Slashdot Mirror
Ask Slashdot: What To Tell Non-Tech Savvy Family About Malware?
First time accepted submitter veganboyjosh writes "I got an instant message from an uncle the other day, asking me what was in the link I sent him. I hadn't sent him a link so I figured that his account had been hacked and he'd received a malicious link from some bot address with my name in the 'From' box. This was confirmed when he told me the address the link had come from. When I tried explaining what the link was, that his account had been hacked, and that he should change the password to his @aol.com email account, his response was 'No, I think your account was hacked, since the email came from you.' I went over it again, with a real-life analog of someone calling him on the phone and pretending to be me, but I'm not sure if that sunk in or not. This uncle is far from tech savvy. He's in his 60s, and uses Facebook several times a week. He knows I'm online much more and kind of know my way around. After his initial response, I didn't have it in me to get into the whole 'Never click a link from an unfamiliar email address' bit; to him, this wasn't an unfamiliar email address, it was mine. How do I explain this to him, and what else should I feel responsible for telling him?"
you've been compromised, and now you're spamming /.
Log into AOL's SMTP server with telnet and make an email that looks like it's coming from your uncle. Show him how easy it is to fake, and that the "to" field is actually incredibly untrustworthy.
In this case, let's say your uncle mails his letters by leaving them in his mailbox (I think some places let you do this) for the mailman to pick up. Now let's say a shady guy comes along and copies the names of people your uncle is mailing letters to, including yours, then sends him a letter purportedly from you asking him to loan you money by wiring it to a specific bank account or whatever.
Your NAME was involved but you had nothing to do with it, and the scammer found out your name from him.
I don't see why you think his account has been hacked.
Someone simply sent him email with your address as the "From" address. Doing that is trivial, and spammers do it all the time.
Post your uncle's email address and your email address, and thousands of us here will send you email with your uncle's email address as the origin.
Go ahead, post both addresses. You can trust me. I'm "Anonymous Coward", and you've seen millions of articles from me which show my wide variety of expertise.
Seriously. Show him a segment in the e-mail header and say that's proof his shit was hacked. He won't know the difference anyway.
This used to be good advice, because Macs were such a small share of the market that the malware authors didn't bother with them. This isn't quite so true any more.
If you want to get them a platform that won't be targeted by malware authors for quite some time, install Linux Mint on their PC. As a bonus, it won't cost anything extra (unless they have some shitty printer that has no Linux support, but a new Linux-compatible printer is much cheaper than a new Mac). As an extra bonus, you can install the KDE version of Linux Mint and assuming they're coming from XP or Win7, they won't even have to learn a whole new GUI paradigm.
Really, I can't think oi a good reason to presume that either account was actually hacked. What's evidently happened, however, is that both parties have had their email addresses harvested, using one (falsely) as a sender and the other as recipient.
File under 'M' for 'Manic ranting'
Most 'exploits' that get people these days are emails, etc, with fake notifications that get people to enter their login details for FaceBook, Gmail, etc. A Mac will not help for the majority of what gets people these days.
I consider myself pretty savvy, but I've been fooled a couple times by "fake" emails harvesting login credentials when I was tired and not thinking.
Both times I realized within minutes that I'd been had and went and changed the passwords immediately, but it's really easy to be fooled if you aren't paying attention.
The preferred solution is to not have a problem.
A person can ask for advice. They can act on it as they see fit. If your adult uncle ignores your advice, you are off the hook. Maybe you know what's best for him, but if he's asked you and doesn't believe you, there's nothing you can do. I know you wish you could help, but you can't. We sell computers to people who aren't IT admins with the implication that they don't need to be one in order to operate them. Sadly this isn't true, but it's beyond your duties as a nephew to try to disabuse him of this notion.
This answer is probably less than satisfactory, but the world is an imperfect place and our ability to change that is very limited.
Perhaps other Slashdotters have some Jedi mind tricks for you to try, but I'm not optimistic, based on personal experience.
I am not a crackpot.
Tell him that the "from" that shows up in emails is like the upper left corner of an envelope.
I could write a letter, address it, and in the upper left corner write
And you could mail the letter. And the letter might even be delivered. But that doesn't mean that the President really sent that letter. It just means that whoever sent it claimed to be someone else when they were sending it.
