Slashdot Mirror
Ask Slashdot: How Would You Secure Your Parents' PC?
New submitter StirlingArcher writes "I've always built/maintained my parents' PC's, but as Mum has got older her PC seems to develop problems more readily. I would love to switch her to Linux, but she struggles with change and wants to stay with Vista and MS Office. I've done the usual remove Admin rights, use a credible Internet Security package. Is there anything more dramatic that I could do, without changing the way she uses her PC or enforcing a new OS on her again? One idea was to use a Linux OS and then run Vista in a VM, which auto-boots and creates a backup image every so often. Thanks for any help!"
Might wanna take out the CPU as well, just in case.
All you need. Click here.
Like email, browsing, and perhaps some photos and videos, get a tablet. I hate to add to the PC market shrinking (it is my main bread and butter), but a tab is typically simpler, and more than enough for many use cases.
Additionally, you can root and do a nandroid backup on initial setup as a quick imaging routine in case of problems.
Disclaimer, I wrote this on the commode with a nexus 7.
Silence is a state of mime.
Sell the PCs and get them iPads.
Problem solved.
I'm not joking.
Most people don't need the flexibility and attendant hassles of PCs anymore. Just give them an iPad or Nexus and be done with it.
and she took a few weeks to adapt, now she uses it (mostly) trouble-free. I also enabled Desktop sharing via VNC to avoid driving to her place every time she complains 'I had my icon here and now it's gone' or 'It does not behave as berfore' or 'The menu to send my mails is gone'.
Her grand-children also spend lots of time on this computer while she takes care of them, and I used to clean lots of malware after them... not anymore.
How about Windows 7? From what I remember about the steaming pile that was Vista, 7 looks very similar. Sure it's new, but if it looks the same that may be acceptable.
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
Just teach her how to use Ubuntu.
My in-laws were having Windows XP issues, so I upgraded them to Mint. Zero support calls to me since then - and they like it...
Procrastination; I'll think of a sig tomorrow.
Freeze all system changes except saving into the the documents folder. There are a number of programs to do it, seems the most popular is Deep Freeze. It allows all system changes, but after reboot it is all gone. Some tweaking will allow making a few things persistent, such as the documents.
http://alternativeto.net/software/deep-freeze/
Build your own energy sources from scratch. http://otherpower.com/
Install Firefox, LibreOffice & Thunderbird. Insist that she use them. If she ignores your advice, tell her you can't/won't help her.
(Living on your own, doing your own laundry and being over age 25 adds necessary gravitas.)
"I don't know, therefore Aliens" Wafflebox1
My mom uses her Win7 machine as a User, and not as an Administrator.
You can avoid 99% of viruses, phishing, and other BS simply by taking away administrator rights.
No matter what you set up on a PC they will break it somehow. Trust me on this one. The best I.T. decision I ever made was giving my mother-in-law an ipad.
Good-bye
Bruce Wayne, is that you?
"He who can destroy a thing, controls a thing." --Paul Atreides, Dune
kubuntu looks just like windows.. she won't feel much difference. you have to motivate her to use the new system. put some pretty wallpapers or flowers or red/fluffy theme.. kde has bunch of them. she is gonna love it.
Get a tablet, show them how to use google docs. Enough.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
When I see comments like this, I am SOOOO grateful that mum bought a core duo imac 6 years ago, and it still is going strong....
If she already uses Firefox, great, if not, see if she can accept it. If she does, then add NoScript in and pre-configure it to only allow scripts from the sites she visits and their legit links and support sites. Basically, walk through her bookmarks and URL shortcuts and give just enough privileges to make the site load properly. That'll block a lot of the skeevy ads from appearing and protect against the vast majority of X-site scripting. You may still have to deal with new sites "not working" from time to time.
You may also want to install WOT (Web of Trust) if your existing security package doesn't block dangerous sites. That'll put a big warning screen up on any sites that are recognized as unsafe.
Also, if you can at least get her to upgrade to Win 7, that should stay in her comfort zone while giving you a few more generations of security updates.
Unless she absolutely needs it, uninstall Java.
And finally, since you have her off of Admin rights, I'm assuming you are doing all the administration-otherwise she'll forget some day and go out on the web when logged in as Admin. In that case, you'll have to go over there once a month to update Windows, Firefox, Adobe Flash+Reader and possibly Java. Or at least every three months.
You, the OP, are a nerd. Your parents are not. Apple get "normal people". Do them a favour and get them something they won't hate.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
What type of problems? Is she installing a bunch of ad toolbars? So many install in the user folder, so no admin rights are necessary. Some of the pop-up malware doesn't need to have admin rights to infect the pc. They drop the executable in the appdata folder or a subfolder with a randomized name and start up from HKCU\software\microsoft\windows\start so it is all in the user's area. Try firefox (or chrome) with adblock and change the shortcut icon to the IE icon. Migrate bookmarks and few people will notice the difference.
Does she just hibernate the computer and rarely reboots, so you get slowness because of memory leaks?
I'll second the suggestion to upgrade from vista to 7. From a user's perspective they are practically identical in look and feel. Only a few icons have changed and I'll bet you can find a skin for 7 to make it look exactly like vista.
