Ask Slashdot: What To Tell Non-Tech Savvy Family About Malware?
First time accepted submitter veganboyjosh writes "I got an instant message from an uncle the other day, asking me what was in the link I sent him. I hadn't sent him a link so I figured that his account had been hacked and he'd received a malicious link from some bot address with my name in the 'From' box. This was confirmed when he told me the address the link had come from. When I tried explaining what the link was, that his account had been hacked, and that he should change the password to his @aol.com email account, his response was 'No, I think your account was hacked, since the email came from you.' I went over it again, with a real-life analog of someone calling him on the phone and pretending to be me, but I'm not sure if that sunk in or not. This uncle is far from tech savvy. He's in his 60s, and uses Facebook several times a week. He knows I'm online much more and kind of know my way around. After his initial response, I didn't have it in me to get into the whole 'Never click a link from an unfamiliar email address' bit; to him, this wasn't an unfamiliar email address, it was mine. How do I explain this to him, and what else should I feel responsible for telling him?"
you've been compromised, and now you're spamming /.
Log into AOL's SMTP server with telnet and make an email that looks like it's coming from your uncle. Show him how easy it is to fake, and that the "to" field is actually incredibly untrustworthy.
...that'll a man will jump out of their screen and yell, "WHERE'S YOUR DAUGHTER?!" http://www.youtube.com/watch?v=U0wY4wIB5_4
In this case, let's say your uncle mails his letters by leaving them in his mailbox (I think some places let you do this) for the mailman to pick up. Now let's say a shady guy comes along and copies the names of people your uncle is mailing letters to, including yours, then sends him a letter purportedly from you asking him to loan you money by wiring it to a specific bank account or whatever.
Your NAME was involved but you had nothing to do with it, and the scammer found out your name from him.
I don't see why you think his account has been hacked.
Someone simply sent him email with your address as the "From" address. Doing that is trivial, and spammers do it all the time.
Post your uncle's email address and your email address, and thousands of us here will send you email with your uncle's email address as the origin.
Go ahead, post both addresses. You can trust me. I'm "Anonymous Coward", and you've seen millions of articles from me which show my wide variety of expertise.
Are you sure it was your uncle who sent you the instant message?
Seriously. Show him a segment in the e-mail header and say that's proof his shit was hacked. He won't know the difference anyway.
Explaining email issues can be very tricky, since there can be problems with authenticity at both ends of a one directional communication. For instance, perhaps your email host is owned, they can send messages as you. Alternately, the recipient's email host is poorly configured, and it's accepting mail with spoofed sources. It gets even more layered, when you look at whether or not the sending MX is authoritative for the domain the message originates from, which is where SPF comes into play. Everyone who has a domain, whether it's used for sending email or not, should specify an SPF record (or TXT with appropriate content) specifying which servers can send mail, if any. Every mail server, besides not being configured to be a relay, needs to avoid accepting mail from senders using addresses only it should be authoritative for.
Tell him nothing else, just feel superior that you don't get malware. OR
You could point him to a website that has a simple explanation of how it is that you know for certain that his machine is infected, instead of someone else's who has both your and his email addresses in it.
Or did it just spoof your name, and attach some made-up email address. In either case, tough to blame your uncle for "lack of sophistication". Anyone might have followed a link to "take a look at this hilarious clip" or whatever, under the circumstances, unless they were unusually observant and/or paranoid.
This used to be good advice, because Macs were such a small share of the market that the malware authors didn't bother with them. This isn't quite so true any more.
If you want to get them a platform that won't be targeted by malware authors for quite some time, install Linux Mint on their PC. As a bonus, it won't cost anything extra (unless they have some shitty printer that has no Linux support, but a new Linux-compatible printer is much cheaper than a new Mac). As an extra bonus, you can install the KDE version of Linux Mint and assuming they're coming from XP or Win7, they won't even have to learn a whole new GUI paradigm.
Why is he asking you for help? Just say "If you trust me enough to ask, trust me enough to accept my explanation."
Creating a non-administrator/root account for them should prevent the installation of most malware. DON'T give them the password.
And tell them that the Internet is like Mos Eisley: "It is a wretched hive of scum and villainy. We must be cautious."
Keep an up-to-date firewall and virus scanner like Norton. Turn on automatic updating for the operating system. And for the security software.
Hope for the best.
Really, I can't think of a good reason to presume that either account was actually hacked. What's evidently happened, however, is that both parties have had their email addresses harvested, using one (falsely) as a sender and the other as recipient.
File under 'M' for 'Manic ranting'
Explain how to expand the e-mail header to show the sender's full address, i.e. Josh
Then simply explain the whole "never talk to strangers" bit and make comparisons to tech where possible.
Yes, because that would totally prevent his AOL account from being hacked...
Holy shit you Apple people are fucking stupid.
I mean, when you're mailing from maximizeyoursize@maleenhancement.com there are just predictably going to be misunderstandings.
Most 'exploits' that get people these days are emails, etc, with fake notifications that get people to enter their login details for FaceBook, Gmail, etc. A Mac will not help for the majority of what gets people these days.
I think this is mentioned, but nothing mentioned indicates either party was hacked. The from part of an email can be forged as easily as the from address on a piece of stationery. That email could have come from anywhere in the world and anyone. The only thing we can gather is that the spammer somehow connected the submitter's name with that of his uncle. It could have been either side, or a public mention of both addresses, or a third relative getting hacked that has both of you in their contact list. The raw headers *might* be able to tell you if it came from an aol email server but that still doesn't itself tell you who sent it.
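An added example, not part of the original thread, of what the raw headers discussed above can and cannot show: it reads only the Received and Authentication-Results lines written by the recipient's own provider and reports which IP handed the message over. The message, host names, addresses and the `trusted_domain` parameter are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: every host, address and IP is a documentation value.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
    by mbox.recipient.example with ESMTP; Mon, 3 Dec 2012 10:00:02 -0500
Received: from unknown (HELO mailer.example.net) ([203.0.113.7])
    by mx.recipient.example with SMTP; Mon, 3 Dec 2012 10:00:01 -0500
Received: from aol.example (aol.example [198.51.100.1])
    by mailer.example.net; Mon, 3 Dec 2012 09:59:59 -0500
Authentication-Results: mx.recipient.example; spf=softfail smtp.mailfrom=mailer.example.net
From: "Josh" <josh@nephew.example>
To: uncle@recipient.example
Subject: check this out

http://link.example/
"""


def is_trusted(host, trusted_domain):
    host = host.lower()
    return host == trusted_domain or host.endswith("." + trusted_domain)


def domain_of(header_value):
    """Domain part of the address in a From or Return-Path header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def handoff_hop(msg, trusted_domain):
    """(claimed host, IP) from the oldest Received line our own servers wrote.

    Received lines are stacked newest first. Everything below the first line
    not written by a trusted server was supplied by the sender and can be
    invented, like the "aol.example" hop in SAMPLE.
    """
    hop = None
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())  # undo header folding
        by = re.search(r"\bby\s+([\w.-]+)", flat)
        if not by or not is_trusted(by.group(1), trusted_domain):
            break
        frm = re.search(r"\bfrom\s+([\w.-]+)", flat)
        ip = re.search(r"\[([0-9a-fA-F:.]+)\]", flat)
        hop = (frm.group(1) if frm else None, ip.group(1) if ip else None)
    return hop


def analyze(raw, trusted_domain):
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    rp_dom = domain_of(msg["Return-Path"])
    hop = handoff_hop(msg, trusted_domain)

    spf = None
    for ar in msg.get_all("Authentication-Results", []):
        # Only believe results stamped by the recipient's own provider.
        if is_trusted(ar.split(";", 1)[0].strip(), trusted_domain):
            found = re.search(r"\bspf=(\w+)", ar)
            if found:
                spf = found.group(1).lower()

    findings = []
    if rp_dom and rp_dom != from_dom:
        # Also true of mailing lists and bulk senders: a hint, not proof.
        findings.append(f"envelope sender {rp_dom} differs from From {from_dom}")
    if spf != "pass":
        findings.append(f"SPF result is {spf}")
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "handoff_host": hop[0] if hop else None,
        "handoff_ip": hop[1] if hop else None,
        "spf": spf,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE, "recipient.example").items():
        print(f"{key}: {value}")
```

The hand-off IP identifies the server that delivered the message, which is as far as the headers go; it says nothing about who was typing at the other end.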
I have similar problems with my family (usually my mid-60's parents). Funny thing is, they're not dumb. But about a year ago when I was explaining to my mom for the 40th time what a URL is and how to copy and paste it in your browser, when she (a 10+ year computer user) asked me what a "browser" is, I gave up. They spent their money on that machine and if they can't figure out how to use it properly, it's their own fault.
A person can ask for advice. They can act on it as they see fit. If your adult uncle ignores your advice, you are off the hook. Maybe you know what's best for him, but if he's asked you and doesn't believe you, there's nothing you can do. I know you wish you could help, but you can't. We sell computers to people who aren't IT admins with the implication that they don't need to be one in order to operate them. Sadly this isn't true, but it's beyond your duties as a nephew to try to disabuse him of this notion.
This answer is probably less than satisfactory, but the world is an imperfect place and our ability to change that is very limited.
Perhaps other Slashdotters have some Jedi mind tricks for you to try, but I'm not optimistic, based on personal experience.
I am not a crackpot.
You can never be too sure, especially since the submitter thinks his uncle has been compromised.
Use of the words "good", "bad" or "evil" is almost invariably the result of oversimplification.
Tell him that the "from" that shows up in emails is like the upper left corner of an envelope.
I could write a letter, address it, and in the upper left corner write
And you could mail the letter. And the letter might even be delivered. But that doesn't mean that the President really sent that letter. It just means that whoever sent it claimed to be someone else when they were sending it.
Get them a Chromebook and save $1200+ off the price of the Mac and be done with it.
You were more likely the one who was hacked. After all, if you were a hacker, and you had compromised someone's email, which would you do: send one email to the account you hacked, or send a bunch of emails to everyone in that account's contact list? Of course, neither of you have necessarily been hacked, but there has to be some way the hacker knew to claim it was from you. So the hacked account could belong to someone you both know. That would be a sneakier way of avoiding detection for a bit.
Just tell him email is very easy to forge. That's it.
You don't have to explain the technical details of exactly how it is forged, what headers are, how SMTP works, how malware mines personal data, or any of that. If he cared about the technical details, he'd read up on them, and then he wouldn't need you.
Keep it simple: "email is very easy to forge."
Cut that out, or I will ship you to Norilsk in a box.
You did what you needed to do, you let them know they had a problem.
You are done.
It is not just non-tech savvy people that have this problem. My brother is, or so I thought, knowledgeable in the area of malware. One day I get a spam message sent from him, actually from his previous email address. I recognized that the message was also sent to quite a few people in his address book. After receiving a few more, I did a reply all to one of the messages, copied to his current email address and included a message that I hope you are not doing any banking or on-line shopping with that computer. His response was to send out a message to his entire address book asking people to set up their spam filters to ignore any messages from his old address.
I tried, I'm done.
The good news is that I now know of some juicy stocks that are going to really run up in price and three or four places where I can order some V1agra. Also, I was able to do all of my holiday shopping at a really great Russian sex toy shop. They even gift wrap! Everyone is going to be so surprised this year!
Again, you are done, move on.
You can tell a kid a hundred times that the stove is hot, he won't believe you until he burned his hand.
Tell him, if he chooses to ignore you, don't press on. You offered help, he declined, everything's fine. Sorry, but if ignorant people choose to reject the information they get from people who know more than them about the matter, you have to let the kid burn his hand.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Really, you could have just said, "my uncle uses AOL," and that would have explained everything.
Joking aside, why did you use the telephone analogy? It's email, a postal mail analogy would have been perfect: it's as if someone sent him a nasty letter and printed your address in the top-left corner of the envelope.
As for what to do with his PC ... well, if he's just the typical "Facebook and email" user, install Debian or something and rename the desktop icons ("Internet", "Email", etc.). I put Ubuntu on my mom's netbook and she pesters me no more often than she does about her Windows PC.
"What's malware?"
"You know how government officials tell you sweet things they'll do for you, so you vote for them, and suddenly you see your wallet draining rapidly and all kinds of shit clogging up everything you do, and even after installing their 'fix', things keep running slower and slower and slower? Same thing but just on your computer."
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
This isn't "Malware". This isn't "Hacking". It's just Phishing.
Read this: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201112_en.pdf
Explain that email was invented in the mid-70s and hasn't really changed that much. Security wasn't a factor back then, and it's easy to write an email that appears to come from anyone.
If your uncle had been hacked, why would the attacker send him a malicious link?
My analogy is a letter with my name and address written in the return-address space. Does that guarantee that the letter's from me? Of course not, anybody could write that in if they knew my address, and all it takes to find my address is to look me up in the phone book.
As plain and obvious it seems to us tech nerds.. some people will just never get some of the tricks the spammers use like forged from addresses and no, you're not infected, don't click that link to install superantispyware 2013. If possible, take the PC/Laptop for an evening to "speed things up" put good anti-malware and antivirus on it, maybe make a clean image and a non-admin account if you can and expect the calls for when he screws it up again if you are his dedicated tech nerd.
What I'm getting at is that non tech-savvy people will not remember/act on the advice you give them. Better to get them something -usable-, with a low chance of infection. You could give them a *nix install if you prefer, but I don't want to be a support contact for my family's systems unless there is a dire need (eg. hardware). Also, you described a phishing attack, which I don't classify as 'malware'.
And then, go one better, and explain to him that by using PGP authentication, you CAN ensure that emails are from who they say they are, assuming you've verified the key. Show him how easy this is to do with Enigmail. And then join the ranks of us who've been frustrated by the glazed eye look that comes upon doing so.
Having to explain tech to the tech-clueless is definitely among the activities in some of the lower circles of Hell. Sorry, there's no magic solution here.
This happened to a guy I know recently. I was surprised to learn that Yahoo! and Google have a place you can check your login history at. I was able to show this guy evidence that my theory was correct, after which he became much more cooperative about changing his password. FYI on Gmail and other services with oauth you should also clear all those sessions I would think. I dunno if AOL has this history feature, but it's more common than I would have thought. If he's connecting from ARIN block IPs and you find some unexplained APNIC IP in the history it's a pretty good indicator of a problem.
Most of the non tech savvy will end up hacked. This will be the perpetual state of any Windows box which doesn't have full time support of a corporate IT department or a tech savvy user between the chair and keyboard 100% of the time.
AOL is a problem as well. You shouldn't be trying to support AOL users. Refer them to the AOL tech support number.
If your uncle isn't asking you for help it's none of your business. Why should people rally against infections which don't affect them?
My Windows partition contains a copy of Borderlands 2 and nothing else. Antivirus and Windows updates can't protect you from zero day exploits, which means they are useless and should be turned off. Boot to another OS to browse the Internet.
I think the first thing to tell your uncle is that he should get his tech advice from a more tech savvy relative who doesn't automatically assume that a forged email is done by hacking someone's account.
This used to be good advice, because Macs were such a small share of the market that the malware authors didn't bother with them. This isn't quite so true any more.
It is true that Macs are not (relatively) free from threats anymore, but damn, they sure have a lot fewer to deal with. No?
That's pretty much true. You should only get a Mac if you're trying to do real work. For web surfing and email a Chromebook would be better for most non-savvy users.
http://www.rootstrikers.org/
What he's getting at is that any OS on any computer is vulnerable to this sort of attack. Any OS at all that has a web browser: Windows, OSX, Linux, Android, iOS, *BSD, Solaris, whatever.
Once you click that link and enter your credentials, you are hacked. No resident virus required that has to hook your system via known attack vectors. Of course once you are hacked, it is much easier to get to that next step, if that's important to the attacker. But usually it's not, they're perfectly happy with your accounts.
It's bad, m'kay.
You are welcome on my lawn.
Hacks always go after the widest distribution and so naturally Windows XP/Vista/7 are affected much more than Macs since they are still a much larger percentage of the online systems today.
By that logic, I would recommend they use Windows 8. Nobody uses it! Not for long anyway...
This used to be good advice, because Macs were such a small share of the market that the malware authors didn't bother with them. This isn't quite so true any more.
It is true that Macs are not (relatively) free from threats anymore, but damn, they sure have a lot fewer to deal with. No?
Not anymore. Remember that story posted not so long ago?
http://thenextweb.com/microsoft/2012/11/02/microsofts-security-team-is-killing-it-not-one-product-on-kasperskys-top-10-vulnerabilities-list/
Apple is on that list twice (QuickTime and iTunes). Adobe is there a lot. No Microsoft products.
Feel free to bring the conspiracy/fraudulent research theories but really it's time people move on with old stuff.
lucm, indeed.
What he's getting at is that any OS on any computer is vulnerable to this sort of attack. Any OS at all that has a web browser: Windows, OSX, Linux, Android, iOS, *BSD, Solaris, whatever...
Which is the main reason you teach someone how to avoid this shit one time. Maybe twice. After that, they're on their own, and it fucking needs to be that way. Only way malware is going to ever become less of a problem is through education, not technology. This example clearly proves that.
Too cruel? Here, how about a car analogy then.
How many times are you going to help replace your friend's flat tire because they keep driving over nails before you finally say, "fuck it, you're on your own."
My dad got infected by some malware a while back. He had WinXP Pro. My brothers tried to help him to no avail. He doesn't do well with keeping his antivirus and malware stuff updated. The old guy also does stuff I've told him not to do too. So he got this malware infection that told him that the FBI had locked his computer and to send $200 to a site to unlock it. He freaked out. So I installed Linux Mint 13 KDE 32-bit on his computer. He hasn't had to worry since. He likes it because it's also faster. My family thinks I'm free tech support and I was getting real tired of fixing their installations. Now my brothers and uncle have installed Mint also. Life is much simpler for me now. :-)
Oh, yeah! Wise guy, huh? Woob woob woob woob! Nyuk! Nyuk!
...Having to explain tech to the tech-clueless is definitely among the activities in some of the lower circles of Hell. Sorry, there's no magic solution here.
Sure there is. Stop teaching.
Absolutely shocking to me that the one solution that is the most obvious (a user actually educating themselves about the tool they rely on) is the one that has somehow now been deemed "magical" due to mass ignorance.
I say fuck 'em. They'll learn one way or another, or they'll give up trying and stop using computers. Either way, it's a win for the educated and/or self-inclined.
And no, I don't feel I'm asking a user to program Java when learning the basic 101 rules of online communication. It is that simple. Learn it.
Yep, that way instead of having to explain email to his uncle, he gets to explain Unix, and Open Office, etc.
I just tell them to stop watching porn, stop downloading movies, and stop clicking on links inside email. For most people, that probably equates to "don't use the internet" which is fine as far as I'm concerned.. If you want to use a tool without getting hurt, invest a little time and effort into learning how. If not, just accept the fact that you will magically have problems crop up here and there, sort of like a car that never gets its fluids checked.
The problem is, most people simply don't want to learn new things past the age of about 16, so trying to elaborate any more than that is pointless.
Browser hijacks and browser vulnerabilities are exactly that, and have little to do with which operating systems they are being run on. Phishing attempts work on any operating system. My own operating system has been one flavor or another of Linux for many years now, and I have to be cautious. Mac, Windows, Unix, Solaris, Linux, DRDOS, MSDOS 6.22, - it doesn't matter which you are using if the exploit is aimed at the browser.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
This used to be good advice, because Macs were such a small share of the market that the malware authors didn't bother with them. This isn't quite so true any more.
If you want to get them a platform that won't be targeted by malware authors for quite some time, install Linux Mint on their PC. As a bonus, it won't cost anything extra (unless they have some shitty printer that has no Linux support, but a new Linux-compatible printer is much cheaper than a new Mac). As an extra bonus, you can install the KDE version of Linux Mint and assuming they're coming from XP or Win7, they won't even have to learn a whole new GUI paradigm.
We have detected a suspicious transaction in your bank account. Please go to http://www.sitethatlookslikeyourbankbutisnt.com.ru/ and enter your username and password to confirm the transaction and also enter a brief description about why you think the OS you are running makes a difference here.
If he is in his 60's and using Facebook and AOL, abandon all hope. As others have said, if his "tech support" presumes that phishing is "malware", then his "tech support" needs tech support just like many lawyers need other lawyers... look it up.
I long ago ceased to help any family members with their online/computer problems if they run anything other than Linux/BSD, or if they think they should be providing massive amounts of personal info to the world via facebook or some stupid "family tree" site. People who insist on being dumb and reckless do not deserve help avoiding the consequences.
Apple is twice on that list, with Windows software. If you dig down all the way to the original reports, you'll find "Available for: Windows 7, Vista, XP SP2 or later". Windows is still a more vulnerable platform. I'm not saying that OSX is invulnerable - just that the top threats are still for Windows.
The company was a security firm for phishing. They said they sent phishing emails to clients to see if the employees fell for it.
I said, "That's a great way to find business. Spam the world with phishing emails, and people who fall for it, you tell them they need your product." He laughed and said, "That's like if we did mechanic work and went out and wrecked into people's cars and told them we could fix it." I think it is different. I think it is more like finding people susceptible to an illness and offering inoculations.
God spoke to me
The problem is: everybody knows driving over nails is a bad idea. Nobody is so fucking stupid that they'll intentionally drive over nails. Now malware links are a whole other world. People can't see that the links are bad, and will intentionally click them. Over and over again. Even when you explain it to them, most of them are too dumb to understand it. They'll keep clicking them. Even if you teach them the mantra of 'never click a link to login, always go to the website yourself', because they're lazy or stupid or whatever. And then they'll tell you to fix their PC because it's broken, or you fucked up because the virusscanner didn't protect them from their account being "hacked" by some asshole.
Phishing != "Malware".
That's funny, I never had to explain those things to my wife when I set her up with Linux. LibreOffice looks just like pre-ribbon versions of MS Office (or close enough that you can figure it out from the menus), KDE works much like Windows, and you don't need to know jack about UNIX filesystems or other innards to use a web browser and LibreOffice.
I have only read 3 replies and can't be bothered to read the rest in true tradition so will simply offer up malwarebytes http://downloads.malwarebytes.org/mbam-download.php as one option. I find the free frisk will get rid of most (95.764% for the made up stats crew) crapware. TBH, the OP was a tad too long and I only got half way through.
My point is that, while Windows is probably still more vulnerable, Macs are growing in vulnerability because their popularity is growing, so having a Mac is no longer a good defense against malware, and it's only going to get worse.
How about, as in life, and on the internet, don't take candy from strangers?
YOU were hacked.
Mom, pop, don't do malware. It's the opposite of goodware. So just say no.
Is your wife a baby-boomer who can't understand how forged email works?
My buddy's dad is in his late 80's. Because the computer gave him tools he wanted to use (communication with a family out west, moving a whole lifetime of photographs, slides, 8mm and Super-8 movies going back over a hundred years into digital format, finding in mere seconds information that would have involved a trip to the library when he was a kid), my friend's dad learned how to operate a computer. And because he's the kind of man who does things properly, he took the trouble to learn how to stay safe on-line. His son, ironically, sounds a lot like your uncle. Put together a short PowerPoint presentation illustrating some of the bad stuff, teach him how to behave, and tell him to either get a brain or get off-line.
We live in a digital age. Uncle Dinosaur should learn to swim in it or leave his on-line business to people who are competent.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
And where, exactly, do you get paid money to buy a Chromebook?
MacBook Air starts at $999 for the 11" version, so in order to save 1200 bucks, you'd have to be given $201 when getting the Chromebook.
Sounds like a really bad deal for the manufacturer to be honest.
OSX runs on many PCs now, you might look into that. It would be a bit more user friendly than Linux. If you can get it to work that is.
It has nothing to do with being tech savvy, smart, or old. This is the sort of news that people do NOT like hearing. You tell them their computer is infected and they get defensive because they don't want to hear they did something wrong. Even though we know it's very easy to get infected if you aren't paying attention and there are a lot of traps out there to get you, but most people do not know that.
And when you tell someone something they don't want to hear, what do they usually do? Yes, lash out at you in anger. Not unlike what the article person did, tried to turn it around and blame their friend.
Back in the early 90's, there was this local person that I did a bit of computer business with, so we knew each other decently. This one time I got a disk from him, and it was infected with the Stoned virus https://en.wikipedia.org/wiki/Stoned_(computer_virus). Well, it took me a bit to figure out what was going on, and that I infected a few other of my boot disks in the process (it was my first virus, how we never forget our first!). When I figured it all out and told him that I got a virus from him, he wigged out and swore that he never gave me a virus and blah blah blah. I was just warning him so he could check his disks, I wasn't blaming him for anything, yet his first reaction is to deny it happened.
You find this happens for most everything when there is a chance someone did something wrong.
Be seeing you...
Tell him to go look it up if he doesn't believe you - there's a wide scope of places/users with info similar enough to convince anyone. It's Never too Late to Educate. (I'm 62 & my only edge over him is 'computing' since 1985 - sure I know a lot more, but that's exposure to the digital world over a quarter-century plus. Even if he only started recently, it ain't age - it's NEWBIE. It's the Holiday Season - be kind to a newbie.)
And where, exactly, do you get paid money to buy a Chromebook?
MacBook Air starts at $999 for the 11" version, so in order to save 1200 bucks, you'd have to be given $201 when getting the Chromebook.
Sounds like a really bad deal for the manufacturer to be honest.
Hi there, you must be very pedantic and love to point out how utterly moronic everybody else is compared to you.
Welcome to Slashdot!
You will fit in quite nicely here.
Your logic seems a bit off here.
The usual scenario for hacked account spamming is as follows: Spammer takes control of account (either via phishing, malware, or more rarely social engineering) then sends spam message out to everyone on the account's contact list. It's a great way to spam since a) the people you are sending to are usually real people and b) they will be more likely to click through since the message is coming from someone they know.
What I have not seen before is a spammer gaining control of an account, getting its contact list, then sending a *single* message to that very same account from someone on that contact list. What could possibly be the point when you can do the usual trick above? Spam is a numbers game for the most part, and what you're proposing has happened seems to be one of the worst possible ways to reach as many people as possible.
I'm not saying you're wrong, but just that it doesn't quite add up.
Yea, change your email password.
Get them a mac and be done with it.
How is this insightful? Macs are prone to malware such as trojans, and malicious links are the prime attack vector.
Having said that, it irritates me to no end that email programs still insist on showing the reported sender's address instead of displaying the actual source address like they ought to. Tell your aged uncle that it's like sending regular mail- the sender can write whatever they want for the return address, doesn't mean it came from them.
Phishing != "Malware".
To the geezer this article is talking about, they may as well be the same thing. You can sit around and whine about the semantics of "malware" and "viruses" and "social engineering", or you can just admit that most of the common attempts at fucking with you are OS-independent and that the response of "get a mac" isn't going to do anything to help this guy out.
phishing is more like malware that works on the wetware.
In my experience, switching people from Windows to Linux is a lot less work than switching them from Windows to Mac: pretty as it is, the Mac has just too many annoying differences and annoying little usability problems. My parents could never get used to global menus on the Mac, for example. And remote system management on the Mac is also harder (the best you can do is try and set up remote desktop access). And, of course, there is the obvious advantage that people using Linux can continue to use the hardware they are already used to.
(Besides, you seem to be off your Apple marketing script: I thought the party line among Mac folks was that Mac is UNIX but Linux is not.)
Oh, you don't seriously think that they walk into the Apple store and leave just having bought a naked MBA. They'll get talked into buying the extended maintenance ("since it's such a valuable laptop"), sleeves, maybe an extra charger, USB sticks, and god knows what else, all crap you don't need with a Chromebook.
For email, it's actually really simple. What he sees in email headers (From, Subject, etc.) is the equivalent of the return address written in the top left corner of an envelope. There's absolutely nothing keeping you from putting false information there, and if he doesn't believe you ask him when's the last time he had to present identification to send a letter. What you're showing him instead is kind of like inspecting the cancellation mark on the stamp to determine that while the return address may say the White House, the letter was actually mailed from Portland, Oregon.
To give him an impression of the need to update, there are a few things to point out, and hopefully at least one will get through.
* First, among the most dangerous sites on the web these days are church websites - they're created as a volunteer effort by someone who may not even still be with the church (or who graduated HS and moved on in life). They're unmaintained. If they're infected, it may be a long time before someone even notices. In contrast, the "skeevy" sites like porn have a financial incentive to make sure their sites are safe.
* Second, once upon a time malware was written by spotty-faced geeks competing with each other for reputation. Those days are gone and have been gone for 20 years. These days malware is written by professional virus authors who do it for a living.
* Finally, show him the picture from http://www.deependresearch.org/2012/11/common-exploit-kits-2012-poster.html which shows a bunch of *commercially available* malware kits used to create new viruses and some of the security holes they target.
fencepost
just a little off
I told them my hourly rate and when they complained I sent them to http://www.geekinpink.com/
The women adore them and if it all works out the uncle will go to jail.
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
I'm surprised that no one's brought it up yet, but -- One of the most common spam email profiles that I get these days has the name of a Facebook friend in "From", my name in "Subject", and the body being just a single hyperlink. Pretty clearly, something is scooping up names of friends from Facebook (and recall email address is required there), so there's no need for any personal computer involved to be hacked. And I'm getting these things with the names of some friends I've never had any contact with except through Facebook, so it's easy to deduce that's the source. I would think.
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
Even when you explain it to them, most of them are too dumb to understand it.
If you are a programmer, you are part of the problem. The user isn't dumb, s/he just has better things to do than become a Software Engineer just to use what has become an everyday appliance. The problem here is bad design, period. Accept that and maybe we can move on.
My wife is a baby boomer accountant who speaks 5 languages, has no idea how computers and anything technical works and only ever used Windows. While she had endless trouble with Vista, she had absolutely no trouble at all with Linux and I never explained anything to her. I just gave her, her username and password on a sticky note on top of a new laptop computer. Problem solved.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
You make it sound like it's some display problem in the email client. It's not. The entire email protocol is broken by design and always has been. The technical solution is easy, but it breaks compatibility with an enormous amount of deployed software. Things have to get pretty bad before people are willing to break that compatibility. Actually, "pretty bad" happened a long time ago, I should have said "horrendously fucked". Err, wait, never mind, it'll never happen.
But in fact you can put anything you like in the From: field. Most people don't know that.
http://michaelsmith.id.au
"I got an instant message from an uncle the other day, asking me what was in the link I sent him."
So he knew not to click the link, even though it was apparently from you. Uncle: 1
"I hadn't sent him a link so I figured that his account had been hacked and he'd received a malicious link from some bot address with my name in the 'From' box."
Massive assumption with no basis in fact. Nephew: -1
"This was confirmed when he told me the address the link had come from."
Confirmation bias. Nephew: -1
"When I tried explaining what the link was, that his account had been hacked, and that he should change the password to his @aol.com email account, his response was 'No, I think your account was hacked, since the email came from you.'"
A fair response. Uncle: 1
"I went over it again, with a real-life analog of someone calling him on the phone and pretending to be me, but I'm not sure if that sunk in or not."
If someone calls him on the phone and pretends to be you, that doesn't mean his phone has been "hacked". Nephew: -1
"This uncle is far from tech savvy."
So far we have Uncle: 2 Nephew: -3
"He's in his 60s, and uses Facebook several times a week."
That means he can't be tech savvy? Ageism: Nephew -1. Able to use Facebook: Uncle 1
"He knows I'm online much more and kind of know my way around."
Apparently not, though.
"After his initial response, I didn't have it in me to get into the whole 'Never click a link from an unfamiliar email address' bit; to him"
He didn't click the link.
"How do I explain this to him, and what else should I feel responsible for telling him?"
Call him, tell him he's doing fine and he's more tech savvy than his Nephew.
I use Linux daily and personally love it, and I wasn't the one suggesting for the uncle to get a Mac; but nice try.
The problem with that attitude is that their lack of knowledge harms you too. They may share a network with you, which now has a compromised computer on it due to their ineptitude. They may have your personal information in their address books, and your data ends up in spammers' and scammers' databases. Their computers may end up DDoSing the web sites you like, or your favorite game server. Letting malware run rampant makes the internet an unsafe place, for anything, not just for doing business. Countries which are overrun by crime are not nice places, not even for those who can protect themselves. If we don't help protect the people who can't protect themselves, we're handing over our world to criminals.
Try these two solutions:
(1) Tell your Uncle to imagine that this is 1950 and you both live there at the same age and that you send him typed letters -- using a typewriter of course -- and suddenly he gets a letter that is typed and has your forged signature on it. He gets conned, thinking it's you. Tell him, that's what happened. Then introduce him to software that makes this harder to do e.g. EMSIsoft.
(2) If that doesn't work, he's probably hopeless and you can tell him that evil spirits are in his PC but a software program fights the evil spirits and introduce him to antivirus software or tell him to stop using his PC.
You might also get some software that returns that PC to the state it was in before you restart it and tell him to restart the PC every night and the damage will not be so bad.
Absolutely shocking to me that the one solution that is the most obvious (a user actually educating themselves about the tool they rely on) is the one that has somehow now been deemed "magical" due to mass ignorance.
It's easy to see how that happened. Information processing is abstract, you don't see any moving parts that make it obvious what's going on. Add the endless versatility and power of computers to that and computers are arguably amongst the most difficult devices to interact with. But to make personal computers (including the mobile computers we don't call PC's) popular and accessible the software industry has put such a strong focus on user friendliness and intuitive interfaces that the expectation has become that you don't need to learn or know anything to use a computer, it is expected to magically work. This push towards knowledge-free computing has helped to put computers in nearly every home, and I certainly see that as a positive effect. Unfortunately it has also resulted in a large majority of computer users who, apart from some operational knowledge, have no idea at all what a computer actually is and leaves them completely helpless when something goes wrong. Abstractions are far from perfect, and I keep having this nagging feeling that we would have fewer helpless users, *and* fewer problems with malware and phishing etc., if the OS builders had made interfaces that helped people to understand computers instead of trying to camouflage what they actually are. I suspect that quite a few people who do have the intellectual capability to understand what a computer is are kept in the dark because it's abstracted away too much. That doesn't mean I want everybody to use a Linux CLI or something like that, and I don't know what UIs would have been like if keeping the computer visible and transparent had been a goal as well as making it easy to use, but I do think the attempts to camouflage what's going on probably confuse people more than they help in the long run.
I say fuck 'em.
No, fuck the corporations that misinform people about what they're buying and leave it to their friends and family to clean up the mess.
This is the dumbest argument I've seen on slashdot. Congratulations!
I'm a leaf on the wind. Watch how I soar.
Why are you telling him his account is hacked? In the phone analogy his phone isn't hacked, somebody just called him in the normal way.
Unless you can find any evidence that actions were taken using authority given to you or to him just ignore the email.
Funny - my wife had little problem migrating to Linux, either.
She resisted initially. But, I talked her into trying it out. I explained that I didn't want to spend yet more money on a license to install an operating system, when I could install a free system on her existing hardware. So, she went along, and tried it out.
There were some questions over the first few days. Fewer questions as the first weeks went by. Almost no questions over the next several months.
Today, I find her doing stuff that I NEVER told her about. Believe me, she is NOT a techy. She has little idea how any of the components in her machine work. She is NOT the person you want to choose new hardware. But, she has learned her way around Linux pretty well, with little pain. Occasionally, I even see a terminal open on her desktop. Do I pry? No way. Let the old girl do whatever pleases her - just like I do on my own computer!
Of course, most of what pleases her is Pogo games and watching soap operas. Silly waste of resource, if you ask me, LMAO
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
I can send you a letter and write anyone's name and address in the upper left corner of the envelope (From field). The only legitimate marking on an envelope is the post mark and with email it is most of the IP addresses in the headers.
Keep the Classic Slashdot.
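The envelope analogy used in the comments above (the From field as a return address anyone can write, the Received headers as the postmark) can be checked in code. This is an added example, not part of the thread: the message, host names and IP ranges are constructed, and the function names and the idea of passing in the recipient provider's relay networks are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real capture). Host names use reserved
# example domains and the IPs come from documentation ranges (RFC 5737).
# Received headers are prepended, so the newest hop is at the top.
RAW = """\
Return-Path: <bounce@bulk-sender.example>
Received: from mx.uncle-isp.example (mx.uncle-isp.example [192.0.2.10])
\tby mailstore.uncle-isp.example with ESMTP id A1;
\tTue, 01 Jan 2013 10:00:03 +0000
Received: from unknown (HELO nephew-mail.example) (203.0.113.77)
\tby mx.uncle-isp.example with SMTP id B2;
\tTue, 01 Jan 2013 10:00:01 +0000
Received: from nephew-mail.example (nephew-mail.example [198.51.100.5])
\tby relay.bulk-sender.example with ESMTP id C3;
\tTue, 01 Jan 2013 09:59:00 +0000
From: "Your Nephew" <nephew@nephew-mail.example>
To: uncle@uncle-isp.example
Subject: Uncle
Date: Tue, 01 Jan 2013 09:58:00 +0000

http://link.invalid/
"""

RECEIVED_RE = re.compile(r"from\s+(?P<src>.+?)\s+by\s+(?P<by>\S+)", re.S | re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")  # IPv4 only, for brevity


def parse_received(value):
    """Split one Received header into claimed name, recorded IP and writer."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    src = m.group("src")
    ips = IPV4_RE.findall(src)
    return {"helo": src.split()[0],
            "ip": ips[-1] if ips else None,
            "by": m.group("by").lower()}


def postmark(msg, trusted_by_suffix, trusted_nets):
    """Find the hop where the mail entered the recipient's own provider.

    Only headers written by the recipient's provider are believed. Walking
    from the top, the first hop whose connecting IP lies outside the
    provider's relay networks is the "postmark". Everything below that hop
    was supplied by the sending side and may be invented.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None or hop["ip"] is None:
            return None
        if not hop["by"].endswith(trusted_by_suffix):
            return None  # header not written by a server we trust
        try:
            ip = ipaddress.ip_address(hop["ip"])
        except ValueError:
            return None
        if not any(ip in net for net in nets):
            return hop
    return None


def domain(addr):
    return addr.rpartition("@")[2].lower()


def summarize(raw, trusted_by_suffix, trusted_nets):
    """Put the sender's claims next to what the receiving server recorded."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    hop = postmark(msg, trusted_by_suffix, trusted_nets)
    return {
        "claimed_name": name,            # return address on the envelope
        "claimed_from": from_addr,
        "envelope_sender": envelope,     # also sender-supplied
        "postmark_ip": hop["ip"] if hop else None,
        "postmark_helo": hop["helo"] if hop else None,
        "from_matches_envelope": domain(from_addr) == domain(envelope),
    }


if __name__ == "__main__":
    report = summarize(RAW, ".uncle-isp.example", ["192.0.2.0/24"])
    for key, val in report.items():
        print(f"{key:22} {val}")
```

In the sample, the bottom Received header names the nephew's mail server, but it sits below the postmark hop, so it carries no more weight than the From line.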
Gosh, maybe you should express yourself more clearly then!
Tell them bad people can use their computer to store and distribute kiddie porn. If that doesn't scare them then you might have a bigger problem.
what else should I feel responsible for telling him?
Nothing.
Tech enthusiasts often get satisfaction from helping others in this way. But you should always understand that you are not responsible for doing so, and they should understand that too. If they are difficult or unappreciative, well it's not your problem. If they don't follow your advice, it's not your problem. Your goal in doing it is because it's a nice and helpful i.e. good thing to do; when it stops feeling like that then you're not achieving the goal, it's not really nice and helpful no matter what your intentions, how right you may be or how much safer they might be for following it.
If your uncle knew a lot about cars and you were going to buy one, would you consider that he was obliged to find you a good runner and teach you how to drive? Would he even go into lots of detail or just give a handful of key general points? Would you definitely follow his advice to the letter or would you take it on board and do what you want to do?
The best advice I've given is that if there's any kind of account then you do not use links in emails, go to the site normally. Seeing as he went about asking you what the link was, perhaps that might already have sunk in.
FYI an email with your address in the "from" and his in the "to" field doesn't offer any clue which has been compromised, or if anyone has. One possibility would be if anyone has sent one of those stupid "forward 1000 times and Bill Gates donates $1b to charity" with both of your email addresses.
Get an ipad.
Give him a new mail account. And tell him not to trust anything, even if you sent it. And tell him that mails are basically electronic postcards that can be easily searched, scanned and manipulated, even the sender and the receiver. If he's still with you, tell him a bit about mailheaders and look at them with him. ... Although I personally wouldn't bother going too much into the details of email, they are insane anyway, in my opinion. (The Type A email security incident you describe pretty much proves my point).
Clean his system, give him a fresh thunderbird install with a new account and - if he feels like doing this - set up an encrypted mail communication between you and him. Explain which part of that makes it a sufficiently secure means of communication and which part can still be compromised (his, yours or anybody else's system).
If he's a person whose usage patterns are covered by Ubuntu, offer to move his system to that. ... I got my daughter an ubuntu netbook for her birthday. The amount of hassle-freeness is refreshing. It does suck that sound and mic are causing trouble on Ubuntu 12LTS, but that's a minor tradeoff for the lack of headaches I've gotten in return.
Good luck.
We suffer more in our imagination than in reality. - Seneca
Unless he is willing to be full time 24/7 tech support that would be a BAD idea. Just look at the serious guttings that have happened to Linux in just the last 5 years, ALSA for Pulse, Gnome 2 for GnomeShell then this funky ass hybrid of the 2, KDE 3 to KDE 4 (which was frankly shoved out in alpha quality at best by ALL the "user friendly" distros) and finally the changes in the wireless networking that has made USB wireless hit or miss, usually miss.
Frankly if you know what you are doing you can set up an "idiot proof" Windows that short of the old guy clicking "Why yes, I DO want to get infected, STFU and let me get infected!" then nothing is gonna happen. With this system I've had customers that picked up more bugs than a Bangkok whore on coupon day and they are squeaky clean. Everybody ready? Here we go..
You start by doing the most obvious thing, that is making sure all their software is up to date. Once that is finished you get their ass OFF IE onto something that doesn't have a giant bullseye on it, personally I prefer Comodo Dragon as not only does it have low rights mode like Chrome, but it also has Privalert, which will block all the tracking crap (you can of course whitelist any page with a single click, even grandma could do it) and you have the option of Comodo DNS which in this case I would say YES, use it, as it blocks many malware pages from loading. Once it's installed go ahead and add ABP, unless he likes ads bugging the shit out of him, and I usually install ForecastFox as it's nice to have the 5 day forecast and the radar right there.
Next you install Paragon Backup and Recovery Free as this will let you not only make a hidden backup capsule (think OEM restore partition, only custom made by you and up to date) but you can set it to any kind of schedule you like, including differential, daily, weekly, whatever. I used to use Comodo Time Machine as it allows you to restore even if they hosed the boot image but it's not supported on Windows 8. If you are running 7 you might want to check it out. Next you install FileHippo Update Checker and tell it to ignore beta releases. The reason you do this is to keep the old guy from falling for the "you need the latest flash, just download "Iz_Not_Bug_Iz_Flash.exe" right now!". You tell him if the little Hippo don't say there is an update there is NO update, period.
Finally you have the AV. Here you can use either Avast free or Comodo IS; I prefer the latter as it's not as "chatty" and has built in sandboxing by default but some folks like chatty. Both are VERY good at stopping malware pages before load and Comodo IS sandboxing means if the old guy does try to run something nasty it'll minimize the risk.
So there you have it, it looks more complex than it actually is, takes about an hour all told depending on how out of date the software on the system is. Once it's done that's it, just leave them be, they'll be safe as houses. The browser is sandboxed and in low rights mode, you have the AV scanning every page before load, the browser is blocking ads (one of the biggest attack vectors) and tracking crap, and to top it all off the OS has a hidden encrypted partition with a backup image so if they by some miracle ever do figure out how to break something you can have it back up in under 30 minutes, no problem.
ACs don't waste your time replying, your posts are never seen by me.
Soap operas? Meh, Now soap operas with *vampires*...
He also might benefit from not using AOL. Their security is not very good, unlike Yahoo! Mail or Gmail.
Send him an email from BarrackObama, thanking him for his service or something, with a link to click on for an invitation to a White House reception.
(or pick some other political social organization...)
This should demonstrate how easy it is to hack someone.
I would have said the reverse. The menu bar being at the top creates modality that makes it easy to discover which windows belong to a given application. In the Windows/X11 world, trying to figure out which application a particular window came from can be a usability nightmare... except for apps that are designed so that all of your windows are subwindows of one big window, which makes your second monitor useless.
Or SSH or iChat/Messages screen sharing. The latter makes more sense for home use, IMO.
Unless it is ancient hardware with a PS/2 mouse and keyboard, you can usually just plug their existing hardware into a Mac and use it. People aren't used to the box on their desk; they're used to the peripherals and the OS, and you're changing the OS either way.
Check out my sci-fi/humor trilogy at PatriotsBooks.
People like you are the real problem.
Computers are working tools, and manipulating a tool is something that must be learned.
Many people seem to be strongly opposed to trying to understand how a computer works to use it, but sorry, that's just the way things work. People not trained in the use of machine tools are not allowed to use them, it should arguably be the same thing for computers.
I've done that to relatives plenty of times. They'll ask me what's wrong then disregard my advice. They dig themselves a deeper hole and come crying back to me. I tell them I'm kind of busy but if there's money involved I can clear a spot for them.
I get this kind of thing all the time. Endless demands for tech support and then when I do something they scream at me that I broke something and they know better. So from now on screw them, they're on their own.
Random relative or friend hacked hypothesis:
- malware resides in random person's PC (This person has been a participant/recipient in one of the family and friends chain letter/joke emails that have 50 recipients in the To: field and Fwd:Fwd:Fwd:Fwd:Fwd:Fwd in the Subject line.)
- malware looks through random relative's address book
- malware, with the objective to infect more machines, emails Uncle and others in random relative's address book pretending to be him (chosen at random from the same address book).
If you're like me, you can't tell them to stop sending the FUCKING chain letters and fake virus warnings without alienating yourself from the family. 'Thanks Grandma, since it's my job I really do know about these things a few months before Ethyl tells you about it.' Teach your friends and family how to use BCC: it's the only hope.
Don't click on just any old link. Don't open shit in spam emails. Be careful on porn sites. Update your antivirus weekly. Automatic scans. Then be done with it.
I am very small, utmostly microscopic.
Just say "It's bad, m'kay? It's not good, it's bad." Works as well as jargon.
Gently reply
Anyone in the world can write your return address on an envelope and mail it to him. So explain to him that email is the exact same way.
None of the ten in your list are holes in operating systems; Oracle features prominently. The question is, how many trojans and viruses are there in the wild for the various OSes?
I'll believe MS is concerned with user security when they stop hiding extensions and stop mixing data and code.
Free Martian Whores!
And even dumber try and convince that Chromebook and a max'd out MacBook Air are comparable and a valid comparison.
his response was 'No, I think your account was hacked, since the email came from you.'
With this quote you want the OP to install Linux for him? LOL good luck with that...
In his 60s? A regular on Facebook? Still uses AOL? Believes he's in no danger?
Just cut him loose, man. He's a dinosaur on a path to total self-destruction.
You start by doing the most obvious thing, that is making sure all their software is up to date.
That's a little problematic on Windows, no? You have to open each app ever installed and figure out how to check for updates. Definitely a non-trivial issue. (One of the benefits of Linux package management is there is a single spot to update all S/W installed within the package management framework.)
Next you install FileHippo Update Checker and tell it to ignore beta releases.
Does this solve the problem for all installed software on Windows?
Yep, that way instead of having to explain email to his uncle, he gets to explain DOS
See how stupid that sounds when you turn it around? From the end-user's perspective there is no more "learning Unix" in any modern distro than there is learning DOS commands to use Windows.
As to Open Office, anyone who knows MS office will have no trouble migrating to Oo, especially if they've suffered from an MS Office upgrade.
Free Martian Whores!
People like you are the real problem.
You mean people who recognize that others have better things to do than waste their time learning a needlessly complex device? People like you are the reason Apple and Google are worth billions and you aren't because they understand design and you pretty clearly do not.
Computers are working tools, and manipulating a tool is something that must be learned.
So we should make tools intentionally difficult to use? I should have to learn a programming language to adjust the temperature on my thermostat? If someone cannot be trained to do a simple task quickly with a tool then the tool is badly designed. That is 100% the fault of the designer. While there is a learning curve to everything, it is a question of degrees. A tool that is unnecessarily hard to learn just because the designer could not be bothered to make it simpler is a bad tool. (and the designer of that tool is bad at design) Just because you can figure it out with sufficient effort doesn't mean it is a useful application of time and effort to do so.
Many people seem to be strongly opposed to trying to understand how a computer works to use it, but sorry, that's just the way things work.
So you know everything about how an airplane works? You know enough to do all your own home repairs, no matter how complex? You know everything about engine repair and never need a mechanic? Of course you don't. Computers are tools and you can get useful work out of a tool without knowing all the details about how it works. In fact it would be a HUGE waste of money, brains and time for you to try to learn all of that.
People not trained in the use of machine tools are not allowed to use them, it should arguably be the same thing for computers.
I run a manufacturing company that uses machine tools. Very few of our employees know how to use even most of the features of them and yet they are able to do their jobs and do them well. They are trained on the bits that apply to their job and we try to keep those as simple as possible. They don't care about all the arcane details of the tools and they don't need to. If someone cannot be trained to do a simple task quickly with a tool then the tool is badly designed. Computers are no exception.
The only way to guarantee that someone sending an email is really who he claims to be is digital signing, and for some reason no one uses it.
No one uses digital signatures because hardly anyone understands digital signatures. Seriously, I can count on one hand the number of people among my family and close friends that understand what a digital signature is, why they should care about them and are able to figure out how to use one. Even if I sent one, virtually no one I email would have the slightest idea what I was doing. And 99.9999% of the time a digital signature would be of no value even if I did use it because it's quite rare that someone tries to spoof my email. I'm not even convinced the tools CAN be made simple enough to bother, though I recognize the potential value of digital signatures. Maybe they can be made easy enough to use but certainly no one has accomplished that feat yet.
It's Malware.. MMMkay and it's bad MMMkay
Geebus what a ridiculous question. Non Techies? Really? Look just give them an analogy that malware is like an STD. If you sleep around without protecting yourself, you'll get one and then your penis will fall off.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
My Mom was hacked by a relevant email with a link that made sense to her. The email FROM was a granddaughter's address and about pregnancy. The granddaughter WAS actually pregnant, so this fit.
Mom clicked the link using her Windows PC. She knew immediately that was bad based on what followed, but wasn't smart enough to unplug the box. She tried to close windows and shutdown - because I'd been so careful to make sure that she knew that was the "proper way" a decade earlier.
Her PC was a Pentium4 with 1GB of RAM.
She didn't tell anyone there was an issue. She just started re-using the PC the following day for surfing and emails. It became slower and slower over time. I tried to remote in to fix it and couldn't. I told her not to use it for anything that wasn't trivial. No airline stuff, no stock market anything, and definitely ZERO banking or email. 2 months later, I finally made a trip there - she's 4 states away - and I loaded Lubuntu on the box. She's still running Lubuntu and in a few weeks I'll migrate her from 10.04 to 12.04 LTS release.
She likes Lubuntu. It is easy, simple, relatively secure and I can remote in easily. I've added weekly patching of her box to my normal weekly patching server list, so it isn't any extra effort for me at all. I'd already had Mom using Firefox and Thunderbird on Windows, so migrating to using them on Linux was nothing extra.
I even got Quicken running through WINE in 2009.
This summer, that P4 motherboard died. I haven't been for a visit, but I was able to talk a PC knowledgeable person through swapping the HDD out for a new computer. Inside the new PC, everything was exactly as before. All her data, programs, settings. Only the /etc/udev/rules.d/70-persistent-net.rules had to be deleted so the static IP would be put back so ssh port forwarding from the router would keep working. NOTHING ELSE WAS CHANGED. 100% working. No license crap to deal with. The new machine is a Core i7 monster, but Mom just thinks it is a little quicker, not 200x faster, thanks to the highly efficient Lubuntu OS and GUI.
With the new Core i7 w/ 8GB of RAM, I could setup VirtualBox and give her a WindowsXP VM for Quicken, TurboTax and a few other Microsoft-Windows-only programs. Nah ... don't want to open that Pandora's box again.
She's better off and happier with Lubuntu. Definitely do not inflict Unity on anyone. Keeping the interface as much like WinXP has been good for her.
IS FER PWN3'n N00BZ!
"Flyin' in just a sweet place,
Never been known to fail..."
DOS is an operating system? The only DOS that I know of is denial of service attack.
I remember Solaris. George Clooney, Natascha McElhone and Viola Davis were in that movie.
because he received the mail and didn't click the link. Yet. He was smart enough to call you and verify if you were the sender before clicking on it. Since you declined he is safe, and doesn't need to do anything else.
...and that he should take it to PC Doctor and have it fixed. There is really nothing else you can do as there is no hope of convincing him to stop using Windows.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
http://www.zdnet.com/blog/security/safarimacbook-first-to-fall-at-pwn2own-2011/8358
Malware is an end user problem. Computers exist to, yup, run software. When you aren't careful about what you are running, you run bad things. No technology is ever going to stop that without making general use computing pretty useless. The problem is that most computer users are not educated, and worse, are overly trusting of their 'security' software and the ads they see on tv to 'make your computer faster'.
The solution is education:
- only install software from trusted sources, that you explicitly install (this is where that whole unix permissions thing works better than the alternative)
- keep the software you do have installed patched and up to date (much easier these days, has been easy in linux longer than in windows or mac worlds)
- install adblock, and maybe even noscript for your browser and use them.
- don't click on random links from unknown sources in email. Not even from friends, if the link seems 'out of character' for them.
- do not run unnecessary software or services on your computer
- don't use software that provides easy vectors for malware. Unfortunately, microsoft office and even libre and openoffice fall into this category. But not opening these types of files from unknown sources somewhat mitigates this. Again, *THINK*.
- use a hardware firewall at home (this probably isn't an issue these days, as that is the way things come by default now)
- use a software firewall on laptops (even windoze does this by default now, but it will still merrily broadcast all kinds of SMB nonsense. Most home users don't have a need to run client and printer sharing at all, however, so it should simply be disabled anyway)
- have a good backup strategy, USE IT, and TEST IT. Re-installing an operating system isn't that big a deal. Losing your digital life's history could very well be.
- don't aggregate your 'cloud' stuff between facebook, google, dropbox, whatever. As far as storing things in the cloud? Probably not a great idea, despite the convenience. Better to spend a little money on a home NAS.
And, for those of you who make a career out of keeping your co-workers and families safe
- Transparent dansguardian proxy
- Sendmail + Mimedefang + Spamassassin + ClamAV
But, again, it's a behavior problem. The above solutions are more to cut through the cruft. Ultimately, end users need to understand safe computing.
People don't usually care what "application" a window belongs to; the fact that you care on the Mac is a holdover from the Mac's single tasking heritage (where the entire menu bar paradigm originated). What people do care about is that the menu entry they select operates on the document they are working on, and people get confused about that relationship on the Mac.
SSH isn't a good option because OSX command line administration is extremely obscure. iChat is mac specific. That points out another problem with switching to Mac: if you switch your parents, you really have to buy another Mac for yourself and set up Apple-related accounts and infrastructure everywhere. You can't maintain a Mac if you don't use one yourself, it is just too different.
I went down that road; bought a Mac for my parents and a MacBook and desktop for myself. It was a lot of work. In the end, the small benefits of OS X over Windows just didn't justify the big expense and work. A couple of machine generations later, my parents are on Linux, I'm back on Windows and Linux, and we're all a lot happier.
My mother is your stereotypical baby boomer who can't figure out tech...can't figure out how to connect a new monitor to a desktop; asks me every time I'm home what the difference is between an app and a mobile site....and she's been using Ubuntu for a few years now. Of course, even though the menu is at the top, all the icons are different, all the names are different...she still can't understand that it is not Windows.
Thing is, people like that see computers as an appliance where they've been trained on certain tasks. Replicate those tasks and you're good to go. In her case, she uses thunderbird instead of outlook express, open office, and still has Firefox. And that's all she uses. And now I don't have to worry about making sure antivirus or a firewall is running and up to date (she'll never get that, and it's amazing how she can somehow end up with those disabled every time.) So she can't go buy any random software and install it. Doesn't matter. She wouldn't be able to do that on Windows either, and she'd need me to even know that she wanted to in the first place.
When she used Windows I was fixing the pc every time I came home. With Linux, I haven't touched the thing since I set it up a couple years ago. For people like that (and their family geeks,) it actually is a better choice.
To "immunize" a Windows system, I effectively use the principles in "layered security" possibles!
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
I.E./E.G.-> I have done so since 1997-1998 with the most viewed, highly rated guide online for Windows security there really is which came from the fact I also created the 1st guide for securing Windows, highly rated @ NEOWIN (as far back as 1998-2001) here:
http://www.neowin.net/news/apk-a-to-z-internet-speedup--security-text
& from as far back as 1997 -> http://web.archive.org/web/20020205091023/www.ntcompatible.com/article1.shtml which Neowin above picked up on & rated very highly.
That has evolved more currently, into the MOST viewed & highly rated one there is for years now since 2008 online in the 1st URL link above...
Which has well over 500,000++ views online (actually MORE, but 1 site with 75,000 views of it went offline/out-of-business) & it's been made either:
---
1.) An Essential Guide
2.) 5-5 star rated
3.) A "sticky-pinned" thread
4.) Most viewed in the category it's in (usually security)
5.) Got me PAID by winning a contest @ PCPitStop (quite unexpectedly - I was only posting it for the good of all, & yes, "the Lord works in mysterious ways", it even got me PAID -> http://techtalk.pcpitstop.com/2007/09/04/pc-pitstop-winners/ (see January 2008))
---
Across 15-20 or so sites I posted it on back in 2008... & here is the IMPORTANT part, in some sample testimonials to the "layered security" methodology efficacy:
---
SOME QUOTED TESTIMONIALS TO THE EFFECTIVENESS OF SAID LAYERED SECURITY GUIDE I AUTHORED:
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=2
"I recently, months ago when you finally got this guide done, had authorization to try this on simple work station for kids. My client, who paid me an ungodly amount of money to do this, has been PROBLEM FREE FOR MONTHS! I haven't even had a follow up call which is unusual." - THRONKA, user of my guide @ XTremePcCentral
AND
"APK, thanks for such a great guide. This would, and should, be an inspiration to such security measures. Also, the pc that has "tweaks": IS STILL GOING! NO PROBLEMS!" - THRONKA, user of my guide @ XTremePcCentral
AND
http://www.xtremepccentral.com/forums/showthread.php?s=672ebdf47af75a0c5b0d9e7278be305f&t=28430&page=3
"It's 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, it's been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff! My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads. APK - I will say it again, the guide is FANTASTIC! It's made my PC experience much easier. Sandboxing was great. Getti
Oh hey, did you know you were on Penny Arcade? You were featured as "last commenter in panel 2". http://penny-arcade.com/comic/2011/05/16
If you want to get them a platform that won't be targeted by malware authors for quite some time, install Linux Mint on their PC.
Just out of curiosity:
Sometimes I've heard people claim that Linux's design makes it next to impossible to get infected via a web page (or e-mail URL).
Is there any basis for this claim?
That's what I tell all my friends and relatives - get a Mac next time. Way easier for them to figure out and use, and everyone who's taken that advice has been grateful, and thanked me. Think of that! After that, the only thing you need to tell them is to use a non-admin account, make one good password, then setup, and show them how to use Keychain. I'd like to get them to use the email app, but ok, if you like webmail, fine. Plus, when I have to work on it for them, which is rare, it has a shell. No more "hacked" accounts, no more virus paranoia, and no more obscure problems every f^^ckin week. OTOH, they all stop calling me after a while, and I start to feel like the Maytag repairman.
-- sudon't
Air-ride Equipped
Does this solve the problem for all installed software on Windows?
No. But it works on enough. Remember that this isn't about you or me, or us nerds, this is about an older guy who isn't big on computers. He probably doesn't have a/several TB HDDs full of stuff. My Biweekly update fest is annoying, but I have it down rather well. FileHippo gets around 50% of my installed software, another bunch is old and doesn't update (or has built in updating), leaving around 6 or seven programs I have to manually update. If he is using popular software, he probably won't have to update much of anything by hand. Windows takes care of all MS apps, Filehippo takes care of most popular software, and everything else takes care of itself.
If he is anything like my own father, his biggest problem is relatives installing crap, and teaching him basic security (don't install crap from sources that seem dubious, don't click on links that seem dubious, treat installing software like answering your door). I've been trying this for around 10 years now, and I admit I haven't had any success. Especially the former, of late. Every single kid/stepchild/grandchild who comes over now treats his computer like their own, which basically means that even if I trained my dad, I have to deal with the bad habits of everyone else. It is worse since he now runs a rather lucrative business, and keeps tons of information on his computer, or in places where his computer has quick access. Sure, I could talk him through accounts and security, but it would be about as useful as trying to teach him to macrame, in Klingon.
Hell, one of the kids (ex-husband of his wife's daughter) decided to fix some internet problems by opening up their wifi, no password, no nothing. He used to work for Cox, so obviously he is more trusted than me, who's only been working on computers for 30 years, and only set up their whole network, and all their systems. Not that I can't understand where he was coming from, my dad has a completely different password for EVERYTHING, but all of them are variations of the same four things (dog name, his birthday, his wife's birthday, and their anniversary) (try poopsie3445, no? try 4534poopsie, no? try 121792poopsie? try p00psie1217344592, no?).
A patriot must always be ready to defend his country against his government. -edward abbey
Windows security is so hopelessly broken that only experts can properly secure it. Just imagine what can go wrong when you want to install Skype.
or just take a Ubuntu or Mint CD, install in 20 minutes and be done with it. No "special" browsers and virus scanners required whatsoever. It comes with firefox, open office and gimp. No need to twist your mind around the Ribbon.
And all software+updates from a defined, dependable and secure source.
..is very good. Skype works as expected.
Just install Mint Linux and claim it is the "latest, much more secure version of Windows".
First, shell out serious money for an insecure operating system.
Then shell out more money to attempt to secure that OS.
Finally, take away the user's right to administer the system.
Or, get Mint Linux for free and be done with the security nightmares.
I did this too for my daughter in her second year of college. After bringing the Winxp laptop home fully infested with spyware. At the time I was using mepis. Quickly showed her around and sent her back to school. She had a few issues, but her school's computers had OpenOffice on them so no issues there. She was virus free for 3 years, playing her mp3s and sharing photos etc. and the techs at the school loved it that someone other than they used linux. Her senior year she got a mac - so instead of saying "I have a Linux Box", where she would get looked at by others saying "WTF???", she could now say "I have a mac", and they would give her a sympathetic look and pat her on the head and say "We understand".
The point is she understood what she wanted to do and figuring out how to do it whether or not it is Windows, Linux or MacOS is not that difficult anymore.
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
it irritates me to no end that email programs still insist on showing the reported sender's address instead of displaying the actual source address like they ought to
Pray tell, what is "the actual source address"? Perhaps my dynamically-assigned IP with a nonsensical reverse lookup domain name? I don't think so.
Ezekiel 23:20
"Looks like they might have hacked both of our accounts, just to be safe I think we should both change our passwords."
Oh, you don't seriously think that they walk into the Apple store and leave just having bought a naked MBA. They'll get talked into buying the extended maintenance ("since it's such a valuable laptop"), sleeves, maybe an extra charger, USB sticks, and god knows what else, all crap you don't need with a Chromebook.
And you don't think the salesguy would try to upsell you on that stuff if you bought a Chromebook? Hell, retail stores try to sell you extended warranties on $60 video games; of course they will try to sell you one for a $200 computer.
If you can't convince them, convict them.
Those commercials helped people understand this stuff more than any tech article
My dad was the same way, here is how you solve that. You set up Win 7 (or whichever one he's on) to time out to the screensaver after 20 minutes and have it require a password, since everybody knows his regular password (and this is strictly for local access) I'd suggest using his social. You then set up a limited user in Win 7 that doesn't require a password and ONLY has the software you pre-approve of. In the case of my dad's PC it has only Comodo Dragon with ABP, no IE links anywhere, no file explorer, and the Windows Games, that's it, that's all they can run. If they don't like it? Go fucking home and hose your own system, thanks a bunch.
Now if my idiot cousin or my dumbass uncle come over they can still check their mail, hell my cousin can even shop on amazon for parts for that damned vette he is putting together, but they can NOT install shit, modify shit, or mess shit up. Works like a charm friend, I used to have to deal with my dad's system all the time, now with this in combination to the little "idiot proofing" I posted earlier? Haven't had to mess with it for over a year now, and even when I did have to mess with it it was simply to load a new USB HDD and set the backup schedule as his old one finally bought the farm.
ACs don't waste your time replying, your posts are never seen by me.
Of course it matters. If you are a newbie running many versions of Windows, the browser is running with Administrator privileges unless you go out of your way to lock it down. If you are running Ubuntu Linux, then they can just sudo to gain the same level of OS access. If you are running a real OS, then they might exploit the browser, but they still can't own the OS. Also, plenty of "browser exploits" use the browser as an attack vector, but the flaw exploited is in an OS library, which will not have the same vulnerability on a different OS.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Your best bet is to stop trying to explain things to him until you understand them yourself. Nobody's account was cracked. Neither your e-mail, nor your Uncle's, has to be cracked for someone to forge an e-mail. Any script kiddie can send an e-mail to anyone else that claims to be from whomever they want. All that is needed is an open SMTP port. RFC 822 See also RFC 822
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Oh please, you're living 10 years in the past.
Grab the latest Linux Mint KDE and install it on fairly recent hardware: it "just works", as long as you have decent hardware (the more Intel parts, the better). I've never had any problems with PulseAudio, and you can avoid the whole GNOME mess by using KDE, which works just fine now. The KDE4 alpha-quality debacle was 4 years ago. Get over it.
Don't be stupid. Even the biggest moron knows that buying a reliable car (versus an unreliable car) isn't going to protect you from a speeding dump truck or other road hazards, but that it's still smart to pick a reliable car so you don't have to deal with too many mechanical failures. It's the same way here.
Probably not; a serious browser vulnerability could still lead to some sort of malware infection, in theory. However, since the user almost never runs the browser as root on Linux, the malware could only affect that user's account (barring a second, privilege-escalation vulnerability that the malware knows about and can take advantage of) rather than the whole system, but for a single-user system that's probably cold comfort. But more importantly, with the underlying OS being different than the other two OSes which have much greater marketshare and popularity, and also possibly some of the system-dependent code in the browser being different OS-to-OS, a vulnerability in Browser X on Windows, exploited by Malware A, probably isn't going to be a problem on Linux, and the malware authors are unlikely to bother making a Linux version since so many more people use Windows and Mac. Of course, with mobile OSes becoming so popular, both iOS and Android are probably going to be targeted by malware too, but even in the case of Android, the system is very different from Linux (aside from the kernel, which is nearly identical), so Android vulnerabilities are unlikely to affect Linux.
...which does fuckall for forged headers or any other subtle form of phishing that depends on stupid people being complacent.
If you're a Mac user kidding yourself in this manner, then you are the proverbial old geezer that has no social defense mechanisms against telemarketers.
A Pirate and a Puritan look the same on a balance sheet.
AOL and Yahoo accounts tend to get hacked. It's best just to avoid those services entirely. You also have to acknowledge the possibility that yes it is YOUR email service that got hacked rather than the victim's.
I thought it rather insightful of the "n00b" that the originating account could have been hacked. I also found the dismissiveness of the "expert" to be unwarranted.
A Pirate and a Puritan look the same on a balance sheet.
There is a level of technological savvy that's vastly underestimated. There are TONs of people out there using AOL and Hotmail and stuff and these are your family. You can't just let them hang. Do your best to migrate them. Gmail will have a lot more security and it will let you import AOL. Heck lie, tell him you got mail from him so both of your accounts are hacked. Whatever it takes. I'm not trying to go full on Machiavellian but there's some validity to the thought: Ends justify the means. Shame it's an online problem or you could just install teamviewer and clean it out yourself. I find sometimes chicanery is the most efficient way to deal with these types of situations. Sorry.
Just another second banana
It all depends on the requirements.
Apple fanboys like to gloss over that part: the actual end user requirements.
They may be far less than what is warranted for an overpriced token of conspicuous consumption. They could also be far more interesting than what can be done with something that's crippled in the name of ease of use.
What's the user going to do with it? That's the most important question.
A Pirate and a Puritan look the same on a balance sheet.
And that attitude is precisely why we have the security problems that we do. Viruses and trojan horses are design problems. Phishing is not, unless you consider the fact that anyone can create a website without "adult supervision" to be a design problem. Short of removing the ability for arbitrary people to create websites without audits, you're never going to prevent phishing, because there will always be someone clueless enough to believe that a2342730872983.ru is really Chase Bank's website.
When it comes to phishing and other social engineering attacks, unless you did something really, really obviously wrong in your design, the core problem behind phishing is always lack of proper security consciousness on the part of the person who got attacked. Don't get me wrong, bad UI can make things worse by hiding critical information or making it too easy for people to hose themselves even when they do know what they are doing, but for the most part, modern software is way beyond that point already.
Sure, there are some UI design decisions and software design practices that can make it so that people don't have to understand as much, but the problem is that the farther you go down that path, the more your users treat the device as an appliance, and the more you need to protect them. (Ironically, the very ease of use that makes computers so great at transforming society also leads to the false confidence that makes phishing attacks possible, and thus makes computers seem harder to use.) At some point, protecting users from their own lack of skills becomes a vicious cycle that can only end in locked-down devices with no ability to tinker and no ability to access the Internet except through specific websites that are specifically designed to have no outgoing links—basically shutting off the Internet and going back to the world of curated BBS companies like AOL. I mean, if a Netflix viewer is what you want, that's fine, but it isn't a computer anymore at that point.
As long as arbitrary people can create arbitrary content without bounds, naïve users are not safe. Period. Heck, as long as users can add apps without each one going through a meticulous code review to look for backdoors, easter eggs, etc., there is at least some possibility that users are not fully safe (even if they are not naïve). The only way to completely and reliably prevent phishing and social engineering is to educate the users so that they are not naïve and do not make the mistakes that lead to their digital lives becoming compromised. Either that or make computers so hard to use that you need years of training to be able to use them, but that's probably not a change of direction that anyone wants to see.
Check out my sci-fi/humor trilogy at PatriotsBooks.
I think you have things backwards. I find myself having that problem in X11 every time I try to use it. On the Mac, there is exactly one non-palette-style window that has focus at any time (bugs notwithstanding), and the visual style of the window's title bar makes it blindingly obvious which window you're working with. Therefore, when you pull down a menu, you can instantly see what window will be the target of that action. With floating palettes in X11, you have basically no idea what's going to happen when you click on it.
As for not caring what application a window belongs to, that's only true for very simple, document-based apps. As soon as you get into complex apps that involve multiple windows for a single task—multitrack audio apps, for example—it really helps to know that your menu bar is always going to be in one place and cannot ever be hidden, no matter how many windows you have littering the screen. The only good alternative is to waste space in every window with a redundant menu bar, and that's just bad UI.
Check out my sci-fi/humor trilogy at PatriotsBooks.
*shrug* I've been using Kubuntu on several machines for the past ~2.5 years, and have been using KDE 4.x (on Gentoo) since the 4.0 days. Kubuntu is perfectly fine for even the most non-technical computer user. (If we want to cherry-pick operations that suck ass in a given platform, let's talk about a) associating an A2DP headset with a Win7 machine, then b) routing existing (or, hell, even new) audio streams to the newly associated device.)
With Mac-style menus, when you're looking at the menu bar, you're not looking at the title bar, and that's exactly the problem. You can rationalize as much as you like, my parents really did get confused by this (and I tripped over it too when I was still using a Mac).
Yes, like the kind parents tend to run.
Viruses and trojan horses are design problems.
Agreed.
Phishing is not.
No, phishing is also a design problem, here's why:
Web authentication is fundamentally broken. We've known this since forever. The whole idea of typing your credentials into a web page is a poorly thought out idea. Authentication/authorization should be done out-of-band, in a way that cannot be plausibly emulated by the content of a web page.
There's a reason why phishing attacks don't work against your local computer account password. You get an email saying "your computer has been compromised, please go to this website and enter your user name and password" and you immediately know something is wrong, even if you have no idea how any of this works. Why? Because you're never asked to go to a website to do anything related to administering your local computer.
Actually, even without phishing attacks (which took a surprisingly (in retrospect) long time to become common) web authentication would still be horrible design, just from a usability standpoint.
"Weird, I got an email just like that. I opened and the same thing happened! So I think it's a virus." No blame, no shame.
After making the Nth four hour round trip drive to "fix" my parents' PC, I ultimately got tired of it and wiped Windows from the machine and replaced it with Ubuntu. Has been running for quite some time now problem free. (Ubuntu 10.10) Couldn't be happier.
If I had to do it today, it would likely be Linux Mint since the Ubuntu folks have obviously lost their damn minds.
That points out another problem with switching to Mac: if you switch your parents, you really have to buy another Mac for yourself and set up Apple-related accounts and infrastructure everywhere. You can't maintain a Mac if you don't use one yourself, it is just too different.
Just switch your parents for ones using Linux then. Duh.
You seem to confuse "most vulnerable" with "most targeted". Just how hard was it for those OSX exploits to run rampant? If OSX was targeted more, then the "top threats" would be there and not in Windows.
It's like saying Israel is more vulnerable because they have the most rockets fired at them... Israel is one of the most secure nations in the Middle East, brother.
Now let's pick ourselves up, dust ourselves off and forget this fanboy slap-fight ever happened.
Ever heard of that "here, let me google that for you" website known as lmgtfy.com ? Well, someone had sent me a link to that with "f**k you" as the search phrase. And of course I had left that window's search results open. Mother of 7 kids living across the street asks me for help dis-infecting her malware and spyware infested computer, and in discussion, I offered to look up something online for her real quick about her particular problem. We go back to my screen, I enter my password to unlock it, and lo and behold is that search page still open with the F-bomb on it. I tried to reassure her that it was a friend who had sent me a link to that page, but it was no use; she thinks I sit around googling swear words.
Not sure why Anon. Coward got marked "Funny"? It's the most likely explanation, because it's in fact a common trick. If your machine is compromised, or even better if an email you sent to a bunch of people is received/stolen, it's fairly likely that many of the recipients know each other. And it's more effective to forge mail from one of the recipients than from the account that got compromised, because that leads to "You must have gotten hacked" "No, not me, must have been you" conversations between you and your uncle, instead of "Did you get hacked?" "Oh, yes, better fix that!" between your uncle and your cousin Alice who really did get infected.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
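The comments above about forging a From address with nothing but an SMTP port, and about forging mail "from" one recipient to another, can be checked from the receiving side. The following is an added example, not part of the original thread: it compares the displayed From address with the envelope sender and with the SPF/DKIM/DMARC verdicts recorded by the receiving server. The hostnames, the sample messages and the `TRUSTED_AUTHSERV` value are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the hostname your own receiving mail server stamps into
# Authentication-Results (the "authserv-id"). Hypothetical value.
TRUSTED_AUTHSERV = "mx.uncle-isp.example"

# Constructed sample: From names the nephew, the envelope sender is elsewhere,
# and a second Authentication-Results header was supplied by the sending side.
FORGED = """\
Return-Path: <bounce@bulk.example.org>
Authentication-Results: mx.uncle-isp.example; spf=pass smtp.mailfrom=bulk.example.org;
 dkim=none; dmarc=fail header.from=nephew-mail.example
Authentication-Results: mx.unrelated.example; spf=pass; dkim=pass; dmarc=pass
From: Nephew <nephew@nephew-mail.example>
To: uncle@uncle-isp.example
Subject: is this you?

(body omitted)
"""

# Constructed sample: the same From address, sent through the domain's own servers.
GENUINE = """\
Return-Path: <nephew@nephew-mail.example>
Authentication-Results: mx.uncle-isp.example; spf=pass smtp.mailfrom=nephew-mail.example;
 dkim=pass header.d=nephew-mail.example; dmarc=pass header.from=nephew-mail.example
From: Nephew <nephew@nephew-mail.example>
To: uncle@uncle-isp.example
Subject: photos from Sunday

(body omitted)
"""


def _domain(addr):
    """Lower-cased part after the last '@' ('' if there is no address)."""
    return addr.rpartition("@")[2].lower()


def auth_results(msg, trusted):
    """Collect spf/dkim/dmarc verdicts, only from headers stamped by our own server."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        tokens = authserv.split()
        if not tokens or tokens[0].lower() != trusted:
            continue  # the sender can add a header of their own claiming "pass"
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", rest.lower()):
            verdicts.setdefault(method, result)
    return verdicts


def assess(raw, trusted=TRUSTED_AUTHSERV):
    """Return a list of reasons to distrust the displayed sender (empty if none)."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    findings = []

    # A differing envelope sender is a signal, not proof: mailing lists do it too.
    if envelope and _domain(envelope) != _domain(from_addr):
        findings.append("return-path-domain-differs")

    # Some clients show only the display name, so an address placed there misleads.
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)
    if shown and shown.group(0).lower() != from_addr.lower():
        findings.append("display-name-shows-other-address")

    verdicts = auth_results(msg, trusted)
    if not verdicts:
        findings.append("no-trusted-authentication-results")
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) not in (None, "pass"):
            findings.append(f"{method}-{verdicts[method]}")
    return findings


if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, assess(raw))
```

An empty list only means the message was not forged in these ways; mail sent from an account that really was taken over passes every check.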
just tell him to always wear protection. he will figure out the rest.
All the stuff that is on a good 90%+ of PCs. You can tell it custom paths if you want it to check software it doesn't normally check but all the stuff most people have that isn't done by Windows Update, your Java and Flash, your third party browsers (although Dragon autoupdates so you don't need the Hippo for that) and most of the mundane everyday software like VLC or messenger, I'd say a good 90% of my customers FileHippo covers all the software they install and use.
BTW you want to save even more time you can use Ninite to not only do first installs but to also update the systems. just tell 'em to check the boxes on the stuff they use and hit run, that's it. No toolbars or other crap, no getting a bunch of dumb questions asked, it's a fully automated install and that page covers most of the software your average user is running, from iTunes to .NET.
ACs don't waste your time replying, your posts are never seen by me.