A Security Guide For Non-Technical Users?
kin_korn_karn asks: "Like many of you, I am the family IT department. I cannot convince my parents to follow proper PC security procedures. I'm not talking about enterprise-level things such as card swipes and fingerprint scanners, just simple measures like logging off of the PC when it's not in use. They, like many people of their generation, seem to be willing to sacrifice security for convenience, as long as their real data isn't being impacted. I can't seem to get it through to them that it's only a matter of time until they are. Since my own arguments aren't working, I need documented proof to back it up. Can Slashdot offer up some kind of arguments or information that I can use?"
"Does anyone know of a guide to IT security that:
a) Is written for a non-technical audience, but is neither condescending nor overly 'soft.'
b) Defines the various terminology (trojan, virus, zombie, etc.) clearly.
c) Explains what threats each security measure protects the user from.
d) Uses cases and examples to demonstrate the before and after scenarios, like: 'Jane's credit card number was intercepted via a non-encrypted connection. She started looking for the padlock symbol on her browser's status bar. Now, her credit card number looks like this: @*#(!@($).' (That's just an example, by the way)
It's the content that's important not the media, so your suggestions can be anything, be it an online document, multimedia presentation, or a print book."
you should go outside and play catch with your son.
Right, the reason nobody is listening to him about security matters is that he's batshit insane, and is going on about logging off when you are not using your home machine, possibly to protect yourself from ninjas breaking into your house and stealing your files.
First The Fear: I don't have the document you're looking for. But I think the basic problem is this: in the Real World, if you leave your door unlocked (I didn't say "open") in most neighborhoods it'll take years, at least, before you get broken into. Most people aren't going around trying residential doors. (Assuming you aren't conspicuously advertising more wealth than your neighbors) And if you're going to get broken into, having a locked door won't make much difference...
I would say the mean time before someone breaks into your house BECAUSE you didn't lock the door averages at LEAST years.
The mean time until your online (routable) Windows computer is compromised if you don't have a reasonable firewall is something like 15 minutes (and falling). You need to strike home the fact that that's the AVERAGE time until someone WILL try to attack their computer. If someone is trying to steal from you every 15 minutes, you NEED to be paranoid.
Second, of course, is education.
First you need to decide whether you're going to keep fixing whatever messes they're going to make - or you need to say: "I've wasted enough time on your computer. If you don't follow the rules I set out for using it safely, I'm not fixing the problems you have - or I'm at least waiting weeks before I do." - and you need to be serious. If you fix it all for free, there is no incentive.
One rule is not to download and install anything without your approval. If they see that warning screen and click "yes" - that's their problem. Those smiley toolbars don't get there by themselves.
Then you need to do what you can for them automatically. I agree with another poster that logging off is not a high priority. A good "hardware" firewall is - with the "gaming" port forward OFF. Turn on automatic updates. Getting a Mac is great : )
If you can't do that, disabling ActiveX - COMPLETELY - (preferably also removing the IE icon and installing an alternate browser) helps a lot. Installing Spybot S&D and its automatic protections helps.
Hi Mom,
:-)
My clients are required to be at a certain level of security before they are eligible for our unlimited support plan. Until that point is reached, hourly billing is used. The reason for that is because it takes a lot of effort to keep their systems running smoothly at that point, so it's not profitable for us to keep them on the unlimited support plan.
You are enjoying unlimited no-charge support from me, but it takes away from our time to talk with each other. Wouldn't you rather talk to me about stuff other than work when I come to visit you? If so, please follow these simple guidelines and don't install any software unless you call me first.
Thank you Mom
Leonid S. Knyshov
Find me on Quora
You seem to think that your problem is that your parents aren't technical enough to understand the threat. Your solution is to get them up to a similar level of expertise that you're at. That's simply foolish.
The problem is you aren't communicating effectively, or your parents aren't willing to listen. I don't need to understand the reasons WHY I should change my oil in my car every 3-6 months to do it. I only need to trust that if I don't, my car will suffer. Mechanics don't give out chemical assays of oil, results of wear tests, or the breakdown of acid-inhibitors etc. to convince people to change oil; they rely on communication and reputation. "Bill's a good mechanic, he always knows what's wrong with my car. If he says to change my oil every 3 months, he's probably right". The world is too complex to try to learn EVERYTHING.
Maybe your problem is you don't really understand security yourself, so you can't explain it properly. Telling people to log off their own computer in their own household really adds no security from viruses, worms, etc. If you try to make this argument to your parents, you're just going to sound like you're (as another poster put it) "batshit insane". This destroys any credibility you have, and any sane advice like keeping up on updates, installing hardware firewalls, etc goes out the window.
So, you need to work on your communication skills, not try to get your parents to have the same amount of knowledge you do.
AccountKiller
One major problem is that many non-technical people try whatever is humanly possible to relate technical scenarios to "real-world" analogies. This goes for computer security, too; as other posters have mentioned, they try to line it up with their house in the neighborhood, and all too often come up with the line, "Well, why would they attack ME? I don't have anything valuable!". This, to them, equates with security. I should know, I've had that pulled on me before.
And this may be the problem you're experiencing. Try explaining that, in many cases, the computer itself is what "they" want (botnets, zombies, etc). Problem being, you'd be forced to come up with a real-world analogy for it. "It's like if someone could break into this house undetected, loaf around and steal food regularly, take your credit cards and use them freely, then start prank-calling the neighbors and blaming it on you, and everybody thought it WAS you."
The whole issue of a Windows machine being broken into within 15 minutes of a fresh install is even more difficult to put in non-technical terms. "Imagine there was an army of zombies [or robots, or people] roaming the neighborhood. They're going around trying everyone's front door to see if it's locked, and if it isn't, they walk right in and take over the place. Sometimes they try to pick the locks. They don't care if anyone calls the cops on them, there's far more of them than there are cops. And they don't care how long it takes, there's enough of them to try each and every door. And they don't talk to each other, so they'll keep trying the same doors over and over with different lockpicks. And each house they take over produces more zombies [or robots, or people]."
Now, both of those would just be absurd to a non-techie, to say the least. So what I'm saying is that you need to try to draw analogies they can understand but don't sound ridiculous. You can provide documentation to back up your claims, but you'll need to convince them to read said documentation first, and that's where your creative storytelling skills come in.
Just my two units of fractional currency.
Demanding constant attention will only lead to attention.
I stay logged in all the time. The only way someone is going to hack my system because of that is if they break into my house. If they break into my house (and survive) the stuff they get off any computer is the least of my worries.
Even if my computer is turned off, and they run away with the hardware, it doesn't take much skill to recover data off it. If you have physical access to the device, you can read it, regardless of the OS.
Which is why you need to use an encrypting file system.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
I've had some good success through demonstration, and letting them make mistakes.
:) Neither my girlfriend's machine, nor her son's machine have had anything bad happen to them. I've even broken my Linux box, from doing very ill-advised things. Doing it once gives me the experience of "what happens if....?", so I can help other people later. For me, I don't really care if I completely hose an OS installation. I'll wipe it out and reinstall. I always have another machine that I can use. :)
My girlfriend is pretty good with her computer. She made mistakes before I met her, and learned from them.
Her son has his own computer, and had made mistakes himself. With some stupid online game, someone got into his account, and messed it all up. His password was his own first name. I showed him some password scanning utilities, and explained how they work. I then described for him what a "good" password is.
He then asked me "Can you hack their account, and mess it up?" I told him that I could, but I won't. Could I? Maybe. Maybe they were just as stupid themselves, and used easy passwords. Maybe if I looked around enough, there was something exploitable on the site. I wouldn't though, to teach him that revenge doesn't solve anything.
I've shown both of them the joys of packet sniffing. While most of it was over their heads, showing them their own password was useful. "Look, I'm a hacker, and I can see everything you've done. To avoid me doing this, you should
Honestly, the best way I've found to protect myself is to learn what the bad guys are doing, and solve the problem. You have to teach them what the problems are, and how to protect themselves.
It's usually better to teach someone yourself. You can judge if they are absorbing the information, instead of letting them skim over the pages that are greek to them. "Password security? Ya, I have a password. It's 1234."
I've seen so many people in office environments who are just told "don't do this", but they don't understand why, so they'll still make mistakes. How many zombie machines are out there on the Internet right now, because people didn't understand what not to do and why?
Be Mr. Evil Hacker for a while. Mess with them. Tell them exactly what you did, and how to fix it. If you keep messing with them, it's very likely they won't keep making the same mistakes. There's no need to do anything particularly damaging. More than likely, they'll do it on their own.
In the last couple years, I've reinstalled Windows on my XP workstation three or four times, from using bad practices. It's my own dumb fault for doing things that I know I probably shouldn't be doing. Of course, I'm doing them to see how they work.
Serious? Seriousness is well above my pay grade.
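The post above describes a kid whose account password was his own first name, and then explaining to him what a "good" password is. As an added example (not code from the thread or any poster), here is a small password checker of the kind you could sit down and run with a family member: it flags length, dictionary words (including leet-speak variants like "P@ssw0rd"), personal information such as a name, alphabet or digit sequences, heavy repetition, and a naive brute-force entropy estimate. The wordlist is a constructed stand-in for a real leaked-password list, and the 12-character and 50-bit thresholds are assumptions chosen for illustration.

```python
import math
import re

# Constructed mini wordlist; a real check would use a large leaked-password list.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "dragon", "monkey"}

# Undo the usual character substitutions so "P@ssw0rd" is still caught as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def charset_size(pw):
    """Size of the alphabet an attacker would have to brute-force for this password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return size


def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive characters stepping by +1 or -1
    in code-point order, e.g. 'abcd', '1234' or 'dcba'."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        steps = {ord(s[i + j + 1]) - ord(s[i + j]) for j in range(run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def assess_password(pw, personal_info=()):
    """Return a verdict dict: ok flag, naive entropy in bits, list of problems found.

    `personal_info` is an iterable of strings (first name, pet, birth year...)
    that should never appear inside the password.
    """
    problems = []
    if len(pw) < 12:  # assumed minimum; adjust to your own policy
        problems.append("too short (under 12 characters)")

    lowered = pw.lower()
    base = re.sub(r"\d+$", "", lowered)  # 'dragon99' -> 'dragon'
    candidates = {lowered, base, lowered.translate(LEET_MAP), base.translate(LEET_MAP)}
    if candidates & COMMON_WORDS:
        problems.append("common dictionary password")

    for item in personal_info:
        if item and item.lower() in lowered.translate(LEET_MAP):
            problems.append(f"contains personal info '{item}'")

    if has_sequence(pw):
        problems.append("contains an alphabet/digit sequence")

    if pw and len(set(pw)) <= max(2, len(pw) // 3):
        problems.append("too many repeated characters")

    # Naive brute-force estimate: assumes every character is chosen uniformly at
    # random, so it overstates the strength of dictionary words and passphrases.
    bits = len(pw) * math.log2(charset_size(pw)) if pw else 0.0
    if bits < 50:  # assumed threshold for this example
        problems.append(f"low brute-force entropy ({bits:.0f} bits)")

    return {"ok": not problems, "entropy_bits": round(bits, 1), "problems": problems}


if __name__ == "__main__":
    # Constructed sample inputs, including the first-name case from the post.
    for pw, info in [("David", ["David"]), ("P@ssw0rd123", []),
                     ("correct horse battery staple", [])]:
        print(repr(pw), assess_password(pw, info))
```

Running it prints the verdict for each sample; the point to make when showing it to someone is that the first name and the leet-speak "P@ssw0rd" are rejected on dictionary and personal-info grounds regardless of how the entropy number looks, while the long random-word passphrase passes every check.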
And it is often the only way. Get ahold of a spyware-infected machine, and download the file to which it's logging all its stolen data, then show it to your parents. (You'd be surprised how easy this is most of the time...also you can score some free Myspace accounts this way.) Maximum scare points apply if their PC is already infected and you can show them their personal data in the file. Watch how fast they change their passwords and lock down their PC!
I'm wondering if you actually know what you're talking about, or if you're just some pedantic idiot attempting to assert he's smarter in something to his parents. Example: ...just simple measures like logging off of the PC when it's not in use.
WTF? Why do they need to log off their own damn computer in their own damn house? If someone breaks in and gets physical access, I'm betting that unauthorized surfing isn't their top concern. And if you think having them log off will thwart a thief from getting their data, you're crazy. If the thieves want the data, they'll get it by just stealing the drive & mounting it as a secondary drive.
People like your parents are easy. They don't need to know about viruses & worms. You just set anti-virus to run and automatically update & have them use a mail client other than Outlook (e.g., Thunderbird or Eudora). You set up the firewall & just leave it. They don't need to know how to administer the fucking thing. Past that, you tell them basic things to avoid phishing, never install anything without asking me. That's basically what we did with my mom & no problems. There's little chance of her fucking anything up, because, by and large, she doesn't know enough to get herself into trouble. She's not going to change the config on the firewall, as she doesn't even know what the hell a firewall is.
It's typically people with a little knowledge that are a problem. They're the ones who get themselves into trouble. And while it sounds like your parents don't fall into that category, it sounds like their son does.
-Bill
You see, it's a generational gap. You need to explain things to your parents in terms they can understand. Explain that leaving your home computer logged in is like allowing the Soviets (don't worry, they'll know who the Soviets are) to put missiles in Cuba.
Then explain to them that you're kind of like Joseph McCarthy and you're just trying to protect them. I think that'll get them to pay proper attention to your important message of salvation.
Try pointing them at GetSafeOnline.org which is intended for a broader audience than security professionals. Failing that, once they get trashed, stick a Knoppix CD in the drive and boot off that for ever more.
Andrew Yeomans