I like the tablet suggestions, but if the person is really change adverse, that can be a big shock. I hate to say it, but windows rt might be the best way to transition her to a tablet. If you like the idea of a tablet, try a Kindle as a cheap way to test the waters.
Right up to the point where she has to turn it on and use it. See, his mother knows where everything is in Vista and MS Office (prob 2000 or 2003). Can you set up a Chromebook to EXACTLY replicate where everything is and how everything works on a Chromebook? If not, then no amount of security in the world will stop her from complaining incessantly about not being able to find her stuff.
Is it just my observation, or are there way too many stupid people in the world?
without changing the way she uses her PC or enforcing a new OS on her again
systemd is Roko's Basilisk.
When the Old Man was alive, I set him up with SuSE Linux and locked it (mostly) down. He ran it for 5-6 years. It never crashed, got a virus or had any known breaches.
With the release of WIndows 8.1/8.2 which demands and tracks huge amounts of personal information, Microsoft's offering is contra-indicated.
I'll let better people than I argue about the details of which distro/browser combination to use...
*** Don't be dull.***
That which helped me the most with this issue was enforcing Firefox with Adblock and Noscript, and setting the AV to update daily without confirmation and run scans every other day. This has reduced the warnings / malware numbers from roughly 120 to 0 when I run the scans manually.
The only problem is that you need to make sure they don't simply click "allow scripts globally" every time something doesn't work.
Good luck.
With a hammer
I second this. I've moved people from Windows to Kubuntu telling them that it is Windows [7|8|9] and they love it. Just don't tell them what it is called.
Tips: Firefox instead of Rekonq, Lancelot instead of the default KDE menu, remove all desktop widgets and 'lock' the desktop and panel.
It is dangerous to be right when the government is wrong.
Simple as that, you don't, it's just not possible....
I'd start with Avast, maybe Malwarebytes. Install Chrome, put it on their desktop and change the icon to Internet Explorer. Use SpyBot to blacklist sites. Setup everything to auto-update and auto-scan so they don't have to be bothered with any of it.
Then come back in a month, Secunda PSI and Qualys Browser give you a good way to keep track of what needs to be updated. Update it all. Registry doesn't really need to be cleaned these days, unless it gets really bad, I've found it actually does help performance a bit, CCleaner does a good job of this. Make sure everything is up to date and clean. Now go to the Control Panel, uninstall all the toolbars, uninstall Mcafee, etc.
Repeat this process every month... You can make things better, but you can't secure it.
To run browser(s)? If she is using web based email, then all her online actions are through Linux. I would think that would be more secure than Linux host/Windows guest. It doesn't necessarily need to be in seamless mode, but it might be more user friendly to her if it is.
If you could reason with religious people, there would be no religious people
I would secure my or any one's parents' PC by first installing a well supported and regarded Linux distribution, with a firewall, ClamAV to repel viruses that could infect a Windows computer to which e-Mails are sent, and a simple login authentication with password that they would easily remember, but could not be be easily guessed by anyone else.
Remind them never to click on any Bank or other business ad or e-mail for which they do no business, and that all their insurance and banking vendors would send important info by snail mail.
Nothing else in needed or required.
I ask since that's what we use in work. It's one of the things that makes my system really slow(since it scans my hard drive constantly.) yet I've seen at least 2 people here that have gotten viruses anyway over the few years I've been here. (Considering the site is less than 50 people that sucks as far as I'm concerned.)
Did you know 80 to 90% of the moderators on slashdot wouldn't recognize a troll even if one dragged them under a bridge.
and installing Linux and configuring an IPTables firewall script that runs every time the PC boots up so i only have to visit once a week to check for software updates., all mom does is play various solitaire games and email a few family & friends, buy a few things on amazon and Linux does all those things quite nicely
Politics is Treachery, Religion is Brainwashing
You can use Software Restriction Policies or AppLocker so that they can only run the whitelisted programs and not random .exe files and whatnot. You can set this up with various rules, like path or publisher (for signed software).
AppLocker is easier to setup, but not available for all Windows versions.
It might seem like a drastic measure, but at the end of the day your parents probably don't need to install new software themselves. Automatic updates for programs can still work, if you set it right (for example with publisher rules).
Other than that: don't install software unless absolutely required (such as Java), use a PDF reader with JS disabled, disable macros in Office (if possible) and some other stuff...
The OS is self healing and comes with a full keyboard. Your tech support calls will disappear.
Only the State obtains its revenue by coercion. - Murray Rothbard
Windows 7 and Chrome with Adblock+Ghostery
That's what I did and it hasn't worked out too bad yet.
I put my dad's PC up with Linux a few years ago. I have him set up with reduced user privileges so he cannot fuck anything up. He does very well with everything he needs to do, and I've not had to worry about anything that he's doing with that PC in just as much time.
I bought my Mother an iPad 2 years ago. I didn't realize how profound the change over was for her until I saw her helping one of our other relatives with their new iPad. Not only had she mastered her iPad, it made her feel smart again.