Get them a Chromebook and save $1200+ off the price of the Mac and be done with it.
Just tell him email is very easy to forge. That's it.
You don't have to explain the technical details of exactly how it is forged, what headers are, how SMTP works, how malware mines personal data, or any of that. If he cared about the technical details, he'd read up on them, and then he wouldn't need you.
Keep it simple: "email is very easy to forge."
Cut that out, or I will ship you to Norilsk in a box.
You did what you needed to do, you let them know they had a problem.
You are done.
It is not just non-tech savvy people that have this problem. My brother is, or so I thought, knowledgeable in the area of malware. One day I get a spam message sent from him, actually from his previous email address. I recognized that the message was also sent to quite a few people in his address book. After receiving a few more, I did a reply all to one of the messages, copied to his current email address and included a message that I hope you are not doing any banking or on-line shopping with that computer. His response was to send out a message to his entire address book asking people to set up their spam filters to ignore any messages from his old address.
I tried, I'm done.
The good news is that I now know of some juicy stocks that are going to really run up in price and three or four places where I can order some V1agra. Also, I was able to do all of my holiday shopping an a really great Russian sex toy shop. They even gift wrap! Everyone is going to be so surprised this year!
Again, you are done, move on.
You can tell a kid a hundred times that the stove is hot, he won't believe you until he burned his hand.
Tell him, if he chooses to ignore you, don't press on. You offered help, he declined, everything's fine. Sorry, but if ignorant people choose to reject the information they get from people who know more than them about the matter, you have to let the kid burn his hand.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I think the first thing to tell your uncle is that he should get his tech advice from a more tech savvy relative who doesn't automatically assume that a forged email is done by hacking someone's account.
What he's getting at is that any OS on any computer is vulnerable to this sort of attack. Any OS at all that has a web browser: Windows, OSX, Linux, Android, iOS, *BSD, Solaris, whatever.
Once you click that link and enter your credentials, you are hacked. No resident virus required that has to hook your system via known attack vectors. Of course once you are hacked, it is much easier to get to that next step, if that's important to the attacker. But usually it's not, they're perfectly happy with your accounts.
Have you ever heard of backscatter spam?
Spammers use bots to browse the internet and scoop up email addresses. Then they send messages with one of those addresses in the "From" header and one in the "To" header. If the messages go through, one person receives spam. If they don't go through, the other person receives spam. Either way, someone gets spam.
None of this requires much technical knowledge. I can make backscatter spam by filling in a registration form on any website. I just put your address in the "email address" field, and the site sends you a confirmation email, typically from a no-reply@whatever.com email address. So it's basically impossible to stop.
Backscatter spam works because it looks like it came from someone it didn't. It's why web sites shouldn't provide alerts for messages that weren't delivered and why "out of office" messages or messages to confirm addresses are bad. Because any bot (or any person, too) can fill in a form and turn your website into a backscatter machine.
This used to be good advice, because Macs were such a small share of the market that the malware authors didn't bother with them. This isn't quite so true any more.
It is true that Macs are not (relatively) free from threats anymore, but damn, they sure have a lot fewer to deal with. No?
Not anymore. Remember that story posted not so long ago?
http://thenextweb.com/microsoft/2012/11/02/microsofts-security-team-is-killing-it-not-one-product-on-kasperskys-top-10-vulnerabilities-list/
Apple is on that list twice (QuickTime and iTunes). Adobe is there a lot. No Microsoft products.
Feel free to bring the conspiracy/fraudulent research theories but really it's time people move on with old stuff.
lucm, indeed.
My dad got infected by some malware a while back. He had WinXP Pro. My brothers tried to help him to no avail. He doesn't do well with keeping his antivrus and malware stuff updated. The old guy also does stuff I've told him not to do too. So he got this malware infection that told him that the FBI had locked his computer and to send $200 to a site to unlock it. He freaked out. So I installed Linux Mint 13 KDE 32-bit on his computer. He hasn't had to worry since. He likes it because its also faster. My family thinks I'm free tech support and I was getting real tired of fixing their installations. Now my brothers and uncle have installed Mint also. Life is much simpler for me now. :-)
Oh, yeah! Wise guy, huh? Woob woob woob woob! Nyuk! Nyuk!
