: 1

    Listen, if you really can't trust your family members to the totally boring, non-sensitive information available on the average adult's computer, you've got a lot more problems than security. Exactly what do you think you're protecting when you tell them to log off the PC when not in use?

    I never log off my own computer in my home. Why? Because I trust the people I live with, and I really don't have anything on the PC that's worth protecting anyway.

    Your parents are right. Why should they log off? Why should they not be able to login AT THE CONSOLE without a password? If anyone needs educating on basic security and vulnerability, it's you. EVERYONE is willing to sacrifice security for convenience. That's actually a basic guiding principle of security. There's always a tradeoff between access and security. Often times access means convenience.

    The thing you need to protect from is your computer being compromised from the outside by someone intent on using it for a botnet. That's really the only value that your PC has outside of physically stealing it. That means using anti-virus software, getting email filtered for viruses, keeping up on windows updates, using firefox instead of IE, and implementing WPA security. None of those things really interfere with anyone's usage of the computer, so they shouldn't have any objections.

    --
    AccountKiller
    1. Re:Why should log off in your own home? by kin_korn_karn · · Score: 0

      >> The thing you need to protect from is your computer being compromised from the outside by someone intent on using it for a botnet. That's really the only value that your PC has outside of physically stealing it. That means using anti-virus software, getting email filtered for viruses, keeping up on windows updates, using firefox instead of IE, and implementing WPA security. None of those things really interfere with anyone's usage of the computer, so they shouldn't have any objections.

      That's exactly what I worry about with them. Leaving it logged in like they do leaves it open to exploits. And I'm not talking about logging out every time you go to the bathroom or eat dinner - They leave it logged in literally all the time and leave it on 24/7. It's just asking for trouble.

      Some asshole above said something about me being paranoid about "ninjas breaking in and stealing their data." Not hardly. But having an admin user logged into a machine 24/7 is, by default, a security hole, that needs to be fixed.

      Even a lot of their non-security issues would be solved by separate user accounts, so that they could have individual bookmarks, email client configs, etc.

    2. Re:Why should log off in your own home? by Vellmont · · Score: 1


      >> That's exactly what I worry about with them. Leaving it logged in like they do leaves it open to exploits. And I'm not talking about logging out every time you go to the bathroom or eat dinner - They leave it logged in literally all the time and leave it on 24/7. It's just asking for trouble.

      Please explain why being logged on makes them "open to exploits"?

      There's really very little extra running on the computer that makes the computer more vulnerable. The only thing "bad" about being logged in even as administrator is someone can walk up to the computer and do whatever they like with it. That's generally not a problem in a household.

      Being logged in isn't magical. The same services are generally running whether you're logged in or not. The "security hole" comes when someone sits down and starts browsing the web with an unpatched browser, downloads trojans and viruses from email, etc.

      You clearly need to learn more yourself about security before you go lecturing other people about it. You obviously have a limited knowledge of it, and think you're an "expert" because you know more than anyone in your family. That's generally a bad way to gauge your knowledge of any topic.

      --
      AccountKiller
    3. Re:Why should log off in your own home? by Anonymous Coward · · Score: 0

      Reality check.

      If their computer is online for 15 minutes, it probably got attacked by something. There is no significant difference in risk whether that computer is on 24/7 or 5 hours a week. Either things are set up for them to survive basic attacks or not. If it is set up, then it is OK for them to stay logged in. If not, then all that turning the computer off does is limit how useful it is to the asshat who successfully adds their PC to his botnet.

      Seriously, your #1 priority is making sure they have proper firewalls set up. Then probably regular security updates. After that the next biggest item is user education about not installing random software. Keeping the computer off unless it is in use is really far down the list. Far enough down that I wouldn't suggest making a point of it.

    4. Re:Why should log off in your own home? by Anonymous Coward · · Score: 0

      They may never respond to the "log off when you're not there" arguments, so be prepared to hit them with another one. My favorite is money: "Say Dad, do you REALLY like writing out those big checks for the power bill every month? Remember when you kept telling me to turn out the lights when I wasn't in the room? Guess what you're doing right now? I'm sure the power company thanks you."

      When he trots out the line about "I heard that turning the computer on and off all the time wears out the computer faster," I explain that the parts do wear out, in about 5-8 years. Leaving the computer on all the time puts wear and tear on motors and fans - they'll wear out too, in about 5-8 years. In the meantime, he's still paying the power company for something he's not even using all the time. The rule of thumb I suggested to him: "If you're coming back in a couple of minutes, fine. If you'll be back in a couple of hours, turn it off."

      Funny how fast that got him to change his ways. Viruses, joke spam emails, things like that were a little harder. But logging off? Simple.

    5. Re:Why should log off in your own home? by ydrol · · Score: 1
      >> That's exactly what I worry about with them. Leaving it logged in like they do leaves it open to exploits

      Makes no difference whether they are on for 20 minutes, 2 hours, or 2 days. 'Duration' is not a security technique. Unprotected Windows machines get owned in 20 minutes. Protected ones don't get owned at all (without the end user helping). Buy them a NAT router.
    6. Re:Why should log off in your own home? by Sigma+7 · · Score: 1
      >> That's exactly what I worry about with them. Leaving it logged in like they do leaves it open to exploits. And I'm not talking about logging out every time you go to the bathroom or eat dinner - They leave it logged in literally all the time and leave it on 24/7. It's just asking for trouble.


      If an exploit requires a user to be logged in, that means there's physical access to the computer. Grab and run.

      If an exploit requires a specific app to be running, then disable that app (or otherwise configure the app so that it doesn't even receive strange requests.) AIM/MSN may be one such app, and it can be configured server-side to block everyone who is not a friend from sending you messages. Alternatively, get a 3rd-party client, provided you aren't using a messenger service that explicitly intends to lock out such clients.

      If an exploit requires net access... get a firewall. A stock WXP firewall is "good enough", even if it is disabled - if you want more protection, get a NAT, firewall, or IDS. Which reminds me - I should check my notebook since I forgot about disabling the firewall in order to get windows file sharing to work.
  39. Have them get Macs by captainjaroslav · · Score: 1

    Even if you buy into the ridiculous notion that a Mac isn't a "serious" computer, it's a great machine for anybody's parents to get. What do they do? Email, the Web, balance their checkbook maybe? I'm the help desk in my family and it's a relative breeze compared to what it would be if they had Windows machines and, most importantly, I don't have to worry about any of the sneakier security stuff. I still have to remind them not to send their bank account numbers to that Nigerian guy, but, hey, whaddaya gonna do?

    --
    I'm just sayin'.
  40. The Swamp of "Simple Security" by twitter · · Score: 1

    You are asking for the impossible, as long as you keep them on M$. There is no end of effort required, as the last six years of "security is job #1" have shown, and none of it is easy to explain. When your parents lose data they care about, it won't be their fault, it will be yours for not moving them. It is indeed only a matter of time before their computer is malwared out. It is much easier to move them to Mepis, Ubuntu, Fedora or Debian, than it is to explain all of the easy to do things they should not do that won't matter in the end anyway. Microsoft's operating systems are so flawed that no amount of user inconvenience will fix it. It's better to offer them software that's designed well to begin with.

    --

    Friends don't help friends install M$ junk.

    1. Re:The Swamp of "Simple Security" by Anonymous Coward · · Score: 0
      twitter, please read this carefully. Following this advice will make Slashdot a better place for everyone, including yourself.

      • As a representative of the Linux community, participate in mailing list and newsgroup discussions in a professional manner. Refrain from name-calling and use of vulgar language. Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer. Your words will either enhance or degrade the image the reader has of the Linux community.
      • Avoid hyperbole and unsubstantiated claims at all costs. It's unprofessional and will result in unproductive discussions.
      • A thoughtful, well-reasoned response to a posting will not only provide insight for your readers, but will also increase their respect for your knowledge and abilities.
      • Don't bite if offered flame-bait. Too many threads degenerate into a "My O/S is better than your O/S" argument. Let's accurately describe the capabilities of Linux and leave it at that.
      • Always remember that if you insult or are disrespectful to someone, their negative experience may be shared with many others. If you do offend someone, please try to make amends.
      • Focus on what Linux has to offer. There is no need to bash the competition. Linux is a good, solid product that stands on its own.
      • Respect the use of other operating systems. While Linux is a wonderful platform, it does not meet everyone's needs.
      • Refer to another product by its proper name. There's nothing to be gained by attempting to ridicule a company or its products by using "creative spelling". If we expect respect for Linux, we must respect other products.
      • Give credit where credit is due. Linux is just the kernel. Without the efforts of people involved with the GNU project, MIT, Berkeley and others too numerous to mention, the Linux kernel would not be very useful to most people.
      • Don't insist that Linux is the only answer for a particular application. Just as the Linux community cherishes the freedom that Linux provides them, Linux only solutions would deprive others of their freedom.
      • There will be cases where Linux is not the answer. Be the first to recognize this and offer another solution.

      From http://www.ibiblio.org/pub/linux/docs/HOWTO/Advocacy

  41. Newbies guide to Windoze security by llZENll · · Score: 1

    In order of importance

    1) Buy a hardware firewall, they are like $20 bucks these days
    2) Buy a USB flash or hard disk and setup an automatic backup to it of their files every day
    3) Ensure automatic updates are on and working
    4) Disable automatic preview in Outlook or upgrade to Outlook 2003+

    Optional:
    1) Disable windows firewall and install ZoneAlarm and AdAware
    2) Block myspace.com with host file
    3) Create user limited account and make them use it, although this is probably going to cause you more headaches than it's worth since you can't install anything.

    Unless you have unknown people with physical access to your computer, logging off isn't really going to do anything.

    1. Re:Newbies guide to Windoze security by thebes · · Score: 1

      Except that step 2 only works if they actually disconnect the hard drive or flash drive from the computer each time. Otherwise the backup data is just as easily wiped as the original data.

    2. Re:Newbies guide to Windoze security by Marxist+Hacker+42 · · Score: 1

      Except that few viruses go beyond HardDisk1 for wiping data. Why should they, as long as they hit the boot drive?

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    3. Re:Newbies guide to Windoze security by Shadow99_1 · · Score: 1

      Optional #3 is more problematic than you think... At least if you are doing this on a Windows Home (or Pro machine not on a windows domain network). Why? Because a limited account in windows per SP2 can't even access the CD drive(s)... I went to do this for my SO's computer so her son could have a limited account to play his games on... But the limited user account can't even access the stupid CD drive to let him get by the disc in CD issue all games have these days... God save us from the people stealing copies of Ispy for kids to play on a PC after all... Anyways that one won't work unless you're setting up a server using active directory to customize things so they would have access...

      --
      we are all invisible unless we choose otherwise
    4. Re:Newbies guide to Windoze security by thebes · · Score: 1

      Except that is the very reason why viruses WOULD go past the boot drive. Security by obscurity doesn't work, remember?

    5. Re:Newbies guide to Windoze security by Sigma+7 · · Score: 1
      >> But the limited user account can't even access the stupid CD drive to let him get by the disc in CD issue all games have these days...


      Works for me. Perhaps you were running an application that wasn't designed for Windows XP, including those that use such legacy copy-protection systems?

      Try a NO-CD crack on whatever software is affected. If it's old enough that it can't run from a LUA, it's old enough that it should have a NO-CD crack running around on the Internet several times over.
    6. Re:Newbies guide to Windoze security by toddestan · · Score: 1

      What about the ones that do? They exist - just a couple of weeks ago Apple got burned by one that specifically targeted USB hard disks. Probably the best solution would be automatic incremental backups over the network to something like your home server for things like their documents (likely only to be a few MB at most), plus teaching them to burn a CD of their photos every couple of weeks and storing the CDs away from the computer if they have a digital camera.

  42. don't give them root! by arachnoprobe · · Score: 1

    My parents don't know their admin/root password. They are logged in as "normal" users, own home directory, address book, ... - if something has to be changed, they will call me anyway!

  43. Trust by y00ch · · Score: 1

    If you can't trust your own family then something is horribly wrong. I don't give a damn about what my sister or mom sees. It's all love baby.

    1. Re:Trust by Anonymous Coward · · Score: 0

      Amen to that!

    2. Re:Trust by alienmole · · Score: 1
      If you can't trust your own family then something is horribly wrong. I don't give a damn about what my sister or mom sees. It's all love baby.
      Exactly what kind of pr0n are you downloading?
  44. What about ... by Anonymous Coward · · Score: 0

    I have had this problem with my father. The silly part is he spent a lifetime in
    the intelligence and security game. He has at times seemed almost smug in
    turning down advice. I did finally get through to a degree, but it is not a complete
    solution.

    One thing I think would be helpful would be older voices giving the same advice.
    The kid or the youngster (Note my father is in his 80's) does not get the same
    credence as another old fart giving advice.

    Get enough of the informed older generation being a bit militant about security
    and I suspect the non-adopters will pay attention.

  45. Make them use Unix... by mi · · Score: 1

    Linux, BSD, Solaris... Whichever is your own poison.

    Sure, there is "learning curve", but it is no steeper, than with Windows or anything else. All they are using is web-browser and e-mail (likely — through the browser), so they would not even notice...

    Of course, this is not going to remove all threats, but it will severely diminish them.

    And you'll be able to help them remotely...

    --
    In Soviet Washington the swamp drains you.
    1. Re:Make them use Unix... by Anonymous Coward · · Score: 0

      About your sig: GWB is Chavez with nukes.

      Oh, and yes, the learning curve for Solaris, Linux, and BSD *is* steeper, for one reason: Hardware and drivers. I'd just get them a Mac and be done with it - no hardware issues.

  46. Break in. by Anonymous Coward · · Score: 0

    You can talk all you want, but I've had this problem with a family member too. There is a common expression: "There are two types of users: Those who back up regularly, and those who have never had a major loss of data." The same holds true for security. They aren't going to worry about viruses until after their first work-preventing infection (If the virus just slows the system to a crawl, they will assume that is normal and won't realise they are infected). They won't worry about spyware until it makes their system unusable. They won't back up until their data is lost.

    I have, at times, had to stage minor incidents to draw attention to security or backup procedures. It is better to have a problem you are in control of than wait for the real thing. Give them some adware, for example - the most obnoxious you can find. Set their homepage to a porn site and make it launch on startup, and every ten minutes after. Peg their processor usage at 100%. Put in a program that delays their startup by five minutes. Fill all but two meg of their drive. Whatever you want.

    Then, you just need to put on a display of 'I told you so!' and be the hero who rescues their data and fixes the machine.

  47. Re:Dude. Get real. by QuasiEvil · · Score: 1

    Pretty sure it's pirates, not ninjas. I hear them downstairs right now.

  48. Re:infect their machine by Anonymous Coward · · Score: 0

    Why is this a troll? Sounds perfectly logical, I wouldn't tell them that you did it, though. While "repairing" it make sure to take an extra long time, such as a few extra days or a week or so.

  49. Security is Partially a Usability Issue by 99BottlesOfBeerInMyF · · Score: 1

    I think maybe you need to really find hard facts on the risks, before you try convincing them of what those risks are. You might be very surprised. The sad truth is if a security measure makes things harder to use, that measure will often become a security liability. Force people to change their passwords every week and they post them on stickies on their monitors. You can't ignore the user as part of a security solution and only you know your users. You can change your users with education, but only a very small amount. Contrary to what many publications teach security and ease of use are not polar opposites. You can take steps to make things easier to use and at the same time more secure.

    Depending on the tasks those you support want to accomplish and the real risks, you need to figure out how to make those things easy to do with relative security.

  50. Part of the problem is inconvenience. by Futurepower(R) · · Score: 1

    The problem of users not cooperating with security rules is largely a social problem, not a technical one, and needs social investigation.

    We found that one of the biggest reasons people don't cooperate is that it takes too long to report problems, and they don't want the inconvenience.

    We wrote a program that sends a screen copy to us by email when the user presses Windows_Key-F11. That makes it easy to get users to report problems that show some evidence on the screen.

    If it is easy to report problems, the feeling of cooperation grows and eventually users learn that cooperation benefits them. Online bug reporting software helps, too.

    --
    George W. Bush comedy videos

  51. Re: "Security Breach Dry Run" by TaoPhoenix · · Score: 1

    Mod Parent Up. This is exactly what I thought of, but of course I wasn't FP.

    Depending upon your "type of parent", just blame it on some random unknown hacker. Or if you pick the "It was me" approach, you add "and I'm just an amateur. The professional Black Hats could run circles around me."

    On a different level though, this is the discussion of the Age of Terror. "How exhausted do I want to be following security procedures compared to the risk of real damage?" For example, if you wanted the same effect as logging off, what if you just shut down the net connectivity, and told them "you have to double click this to get back on the net".

    I would look for an 80-20 compromise that ALMOST protects them with the best value per minute ratio, and then hope for the best.

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  52. Maybe begin with the users' needs, not yours? by rueger · · Score: 1

    Rather than trying to bludgeon your family into compliance, why not work on finding a security solution that works with them not in spite of them?

    One of the biggest obstacles to educating users is the attitude that they are all stupid or lazy, and there is only one solution to security even if it doesn't fit their needs.

  53. Don't break a neck by megaditto · · Score: 1

    ... getting off that high horse of yours.

    just simple measures like logging off of the PC when it's not in use.

    If you have intruders in your house, the least of your concerns is them reading your email.

    Call me a troll, but isn't this why WinXP/MacOS cost $100/copy, so that those without technical acumen (i.e. most users) are still able to use computers productively, but without shooting themselves in the foot and/or spending days rtfming *NIX man files for xdm, ipfw, sshd, or whatever.

    --
    Obama likes poor people so much, he wants to make more of them.
  54. Hmmm.. book by fury88 · · Score: 1

    Interesting. For several years now I wanted to write Internet Security for Dummies. I guess there really IS a need for this book. You think I am kidding, too.

    1. Re:Hmmm.. book by Keaster · · Score: 1

      I agree, now go write it. i cantype for S**t.

  55. Try and understand their view of the world by storm_guardian · · Score: 1

    I suspect your problem is that you're trying to communicate to them based on your view of the world. If they are like most of us, they regard their home as a safe haven, and they shouldn't need to lock up things within their home. And, they probably don't visualize the Internet as the bad part of town where you always lock all doors and windows. And if they're like most of us, they don't read/understand anything that looks like an instruction manual.

    So try and get behaviours based on their view of the world. As an example, instead of asking them to log off the PC, suggest that they turn it off to save electricity. The effect is almost the same.

    Similarly, when there's an article about identity theft in the local paper, you can use that as a lead-in to discuss unsafe web surfing practices.

    Another approach is to make them individual accounts and then customize each account based on their individual interests, so they get in the habit of switching accounts, but, be warned, they may end up both using one account, particularly if they share an email address.

    Finally, you can help them out by making sure they have a safe configuration:-
    - a proper firewall setup between their computer and the rest of the world
    - you can force them to use a password to login - just apply it and blame a Microsoft security update.
    - disable the caching of passwords and remembering stuff for input forms - of course they'll just write down the passwords on yellow sticky notes
    - take away admin rights from the default account and make the admin account boring/difficult to use so even if they have the password they'll stick in the non-admin account.

  56. Re:"I know nothing" but free/open source software by Marcion · · Score: 1

    I somehow became the free IT support for family, friends, friends of my family, family of my friends, friends of the family of my friends, and so on.

    At one point I just had enough of corrupted registries, malware and those stupid IE toolbars, not to mention people asking me for pirated software (I am a committed Christian and do not want to break the laws of the land).

    From then on I said that I only support free/open source software and that if they wanted support then they must install Linux. Anybody that complains gets a lecture about free software until they give up.

    Some family moved to Linux, others stopped asking. Balance has been restored.

  57. Security and Parents -- lost cause by Rodness · · Score: 1

    I've given up trying to educate my parents. It's easier to take a few simple precautions and not explain.

    1) Get a hardware firewall/NAT router. This is a given if they have multiple machines, but for even one machine the hardware firewall protects against most active inbound attacks.

    2) Set them up with Firefox and remove all program shortcuts to IE. (Or at least hide them real good.) Ditto for Thunderbird and Outlook [Express] respectively.

    3) Windows needs to be configured to automatically apply updates and reboot without user intervention.

    4) Set up an antivirus/antispyware program configured to do (at least) weekly checks and automatically nuke anything it finds without asking for approval. Also have it configured to update automatically.

    5) When the system does develop a problem due to "unauthorized" downloading, tell your parents how busy you are and how it'll be a few days before you can come over (or upstairs) and fix it. I find that keeping my parents afraid of inconvenience works better than trying to keep them afraid of making me angry (because no matter how much I yell, it doesn't matter). When they can't get their shit done, and they can't blame anyone else, they learn to think before they act.

    My parents live on the East Coast and I live on the West Coast, so getting over to their place to fix their computer is a logistical nightmare. If they hose it to a point where I can't fix it via Remote Assistance, then they're fucked until I can find time to fly out there and fix it (generally not a high scheduling priority), or convince one of my friends back home to do it. (My friends are rarely willing, they have their own parental nightmares to deal with.) So the best solution to making them think before they act is to make them afraid of the downtime.

    1. Re:Security and Parents -- lost cause by maetenloch · · Score: 1

      Damn I wish I had mod points for you - I was just about to post the same suggestions.

      I doubt the poster's parents are going to change, so why fight a battle you can't win. Just build as much security into the hardware and system settings as you can and have them update automatically. I would also suggest adding another hard drive to be used solely for backups, and have the backups happen automatically every week. Unless his parents are suicidal, this should keep them pretty safe and limit the amount of damage in case they do get hit. Life is too short to be angry at your parents over a few files on a disk.

  58. replace the OS by Anonymous Coward · · Score: 0

    I replaced every XP/2k machine on the home network (save for my game machine) with Macs running OS X. So far, 3 years later, I have no IT work to do aside from the occasional "repair permissions", replacing keyboards/mice, and installing software / updates as needed.

    Seriously, I keep hearing all this, "Mac users should prepare for viruses, etc" crap, but I've at least squeezed a 3yr vacation out of the conversion, and that alone was worth the money :) After all, family IT directors don't get paid.

  59. A complete guide to computer security: by Mad+Merlin · · Score: 1
    1. Unplug all cables from your computer(s) and don't plug them back in.

    This applies to both technical and non-technical users.

  60. 1 pwned y0ur par3nt'5 puter by mnemotronic · · Score: 1

    I have installed an omnimorphic macro trojan key logger virus daemon on your parent's computer. It will add 47 strokes to your dad's golf score and change his Viagra prescription to aspirin. It will modify your mom's recipes so that everything tastes like Chef Boy R/D. It will call the White House and make silly noises. It will break into the state's electronic voting machines and submit 67 million votes against Social Security and Medicaid reform. It will send insulting email and bjornographic spam to everyone on your parent's email list. It will attack the Vatican web site with the pink-of-doom. Woe unto those who fear not the evil juan.

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
  61. Re:yeah, you have better things to do with your ti by Professor_UNIX · · Score: 1
    buy them Macs and quit worrying. I took the easy way out w/some old tangerine iMacs, a couple new Minis, and a family pack of Tiger.
    I tried to do that with my mother but she refuses to switch from her PC and instead prefers to call me and complain every time her computer is broken. Apparently Macs don't have any sort of voice chat functionality for the Yahoo Messenger client and they don't support something called Paltalk. I don't know why she does it, but she always goes out of her way to pick the most obscure piece of shit programs she can find and use that as justification for why she HAS to run Windows or her life is over. She's retired, disabled, and has nothing to do all day but play on the computer so I don't push the point anymore. I just accept the fact that every month or so I have to visit her and fix her computer. It's really a drag on my life since I have a family of my own to worry about and frankly couldn't give a shit whether her computer works or not. I would have easily bought her a Mac Mini if she would have taken it, but alas, no... Yahoo Messenger on her old piece of shit Windows box is more important.
  62. You're trying to solve the wrong problem... by Vellmont · · Score: 4, Insightful

    You seem to think that your problem is that your parents aren't technical enough to understand the threat. Your solution is to get them up to a similar level of expertise that you're at. That's simply foolish.

    The problem is you aren't communicating effectively, or your parents aren't willing to listen. I don't need to understand the reasons WHY I should change my oil in my car every 3-6 months to do it. I only need to trust that if I don't, my car will suffer. Mechanics don't give out chemical assays of oil, results of wear tests, or the breakdown of acid-inhibitors etc to convince people to change oil, they rely on communication and reputation. "Bill's a good mechanic, he always knows what's wrong with my car. If he says to change my oil every 3 months, he's probably right". The world is too complex to try to learn EVERYTHING.

    Maybe your problem is you don't really understand security yourself, so you can't explain it properly. Telling people to log off their own computer in their own household really adds no security from viruses, worms, etc. If you try to make this argument to your parents, you're just going to sound like you're (as another poster put it) "batshit insane". This destroys any credibility you have, and any sane advice like keeping up on updates, installing hardware firewalls, etc goes out the window.

    So, you need to work on your communication skills, not try to get your parents to have the same amount of knowledge you do.

    --
    AccountKiller
    1. Re:You're trying to solve the wrong problem... by GWBasic · · Score: 1
      Maybe your problem is you don't really understand security yourself, so you can't explain it properly. Telling people to log off their own computer in their own household really adds no security from viruses, worms, etc. If you try to make this argument to your parents, you're just going to sound like you're (as another poster put it) "batshit insane". This destroys any credibility you have, and any sane advice like keeping up on updates, installing hardware firewalls, etc goes out the window.

      I've only encouraged domestic use of passwords in two situations, as follows:

      • Childproofing: I suggested to my father that he use a simple screensaver password like 123 to prevent my 4-year-old nephew from screwing up the computer. Heck, I told him to write it on a yellow sticky so that my mother would know the password.
      • Drunkproofing: Back in college we used to put a password on the DJ's computer at parties so drunks wouldn't screw up the playlist.
  63. Analogies by Captain+Spam · · Score: 3, Insightful

    One major problem is that many non-technical people try whatever is humanly possible to relate technical scenarios to "real-world" analogies. This goes for computer security, too; As other posters have mentioned, they try to line it up with their house in the neighborhood, and all too often come up with the line, "Well, why would they attack ME? I don't have anything valuable!". This, to them, equates with security. I should know, I've had that pulled on me before.

    And this may be the problem you're experiencing. Try explaining that, in many cases, the computer itself is what "they" want (botnets, zombies, etc). Problem being, you'd be forced to come up with a real-world analogy for it. "It's like if someone could break into this house undetected, loaf around and steal food regularly, take your credit cards and use them freely, then start prank-calling the neighbors and blaming it on you, and everybody thought it WAS you."

    The whole issue of a Windows machine being broken into in 15 minutes of a fresh install is even more difficult to put in non-technical terms. "Imagine there was an army of zombies [or robots, or people] roaming the neighborhood. They're going around trying everyone's front door to see if it's locked, and if it isn't, they walk right in and take over the place. Sometimes they try to pick the locks. They don't care if anyone calls the cops on them, there's far more of them than there are cops. And they don't care how long it takes, there's enough of them to try each and every door. And they don't talk to each other, so they'll keep trying the same doors over and over with different lockpicks. And each house they take over produces more zombies [or robots, or people]."

    Now, both of those would just be absurd to a non-techie, to say the least. So what I'm saying is that you need to try to draw analogies they can understand but don't sound ridiculous. You can provide documentation to back up your claims, but you'll need to convince them to read said documentation first, and that's where your creative storytelling skills come in.

    Just my two units of fractional currency.

    --
    Demanding constant attention will only lead to attention.
  64. What does staying logged in have to do with it? by wsanders · · Score: 3, Insightful

    I stay logged in all the time. The only way someone is going to hack my system because of that is if they break into my house. If they break into my house (and survive) the stuff they get off any computer is the least of my worries.

    Even if my computer is turned off, and they run away with the hardware, it doesn't take much skill to recover data off it. If you have physical access to the device, you can read it, regardless of the OS.

    Which is why you need to use an encrypting file system.

    --
    Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
    1. Re:What does staying logged in have to do with it? by ydrol · · Score: 1
      Which is why you need to use an encrypting file system.
      I keep all my good shit in a OpenOffice Writer document with a strong password. That way I can move it around, between OS's, email it etc. No need to encrypt everything..
    2. Re:What does staying logged in have to do with it? by Anonymous Coward · · Score: 0

      > I stay logged in all the time.

      I do too. But I use xscreensaver on auto-lock.

      My kids (toddlers) love to play with computers. My son was crashing X-windows before he could walk!

  65. Oh Please by PenGun · · Score: 0, Flamebait

    Just give em' a nice linux install, I recommend Slackware, set up KDE or whatever, a couple of user accounts and show em' how to log on.

      That's just the set up. Now you can leave the machines on forever and your poor parents logged in forever. All problems solved.

        PenGun
      Do What Now ??? ... Standards and Practices !

  66. Demonstration by JWSmythe · · Score: 2, Interesting

    I've had some good success through demonstration, and letting them make mistakes.

        My girlfriend is pretty good with her computer. She made mistakes before I met her, and learned from them.

        Her son has his own computer, and had made mistakes himself. With some stupid online game, someone got into his account, and messed it all up. His password was his own first name. I showed him some password scanning utilities, and explained how they work. I then described for him what a "good" password is.

        He then asked me "Can you hack their account, and mess it up?" I told him that I could, but I won't. Could I? Maybe. Maybe they were just as stupid themselves, and used easy passwords. Maybe if I looked around enough, there was something exploitable on the site. I wouldn't though, to teach him that revenge doesn't solve anything.

        I've shown both of them the joys of packet sniffing. While most of it was over their heads, showing them their own password was useful. "Look, I'm a hacker, and I can see everything you've done. To avoid me doing this, you should .... "

        Honestly, the best way I've found to protect myself is to learn what the bad guys are doing, and solve the problem. You have to teach them what the problems are, and how to protect themselves.

        It's usually better to teach someone yourself. You can judge if they are absorbing the information, instead of letting them skim over the pages that are greek to them. "Password security? Ya, I have a password. It's 1234."

        I've seen so many people in office environments who are just told "don't do this", but they don't understand why, so they'll still make mistakes. How many zombie machines are out there on the Internet right now, because people didn't understand what not to do and why?

        Be Mr. Evil Hacker for a while. Mess with them. Tell them exactly what you did, and how to fix it. If you keep messing with them, it's very likely they won't keep making the same mistakes. There's no need to do anything particularly damaging. More than likely, they'll do it on their own. :)

        In the last couple years, I've reinstalled Windows on my XP workstation three or four times, from using bad practices. It's my own dumb fault for doing things that I know I probably shouldn't be doing. Of course, I'm doing them to see how they work. :) Neither my girlfriend's machine, nor her son's machine have had anything bad happen to them. I've even broken my Linux box, from doing very ill advised things. Doing it once gives me the experience of "what happens if....?", so I can help other people later. For me, I don't really care if I completely hose an OS installation. I'll wipe it out and reinstall. I always have another machine that I can use. :)

    --
    Serious? Seriousness is well above my pay grade.
    1. Re:Demonstration by Anonymous Coward · · Score: 0
      It's usually better to teach someone yourself. You can judge if they are absorbing the information, instead of letting them skim over the pages that are greek to them. "Password security? Ya, I have a password. It's 1234."

      Amazing! I have the same combination on my luggage!
    2. Re:Demonstration by RAMMS+EIN · · Score: 1

      ``I've had some good success through demonstration, and letting them make mistakes.''

      You know, maybe you can help out the rest of us and write a bunch of viruses that actually annoy infected users. E.g. pop up dialogs that say "your computer has been infected, this is what you should do" and that don't go away for a number of seconds; viruses that sniff people's email passwords and email it to them, along with explanations and instructions, viruses that mess up their web access "Your web access doesn't work, because your computer isn't properly secured, yada yada".

      --
      Please correct me if I got my facts wrong.
    3. Re:Demonstration by JWSmythe · · Score: 1


          I would, but I don't write viruses. :) I don't code much for Windows, unless I really have to.

          There's enough malware floating around as it is. It'll bugger up their computers enough that they'll ask me the how's and why's, and they get to watch me fix it.

      --
      Serious? Seriousness is well above my pay grade.
  67. Here's how I scare people straight... by zero1101 · · Score: 2, Informative

    And it is often the only way. Get ahold of a spyware-infected machine, and download the file to which it's logging all its stolen data, then show it to your parents. (You'd be surprised how easy this is most of the time...also you can score some free Myspace accounts this way.) Maximum scare points apply if their PC is already infected and you can show them their personal data in the file. Watch how fast they change their passwords and lock down their PC!

    1. Re:Here's how I scare people straight... by the.house · · Score: 1

      And that boys and girls is how Viagra is made...

    2. Re:Here's how I scare people straight... by Anonymous Coward · · Score: 0

      Gee, I'd say that was a great strategy, but back in June people were arguing that if you report vulnerabilities to the vulnerable, you should become prime-suspect #1. I personally hope more people have your attitude.

  68. Install an AV suite and pw protect it by winkydink · · Score: 1

    After that, they're on their own.

    Why on earth would your parents need to log off of their personal machines when not in use? Do they take in boarders or something?

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  69. Re:"I know nothing" but free/open source software by WhiteWolf666 · · Score: 1

    Hear Hear!

    I've done the _exact_ same thing. Existing people are grandfathered in, but from (2 years ago) onwards; if you want computer support from me, you buy a Mac, or install Linux.

    Period.

    I do not fix IE problems anymore. I do not deal with spyware. I do not do reinstalls.
    I can potentially be persuaded to do data recovery, but then I'll get the data you want, and put it on a CD or DVD. No Windows reinstall.

    Ever.

    --
    WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
  70. Re:yeah, you have better things to do with your ti by Hellken242 · · Score: 0

    Hmmm...you have to go visit your old, retired, disabled, super bored mother every month? I'm sure she is really really interested in getting a computer that stops you from visiting her.

  71. You just have to scare 'em by davewill · · Score: 1

    This couldn't be simpler. Hack into their machines yourself and place some really scary/offensive image as their wallpaper. Maybe erase some essential file from their most necessary program. After you come over to fix it, explain that you discovered their machine was being used to hack into the Pentagon. Tell them not to worry if the FBI shows up, because they didn't really do anything wrong, just answer the questions as best they can.

    From that point on, any security suggestion you make should go down smooth.

    --
    Dave Williams
  72. Re:yeah, you have better things to do with your ti by bullok · · Score: 1

    How about setting some boundaries? This is ridiculous. You do realize that you have options, don't you? Of course, she's not obligated to listen to you, but neither are you obligated to fix her computer if she insists on being stupid with it. Tell her if she won't listen to your advice, you can't keep fixing her PC.

    Imagine she hits her PC with a hammer, then calls you and asks you to come over and fix it. You tell her "Mom, you have to stop hitting your PC with this hammer." She says "Piss off, son, I NEED to hit it with this hammer." Would you keep fixing it then?

    On your way over to her house next time, stop at the store and get a pair of balls. It should make it easier to tell her she's on her own.

  73. Nevermind your parents, I'm wondering about YOU... by wdr1 · · Score: 4, Insightful

    I'm wondering if you actually know what you're talking about, or if you're just some pedantic idiot attempting to assert he's smarter in something to his parents. Example: ...just simple measures like logging off of the PC when it's not in use.

    WTF? Why do they need to log off their own damn computer in their own damn house? If someone breaks in and gets physical access, I'm betting that unauthorized surfing isn't their top concern. And if you think having them log off will thwart a thief from getting their data, you're crazy. If the thieves want the data, they'll get it by just stealing the drive & mounting it as a secondary drive.

    People like your parents are easy. They don't need to know about viruses & worms. You just set anti-virus to run and automatically update & have them use a mail client other than Outlook (e.g., Thunderbird or Eudora). You set up the firewall & just leave it. They don't need to know how to administer the fucking thing. Past that, you tell them basic things to avoid phishing, never install anything without asking me. That's basically what we did with my mom & no problems. There's little chance of her fucking anything up, because, by and large, she doesn't know enough to get herself into trouble. She's not going to change the config on the firewall, as she doesn't even know what the hell a firewall is.

    It's typically people with a little knowledge that are a problem. They're the ones who get themselves into trouble. And while it sounds like your parents don't fall into that category, it sounds like their son does.

    -Bill

    --
    SlashSig Karma: Excellent (mostly affected by moderatio
  74. Use Knoppix, Kanotix, Snofrix or Bestix by Anonymous Coward · · Score: 0

    Kids and old people have some things in common.
    They tend to have no clue.
    Use Knoppix, Kanotix, Snofrix or Bestix and get rid of problems.
    Give them a USB memory stick they can save their files on.
    Show them the reset button and tell them to close the machine
    to save energy when they are done.
    Give them a Gmail account and you should have minimal problems.
    And while I am at it - Get rid of funny keyboards and mice with batteries.
    Optical mouse with PS2 plug and a good keyboard with PS2 plug is what you need.
    Keep it simple. 10 to 8 year old girls operate this with ease and they keep asking for more computers. Just works.

  75. Let us try to find a parallel ... by Zero__Kelvin · · Score: 1
    The following is an edited blockquote:

    Like many of you, I am the family Car Mechanic. I cannot convince my parents to change their Oil every 6 months or 6000 miles; whichever comes first. I'm not talking about enterprise-level things such as engine overhauls and rebuilding the clutch, just simple measures like letting the car warm up for 60 seconds before taking off. They, like many people of their generation, seem to be willing to sacrifice longevity of the vehicle for convenience, as long as they don't wind up on the side of the road with an inoperable car. I can't seem to get it through to them that it's only a matter of time until [the car] are [is] left on the side of the road. Since my own arguments aren't working, I need documented proof to back it up. Can Slashdot offer up some kind of arguments or information that I can use?"

    "Does anyone know of a guide to vehicle maintenance that:

    a) Is written for a non-technical audience, but is neither condescending nor overly 'soft.'

    b) Defines the various terminology (brakes, clutch, gas, etc.) clearly.

    c) Explains what threats each maintenance measure protects the user [car owner] from.

    d) Uses cases and examples to demonstrate the before and after scenarios, like: 'Jane's car was towed via a AAA tow truck. She started looking for the proof that she didn't need to change her oil. Now, her engine looks like this: @*#(!@($).' (That's just an example, by the way) It's the content that's important not the media, so your suggestions can be anything, be it an online document, multimedia presentation, or a print book."
    I suggest you make an analogy between computers and cars.
    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  76. Get a Mac by SilentChris · · Score: 1

    Seriously, get a Mac.

    I know, that's the obvious answer. Especially coming from a Mac zealot.

    However, I'm not a Mac zealot. Far from it. I probably run in the neighborhood of 10 different OSes in my home right now.

    About a year ago, I got so sick and tired of dealing with the CONSTANT spyware my relatives were getting that I just got fed up. The kids were constantly downloading P2P apps and ruining the machine.

    Finally, I said screw it. When one of my brothers decided he needed a computer for college, I bought him an iBook G4. Didn't even ask him.

    He never noticed the difference. In fact, he never calls with a problem. It just works.

    Did the same thing with my sister, my other brother and my mom. iBook G4, MacBook Pro and iMac respectively.

    Nothing. No calls about the computer. Just works.

    Mac OS is not the best system in the world. It has its quirks, and I would never run it as a server (for example). But for plain, old regular users, like my folks, it's saved countless hours of pulling my hair out. My 2 cents.

    1. Re:Get a Mac by Bugmaster · · Score: 1

      "Get a Mac" is simply not a valid option for people who like to play games on their home computer. Sad, but true.

      --
      >|<*:=
    2. Re:Get a Mac by tuxedobob · · Score: 1

      WoW runs on Macs.

    3. Re:Get a Mac by toddestan · · Score: 1

      You really didn't solve the real problem (users of the computer doing stupid stuff), you just bought them a system that isn't targeted, so they can't screw up their system easily. Good ol' security by obscurity. What do you think will happen when malware starts showing up for OSX? What about phishing websites that'll work anywhere? Telling people to "just get a Mac" is a bandaid, and an expensive one at that. You still have to educate them about good security.

    4. Re:Get a Mac by SilentChris · · Score: 1

      Bootcamp.

      Problem solved.

    5. Re:Get a Mac by SilentChris · · Score: 1

      While I agree it's a copout and a bit of a bandaid, it really wasn't that expensive. I got my mom the cheapest iMac available. Along with a company discount, it ended up being around $900.

    6. Re:Get a Mac by Bugmaster · · Score: 1

      Aren't they still running Windows, in that case ? Come to think of it, even if they run Parallels, they'd still have the same problem.

      --
      >|<*:=
    7. Re:Get a Mac by Bugmaster · · Score: 1

      Yes, and Macs can also run Breakout... Super Breakout... Uh... Photoshop... :-)

      --
      >|<*:=
    8. Re:Get a Mac by tuxedobob · · Score: 1

      I get the reference, but still. I remember seeing a /. article saying the whole of the games industry was in a slump because people were too busy playing WoW to bother buying any new games.

      WoW is the game to play --still.

  77. Re:yeah, you have better things to do with your ti by MustardMan · · Score: 1

    AMEN! I did the exact same thing with my mom... she refused to stop installing these idiotic screensavers and games bundled with malware, so I stopped fixing her computer. She still installs idiotic screensavers bundled with malware, but now she knows better than to call me for help. I'm not about to help someone that refuses to help themself, even if it's family.

  78. Seriously - buy them an iMac. by tc120 · · Score: 1

    Everything just plain works - no extra downloads, sound boards to configure, service pack 2 to install before you plug it in to the net, no anti-virus, no spyware checker, no warnings not to click on the big blue E - oooops! - you didn't - aw, dad! - well, I guess we can re-install...the list goes on, and on, and on. Seriously, it is a no-brainer. The delta in cost will quickly pay for itself in fewer phone calls and aggravation factor. The UI's are similar enough that learning curve is not a big deal. Get them a book from David Pogue for all the little how-to's....

  79. Re:Dude. Get real. by mikehilly · · Score: 1
    Obviously you forgot that Monkeys and Robots are also a real problem....

    http://slashdot.org/pollBooth.pl?qid=1340

  80. Lemme, lemme, lemme! by DimGeo · · Score: 1

    Here, let me fix it up for you:

    Don't use a PC.

    There. Now you got it.

  81. Especially Passwords need caution (Comic inside) by Anonymous Coward · · Score: 0

    http://www.geek-happens.com/p/EN/files/passwords.html
    :)) Sorry - could not resist,

    BR,
    F.OXYGEN

  82. Re:"I know nothing" but free/open source software by philipgar · · Score: 1

    I had made the move to Linux 4 or 5 years ago, and also have used an OSX laptop for the last few years. The real beauty of this move isn't that Linux is that much easier to use (although I find it easier) but that I can use the excuse "i haven't used windows in years" when someone has a computer problem. I honestly don't know or really care how to fix those machines. It's a wonderful thing after years of being tech support for people. I still can and do on occasions fix windows issues, but I have to figure out what the hell I'm doing whenever I have to fix a problem.

    Basically my time is too valuable to be spent fixing windows computers. Most people's time is, but they don't realize it. My advice is to get a Mac. They just work, and while they may eventually start getting viruses and spyware the infection rate won't be nearly as bad, and unless the user's an idiot will be confined to one user's logon.

    Phil

  83. Re:yeah, you have better things to do with your ti by BLAG-blast · · Score: 1
    Hmmm...you have to go visit your old, retired, disabled, super bored mother every month? I'm sure she is really really interested in getting a computer that stops you from visiting her.

    But he lives at home, allow me to translate:

    "prefers to call me and complain every time her computer is broken" = shout down to the basement.
    "She's retired, disabled" = I live rent free on mum's disability allowance.
    "I have to visit her and fix her computer" = Leave basement to fix computer.
    "It's really a drag on my life" = I don't have a life.
    "I have a family of my own to worry about" = I've got an ant farm and some sea monkeys.
    "frankly couldn't give a shit whether her computer works" = I'm scared shitless of her.

    --
    M0571y H@rml355.
  84. Nail on Head. by Vellmont · · Score: 1


    I'm wondering if you actually know what you're talking about, or if you're just some pedantic idiot attempting to assert he's smarter in something to his parents. Example: ...just simple measures like logging off of the PC when it's not in use.


    Sadly, I think you're right. There's a big collection of kids out there that think PCs are just one big interface, and think they're experts because they know more than mom and dad (who know nothing). They get big egos when Mom and Dad ask THEM for help on something, so they assume they're some kind of genius. Of course they have little knowledge of what actually goes on under the hood.

    As I said in another post, measuring your knowledge by how much you know compared to people who know nothing is always a bad idea. A much better approach is to measure your knowledge based on how much you don't understand. Then you at least won't make foolish statements like telling people that the computer is more secure when they've logged off it (and not even turned off).

    --
    AccountKiller
  85. Hack someone else's computer, together by mollymoo · · Score: 1

    Sit down with your folks and go and find vulnerabilities in random PCs on the net. Find whatever the black-hat tool du jour is, test it out to find whatever options give impressive looking results and then show them how easy it is. Show them the black-hat websites, tools and forums. I'm not suggesting you actually compromise someone else's machine or do anything illegal, just that you get close enough to doing it to demonstrate how it happens. When they see how easy it is for the bad guy, they might get a more realistic view of the threat.

    --
    Chernobyl 'not a wildlife haven' - BBC News
  86. understanding, patience by Joseph_Daniel_Zukige · · Score: 1

    If you understand the problems yourself, you'll have a better chance of helping them understand.

    As a number of people have pointed out already, focusing on logging off in conversations here seems to indicate that you don't understand the problems yourself.

    If you are talking about logging off after using a public terminal (library, starbucks, whatever), yeah, logging off is important. If they have people around the house who might do nasty things when their backs are turned, logging off is only a stop gap, and indeed might provoke a physical assault on the machine. (I don't mean with a hammer, I mean something like inserting a live CD on boot.)

    If, by talking about logging off you mean to talk about making non-admin accounts and using those for ordinary work, well, let's think about that. Do you mean they should make individual accounts for every member of the family? I suppose that's appropriate for some families, but most families will be just fine with a single non-admin "us" or "fambunch" or even "family" account. Make the account name interesting and there may be less initial resistance to using it.

    Since they're asking you to set things up, go ahead and make the account, and move their bookmarks, mail, and other documents into the account's directories (changing the file owner as you do, of course, so they can access their stuff after the move). Change the admin password and don't tell them what it is. Clear all their stuff out of the admin account, to reduce temptation to use it. Etc. (In fact, I'd probably make a new admin account, and back the old admin account up and delete it.)

    Of course, if you're using Japanese, non-admin accounts may not work on their boxes. (Still do not know why, but one MSWxp workstation I was assigned was like that. Try to use Japanese from a non-admin account and the thing would freeze.)

    Anyway, in the usual home, the password itself is primarily for keeping intruders from logging in from the web should they manage to breach the firewall.

    The issue of not using the admin account is separate, and others have addressed that, I think.

    Now, concerning the "internet for dummies" guide, what one finds condescending, another finds friendly. You know them as well as anyone, you're the best person to be able to figure out how to explain things, but it requires (again) understanding. People are more interesting than machines. Open your ears and eyes and listen to what they're telling you and you'll find the answers to how to explain without confusing or irritating them. But it does take many tries, and that's where patience comes in. You have to be patient both with them and with yourself. Think of it as a compiler for an unknown language, when your input is met with error messages, try something else.

    As far as the jargon goes, I don't think I'd try to teach them the jargon. Definitely not all at once. They don't need to know the word trojan, or even virus, to understand that a "program" attached to an e-mail message might include stuff that instructs the computer to do bad things.

    Applied lessons work. Let (make?) them watch you sift through their spam for real messages a few times. (In a non-admin account, of course.) Drop a spam with an attachment that looks viral on the desktop and open it with a text editor. Show them the headers and explain it in terms of snail-mail, envelope (which they don't actually see), address, return address. Show them the numeric addresses. Explain how the Sender address being a different domain from the domain of the server it's actually sent from can indicate that someone is trying to hide the true origin. The why generally explains itself, so don't dwell on that. Then look at the virus package in a binary editor and show them the execution offsets. Say, "This is where you see that this thing is intended to run something."

    Don't belabor too many points at once. If your message exceeds two minutes, you've probably already lost them. One point understood this time, a different point the next ti
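
The header comparison described in comment 86 (From domain versus the server that actually delivered the message), as an added example that is not part of the original post. The two messages, the host names and the `check_origin` helper are constructed for illustration, and the "last two labels" domain comparison is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). Names use reserved example/test domains.
SPOOFED = """\
Return-Path: <bounce@mailer.bulk-sender.test>
Received: from mx7.bulk-sender.test (mx7.bulk-sender.test [203.0.113.45])
\tby mail.family-isp.example with ESMTP id ABC123
\tfor <mom@family-isp.example>; Fri, 03 Nov 2006 10:15:00 -0500
Received: from accounts.bigbank.example (unknown [192.0.2.9])
\tby mx7.bulk-sender.test with SMTP; Fri, 03 Nov 2006 10:14:58 -0500
From: "Big Bank Security" <security@bigbank.example>
To: mom@family-isp.example
Subject: Verify your account

Click here.
"""

LEGIT = """\
Return-Path: <alice@photo-club.example>
Received: from smtp.photo-club.example (smtp.photo-club.example [198.51.100.7])
\tby mail.family-isp.example with ESMTP id DEF456
\tfor <mom@family-isp.example>; Fri, 03 Nov 2006 11:00:00 -0500
From: Alice <alice@photo-club.example>
To: mom@family-isp.example
Subject: Club photos

See you Saturday.
"""

# "from HELO (reverse-dns [ip]) by receiving-host": the common Received layout.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)", re.IGNORECASE)


def org_domain(host):
    """Naive registered domain: the last two labels (assumption; real code
    should consult the Public Suffix List to handle names like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def addr_domain(header_value):
    """Domain part of the address in a From/Return-Path header, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def check_origin(raw, my_provider):
    """Compare the From domain with the server that handed the message to
    my_provider. Only Received lines written by my_provider are trusted;
    everything below them was supplied by the sender and can be forged."""
    msg = message_from_string(raw)
    from_domain = addr_domain(msg.get("From"))
    result = {"from_domain": from_domain, "sending_host": None,
              "sending_ip": None, "findings": []}

    for value in msg.get_all("Received", []):      # newest hop comes first
        hop = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if hop is None or org_domain(hop["by"]) != org_domain(my_provider):
            break                                  # not written by our provider
        rdns = hop["rdns"] if hop["rdns"] and hop["rdns"].lower() != "unknown" else None
        if rdns and org_domain(rdns) == org_domain(my_provider):
            continue                               # internal relay, keep walking
        result["sending_host"] = rdns.lower() if rdns else None
        result["sending_ip"] = hop["ip"]
        if rdns is None:
            result["findings"].append("sending server has no reverse-DNS name")
        elif org_domain(rdns) != org_domain(from_domain):
            result["findings"].append(
                f"From domain {from_domain} but delivered by {rdns.lower()}")
        break

    if result["sending_ip"] is None:
        result["findings"].append("no delivery hop recorded by " + my_provider)

    return_path = addr_domain(msg.get("Return-Path"))
    if return_path and org_domain(return_path) != org_domain(from_domain):
        result["findings"].append(
            f"Return-Path domain {return_path} differs from From domain {from_domain}")
    return result


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, check_origin(raw, "family-isp.example"))
```

A mismatch is a hint rather than proof: mailing lists and hosted mail services produce the same pattern for legitimate messages.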

  87. Logging off? by DrDevil · · Score: 1

    I'm a security professional and I confess I don't log off my PC at home or at work. I trust the people with whom I live, perhaps not entirely those whom I work with, but at the end of the day it's the convenience. If they get into my computer at work, my god, they may copy the work that I have that they only need ask me for!

  88. my guide is just one line by Revek · · Score: 1

    1. Hire someone who understands it to do it for you and never talk back.

    now we all know this will never happen but hey we can dream

  89. Re:Nevermind your parents, I'm wondering about YOU by SeaSolder · · Score: 1

    The other thing you can do to reduce the damage they can do is to set their accounts as limited. They don't need full admin access to the computer, and if they don't have admin access, neither does the malware that they load onto it.

  90. Re:Dude. Get real. by SydShamino · · Score: 1

    I put my money on the Zombies. They'll amble over and eat your brain eventually...

    --
    It doesn't hurt to be nice.
  91. Do what I did: by Ralph+Spoilsport · · Score: 1
    Tell them to get a fucking Macintosh. Tell them if they don't get a Macintosh, you won't help them. If they don't like it, tough - DON'T HELP THEM. Don't enable them.

    They have to put down the Microsoft crack pipe. tough love.

    Your average Mac has lots and lots of software that ma and pa Kettle can make use of - iLife, safari, etc. it's all happy.

    If they won't behave responsibly, then give them toys they can't hurt themselves with.

    RS

    --
    Shoes for Industry. Shoes for the Dead.
  92. Useless by Bugmaster · · Score: 1

    Your request is self-defeating. I am a de-facto sysadmin for most of my friends and family, and I can summarize their stance on security in a few bullet points:

    1). Security is not important. Only computer geeks worry about it. I just want to browse the web, send email, and play games.
    2). Viruses happen to other people. I have nothing special on my machine, thus virus writers don't care about me, thus there's no need to worry.
    3). I don't know what spyware, trojans, backdoors, or keyloggers are, and I don't care (see (1)).
    4). I will not do anything, or install any software, that requires me to take any additional actions whatsoever, no matter how rarely (see (1)).
    5). If my computer is not working properly, the likeliest cause is that all the security software (antivirus, spyware scanner, etc.) is messing things up. The obvious solution is to disable it.
    6). There's no reason for me to learn about security by reading books or articles, because I already know all I need to know (namely, (1)-(5)).

    You may think that I am caricaturizing the views of non-technical people, but, rest assured, I am not. This is literally how people think. Thus, showing them security guides etc. is useless, because they won't read them. It also means that whatever antivirus software you install has to be completely invisible, or they'll remove it. Most unfortunately, when they do get infected with some horrific trojan, they will neither understand nor care about what happened; if it becomes too much of a problem, they will either call you in to "make my computer fast", or they'll buy a new PC.

    I think the reason for this is that non-geeks think about computers in a completely different way from geeks. Non-geeks do not know, or care to know, how the computer works. To them, the computer is a monolithic tool, sort of like a fork or a spoon or a TV or a car. It does what it's supposed to do. It doesn't have any user-serviceable parts. Messing with it is for special people who like to mess with things, such as car mechanics or computer engineers.

    Keep in mind that most geeks also feel this way about various objects. Can you claim the same level of understanding about the food you eat, or the car you drive, or the airplane that takes you to DefCon, or even your microwave oven, as the understanding you have about your Linux distro ? Most people cannot.

    So, it is not the case that end-users are especially stupid, or especially lazy. It just means that human nature itself prevents computer security from becoming an end-user concern.

    --
    >|<*:=
    1. Re:Useless by Anonymous Coward · · Score: 0

      mod parent up. both funny and insightful.

  93. Re:infect their machine by LiquidCoooled · · Score: 1

    I agree with most of this.

    The only exception being I use Autoruns from Sysinternals rather than MSConfig, it's easier to do everything in a larger resizable frame than the tiny interface MS supply (and it doesn't ask you the stupid message after rebooting)

    --
    liqbase :: faster than paper
  94. picking nits by crabpeople · · Score: 1
    "I wouldn't though, to teach him that revenge doesn't solve anything."

    While this is morally a sound way to go, it's kind of false to just claim that - especially to impressionable children. I saw a study a year or so ago that said revenge is a socially functional instinct. The point I'm trying to make is that while it may not make up for the injustice that was done to you, it provides closure and puts a nice big smile on your face. "Revenge can be a very good deterrent to bad behavior, and bring feelings of completeness and fulfillment." Turning the other cheek always seemed kind of meek to me and it's one of the reasons I do not support Christianity as a philosophy.

    --
    I'll just use my special getting high powers one more time...
    1. Re:picking nits by izomiac · · Score: 1

      While you're completely right that said statement is false, I doubt that you should worry too much about telling it to "impressionable children". First of all, it's an immensely popular idea (a very common theme in TV & movies), so trying to prevent children from being exposed to it is futile. Second, one cannot be completely certain of much of anything. If we only told children what we absolutely know to be true, then we wouldn't be teaching them much at all. Third, it's probably decent advice even though it's not entirely true. For most situations, revenge is illegal, unethical, not beneficial to anyone, or just a bad idea. So, given that it's a child, they probably aren't experienced enough (or whatever) to determine what is a good cause for revenge and what isn't. So it's safer to tell them to never do it rather than to always do it. If they are equipped to accurately make that assessment, then they don't need and will probably see the faults in that strategy.

    2. Re:picking nits by JWSmythe · · Score: 1


      Actually, the mentality I was going for was don't escalate a problem if you can't handle the consequences. I did go farther with him on it.

      If I hacked the other kid's account (ignoring the legal problems), the kid would do something more. etc.. etc.. etc..

      It's a game that can't be won until it's way beyond what he's willing to handle.

      If he doesn't learn what the cause and consequence of the problem was, so he can fix it in the future, he'll keep making the same mistakes, and have bigger problems later on.

      There is a time and a place for revenge. It must be thought out properly, and handled in a way that will be to your advantage.

      I have a friend who's a great example of that. She has an obnoxious neighbor that's been doing all kinds of things to her. She's absolutely sure she knows who the neighbor is, but has no evidence. I told her not to do anything about it in a physical fashion. She has all kinds of plans of what to do, but she won't do them now.

      She asked the police and a lawyer what to do, and they told her the same thing. Without evidence, there's nowhere to go with it.

      So, our revenge will be getting the crazy neighbor put in jail. It'll be perfectly legal on our part. We're putting together a video surveillance system for her house. It's amazing what you can do with a few bucks and a bunch of spare parts. :) I think the total cost will be about $50, if you don't include all the stuff I have laying around. We don't let the neighbor know anything about what we're doing, and it'll all be set up when the neighbor isn't home. She'll do something again soon, and we'll have documentation of what she's doing. THEN we can let the law handle it.

      The last thing the neighbor did was egg my friend's car. Before that, she put in anonymous calls to local law enforcement about all kinds of crazy things. Once we have evidence of a few things, all the previous things can be tied to her. Ahhh, criminal trespass, harassment, vandalism. In civil court, I'd be willing to bet that we could get a judgement ordering the neighbor to move out. I already told her that after I set up the equipment, I'll be more than happy to work with law enforcement on the matter, and testify in court. "Yes, I set up the equipment. This is how it works. I swear under oath the video was not tampered with."

      I warned her though, it may not be the neighbor she thinks it is. You have to be VERY sure about who you're getting your revenge on, and do it right so you don't get your hands dirty.

      I did this once before for someone. A lunatic shot up another friend's store late one night. I put the security images on DVD, then went to the guy's house, and recorded evidence showing that the vehicle in the security footage was the same as the vehicle at the defendant's house. It was easy. We knew the make, model, and color of the vehicle, plus some distinguishing features. The security footage didn't get the license plate number, but mine did.

      When the police showed up, they found the gun in the vehicle still, and matched it up to 4 other shootings in the same area. The guy is nicely tucked away in jail now.

      The dirty revenge, contemplated by my friend was to go do something physical to the guy, his house, vehicle, and/or store. That's the dirty revenge that would have gotten my friend put in jail instead. We're all much happier with the clean way.

      --
      Serious? Seriousness is well above my pay grade.
  95. Presentation is important by Seiruu · · Score: 1

    Technical stuff like security is boring for casual computer users. Try to work on your delivery. I always try to put some jokes/humor in my presentations, usually related obviously, to keep people alert.

    Here's my attempt to contribute a bit.

    http://seiruu.freeflux.net/blog/archive/2006/11/03/protect-your-computer.html

  96. it's the cat. by Mahamadmustafa · · Score: 0

    everyone telling this poor man that logging off his computer doesn't know the full story.. their family cat is a gawdamn cyber-terrorist that installs all sorts of ape-shit apps while the humans are away. .. that cat is fuckin' nuts ..

    1. Re:it's the cat. by PenGun · · Score: 1

      I got five. I just leave em' an unused console to play in, they are gonna log on one day I swear ;).

          PenGun
        Do What Now ??? ... Standards and Practices !

  97. Re:yeah, you have better things to do with your ti by Anonymous Coward · · Score: 0

    I will point out, however, that YOU are the one building an imaginary backstory about someone you will never know, then bothering to post it on a BBS for nerds in the hopes that other people who you will never know will judge it funny, and thus validate your pathetic life.

    Of course, I'm replying to you, which makes me pathetic too...

  98. Re:"I know nothing" but free/open source software by Marcion · · Score: 1

    >you buy a Mac, or install Linux.

    Whenever someone who looks a bit newbie asks what computer to get, I say a Mac because for three years they can go into the Apple Shop and ask any stupid question they like and someone will diligently answer. Hopefully, within the three years they will learn just enough to wing it from there.

    Existing hardware can become Linux easily, as long as people get out of the habit of buying any old USB device and expecting it to work.

    This is not only a Linux problem. I have one relative that has a USB wireless keyboard (Logitech) and a USB printer (Canon). She installed all the crap that came on the driver CDs. The result, when she prints, the keyboard ceases working in Windows as the printer driver seems to completely take over the USB Bus.

    I have never found such a problem using official Linux kernel drivers.

  99. The BBC Honeypot PC by Anonymous Coward · · Score: 0

    addressed recently on /.:
    http://it.slashdot.org/article.pl?sid=06/10/09/1644230

    The linked article, and the follow-up/related articles in the series, detail the risks associated with not taking security seriously these days. Since it's from "the BBC", your family might give it some credit.

    The harder part will be to convince them that security is a never ending process, no matter how MS is telling everybody the software is the most secure ever, security is their priority and all that crap!

  100. The answer by agendi · · Score: 1

    What you need is one of your father's work retainers to break into the house, steal some of their files in front of their very eyes but lose an arm in the attempt while exclaiming "And that's why you need to log out when you're not using the computer!"

    --
    I just can't be bothered.
    1. Re:The answer by goarilla · · Score: 1

      hehehehhehehe
      woehahhaahahahahaha
      that's a really good one
      please people mod this one up for me :D

  101. Oh my poor, poor language by Anonymous Coward · · Score: 0
    They, like many people of their generation, seem to be willing to sacrifice security for convenience, as long as their real data isn't being impacted.


    According to my dictionary:

    impacted (adj): 1. wedged in. 2) (dentistry) denoting a tooth incapable of growing out or erupting, and remaining within the jawbone. 3) driven together; tightly packed.

    Now, which of these meanings should I be using in the quoted sentence?
  102. There are two things people don't understand... by Vellmont · · Score: 1

    The first, as you said is that the computer or the internet connection is what these people are after. They don't understand that there's value (however small) in an internet connection.

    The other thing that people don't understand is the automated nature of the attacks. People are used to thinking of thieves picking and choosing who they steal from with some discretion. They'd probably think "Why would someone want MY computer? It's just a chintzy $500 Walmart special, and I only have the cheapest DSL connection". They don't understand that an automated attacker doesn't care about that, he just wants the maximum number of machines possible. And with an attack spread through a virus, he can't even control that anyway.

    --
    AccountKiller
  103. Re: Whenever I hear the word activist, I reach for by Cuppa+'Joe'+Black · · Score: 1

    Whenever I read the sig, "Whenever I hear the word activist, I reach for my revolver," I reach for my 9mm semi-automatic.

    --
    Technically, murder-suicide does not violate the golden rule.
  104. Re:yeah, you have better things to do with your ti by ianphipps · · Score: 1

    Personally I fell off my chair laughing. Nicely done mate hehe.

  105. Re:"I know nothing" but free/open source software by AusIV · · Score: 1
    I can certainly associate with that. I've got a Linux desktop and a Windows Laptop (not windows much longer), and I use my laptop for little other than web browsing and word processing when I'm away from my desktop. I'm trying to unlearn as much as I can about windows so I can stop doing tech support for friends and family. I also try to hint that family members ought to move towards Linux, whenever they ask a question I respond "well, that would be fairly simple on Linux, but on windows you have to..." and it's almost always true. Unfortunately, people are afraid of Linux. Last time my mom got a new computer I tried to convince her to let me install Ubuntu on it. I explained that it would be more secure, cheaper, and would have programs to do everything she's used to, plus I'd be able to use SSH to troubleshoot her computer while I'm away at school. But she had no desire to learn a new interface, so she stuck with windows, which I had to reinstall within 6 months because it became bogged down with viruses despite running Norton.

    I'm rather looking forward to Vista, because I will be able to honestly say "I've never really used vista, I can't help you."

  106. not to toot my own horn, but... by SpectralDesign · · Score: 1

    My site is a very high-level introduction to the internet and security issues for anyone getting online who has little or no experience. It is not specific to any O.S. or applications. It is a work in progress. It may bring your friends/family to you with more questions. And of course -- your mileage may vary. (And it's ad-free, so I don't consider this astroturfing).

    --
    Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind. - Dr. Seuss
  107. I had this problem with my ex and son... by hardcode57 · · Score: 1

    .. I found that when I stopped talking about 'computer security' and started saying 'this is a matter of basic hygiene' the message got through. People understand the need for hygiene while accepting they don't understand the microbiology that requires it, so the metaphor strikes home. They also understand that people with self-respect observe the rules of hygiene.

  108. dont explain to them, just set it up for them by seventhc · · Score: 0
    Well, as far as the logging off thing, even though it isn't so important, I did have a teacher that would deduct a point off our grade if we left our workstation and didn't log off. That was meant more for being in a public place like work though, and there can be malicious people where you work; I speak from experience on this.

    But I would set them as limited users and just install an AV program... Avast is free for home users, and run the usual scans for spyware: Spybot, Lavasoft Ad-Aware, ewido; even Trend Micro does a free online scan for spyware and viruses.

    I had some friends that bought a used PC. I got it set up for them, and within two weeks I had to reinstall it (they were click happy). Two weeks later, again... and then even again after that. At that time, I was tired of doing it for them, so I told them they will have limited rights this time, and I won't tell them the admin password, and if it happens again they are getting Linux or FreeBSD. lol. But since I gave them limited rights, they have never had another problem since.

    I installed everything they would want at first, but basically if they click on Smiley Central, they aren't allowed to install it. That setup has saved me a lot of time and headaches.

    --
    'sig' deleted due to the stupidity of it's 'nature'
  109. Maybe being the attacker yourself will help. by UNIMurph · · Score: 1

    Simply collect as much information remotely from your parents as you can over the course of a month, print it all off, and give it to them along with a letter outlining what you could have done with that information. Also try filling their My Documents folder with hardcore porn when you're not around for a few days. I have been in the same boat as you in the past. I chose Ubuntu as my solution, although my parents (at least my father) may be more willing to learn a new OS. I have seen posts suggesting the use of an alternate browser, and I will agree that is a good first step, with little or no impact on ease of use. You may even be able to do this without them noticing by being diligent about installing all plug-ins and transferring bookmarks and settings (along with changing the desktop icon to the blue "e" and naming it "Internet Explorer"). Spybot S&D with TeaTimer running, or Zone Alarm, can be a tad intrusive, and even cause more damage than good if not properly configured; they may be a second step taken only when the first is accepted and used. You can show them how a firewall works by simply pinging their computer over the network, and be sure they are sitting at the computer with you the first time you run an anti-spyware program; you want them to see the hundreds of pieces of malware that already reside on their computer collecting personal info. Whatever you do, be sure to lay on the FUD campaign real thick. Don't just tell them what can happen, SHOW them what can happen, then try to teach them how to stop it.

  110. Mr. Gates, I'm impressed ... by msimm · · Score: 1

    I was just getting ready to lambast the poster myself but you seem to have covered it. The gist of my post would have been a little more indirect (less finger pointing, not that it's not thoroughly deserved). The average person needs to know very little about security, and I've never seen a good reason it shouldn't be that way. You're right to poke holes in the logging off assertion. That's plain silly unless they've got ninja hackers sneaking into their house constantly downloading illegal warez and pornography. Chances are the only *threat* is hypothetical. Very noobish.

    Let's stay practical. Realistic seems to work best.

    If your real intention is to improve the user's experience and not simply to attempt to talk down to them (as sexy as that may seem, it's lame) there are very few areas where you might be able to cut through the techno-babble and actually make a difference. Backups are one good one. Even if your family and friends followed every piece of dogmatic advice ever foisted upon them there is one rule of thumb: at some point it will break. Power supplies, fan(s) then hard drives (oops!) and motherboards. Every system out there will die some day, it's just a matter of time when, and if you don't like to gamble or can't afford to, backing up some of your important data can be a world of difference (I'm not talking about spanned multi-disk backups or fancy archival systems, just, you know, copying important files to physical media with some regularity) so when your Geek Squad flunky tells you you're going to have to replace your hard drive because you've got a silly virus you only need to lightly curse under your breath knowing you at least have most of your important files.

    Adware software and viruses are probably the next practical concern (ok, after updates) and if you can get most family/friends using some form of (legitimate) virus scanner/adware removers and let their systems autoupdate chances are you'll save both them and yourself a lot of unnecessary trauma (drama?). But let's be honest, that's our bread and butter. :)

    You will never get users to give up convenience for security unless you make it realistic and practical (or policy, but that usually takes a few "accidents" before it really sinks in and it's hard to do outside of enterprise, you know, without legal ramifications).

    --
    Quack, quack.
    1. Re:Mr. Gates, I'm impressed ... by wdr1 · · Score: 1

      The sad thing is this idiot is going to be working for our IT departments in five years.

      -Bill

      --
      SlashSig Karma: Excellent (mostly affected by moderatio
    2. Re:Mr. Gates, I'm impressed ... by msimm · · Score: 1

      Well. We all started somewhere, right? 5 years is long enough for the wide-eyed and wonder thing to get old and grow up a bit. Maybe this was an exciting little tryst. Maybe it's the beginning of a more serious relationship. Who knows.

      Let's just hope the Slashdot editors intended for this to be a weenie roast and didn't, you know, seriously ...
      :)

      --
      Quack, quack.
  111. Lock them out! by nthwaver · · Score: 1

    I got tired of fixing the same old problems every time I visited my parents, so I sat down and asked exactly what things they need the computer to do. I reinstalled Windows XP, set optimum preferences for everything then password-locked the admin account and now they can only use an unprivileged user account, whose preferences are all borrowed from "all users". It is impossible (save for bugs in the OS, natch) for them or any malware to screw up the machine, and if by chance they catch malicious software that fucks up userspace (not as likely since they'd have to download it themselves) a new user account is easy to make.

    My mom complained once when she bought a new printer herself and couldn't install it without help, but I told her, "isn't this much better than it used to be? When you couldn't even go online without porn popping up?" Fortunately, I always use passwords that look like gobbledy-gook, so even when I told her what to type over the phone, she didn't remember it.

    1. Re:Lock them out! by ydrol · · Score: 1
      so even when I told her what to type over the phone, she didn't remember it.
      Next step UltraVNC Single Click
  112. Re:infect their machine by thc69 · · Score: 1

    Agreed on Sysinternals Autoruns. Everything from them is good. I don't remember if it provides protection, or just allows you to disable existing autorun stuff.

    See http://www.mlin.net/StartupMonitor.shtml for a good protector. By the same guy, there's also a control panel applet with similar functionality to SI's Autoruns. It's surprisingly small and powerful.

    --
    Procrastination -- because good things come to those who wait.
  113. Switch your parents to Macintosh by wheatwilliams · · Score: 1

    If they run Macintosh, they will have no viruses, trojans, or spyware. They will not become zombies on a botnet. They will not acquire keyloggers or malicious rootkits. Mac OS X Tiger's security features will take care of them. No need for anti-virus software or anti-spyware software.

    Your parents still need to know how to protect themselves from phishing attacks and other human engineering fraud. They still need to know how to protect their privacy.

    But if you simply switch them to Macintosh, the most serious and malignant problems simply won't exist any more, and you won't have to worry about protecting your parents from them.

  114. OpenBSD! by Anonymous Coward · · Score: 0

    Dealing with the folks:

    1) Plaster OpenBSD on their box with no X server.
    2) Cancel their broadband account. (We all know that you forced them to get one.)
    3) Let 'em leave it on or unplug it if they so choose. Since they obviously won't have root access, shutting it down is going to be tricky.
    4) Profit!

    Why would anyone care about intrusions or anything when they have you around to obsess? Besides, they have you to fix it too.

    5) Buy everyone a Mac.

    1. Re:OpenBSD! by tradecraft1 · · Score: 1

      lol....that would really work in an Enterprise desktop setting. :)

  115. Re:Nevermind your parents, I'm wondering about YOU by KKlaus · · Score: 1

    About the logging off thing, does logging off not limit the number of running exploitable programs?

    I'm not recommending it as a policy, because that would be like racing to shut off your computer the second you finished with it, which is obviously stupid. But someone could save me some Google work if they'd give me a quick yes or no.

    Cheers.

    --
    Relax I just want some peanuts.
  116. Re:Dude. Get real. by alienmole · · Score: 1

    At least when the ninja flips out and kills you, you'll be comforted by the knowledge that no-one will be able to get at your files. Unless they know anything about PCs, of course.

  117. Re:Nevermind your parents, I'm wondering about YOU by ydrol · · Score: 1
    People like your parents are easy. They don't need to know about viruses & worms. You just set anti-virus to run and automatically update & have them use a mail client other than Outlook (e.g., Thunderbird or Eudora). You set up the firewall & just leave it.
    And buy them a router. I was going to add "..for Christmas".. but then I just thought about the bemused look on my parents' faces if I did that.
  118. Use proper metaphors by Pedrito · · Score: 2, Funny

    You see, it's a generational gap. You need to explain things to your parents in terms they can understand. Explain that leaving your home computer logged in is like allowing the Soviets (don't worry, they'll know who the Soviets are) to put missiles in Cuba.

    Then explain to them that you're kind of like Joseph McCarthy and you're just trying to protect them. I think that'll get them to pay proper attention to your important message of salvation.

  119. user account by z_gringo · · Score: 1

    Some friends of mine were setting up a new computer and asked for my help. I created usernames for all 3 of them (Mom, Dad, and kid); that way when they log in, they get their own mail, their own IM accounts, etc. It was all working fine.

    Then I came back a couple weeks later, and they had deleted the other accounts, and were using only 1 account. They said it was too complicated to use their own account.

    Now when they log in, they have to change the username of the last person who logged into IM, Mail, etc. It looks far more complicated to me doing it how they are than using their own accounts. It makes no sense to me. And yet there are probably a lot of people like that.

    --
    -- -- Warning. Do not stare directly at the sun.
  120. I use LTSP by CustomDesigned · · Score: 1
    Our family uses LTSP terminals (1999 era PCs sans hard drive from people's dumpsters). They are connected to a $400 Dell server running Linux. Kids' logins are automatically disabled until they finish chores. We have a computer curfew (auto-logout at midnight) on school nights. Family policy website filtering via squid for younger kids (as opposed to paying some company who may or may not share our values). In short, you can automate a lot of policies (you don't have to like mine) without limiting functionality. LTSP supports sound and video (video over X uses a lot of LAN bandwidth - you'll want gigabit ethernet). Web, Email, Open Office, etc. all work well.

    The Groovix company offers a Debian based server with 4 or so screens and keyboards attached - with full telephone support. I haven't tried it, but it sounds like a viable solution for those who aren't Linux experts.

    At first, the kids complained about not having Windows games. But now, they like Linux games (some of our terminals can boot off local disk and have 3D cards to play Tux Racer, etc). They can play Windows games at any of their friends' houses, but their friends come over to play Linux games.

    Remind me again why we need Windows at home?

    Ok, PC tax software is only available for Windows. Some years I fire up an old Win 98 box to run the tax software. Other years, I just do it manually. TaxAct and others offer free online tax software - but I dislike putting all my info in some company's remotely accessible database. When I fire up Win98, I pay $20 for the deluxe version. I wish I could buy electronic tax forms annually for $20 and run them on an open source engine. I guess the companies are afraid to do that without some kind of DRM.

  121. Re:"I know nothing" but free/open source software by Anonymous Coward · · Score: 0

    >> ...say a Mac because for three years they can go into the Apple Shop and ask any stupid question they like and someone will diligently answer.

    Now you know how parents feel. Except the questions last for 17 years.

  122. You're asking for a lot there by Beryllium+Sphere(tm) · · Score: 1

    Faithful translations are a rare and difficult thing, and that's what you're asking for. You want to translate from the language of a nation of techies, a nation that has years of experience that lets them instantly understand the implications of a phrase like "plaintext authentication", to the language of normal people who don't look under the hood and run systems that would make it hard to look under the hood if they wanted to.

    I know it's hard because I try it. I have a security blog for the nontechnical where I try to explain things like botnets. It's a challenge.

    Best suggestion? The old rule of "don't tell 'em, show 'em". Point out that the entries in the firewall log every few seconds are break-in attempts. Image the machine, install an antispyware package, and show them how often it alerts when you follow links to "free games". Then restore the machine, because no antispyware package has complete coverage.
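
One way to act on the "show 'em" suggestion in comment 122, as an added example that is not part of the original thread: a short Python script that turns a firewall log into a few plain-language numbers. It assumes the Windows Firewall text log layout (a `#Fields:` header followed by space-separated entries); the sample log, its addresses and the function names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample in the assumed Windows Firewall log layout.
# Addresses come from documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2006-10-14 09:00:02 DROP TCP 203.0.113.7 192.168.1.10 4312 445 48 S 101 0 65535 - - -
2006-10-14 09:00:05 DROP TCP 198.51.100.23 192.168.1.10 2210 135 48 S 102 0 65535 - - -
2006-10-14 09:00:09 OPEN TCP 192.168.1.10 192.0.2.80 1065 80 - - - - - - - -
2006-10-14 09:00:11 DROP UDP 203.0.113.7 192.168.1.10 1029 1434 404 - - - - - - -
2006-10-14 09:00:14 DROP TCP 198.51.100.99 192.168.1.10 3388 445 48 S 103 0 65535 - - -
2006-10-14 09:00:14 CLOSE TCP 192.168.1.10 192.0.2.80 1065 80 - - - - - - - -
2006-10-14 09:00:20 DROP ICMP 203.0.113.40 192.168.1.10 - - 60 - - - - 8 0 -
this line is truncated
"""


def parse_firewall_log(text):
    """Yield one dict per well-formed entry, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if fields is None or len(values) < len(fields):
            continue  # no header seen yet, or a truncated/corrupt line
        entry = dict(zip(fields, values))
        try:
            entry["when"] = datetime.strptime(
                entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue  # unparseable timestamp: skip rather than guess
        yield entry


def summarize_drops(text, local_ip):
    """Summarize inbound packets the firewall dropped on their way to local_ip."""
    drops = [e for e in parse_firewall_log(text)
             if e.get("action") == "DROP" and e.get("dst-ip") == local_ip]
    # ICMP entries carry "-" instead of a port, so they count toward the
    # total and the source list but not toward the per-port tally.
    ports = Counter((e.get("protocol", "?"), e["dst-port"])
                    for e in drops if e.get("dst-port", "-") != "-")
    sources = Counter(e.get("src-ip", "?") for e in drops)
    times = sorted(e["when"] for e in drops)
    avg_gap = None
    if len(times) > 1:
        avg_gap = (times[-1] - times[0]).total_seconds() / (len(times) - 1)
    return {
        "total": len(drops),
        "unique_sources": len(sources),
        "top_ports": ports.most_common(3),
        "avg_gap_seconds": avg_gap,
    }


def plain_language_report(summary):
    """Render the summary as sentences a non-technical reader can follow."""
    lines = [f"{summary['total']} unrequested connection attempts were blocked, "
             f"from {summary['unique_sources']} different addresses."]
    if summary["avg_gap_seconds"] is not None:
        lines.append("On average, one arrived every "
                     f"{summary['avg_gap_seconds']:.1f} seconds.")
    for (proto, port), count in summary["top_ports"]:
        lines.append(f"  {count} aimed at {proto} port {port}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(plain_language_report(summarize_drops(SAMPLE_LOG, "192.168.1.10")))
```
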

  123. A different take by Xenophon+Fenderson, · · Score: 1

    I grew tired of the all-weekend-long disk recoveries, so I approached the problem of my Mom and siblings the same way I would in a small-to-medium-sized office: extreme paranoia plus enterprise management. First, I tried my best to encourage my family to be suspicious of every email, every web site, every floppy disc (or CD-R, or flash stick). I bragged about all of the hacking demos that my buddies and I performed, especially the ones where we wrote our own viruses and set up dummy web sites that look almost (but not quite) like the real thing. Nowadays, Mom is pretty good about not running anything that she receives in an email, even if it looks OK like a movie or an MP3 file, unless she's expecting it.

    Then, I set up an enterprise environment in miniature. I have a standard desktop environment, with application software and browser security settings pushed out from a central location. (If someone ran into a web site they couldn't use, I told them to call me and that I would help them get it working.) I moved all of their files off their computers and onto my server, where I could run backups and create mirrored disks and so forth. For my parents, I set up a branch-office VPN (thank God for OpenVPN and OpenWRT). I encouraged everyone to move to my hosted email system, where I set up anti-spam and anti-virus filtering. The whole setup isn't perfect, and there are aspects of it that might not scale in the real world (though I still plan to install a server at Mom and Dad's house in order to get a second replica of everyone's home directories, the directory service, and the email system). It also costs money and time that some people might not have. I didn't mind buying the software or building the infrastructure. The whole thing evolved over the last 6 years - maybe three or four major iterations of the general idea - and it's only gotten really stable in the last two.

    So keep 'em scared of the big scary Internet, so that they don't trust what pops up on the browser or in their mailbox, and layer defenses around them and shove the right tools and settings down their throats, so that they don't have to worry about keeping themselves up to date or anything silly like that. If OneCare or MyCIO or ASAP or whatever weren't so blasted expensive and worthless, I probably wouldn't have made this much of an effort. I mean, security services that don't automatically include off-site backup? What idiot came up with a risk assessment missing "Availability"? The biggest threat to home users isn't the exploit du jour - it's the hard drive that inexplicably fails, taking 5 years' worth of kids' photos and your Mom's poetry journal with it.

    --
    I'm proud of my Northern Tibetian Heritage
  124. Re:yeah, you have better things to do with your ti by name*censored* · · Score: 1

    Well that's an easy one. My *entire* family are change-averse, so I'm used to "but the old one works fine" etc etc etc. It's incredibly annoying when I am forced to just chuck out slightly dated hardware (I *had* an old but good-for-the-time ISA sound card and a handful of ~10gb hard drives) that would work perfectly in their computer (can't sell on eBay, no boxes, I'd only get about $2 for it). No one else I know has a computer that would be UPGRADED with said outdated hardware. You should just start to say her computer is broken for good and/or will need hardware replaced (therefore will be out of commission for a couple of days), and 'lend' her a Mac in the meantime.. she'll either find another hobby (after calling you up and yelling, but that already happens anyway), or get used to Macs.. it's probably a little harsh to take your own mother's PC away from her, but it's for both your own goods - good for her security and good for your sanity.

    --
    Commodore64_love: I don't comprehend people who're so frightened of death that they'll bankrupt themselves to stay alive
  125. What worries me ... by Anonymous Coward · · Score: 0

    There are really people this sad in the world that would post a thread like this. I mean even if people on Slashdot would take this post seriously, your typical response is "install Firefox and that will protect you from anything". Dude, your family isn't dumb... they know that someone can walk up to the computer and look at their data... but honestly if you think your wife is going to hack your computer... then you probably have given her a reason to be checking on you. And if someone else breaks in your house... I don't think they are going to use the computer as a hot spot to do some surfing. People leave their car doors unlocked all the time... they know that someone may go inside and steal things... this is a risk they are willing to take and so be it. locking your computer to me seems far less risky than leaving my house or car unlocked, so let them take the risk. Lastly, if someone wanted data off a computer and had physical access to it, your shit's gone. Norton Ghost works wonders, along with hundreds of other tools just like it.

  126. Decent Place To Point Them by Anonymous Coward · · Score: 0

    You should point them here ---> http://www.getsafeonline.org/

    This is non FUD and actionable information targeted at the audience you requested.

  127. simple... by Anonymous Coward · · Score: 0

    Give them limited user accounts on their winbloze box.

    Then they can't install any software, and those pesky viruses can't turn things off like fw software, av software etc. Set them up with a hardware based firewall, turn off all external ports. As for protecting data, make sure they store this on a usb flash drive (or two) and have them remove it after use. Older people know the value of backing up data on floppies, as they used to do it back-in-the-day, just expand on that to a usb flash disk. Make sure auto updates are running on the av sw and on winbloze. Disable un-needed services, user accounts, and port scan the workstation to see if there is anything you missed.

    Then if they want to install something, then tell them they will need to call you. That's the price for your services. If they don't like it, tough. btw having them log out of their WS is not going to help; granted it is best practice for a sysadmin or business user... Most casual users don't leave their machines on when they aren't using them.

  128. Security is a pain in the ass, but why?!? by ecloud · · Score: 1

    I don't usually log out of my main desktop either, because session management on Linux sucks, so when I log back in all I get is the same applications open. I do not get all the same web pages open, all of my bash histories contained within the correct Konsole windows (both scrollback history and command history), same vim or scite sessions open, etc. It's not much better on other OS's (except that there can be "fast user switching" which is sort of a good idea). And who wants to have to remember passwords?

    What is needed is really good session management - every app comes back up in _exactly_ the same state. (This can be achieved two ways - either don't ever quit the applications, just leave them running in the background, doing their output to a virtual screen which can be later realized on the physical screen; or, every app could support a session-saving/resuming API which is consistent across the windowing system. Either one would be a helluva lot better than we have now.) And, people need to start using physical dongles of some sort to log in, rather than the username/password mess. Stick in your key, and you are right where you left off ASAP (preferably in under a second). The key remembers every sort of token, PGP key, web ID, etc. for every system you use, and can be plugged into every system you use. It can be a USB key designed for this purpose, a smart card, or an iButton (but there needs to be a standard). Then guard that key like your car keys, and your information will be at least as secure as your car (or quite a bit more so, depending on how much you use the key to actually encrypt your data). If you can't justify more security for your car, it's probably enough information security, too.

    I really hate the teeming, breeding crowd of security wonks these days because EVERY idea they come up with always increases the pain-in-the-ass factor to using the system in the first place. Government-mandated privacy policies just add to the mountain of paper trash that gets mailed every day. The fact that doctors cannot release details about patients without patient consent means I can't even ask about my own family members without a prior written release. Corporate IT policies where I work require making up new passwords every 90 days that are not only unique, but contain uppercase, numbers, lowercase and punctuation, and can never be re-used. And they expect me to remember them?!? And multiple intranet systems require independently changing passwords, too. Every web site requires its own userid/password to login (even Slashdot), and every damn time you have to fill out the same damn form (with a few quirks) and confirm with an email. There's a new web site that you need to sign up on every few days or so, and they all have their own password restrictions, and blithely assume any old fool could remember a password or two (neglecting the hundreds of others the same fool is already remembering). Enough already! Isn't it about #$^!@ time we had a real hardware user ID system? The hardware is already out there, and nobody's using it!

    Don't say it's big brother, because it's voluntary and does not require vendor lock-in. The software to support it should be open-source by all means, and there is room for multiple hardware standards too (but you can be sure that one hardware standard would emerge after a while). But why the hell are we not even on a path in this direction, at all?

    Compared to what working techie people have to deal with, your parents have it easy. But it goes to show just how much of a PITA it really is - that they can't even deal with this one little idea, logging in with a username and password. And we're expected to deal with orders of magnitude more.

  129. Good luck by JPriest · · Score: 1
    I have looked and asked. There is no "FreeSecurityGuide.com" you can send people to that will give them these basic tips. The result is that many IT people end up answering the same questions over and over for these people, some of whom are genuinely interested in learning.


    Your answer is that it doesn't exist.

    --
    Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
  130. CERT home security guide? by stuckatwork · · Score: 1

    How about the CERT home security guide?

    http://www.cert.org/homeusers/HomeComputerSecurity/

    It even has a nice PDF version, on that page, if they want to read it off-line.
    It doesn't cover all the things you wanted, but you might start with that, and write some more along that style?

  131. Security vs. Convenience by RAMMS+EIN · · Score: 1

    ``They, like many people of their generation, seem to be willing to sacrifice security for convenience''

    There shouldn't be a trade-off between those two. Your system can only be convenient to use if it's also secure. A system that runs dog slow, crashes at inopportune times, and crowds the display with pop-ups and toolbars isn't very convenient, is it?

    --
    Please correct me if I got my facts wrong.
  132. I bet they used the admin account.... by Rank_Tyro · · Score: 1

    I'll bet a dollar the account they used was the admin account.

    --
    Today's show is brought to you by the number 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0: 25
  133. academic but maybe useful? by Anonymous Coward · · Score: 0

    An 18 page article by Karen Spark-Jones at http://www.cl.cam.ac.uk/~ksj21/securksj3a.pdf might be worth looking at jamesM(j . a. mal colm at herts dot ac . uk)

  134. Get "Beyond Fear" by Bruce Schneier. by cheros · · Score: 1

    Get the book, read it yourself first. And if you deal with a lot of people in need of education, keep 2 copies in your personal library.

    Having said that, my target audience differs (senior Board members and CEOs) because most of my family and friends have suffered enough from virus infections to stay with Linux (they have games consoles so that argument disappeared quite early on :-).

    I teach IT and business security to CEOs and Board members as part of my work and the issues are 100% identical because they're usually told a lot of BS by vendors and consultants pushing their wares, and by their own staff because of politics.

    I don't just wish you luck - I wish you lots of patience..

    You'll need it :-).

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  135. Externalities by RAMMS+EIN · · Score: 1

    The problem with PC security is largely one of externalities, these days. It's not the users whose computers are infected that pay the price, but the people handling the spam and DDoS attacks. As soon as users start noticing the ill effects of bad security, they'll develop an interest in improving it.

    --
    Please correct me if I got my facts wrong.
  136. Not their generation, but -all- MS Windows users by ydra2 · · Score: 1

    "They, like many people of their generation"

    I take exception to this quote because in my experience, it's not the generation that makes the attitude, it's the user. The current attitude is almost always, "I don't care!" As long as the web browser works they just don't care. I say let them lose everything to identity theft first. Then say "I told you so." Leave it at that. I've argued with family members until they shout at me "I DON'T CARE!!!" It's a losing cause. Give it up and keep yourself safe. And have as little to do with them as possible (computerwise that is).

  137. books by Virgil+Tibbs · · Score: 1

    There are two books that made my non-computer parents more security conscious:
    The Art of Intrusion - Kevin Mitnick
    Secrets & Lies: Digital Security In a Networked World - Bruce Schneier
    Despite their technical stuff, I couldn't stop my mum reading them after I had shown her them. They will be more comfortable with books than manuals online.

    --
    www.tdobson.net #### Dare to Dream #### blog.tdobson.net
  138. Independent non-technical security advice by Anonymous Coward · · Score: 0

    Try the UK government's Get Safe Online website. www.getsafeonline.org. They have a ten-minute guide to security which is a good starting point and checklist. From there they have detailed explanations of many security topics which are written for regular people not techies. Because it doesn't come from a vendor, it doesn't have anything to sell and no particular axe to grind (there is advice for Linux and Mac users too, for example). Also, they have a blog: www.getsafeonlineblog.org.

  139. Computer Security Campaign in Belgium by KGT · · Score: 1

    Hi Cliff,
    In Belgium there is an information campaign to inform non-tech PC users about security. I don't know how good your Dutch or French is but here is the website:
    http://www.belgium.be/peeceefobie/
    It is all about "Ginette" who is your guide in real 60's style ;-)

  140. Hacker Highschool Lessons by Anonymous Coward · · Score: 0

    You may want to take a look at the Hacker Highschool Lessons at http://www.hackerhighschool.org/. It's an exercise in critical thinking in terms of computer security and does teach all the things you're talking about. It's also been developed through the ISECOM (http://www.isecom.org) guidelines as an openly developed and openly reviewed project, so best of all it's free!

  141. Computer Security Awareness Video Contest 2006 by Anonymous Coward · · Score: 0
  142. Ha Ha very timely ... by fatcop · · Score: 1

    ... I just got back from a few days with my folks in QLD Australia.

    I myself have often pondered where documentation for computer novices would be and/or in what form it would be exactly. I can't recall finding anything out there, I would direct my parents to.

    There is simply too much under the hood of computers for older generations who didn't grow up with computers to grasp. The other day a late-aged friend, though she had done a Computer & Office 101 course, didn't really understand what a browser was or when you use it. How are you supposed to explain things like phishing or encryption if they can't even grasp what they are interacting with?

    Personally I think there is a huge opportunity for someone to create an online education business directed at novices. But again, the only implementation I can think of that I could see successful is via video. So YouTube style tutorials, but by professionals :) You can get a lot more analogies across a lot quicker with well constructed video, I believe. FORGET written documentation for non-tech/older-generation people. They just won't get into it for many reasons. Laziness, lack of interest, lack of ability. Time. It's just a waste of both your time trying to flog that horse. Naturally there are exceptions to the rule, like my aunt who was as inquisitive and sharp as a tack till the day she died.

    As far as what is available and what approach to take right now, these are my feelings (and what I do).

    1. Forget trying to educate them about every last thing (you think is even highly important), instead you (or your resident geek) make their PC as tight as you possibly can, so they are not led unto temptation. Such as:

    - Firstly, if money is an issue (and perhaps even if not) my tack is to use free products well, and instead spend money on better hardware (especially broadband stuff). The aim again being give them easier avenues for help. eg. faster broadband with higher quotas means you might be able to remotely manage (eg. via UltraVNC - reverse connect) their computer if they need it. And for godsake get off dialup.
    - Don't let them use an account with Administrator privileges. If possible set up each family member with their own Windows account. Contains individual blunders.
    - Use Firefox or some other browser that does not use ActiveX (the doorway to virus hell). Install Adblock extension for less ads, popups, viral paths and faster browsing.
    - Install WinPatrol which easily allows you to manage (disable/remove) stuff that runs at Windows startup. Remove anything unnecessary that has potential to confuse/annoy them.
    - Naturally you need antivirus, but you don't need an all-in-one beast (like Norton), just a good one that doesn't get in your face or slow things down. For free ones, I like Avast, AVG, BitDefender.
    - Get a decent broadband router/modem/firewall and if you want to get paranoid install a better firewall software like ZoneAlarm or Kerio (esp if you don't have a hardware router/firewall). But again those can just add to more confusion so I'd avoid that if they got a decent hardware firewall.

    2. Accept they will prob use the least appropriate tool for the job, but they will get by. If you've made things secure as you can, and they know not to enter their password at the drop of their hat (esp from email links), chances are good they will never do something overly silly. But really there are never any guarantees because of frustration with the way computer software and the internet operates. It's up to the tech heads to come up with better solutions/security IMO.

    3. Though often laced with technical jargon, places like Webopedia and Wikipedia are a good source of the facts and are usually quite comprehensive.

    My rant is dragging on so I'll leave it there, but to summarise if you fortify the best you can, make it easy for them to get help (eg. from you) and reduce clutter they will surprise you with what they actually discover and master by themselves.

  143. Re:yeah, you have better things to do with your ti by WebCrapper · · Score: 1

    When I moved overseas, I explained to my parents that I had installed VNC and set up the router to accept connections from me if something weird happened. Before I even left, they messed up 2 computers with spyware by using IE. I installed FF and told them not to use IE and removed the icons. Well, they went looking for IE anyway and I haven't VNC'd in - ever. They still use IE and their computer is still slow... My mom finally got tired of asking for help because I refused. "Am I going to help you gas up a Pinto? No...." Last time they argued with me, I threatened to show up while they were on vacation and replace their PCs with Macs. Haven't heard a peep since.

  144. use a password protected screensaver .. by rs232 · · Score: 1

    " I cannot convince my parents to follow proper PC security procedures .. just simple measures like logging off of the PC when it's not in use"

    How about putting a password protected screensaver on your parents' computer? Or how about setting them up on a Linux desktop where the system is protected from the average non-techie user. Relying on the end user to do anything to secure the computer is bound to fail as they don't understand or can't be bothered.

    For instance I installed a file server with an external scsi tape backup in an office. I gave them five tapes marked mon, tue etc. To function properly all was required was a tape be inserted on the said day. I kept getting support calls about the backups not working. One long car journey later I find a tape unit with no tape in it and the unit showing up as disabled in device manager.

    I ask where are the tapes. The answer comes back 'they're at home'. You see he was in the habit of unplugging the unit and taking it home at night to copy the files. The scheduler not finding the unit would stop working and so when it was plugged back in the following day - it wouldn't work. If there's something that requires user interaction to work, or something they're not supposed to touch you can rely on the average user to do the wrong thing.

    --
    davecb5620@gmail.com
  145. firefox by Anonymous Coward · · Score: 0

    THE only change you need to do is: install firefox, and if they need yahoo messenger, manually install it, in order to uncheck all crapware toolbars that get installed onto firefox

  146. Re:Why [] log off in your own home? by lamber45 · · Score: 1
    Even a lot of their non-security issues would be solved by separate user accounts, so that they could have individual bookmarks, email client configs, etc.

    Per-user accounts are nice, and an important part of security (keeping each person accountable) in an enterprise environment; but there are reasons why someone might not want them at home:

    • Added hassle of logging on/off (and it might take a lot of time on an older computer)
    • Lack of knowledge about how to share data-files that really need to be shared (Mom and Dad both want to look at and make entries in the checkbook; everyone should have at least read-only access to the genealogy database)
    • Sometimes, a program doesn't run properly in a multi-user environment. For instance, SimCity 2000 stores the registration-key under HKEY_CURRENT_USER\Software, and so it thinks it's unlicensed if run from a user account other than the one used to install it.
    • It makes it harder for Mom and Dad to make sure Johnny isn't looking at pr0n or planning some illegal or dangerous activity. "Why is 'www.sexkittens.com' in the history-list of [the web browser]?" Now, the real solutions to this are 1 - prior education/good example and 2 - transparent proxy with logging and filtering on the firewall, but there might be a perception that a child would get into trouble easier with a personal account.
    • It makes it harder to share a cool bookmark or desktop-photo with a loved-one.
    I still think per-user accounts are best-practice even in a home environment, but the best time to sell them to someone is with a new computer or operating-system, and it's certainly possible to have a secure shared account on a family computer. Others have already pointed out the difference in expected time-to-own1ng based on an insecure OS, an unsecured OS or a physically unsecured home, so I won't repeat their statistics.
  147. Re:yeah, you have better things to do with your ti by knghtrider · · Score: 1

    You mean you left their PC's unprotected, without some kind of malware buster like Spy Sweeper, SpyBot, or even (Gasp) Windows Defender? Why would you do something like that; you were just ASKING for them to be infected by spyware. The reason they went to use IE is because there are websites that FORCE you to use IE because they don't work in FF. I've even seen some webmail that doesn't work in FireFox, even the latest and greatest. FF isn't the be-all and end-all either. True, it's better than IE, but it's not a cure for bad browsing habits. Even anti-spyware programs aren't a cure, but they are better than nothing.

    --
    In America today you can murder land for private profit. You can leave the corpse for all to see, and nobody calls the c
  148. Re:yeah, you have better things to do with your ti by WebCrapper · · Score: 1

    Perhaps I should have explained further that it was all set up, but not activated. They just had to log in to the router, activate the firewall rule and actually start up VNC and allow it to pass through the extra firewall (zonealarm) I had installed.

    As for FF vs IE - they don't use anything special that requires IE. They download their email, check the news and occasionally browse around.

  149. Get Safe Online by AYeomans · · Score: 2, Informative

    Try pointing them at GetSafeOnline.org which is intended for a broader audience than security professionals. Failing that, once they get trashed, stick a Knoppix CD in the drive and boot off that for ever more.

    --
    Andrew Yeomans
  150. Dated but still a good start by Anonymous Coward · · Score: 0
  151. Solutions and documention by Geezer+Al · · Score: 1

    First of all, the SANS Institute, www.SANS.org has lots of procedures that you could try to get them to implement that are not terribly invasive. They also document the nature of attacks in lay terms. However, I am afraid, that your position on this will NOT be supported. Most of the problems occur from user error and not from outside attacks. Even in your IT environment, probably most of the support time and resources that have to be hired are those that buy a new keyboard when someone spills coffee on theirs, inserts a floppy (if that is still possible in an organization) that comes from an infected outside computer, erases files that they feel they do not need like ntdtect, and so on - just look at your own company for insights. Therefore, I suggest that the solution for you is to:

    - Purchase and install Spybot on their computer, the price is right
    - Purchase and install the self updating associated Spyware Blaster - $9.00 (an inexpensive gift)
    - Set up their automatic Windows Updates
    - Get rid of Internet Explorer and install Opera, again the price is right.
    - Install an antivirus program, even a free one will probably suffice.

    And, above all, get them into some classes about Windows or Office, or whatever they are using. Good Luck!

  152. Try a Little Tenderness by Aging_Newbie · · Score: 1

    Take some time with them. Patience is the key. Walk through their email with them. Show them the Paypal phishing scams from Eastern Europe, China, Russia, and Europe. Explain about the Russian Mafia paying for every infected PC. Show Mom how the Viagra stuff gets to her (and your daughter's) PC. Explain that bad people use automation to take over their PCs and if they don't take measures THEY will be sending those nasties all over the world. If you have turned on the firewall show them how many attacks they are getting. Trace one or two back for them and show them where they come from - like a neighbor's machine on the same cable subnet - or a cable system across the country. MAKE IT REAL for them.

    Explain that a PC that is turned off is the only truly safe PC. If they want the convenience of going up to their PC and taking a quick look they need to log out and log in. Explain that when they log out it is much harder for those attacks you showed them to get through.

    One of my clientele, a retired kindergarten teacher, was finally taught the necessary respect and caution when she asked me how to get rid of the penis enlargement spam. I traced a few for her, showed her how stuff like that happened, and showed her that every time I had to clean up her machine it was likely because HER machine was sending the stuff. It has been nine months, now, and her machine is clean. She dutifully runs her Norton, Adaware, and Spybot. She avoids clicking emailed links. The most recent one was the Paypal scam. She smelled a rat, sent me a copy of the spam, and I showed her where the link really went, and how to see where it went. Now she is an active participant in protecting herself.

    It is really hard at first to take the time and use up all that patience especially without coming off as condescending. Remember, none of this really makes sense at a gut level; evil seldom does. I have three similar cases among my friends, and all are now cautious and safe.

  153. Sheeesh... by Klaidas · · Score: 1

    Do you think they'll bother reading if they don't really care that much?

  154. end user issues by Anonymous Coward · · Score: 0

    I can partly see the point in logging off (turning off would be better - nothing happening to the PC during that time and you save on the electricity bill! so there's two positives there)

    as for the end user (friend, parent, whatever) - some will use common sense - others will see a button and click it without thinking. an example of this I've had with internet tech support:
    me: now on this window, change this option for me...

    user: ok
    me: now also on this window there is an XYZ option...
    user: I don't see it!
    me: it should be on the same window there just towards the left corner...
    user: I still don't see it!
    me: ok then - what are you looking at now?
    user: (describes something else)
    me: have you already clicked on the OK button?
    user: yes I have
    me: ok we now need to go back to the specific window to change a few more settings.
    (repeat process a few more times until all the right settings are changed)

    So even under instruction - they are gonna click on anything or need a lot of effort to guide them through the most basic of issues.

    along with setting up your users to use internet hardened software like firefox, thunderbird, etc. I would like to add the concept of setting up the machine so that their EVERYDAY USE is NOT running with ADMINISTRATOR RIGHTS!

    most of these machines are usually set up to operate as a single user machine with a far too easy functionality that allows a program to be installed too easily - a readily available exploit just waiting to be tapped! they really need to be set up so that a procedure has to be done to get an application installed - otherwise block anything that isn't required.

    add the usual reliable security software (that won't keep bugging a user about annoying things, but operates more discreetly in the background and only jumps up if something serious happens.)

    network wise (home or business) lock down and configure the router so that it blocks a lot of nasties before it gets to the user.

    overall - set the user up with restrictions to block accidental mishaps, but make it so it doesn't block their usual network/local computing activity - if they want extra things then you decide if it's worth setting it up for them (factoring the risks).

    "It's typically people with a little knowledge that are a problem. They're the ones who get themselves into trouble."
    Correction - anybody who *clicks* before they think is problematic. Treat them like a drunk driver, take the keys off them and drive them home yourself (or turn on autopilot). That way they won't crash as soon as they get around the corner!

  155. Incredible! by Ginger+Unicorn · · Score: 1

    1..2..3..4.. That's the same combination I have on my luggage!

    --
    (1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons
  156. The files are IN the computer?! by ziploclogic · · Score: 1

    Zoolander!!!!

  157. How about writing one? by papastout · · Score: 1
    At the risk of being flamed I really have to just say it: rather than have one provided to you why not just write it yourself? You know your audience, their level of expertise and what they will respond to. It's just a matter of putting in the work, and even that could measure up to a series of cut and paste references that you could interpret down to anything you wish. Make it fun, witty, enjoyable to your reader. Tech manuals are for techs, everyone loves comedy.

    Once I wrote a 'how-to print tables in Excel' in the style of King James old testament style.

    Open thee to the list of Files found next to the list of edit and view. Visit not ye unto the list of edit and view, for there a foul stench longs and sight not meant for thee. Yea you shall find the list of files to reveal the secret of the 'Print Area'

    ...and so on

    It would really be worth your time to spend a day reading up on your style as you go into it; Douglas Adams would be an inspiration to a great non-tech manual, but he's done that already. I'm just saying it would be best to write your own, choose a style amicable to your audience and sock it to em.

  158. For many people, only pain works... by gweihir · · Score: 1

    It is like with small children. Some are sensible enough to understand 'hot' and don't have to burn their fingers more than once or a few times before they understand that listening to warnings makes sense. Others have to try out each and any thing despite being warned. Usually they will survive the experience. Some do not. There is no way to protect them if they are unwilling to listen. These users of yours are the same. Once they have lost some years of work or email or photographs or had to reinstall everything, they start to understand that the warnings were not only academic and some may even seek the knowledge on how to protect themselves.

    My advice is to give a reasonable amount of warning and then let them make their own experiences. Some will ask you for more advice. But some will insist they know better. If they come complaining after they have been bitten, you can stop them with an "I told you so" and either tell them to fix it themselves or ask for some reasonable compensation for your time. But you cannot give them the wisdom they so obviously lack. Stop trying.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  159. Control freaks = bad by Qoroite · · Score: 1

    Let the poor non-technical people roam free; over the hills, toss cookies to the botnets, run off giant cliffs etc... Sure for a system with sensitive info I'd protect it (still wouldn't give you a guide cos I'm evil like that) but I don't give a toss what people do on their own home systems.

    1. Re:Control freaks = bad by DigitalSorceress · · Score: 1

      That's all well and good until your mom and dad have to come to live with you because they fell victim to phishing and/or identity theft and their life savings and retirement have been cleaned out.

      I don't mean to offend, I'm merely pointing out that computer security is not just about protecting your PC from getting blown out by a virus anymore.

      --

      The Digital Sorceress
    2. Re:Control freaks = bad by The+Cisco+Kid · · Score: 1

      Then tell your mom and dad that doing anything financial online is inherently insecure and unsafe, and that neither their bank info, CC#, or SS# should ever, for any reason go near the computer unless you are standing there holding their hand. They'll believe you, and stick with paper and in-person transactions that they are comfortable with.

  160. Why, why, why, why, why... by Anonymous Coward · · Score: 0

    do people put up with all the painful security issues on PC's??? There is an alternative solution where security problems just plain don't exist. Seriously. You know what I'm talking about. I won't even mention the word. Unless gaming is your life, it's absolutely the best way to eliminate security headaches!

  161. It's a tough job... by DigitalSorceress · · Score: 1

    I think that educating non-technical family members is one of the toughest jobs in IT. Honestly, my mother has actually come to me saying she needs a new memory stick for her digital camera because she's filled hers up. Combine that with the fact that she seems constitutionally incapable of understanding such basic concepts as drag/drop copy/cut/paste no matter how many times I sit down and explain them to her, and you can see how bad it can truly become.

    Good Luck.

    --

    The Digital Sorceress
  162. I find this works by enmane · · Score: 1

    I find that installing Zonealarm and leaving it in the default mode (where windows pop up showing you when you are getting pinged) is a nice way to show users just how many people want to find a home on their box. It's usually the "I had no idea" look on their face that makes me smile.

  163. It's not that hard... by klubar · · Score: 1

    Securing a windows system isn't really that hard. If you follow the following eight easy steps, you will avoid most security problems... unless your users (family) really do something dumb. This procedure will work for most users (do not use for high security/military/banking applications)...

    Step 0: Remove all the pre-installed crap from their new computer (this may require reinstalling Windows and the 200 MB of updates); all the manufacturer's shovelware just causes problems (especially Norton, AOL, and other free trials)

    Step 1: Install all the programs they will need (pick your choices of mainstream programs...like Quicken, MS Money, Office, games).

    Step 2: Set up their account as a normal user (not Administrator); check the NTFS security that they don't have write permission into directories like Programs

    Step 3: Buy a cheap (but effective) home router...something by dlink, linksys, etc. Ideally don't set them up wirelessly... but if they really need wireless use a MAC filter to only allow their machine to connect... don't bother with anything fancier.... yes I know James Bond can spoof their MAC address... but really... Turn on the hardware firewall.

    Step 4: Install a reliable, but light-weight AV solution (I like Grisoft AVG... it's free); set it to auto update

    Step 5: Enable auto updates from Microsoft ... have them installed automatically

    Step 6: Turn on the windows firewall

    Step 7: Remind them to leave their machine turned on so autoupdates are applied (unless you're worried about physical security, there really isn't a need to have them log off).

    This configuration will block active X controls (make sure you install whatever they need); between the AV solution and write-protecting the various directories you should be set....

    It's really not that hard to have a secure setup for windows.... 95% of the problems would be avoided if people did not run as administrators. In this configuration the machine will be rock solid... I've had systems never require a re-boot (except for the odd update).

    Step 8: stop by every so often and say hi... ask for a free dinner in exchange

  164. Thanks! by gettingbraver · · Score: 1

    Good advice to apply to what I'm writing!

  165. Re:yeah, you have better things to do with your ti by ultranova · · Score: 1

    She's retired, disabled, and has nothing to do all day but play on the computer so I don't push the point anymore. I just accept the fact that every month or so I have to visit her and fix her computer. It's really a drag on my life since I have a family of my own to worry about and frankly couldn't give a shit whether her computer works or not.

    So stop fixing the damn thing. Why on Earth would you "have to" keep on fixing it ? Are you codependent or something ?

    Besides, it sounds to me like she's just using it as an excuse to get your attention. If I'm right, then she'll just switch to some other method if the computer problem ever gets solved for good.

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  166. Why is it so hard? by Slashdot+Parent · · Score: 1
    My parents are not very tech-savvy, but they have never gotten infected. Not yet, anyhow. The following procedures work for them:
    1. Anti-Virus (pick your favorite) with subscription for auto-updates
    2. Windows set to auto-update
    3. Hardware firewall with no incoming ports and uPnP disabled.
    4. 802.11+WEP (WEP key taped on the router)
    5. Email through a webmail provider that virus-scans (pick your favorite)
    6. Don't open email attachments that you didn't specifically request, and even if you did request, realize that there is still some risk.
    7. Don't install cute cursors, taskbar buddies, etc. They will cease to be cute after about 90 minutes, but they will slow down your machine forever
    I think that's about it for their training. Notice that it doesn't involve them having to do any maintenance themselves and it keeps them pretty-well protected. I lock my own machine down much harder, but I am willing to tolerate that inconvenience.

    By the way, your suggestion that computer safety begins with logging out of your home machine while you're not at the keyboard made you look like the biggest jackass I've seen in a long while. I'm just sayin'.

    --
    They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
  167. Dear Son, by Slashdot+Parent · · Score: 1
    Don't forget who paid $100,000 so you could go to college and be such a "smart" computer person. The way I figure it, you owe me 5000 hours of consulting services.

    If you need to contact me with any apologies, you can find me at my attorney's office rebalancing the asset allocations in my will.

    Love, Dad.

    --
    They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
  168. Bruce Schneier's thoughts on the subject by Anonymous Coward · · Score: 0

    http://www.schneier.com/blog/archives/2004/12/safe_personal_c.html

    December 13, 2004
    Safe Personal Computing

    I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, "Nothing--you're screwed."

    But that's not true, and the reality is more complicated. You're screwed if you do nothing to protect yourself, but there are many things you can do to increase your security on the Internet.
    [...]