She still has her Vista desktop connected to a printer and uses it when she needs to print or fill out online forms. But that only happens a couple times a year. We even got her a little JBL dock so that she could listen to music last year and she fell in love with the iPad all over again. It's crazy.
But it was a good reminder for me. Technical people get caught up in different camps (i.e. Linux vs. Windows vs. Mac). We forget that good tech is good tech. And when you can watch your own tech-resistant parents become empowered by one device. It's good tech.
I specifically went with an iPad because of their walled app garden. Higher functioning users could probably be just fine with an android tablet but this was my Mother. A woman who gets very emotional when things don't work right. And now 90% of my extended family have iPads because of her.
So before you think about changing your Mother's desktop, change the way you're looking at the problem. Users will try to tell you what they think they need but *hopefully* most of us are smart enough to go back and ask them what the problem is (not what they think the solution should be).
As I said, we did keep her desktop but the tasks that would open her up to viruses (surfing) now happen on the iPad. I went from having to clean her machine 4 or 5 times a year to zero. Getting that time back was well worth the price of the iPad.
Create a host file in the OS you're giving them redirecting any http requests to known online shopping tv channels (QVC and the like), reverse mortgage companies, life insurance companies that prey on the elderly, etc. Maybe redirect to something to do negative reinforcement, like goatse.
In my experience virus infections happen most often by either clicking on suspect internet banners or P2P file sharing. I doubt your mommy is racking up the copyright notices, but she very well may be decieved by fraudulent banners; so my suggestions would be 1. get her to use firefox or chrome, install adblock plus and https everywhere addons 2. Use Microsoft Security Essentials - maybe not the greatest, but just fine protection generally. 3. make sure her computer is set to update automatically, as that should help mitigate some security vulnerabilities 4. as a secondary antivirus program, malwarebytes has in my experience, been very good. All the software i mentioned above is free, good luck brotato.
Folks hate change, but everybody loves something new. So instead of fixing their old crappy computers or installing Linux, I give them a new netbook/chromebook running some kind of Linux. They immediately start to use the new shiny one and I never get any support calls, since the machines just work and keep working, year after year.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Maybe try Zorin OS. It's linux, but looks like Windows.
People who are treated like children behave like them. Give her the responsibility to sort it out when it goes wrong, and she'll quickly become an adult and learn how it works.
I always thought "pear shaped" was a description of a catastrophe.
www.google.com/search?q=things+went+pear+shaped&oq=things+went+pear+shaped&aqs=chrome..69i57.3339j0j1&sourceid=chrome&ie=UTF-8
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
Goodness. I make a fair bit of my salary from environments where people have such casual attitudes to security, and install a single tool as a "fixed all my problems".
Good security takes layers. Robust backups, proven recovery or rebuild procedures, good practices for sanitizing incoming data, procedures to transfer sensitive data securely, and ways to safely store seldom used passwords are all subjects requiring thought and consistency. Schedule some time with your parents to walk though their usage patterns with them, to help them have backup practices and recover procedures they can work with. Work with them on sound password practices.
Too many people, and companies, have too many environments where a single "fix" has been applied and all the other risks ignored. Too many such environments have one "fix" applied in one place, and another "fix" applied elsewhere, which between them make the environment twice as vulnerable because they leave a commonly used escalation path, being probed by script kiddies all the time.
"I think my computer has a virus."
"What makes you think that, Dad?"
"Well, it's been running slow lately. And once a website popped up a notice saying it had detected a virus on my machine."
"... It did?"
"Yeah. I downloaded and ran the program it suggested but it seems even worse now."
"You're right, Dad. Your computer has a virus. Better take it to the repair guy."
True story. I love my parents, but they're three hours away by car, I gave up on Windows years ago, and there's no way I can talk them through a de-lousing session over the phone. ("Open the control panel. Go to the start menu... No, the one in the lower-left. Now click on it. LEFT click. Press the button on the left side of the mouse, Dad...") Computer repair shops still exist, or in the worst case they can take it to the Geek Squad who at the very least can re-image the damned thing.
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
They tend to last longer too... not sure about newer models but in the past they were better quality and the cost was worth it; but buying used on ebay helped.
Other relatives, it's linux + openbox. which has them still confused for certain things. one jumped ship already and is probably learning more new things with Windows 8 than if she just learned the parts of linux she had trouble with.
Democracy Now! - uncensored, anti-establishment news
it looks like vista. it runs better than vista. it's more secure than vista. and if your computer is able to run vista you should be a able to run windows 7. back up her data. tell her that you have to reinstall the operating system. install windows 7 instead. my mother hasn't noticed that i replaced her vista over a year ago despite the load up screen showing it's windows 7. the only thing she has noticed? her computer works better.
Greetings, As someone in the IT industry maybe I can give you some advice.
Since she is on Vista, you might want to look into Local Group Policies.
http://technet.microsoft.com/en-us/library/cc725970.aspx
You have much finer, granular control over many aspects of Windows through it. It can take some trial and error, but you can setup an environment where only specific applications run and nothing else. Or, you can do things like not allowing application to run from specific locations (E.G. C:\Users\\AppData or C:\Program Data). Doing this can greatly reduce the amount of Malware and Virus infections. You can also prevent changes to things like the Start Menu or task bar, etc. A lot can be done with Local GPOs that doesn't seem widely known to the standard Windows user, but they can really help lock a machine down.