Browser hijacks and browser vulnerabilities are exactly that, and have little to do with which operating systems they are being run on. Phishing attempts work on any operating system. My own operating system has been one flavor or another of Linux for many years now, and I have to be cautious. Mac, Windows, Unix, Solaris, Linux, DRDOS, MSDOS 6.22, - it doesn't matter which you are using if the exploit is aimed at the browser.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
It has nothing to do with being tech savvy, smart, or old. This is the sort of news that people do NOT like hearing. You tell them their computer is infected and they get defensive because they don't want to hear they did something wrong. Even though we know it's very easy to get infected if you aren't paying attention and there are a lot of traps out there to get you, but most people do not know that.
And when you tell someone something they don't want to hear, what do they usually do? Yes, lash out at you in anger. Not unlike what the article person did, tried to turn it around and blame their friend.
Back in the early 90's, there was this local person that I did a bit a computer business with, so we knew each other decently. This one time I got a disk from him, and it was infected with the Stoned virus https://en.wikipedia.org/wiki/Stoned_(computer_virus). Well, it took me a bit to figure out what was going on, and that i infected a few other of my boot disks in the process (it was my first virus, how we never forget out first!). When i figured it all out and told him that I got a virus from him, he wigged out and swore that he never gave me a virus and blah blah blah. I was just warning him so he could check his disks, i wasn't blaming him for anything, yet his first reaction is to deny it happened.
You find this happens for most everything when there is a chance someone did something wrong.
Be seeing you...
And where, exactly, do you get paid money to buy a Chromebook?
MacBook Air starts at $999 for the 11" version, so in order to save 1200 bucks, you'd have to be given $201 when getting the Chromebook.
Sounds like a really bad deal for the manufacturer to be honest.
Hi there, you must be very pedantic and love to point out how utterly moronic everybody else is compared to you.
Welcome to Slashdot!
You will fit in quite nicely here.
Your logic seems a bit off here.
The usual scenario for hacked account spamming is as follows: Spammer takes control of account (either via phishing, malware, or more rarely social engineering) then sends spam message out to everyone on the account's contact list. It's a great way to spam since a) the people you are sending to are usually real people and b) they will be more likely to click through since the message is coming from someone they know.
What I have not seen before is a spammer gaining control an account, getting its contact list, then sending a *single* message to that very same account from someone on that contact list. What could possibly be the point when you can do the usual trick above? Spam is a numbers game for the most part, and what you're proposing has happened seems to be one of the worst possible ways to reach as many people as possible.
I'm not saying you're wrong, but just that it doesn't quite add up.
In my experience, switching people from Windows to Linux is a lot less work than switching them from Windows to Mac: pretty as it is, the Mac has just too many annoying differences and annoying little usability problems. My parents could never get used to global menus on the Mac, for example. And remote system management on the Mac is also harder (the best you can do is try and set up remote desktop access). And, of course, there is the obvious advantage that people using Linux can continue to use the hardware they are already used to.
(Besides, you seem to be off your Apple marketing script: I thought the party line among Mac folks was that Mac is UNIX but Linux is not.)
I'm surprised that no one's brought it up yet, but -- One of the most common spam email profiles that I get these days has the name of a Facebook friend in "From", my name in "Subject", and the body being just a single hyperlink. Pretty clearly, something is scooping up names of friends from Facebook (and recall email address is required there), so there's no need for any personal computer involved to be hacked. And I'm getting these things with the names of some friends I've never had any contact with except through Facebook, so it's easy to deduce that's the source. I would think.
We know where leadership by an anti-intellectual "strongman" who scapegoats minorities and likes boisterous rallies goes
Even when you explain it to them, most of them are too dumb to understand it.
If you are a programmer, you are part of the problem. The user isn't dumb, s/he just has better things to do than become a Software Engineer just to use what has become an everyday appliance. The problem here is bad design, period. Accept that and maybe we can move on.
You should have use Xubuntu, then she would not have pestered you at all.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Funny - my wife had little problem migrating to Linux, either.