No you fool. He's Britt Reid. Obviously.
Sleep your way to a whiter smile...date a dentist!
Depends on the level of hands off administration you want to do.
1) For geeks and mostly computer savvy folks an install of competent Anti-Virus, Firewall, and Anti-Malware Suite and about an hour of teaching them about safe computer usage practices will suffice. The percentage of people this applies to is still quite small.
2) For the non savvy user, the options are somewhat limited. The above will NOT work. It will only make you and them frustrated in the long run.
a) If you have the money and option, go with an iOS device - computer or tablet. This won't completely remove your IT duties for them, but it will drastically lessen them after they get over the initial learning curve.
b) In some cases, installing a distro of Linux will work. This is mainly for users who only want to do email and browser things and are not looking to do anything fancy such videos and social sites. It's not that the various flavors of Linux can't do that stuff, it just requires special attention to get it to work. But usually after it is setup it doesn't need to be messed with.
c) For the most typical case, ie the user who wants to use their existing computer, about the only option left is to quarantine them from the computer configuration. Couple ways to do this: either Virtual machine that restores the startup state on each restart, or a tool like Deep Freeze that effectively whitelists executables on the existing computer and blacklists any configuration/installation changes. For my ailing father, this was the only option, his mind was not up to doing anything else. He just wanted to look at pictures in the computer and a little bit of Internet stuff.
In all cases, a remote administration tool will help out when they have further questions. Team Viewer happens to be my particular poison in this area.
Why not go with a router that does packet inspection for everyone in the household. For computers that do not leave the household, this seems ideal. OpenWRT and DD-WRT provide some options. While Packet Protector issued and EOF in 2012 (http://en.wikipedia.org/wiki/PacketProtector), others exist.
Once it is up and running, I will refer my parents there, thanks in advance.
Gently reply
Always introduce them to free software before the switch to Linux. It's far too much of a change to do both at the same time, and they'll reject the change entirely. Once they get used to free software on Windows, they can use the same things in the same way on Linux.
Ask me about repetitive DNA
1 backup the data from the computer and wipe the computer ,teamviewer ,avast and whatever else you think they will need
2 install Win7 (you should be still able to get a LEGIT copy somewhere) DO NOT CONNECT TO THE NET
3 build on your computer a win7 and whichever MSO set of WSUSOffline patches and create a Ninite loader with Firefox/chrome,7zip, LO
4 run WSUSOffline and get the patches done (optional step install MSSE and upgrade MSIE)
5 run the Ninite Loader
6 FOR EACH OF [FIREFOX CHROME MSIE] WHERE INSTALLED =TRUE hit the adblock plus site and get it installed and configured.
7 setup Teamviewer and set a permanent password
8 set like EVERYTHING to auto update and "silent" mode where possible.
Any person using FTFY or editing my postings agrees to a US$50.00 charge
In addition to some of the suggestions above, I would set their DNS servers to OpenDNS
No, no, no! apk's host file FTW!
Personally, I did switch my mom to Linux. She had no problem adjusting to a Gnome desktop. I put the icons for her favorite apps and the home folder on the desktop and made the desktop folder read-only and there are no problems really.
Twinstiq, game news
Run Carbon Black on her machine and you'll know absolutely everything that happens on the machine. Combine it with a good antivirus like ESET and you'll at least know definitively when the machine is infected.
Add to this a small server and setup her machine to do diskless network boot, and you're all set. Even if she gets infected, you know exactly what happened and all you need to do to fix it is reboot, and it will pull down a fresh uninfected image and boot that. See the howto here.
This is a really hard situation. Not least because the stress of provided continual tech support for a low-skills user ends up putting a lot of strain on otherwise good family relationships.
My solution, in the end, was to practically force my mother onto an Apple. Apple is a better basis than Windows for users who otherwise muck things up. Also, dunno if this is still available, but at the time the "geniuses" provided her with decent support for a pretty marginal annual fee - relieving me of a lot of the tech-support stuff (why can't I print? I can't get on the Internet! - usually something silly). This was a relief all around.
Failing that, why not Linux. Mint/Cinnamon can be made to look a lot like Windows. Assuming it's an older version of MS-Office, LibreOffice is nearly a plug-in replacement. If Email isn't already in the web, put it there. Browsers are browsers, and no one should be using IE anyway. Set up a Linux machine with three desktop icons: Browser, Email (link) and LibreOffice Writer. Make everything read-only except where documents are saved, uninstall everything else (or at least remove the obvious shortcuts).
Enjoy life! This is not a dress rehearsal.
Get them a chormebook and be done with it. Seriously, they are less the $500 at walmart. Make it a x-mas gift. :-)
Inevitably the children must parent their parents, especially as the elders increasingly lose their capabilities in the latter years. Start now by growing a spine and challenging them to get out of the computer dark ages for their own safety's sake. The solutions pitched here so far all deserve scrutiny, but frankly if the lynchpin is that your mother is an MS Office power user (macros, etc.) then you're stuck with the Windows platform so just fork out for a Windows 7 license and hope for the best. OTOH, if you find out that her dependence on MS Office is just psychological, switch her to a tablet or a Linux-based PC solution and be done with it. If she whines, you get to play back all the old tapes she indoctrinated you with during your childhood. Fair is fair. You're doing it for her own good, after all.
I deny that I have not avoided attaining the opposite of that which I do not want.
The great thing about buying Apple is you can always send them to the Apple store for support, once you determine you can't solve the problem via screen sharing.
Change to linux!!
Really, windows is just problems, not worthy the trouble.
I migrate my father computer to linux, using Kubuntu.
Before the migration, already changed the email to thunderbird and the office to openoffice (now libreoffice), saving as odt, but teaching to export documents as PDF when sending to others (and solve the .doc/.odt support by others). Média player also setup to VLC and browser firefox.
After more than half year using windows and open applications and solved any difficulty encountered, i finally replaced windows by linux.
In linux, the apps are the same they used in windows, so the migration was easy. I just configured quick-launch icons for the needed apps, associate file extensions to the correct apps (mostly videos to vlc), saved authentications in main sites and main bookmarks in bookmark bar and setup digikam to import the pictures from the camera.
they only had 3 problems: using floppies ( yes, it was some years ago :) ,they didn't umount then all the times... solved by using a sync option for floppies. .exe files ... most of then are virus, so it IS a good thing they can't execute then. only once it was something useful, so i remotely setup the wine, so they could run the .exe and after that i disabled the wine ( i don't want then executing random things, even on wine).
Another problem was the
The final problem was the login page, i was ready to remove it, as they use only one account, but after some days they got used to it and i let it there.
My father uses today linux even better than what he could use windows. My mother only uses the browser on some sites (mostly banking) and have the same difficulties as in windows.
Right now the also have a tablet (BQ edison), that help the quick email check and browsing, making the PC less used.
So migrate to linux if they really need a full PC, install every app they need and configure everything. If not already, replace in windows everything you don't have in linux, to ease the migration (changing less things at same time is always better)
If they don't really need a PC, buy a tablet.
Higuita
I did Linux Mint and MS Office using Crossover as it meant that she could keep using the MS apps, but had a safer stable base to work from.
And - so my littlest sister couldn't keep installing her toolbar / chat app of the week on it - those caused more problems than anything else.
couldn't be bothered to support them with their Windows crap, so I installed Debian, configured the thing to email me interesting* stuff from the last run's system log on every boot, so I notice if something goes wrong. Didn't happen so far. (*) since it's hard to grep for interesting stuff, instead i cut away the known-noninterestnig stuff (from a file of a-priori known patterns)
CLI paste? paste.pr0.tips!
I dunno - AV-Test gave MSSE a "Must try harder" on it's last report card. http://www.av-test.org/en/tests/home-user/windows-7/mayjun-2013/
It gripped her hand gently. 'Regret is for humans,' it said.
I get asked this a lot whenever I fix someones computer. It's hard to deal with.
"Can't I just get an anti-virus program so I never have problems again? I thought I had Norton. Maybe it expired."
Non-technical folk seem to be under the impression that they can pretty much do whatever they want so long as they have an anti-virus software. Unfortunately, in the real world, you actually need to change your own behavior. In the case of having some sort of software that blocks potentially harmful scripts/programs/connections/whatever-else, an unfamiliar user is going to see that as annoying and just disable the whole thing. Worse yet, they still think they are protected and will continue digging into things they should not under those false expectations. Far too many times have I setup a proper security environment on a client's computer only to have them call me back again with problems and they admit they disabled everything because it was preventing them from accessing content they were curious about. Basically, even if your mother knows there is a virus hidden in this mysterious executable that was emailed to her, she really, really wants to see that cute kitten!
So, don't bother. You can try as much as you like to pound these things into their heads, but they will never listen. Get ready to always be there to fix their mistakes.
You can, however, try installing Comodo firewall, enable Firewall, Auto-sandbox, and HIPS. Make sure all the common software that will be used is working properly and not being blocked (probably 90% of it will be automatically detected as safe). It should, then, mostly stay out of the way while blocking unnecessary crap. Also install Malwarebytes, and have them run that any time they experience problems. That usually cleans up most common issues.
This doesn't really fit the OP's requirement of running MS Office (and being Vista...), but it really is a good option for many people who are tired of tech support calls from parents. We got one for my mom, and I don't think I've ever needed to "fix" it except for one time it lost the network configuration for some reason.
If you can't convince them, convict them.
Install Linux Mint 13 LTS. For remote administration, install SSH server & x11vnc, and forward SSH port to the LM13 machine. Done! I did this for my Dad and have had no complaints; he has Firefox, Chromium, LibreOffice and his DropBox contents. I log in on occasion and perform an "sudo apt-get update && sudo apt-get upgrade" to update his box.
The main thing is to get rid of Internet Explorer, which, on Windows 7, you can do.