She resisted initially. But, I talked her into trying it out. I explained that I didn't want to spend yet more money on a license to install an operating system, when I could install a free system on her existing hardware. So, she went along, and tried it out.
There were some questions over the first few days. Fewer questions as the first weeks went by. Almost no questions over the next several months.
Today, I find her doing stuff that I NEVER told her about. Believe me, she is NOT a techy. She has little idea how any of the components in her machine work. She is NOT the person you want to choose new hardware. But, she has learned her way around Linux pretty well, with little pain. Occasionally, I even see a terminal open on her desktop. Do I pry? No way. Let the old girl do whatever pleases her - just like I do on my own computer!
Of course, most of what pleases her is Pogo games and watching soap operas. Silly waste of resource, if you ask me, LMAO
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
It's very hard to get fooled if you always think by default "it's a fake" and only revise that opinion after having convinced yourself that the mail is legit. Then the worst thing you might do when tired is to not react on a legitimate mail.
The Tao of math: The numbers you can count are not the real numbers.
what else should I feel responsible for telling him?
Nothing.
Tech enthusiasts often get satisfaction from helping others in this way. But you should always understand that you are not responsible for doing so, and they should understand that too. If they are difficult or unappreciative, well it's not your problem. If they don't follow your advice, it's not your problem. Your goal in doing it is because it's a nice and helpful i.e. good thing to do; when it stops feeling like that then you're not achieving the goal, it's not really nice and helpful no matter what your intentions, how right you may be or how much safer they might be for following it.
If your uncle knew a lot about cars and you were going to buy one, would you consider that he was obliged to find you a good runner and teach you how to drive? Would he even go into lots of detail or just give a handful of key general points? Would you definitely follow his advice to the letter or would you take it on board and do what you want to do?
The best advice I've given is that if there's any kind of account then you do not use links in emails, go to the site normally. Seeing as he went about asking you what the link was, perhaps that might already have sunk in.
FYI an email with your address in the "from" and his in the "to" field doesn't offer any clue which has been compromised, or if anyone has. One possibility would be if anyone has sent one of those stupid "forward 1000 times and Bill Gates donates $1b to charity" with both of your email addresses.
Unless he is willing to be full time 24/7 tech support that would be a BAD idea. Just look at the serious guttings that have happened to Linux in just the last 5 years, ALSA for Pulse, Gnome 2 for GnomeShell then this funky ass hybrid of the 2, KDE 3 to KDE 4 (which was frankly shoved out in alpha quality at best by ALL the "user friendly" distros) and finally the changes in the wireless networking that has made USB wireless hit or miss, usually miss.
Frankly if you know what you are doing you can set up an "idiot proof" Windows that short of the old guy clicking "Why yes, I DO want to get infected, STFU and let me get infected!" then nothing is gonna happen. With this system I've had customers that picked up more bugs than a Bangkok whore on coupon day and they are squeaky clean. Everybody ready? Here we go..
You start by doing the most obvious thing, that is making sure all their software is up to date. Once that is finished you get their ass OFF IE onto something that doesn't have a giant bullseye on it, personally I prefer Comodo Dragon as not only does it have low rights mode like Chrome, but it also has Privalert, which will block all the tracking crap (you can of course whitelist any page with a single click, even grandma could do it) and you have the option of Comodo DNS which in this case i would say YES, use it, as it blocks many malware pages from loading. Once its installed go ahead and add ABP, in less he likes ads bugging the shit out of him, and I usually install ForecastFox as its nice to have the 5 day forecast and the radar right there.
Next you install Paragon Backup and Recovery Free as this will let you not only make a hidden backup capsule (think OEM restore partition, only custom made by you and up to date) but you can set it to any kind of schedule you like, including differential, daily, weekly, whatever. I used to use Comodo Time Machine as it allows you to restore even if they hosed the boot image but its not supported on Windows 8. if you are running 7 might want to check it out. Next you install FileHippo Update Checker and tell it to ignore beta releases. the reason you do this is to keep the old guy for falling for the "you need the latest flash, just download "Iz_Not_Bug_Iz_Flash.exe" right now!". you tell him if the little Hippo don't say there is an update there is NO update, period.