If you lock down the browser hard enough, viruses stop being a problem, but some sites don't run. (This is sometimes amusing. I have Abine's Do Not Track Me installed, which blocks almost every tracking thing known, and I have third-party cookies blocked. As a result, if I watch a CBS TV show, I get the same commercials, over and over again.)
Seriously. Just get a refurbished iMac and put it in there.
I converted my parents a few years back and was so happy when I could finally stop cleaning up virus and malware laden crap. Even better, when I came to visit, I wasn't scared shitless that there were any key loggers or other unpleasantry installed. Yes, I know OS X isn't malware-proof, but it "feels" less vulnerable than what they had. The OS is set to automatically update along with their apps and everything is automagically backed up with Time Machine. My Dad still likes to play games in Windows; running Boot Camp and Deep Freeze keeps things happy there and when they want to surf, they just boot back into OS X.
No, really. Turn it into a terminal that connects back to something at your place. Then you can manage it for them, like a good child should be doing.
And no, i'm not talking a VT100 as some sort of 'age joke', but a modern graphical desktop type of terminal.
---- Booth was a patriot ----
I've done the VM on boot idea for a couple of people. Within Linux I put a script that will restore from the latest backup VM on demand. This works extraordinarily well.
My parents are a similar time away (by train). I didn't want them to have Ubuntu forced on them, but after the first lost weekend -- when I was about 19 -- I installed Ubuntu alongside Windows, and set the default to Windows.
The next time it broke, I told my dad how to boot Ubuntu over the phone, and asked if he could manage with that. He could for a while. (I also pointed out that my brother and sister never needed me to fix their computers, so maybe he could ask them to fix his, since they hadn't moved out yet.)
Securing a system for novice users isn't really that hard. The two most important steps are: (1) make sure they're running as a limited user, and (2) have them run a decent, but lightweight, anti-malware program. You've already indicated that you are doing this. For the user account, I strongly recommend not even giving them the admin password so they won't be tempted (or socially engineered) into using it. You should set up remote access so you can get in if they need help with something that legitimately requires it. For anti-virus, Microsoft Security Essentials works pretty well - it's lightweight and free. Not 100% perfect, but nothing is.
DO NOT install the Java Runtime unless it's absolutely necessary. Having this crap in the browser is the #1 vector of malware infections today! If the user absolutely needs it for one or several specific sites, use a whitelist. (Or, if it's for a non-web application, disable the web plugin using the control panel.)
Watch out for the Adobe junk, too - Flash Player and Adobe Reader are major malware vectors these days. Unfortunately, you can't usually skip Flash and PDF support entirely. Therefore, I suggest having the user use Chrome instead of IE. Chrome has its own version of Flash which is automatically kept up to date. And you don't need Adobe Reader, since there is a built-in PDF viewer in Chrome (which you can also associate with the .pdf file extension if you want). Install Adblock Plus for Chrome for some added peace of mind (not to mention a better browsing experience). Uninstall IE (or at least hide/remove the icon) so the user won't be tempted to run it.
Upgrade it to 7 you moron! Hardly any real difference except it's more secure and takes less system resources. And ofc take away admin rights, install chrome/ff etc etc
If you gave me a choice between a printer and a giraffe with explosive diarrhoea, i'll get my ladder and my raincoat
To the desk with lots of duct tape so it's harder for anyone to steal the computer.
Plus if you use more duct tape to stop the user from pressing on the keyboard or moving the mouse, it does wonders for preventing "drive by" website infections... :P
I do not fail; I succeed at finding out what does not work.
It is almost inevitable that I will have to provide them with a Windows machine. The *nix alternative is too weird and too much could go wrong in their hands.
(1) I would lock them out of any significant changes. They would not be capable of getting escalated permission (to install or uninstall software, to use administrative tools, etc.) without a special* password.
(2) * I would come up with some means of rewriting the admin password using PRNG and a given sequence. Each time Admin permission is given for installation of some program or another, it would advance the sequence and re-write the Admin password. I would keep track of how many times this has been done and always know which bunch of pseudo-random characters it is currently. I would probably be on the phone with them for awhile because in some cases you have to escalate two or three times to get something installed or changed.
(3) A sub-Admin account would exist but with severely curtailed privileges. Where "Adminstrator group" permissions are given for services or privileges, I would remove "Administrator group" and replace it with the name of the fully-powered Admin account, and only add the name of the sub-Admin account where it's needed. They would regularly use this sub-Admin account instead of a regular user account. This way they could plug-and-play printers, change windows services (SOME of them) and so on without needing to call me up for the mystery password.
(4) All remote access services would be shut down. They would be entirely on their own, no remote desktop or remote help. If they somehow heard about remote desktop or remote help and wanted to do that, I would tell them too bad, that if they don't want a secure computer we can do a fresh re-install and they can have the complete out of the box experience and damn the torpedoes, but that I would no longer consult with them on that computer. That would change things, if not right away, then certainly when they are swamped with viruses and getting hijacked down the road.
(5) I would demand no outside consultancy, just like I do with any windows box I "secure". If somebody I've helped comes back to me complaining that they went to somebody else and now everything I did was undone again, I cut them loose. There are too many people posing as "computer geeks" who seem to enjoy installing anti-malware that's pure slowdown and kicks and screams to stay on the system, "speed up" and "doctor" apps that are known to be shady, and other massively market-hyped crap. Since insisting on no outside consultancy, I've significantly decreased my stress and workload by ridding myself of chronically repeat clients. In fact, I don't do street computer work any more, at all. It's not worth it. I would be doing my "parents" a serious favor at the cost of a lot of stress and hassle in my life.
(6) I have never been satisfied with the auto-update experience of most applications. I would have to choose software for them that I feel is secure enough not to need updating, and to leave it at that. Windows Update is bad enough, and they are already going to be screaming at me over the phone on those days when there's a serious patch and it's in the news and Microsoft's update service is running slow or haltingly for several days.
Alternately:
I would just install something like SUSE and a virtual machine running their precious Windows. I would get my "parents" a really expensive laptop, two sets of wi fi keyboards and mice, two wi fi monitors, and set them up with SUSE giving them two simultaneous but separate experiences inside their Windows virtual machines. It would take me for fucking ever and would be complicated as shit, and would be really expensive. Then since they would want persistent Windows experiences, Windows itself is still there to be a total complete headache nightmare. So why go the convoluted "matrix reality" style virtual machines in a linux box when they can still screw up their persistent albeit virtual Windows experience? Yes there'd be this nice safe l
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
Rename the Libre Office icons all to Microsoft Office and GIMP to Photoshop . It worked on my mother in law
with a Mac or an iPad.
cue the usual "but OS X is just as vulnerable" or "only until market share" bla bla bla trolls in 3... 2... 1...
The simple fact is that a) it works, b) it's available now, not theoretically or with enough work and c) it's supported by other people aside from yourself.
Assorted stuff I do sometimes: Lemuria.org
yeah but how long until Apple forces obsolescence of their Mac or iPad?
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
I gave my mother an iPad as "additional" device as a present. Soon afterwards, PC useage and resulting problems dropped by 80-90%. Very good investment...
Disclaimer: Not everything is perfect with an iPad for seniors (e.g. maximum font size is still too small, most apps ignore setting anyway). But even with 73 years she took to the device like a duch to water. A 13'' or even 15'' tablet would be a better choice for older people.
It's called the Depart of Reality where your mom is not an IT expert and you care enough about her not to give her a platform easily exploited.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Adblock plus to keep the ads out, Web of Trust (mywot.com) to keep them from clicking on garbage, and AutoHotKey to keep them from right clicking when they mean to left click and mess everything up. Old folks lose dexterity in their hands, and don't even realize they're right clicking. I fixed this issue with my Grandfather using AutoHotKey to make right click = left click, and then I mapped the + on his num pad to a right click so that the functionality is still there when needed. I detailed it here:
http://www.tidbitsfortechs.com/2013/10/using-autohotkey-to-assist-the-elderly-disabled-and-more/
Nobodies Prefect
Tidbits for Techs Technology Blog
If they can't make do with a tablet (and most parents can), then buy a Mac. You really do not need to run a virus checker all the time. If they use the App Store to by software that cures 99% of possible malware issues. Even if they download applications the default security restrictions are good enough they may not be able to run it without asking whereupon you can advise them if they really should...
But buying a Mac is also the best move for a very good reason; you spend more time with your family instead of with their computers.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Not being able to type on a tablet might have been a problem with the broken Bluetooth keyboard support in Android 4.3, but it's fixed in Android 4.4.
You may want to consider alternative DNS servers like OpenDNS on the router.
...at least upgrade her to Windows 7.
Better performance, more secure, still supported.
Btw. people are far better in handling/learning new things than they think they are... I've upgraded my father (80+) to OpenSuSE without any problems.
Don't expect them to learn Linux now - even if it is a better option. Security Essentials or Avast should help. It would be better to encourage them to use Google Chrome or, better, to use Firefox with NoScript, HTTPSEverywhere, though NoScript can be a bear to learn to use effectively (This, only because of recent concerns about Google's on-off relationship with the idea of having respect for users' privacy). Windows 7 or later should ensure they can quickly give new programs admin permissions if required, even if they are using an account with few privileges.
As a PC shop guy I run into this problem quite a lot and there are actually a few options. You can have a program like Paragon Backup and Recovery Free set to make daily/weekly/whatever disc images and then easily roll it back when they bone it (because if they are like most older folks no matter how many times you tell them "don't click on that" they will) but the problem with those is that you usually have to be the one to roll it back, too complex to restore from disk image for an old person.
So while this way is no longer supported on Win 8 and above (but since Win 8 is a bomb who cares) this is the way that I do it and it gets the "Hairyfeet seal of approval". This method scores damned near a 10 out of 10 in both keeping infections out and in fixing if they manage to bypass your security and infect it anyway. And yes that is a problem, as i have seen older folks actually turn OFF the AV because an email told them to. As a bonus it costs $0.00 and doesn't take more than an hour tops. Ready?