Finally you have the AV, here you can use either Avast free or Comodo IS, I prefer the latter as its not as "chatty" and has built in sandboxing by default but some folks like chatty, both are VERY good at stop malware pages before load and Comodo IS sandboxing means if the old guy does try to run something nasty it'll minimize the risk.
so there you have it, it looks more complex than it actually is, takes about an hour all told depending on how out of date the software on the system is. Once its done that's it, just leave them be, they'll be safe as houses. The browser is sandboxed and in low rights mode, you have the AV scanning every page before load, the browser is blocking ads (one of the biggest attack vectors) and tracking crap, and to top it all off the OS has a hidden encrypted partition with a backup image so if they by some miracle ever do figure out how to break something you can have it back up in under 30 minutes, no problem.
ACs don't waste your time replying, your posts are never seen by me.
I would have said the reverse. The menu bar being at the top creates modality that makes it easy to discover which windows belonging to a given application. In the Windows/X11 world, trying to figure out which application a particular window came from can be a usability nightmare... except for apps that are designed so that all of your windows are subwindows of one big window, which makes your second monitor useless.
Or SSH or iChat/Messages screen sharing. The latter makes more sense for home use, IMO.
Unless it is ancient hardware with a PS/2 mouse and keyboard, you can usually just plug their existing hardware into a Mac and use it. People aren't used to the box on their desk; they're used to the peripherals and the OS, and you're changing the OS either way.
Check out my sci-fi/humor trilogy at PatriotsBooks.
None of the ten in your list are holes in operating systems; Oracle features prominently. The question is, how many trojans and viruses are there in the wild for the various OSes?
I'll believe MS is concerned with user security when they stop hiding extensions and stop mixing data and code.
Free Martian Whores!
People like you are the real problem.
You mean people who recognize that others have better things to do than waste their time learning a needlessly complex device? People like you are the reason Apple and Google are worth billions and you aren't because they understand design and you pretty clearly do not.
Computers are working tools, and manipulating a tool is something that must be learned.
So we should make tools intentionally difficult to use? I should have to learn a programming language to adjust the temperature on my thermostat? If someone cannot be trained to do a simple task quickly with a tool then the tool is badly designed. That is 100% the fault of the designer. While there is a learning curve to everything, it is a question of degrees. A tool that is unnecessarily hard to learn just because the designer could not be bothered to make it simpler is a bad tool. (and the designer of that tool is bad at design) Just because you can figure it out with sufficient effort doesn't mean it is a useful application of time and effort to do so.
Many people seem to be strongly opposed to trying to understand how a computer works to use it, but sorry, that's just the way things work.
So you know everything about how how an airplane works? You know enough to do all your own home repairs, no matter how complex? You know everything about engine repair and never need a mechanic? Of course you don't. Computers are tools and you can get useful work out of a tool without knowing all the details about how it works. In fact it would be a HUGE waste of money, brains and time for you to try to learn all of that.
People not trained in the use of machine tools are not allowed to use them, it should arguably be the same thing for computers.
I run a manufacturing company that uses machine tools. Very few of our employees know how to use even most of the features of them and yet they are able to do their jobs and do them well. They are trained on the bits that apply to their job and we try to keep those as simple as possible. They don't care about all the arcane details of the tools and they don't need to. If someone cannot be trained to do a simple task quickly with a tool then the tool is badly designed. Computers are no exception.
People don't usually care what "application" a window belongs to; the fact that you care on the Mac is a holdover from the Mac's single tasking heritage (where the entire menu bar paradigm originated). What people do care about is that the menu entry they select operates on the document they are working on, and people get confused about that relationship on the Mac.
SSH isn't a good option because OSX command line administration is extremely obscure. iChat is mac specific.That points out another problem with switching to Mac: if you switch your parents, you really have to buy another Mac for yourself and set up Apple-related accounts and infrastructure everywhere. You can't maintain a Mac if you don't use one yourself, it is just too different.
I went down that road; bought a Mac for my parents and a MacBook and desktop for myself. It was a lot of work. In the end, the small benefits of OS X over Windows just didn't justify the big expense and work. A couple of machine generations later, my parents are on Linux, I'm back on Windows and Linux, and we're all a lot happier.