1.- Install Comodo AV Free and be DAMNED SURE to pick YES when it comes to installing Comodo Dragon, the why will be apparent in a moment. You can go ahead and uncheck geek buddy, that is your job, they don't need some guy at a helpdesk in India to tell them what to do. 2.- Go into Comodo AV after install and turn it to "paranoid mode" this will run everything in a sandbox by default and treat everything as suspect. Now for your not completely clueless you can leave it in clean PC mode, but for those that click the "punch the clown and win an iPad" types paranoid is safest. 3.- the final step is to download and install Comodo Time Machine and LOCK the first image, call it "clean PC" or something else that will be easy to tell grandma over the phone. A bit of warning when it comes to CTS, it dos NOT work on win 8, it does NOT work on dual boots, you should also set it to clean out old snapshots after say 30 days. That said if you want a PC that can recover from pretty much every bug out there? here ya go.
And that is it, stick a fork, there is no step 4. Of course this assumes you have already done the common sense things like set windows update to automatic but other than that you should now have a 100% clean PC that will stay that way. The browser is sandboxed and locked down, runs by default in low rights mode, the AV is watching everything like a hawk and if they manage to talk the old folks into bypassing the AV? Time machine has you covered. I have several users that would get more nasties than a Bangkok whore on coupon night and thanks to this little 3 step program their PCs are pretty much idiot proof. Oh and as a bonus if they screw anything up, uninstall a printer driver or just trash a program? it takes less than 10 minutes over the phone to restore with CTS. You tell them reboot, hit home key when they see the big clock, pick the day before (assuming you set it for daily or snapshot on boot) and leave it alone...and that is it, the CTS will set the machine back and it'll be like they never made the boo boo.
ACs don't waste your time replying, your posts are never seen by me.
There will be some whining, but swap in a new hard drive, keep the old one "in case they want to go back", and set up a VirtualBox Windows environment for iTunes and whatever other "Win-only" software they must have.
// have done this for friends, and they are still happy 3 years later.
You'll both be happier in the long run.
My father is brilliant, but he's not a computer person. So the last time a virus took out his system, I treated him like any other non technical user on my network. I limited his ability to do damage to himself and others. NT user permissions in Windows 7 are useful for this. You can adjust anyone's group permissions, be they on a single PC or an Active Directory. It's not difficult to learn how to use these things, if you're not a systems administrator; and my dad hasn't had a single problem with viruses since I set it up for him. Remember, when you're running any PC, a virus needs admin permissions to do real damage. Deprive your users of admin rights, and (while you may still have issues with viruses) you're not going to fry your PC.
This signature has Super Cow Powers
Usually this can be remedied using remote control (VNC et al). If remote control from Windows does not cut it, use remote control from a Linux boot disk/stick - next time you visit your parents bring one and configure the PC to boot from it when present. This gives you full access to the machine. Don't subject your parents to the whims of those 'computer repair shops' unless you know for sure that the shop they'll take it to is legitimate. Yes, it takes some time to help. No, you should not feel the need to do this for all your friends.
This also works for Android devices by the way, handy to know in case they decide to get a tablet and manage to mess that up. Just connect the thing to the PC and access it through adb and/or a remote control program like teamviewer.
My parents live in another country yet I still manage to help them from the midst of the Swedish forests...
--frank[at]unternet.org
Everything I've learned tells me you're going in the wrong direction. You'll stick them on something that they're going to hate. Get the old folks Macs. Sucks because they're more expensive, but in my experience the technologically challenged should generally be on them.
i'd get them a chomebook.
easier to use. minimal risk. minimal cost. simple to replace.
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
Who became the lead developer after Bond killed him? And wasn't Zorin more of a hardware guy?
http://www.opendns.com/
My mother(88) is using Linux. She has no idea that she is using Linux. My mother in law is getting a chromebook and will have no idea what she is using. Interestingly both of their demands and security are being met quite well. My mother surfs a bit, she watches youtube a bit, but she mostly types documents to print(OpenOffice), and emails on gmail. So Linux is quite nice in that with a tiny bit of security her machine is well locked down from the predations of both the evils of the internet along with the destructiveness of various descendants.
My mother-in-law only gmails and that is it. So a chromebook is perfect. (Tablets are out due to the lack of keyboard or the fiddly keyboards) plus for the same price as an 8 inch tablet she gets an 11.6 inch screen.
But the dealbreaker for linux is often an iPhone. Yes you can hook up an iPhone to Linux but it is a pain in the ass along with things like the backups not being very good at all. iCloud can take care of quite a bit so that is becoming less important.
But for me the best bit with recommending Linux is that even the Raspberry Pi can run a fairly robust Linux. So old crap hardware can meet basic internet needs quite nicely.
But back to the original question. The security of a basic locked down linux set up is fairly good. With windows my problem was fixing all the stupid plugins and downloaders that various people would install. Now they can't install or alter much beyond things like bookmarks.
Mac or Linux - doenst even hae to be a new mac, probbaly be better to run snow leopard or lion over mavericks. Either that or Linux.
Being PC comptible is obvverated in the non-techie/retired generation. Most do email facebooks, some surfing and some light word processing. If they do thier own accounting then it would be the Mac as it has quicken/quickbooks.
But for most folks Linux would do the job. Both OSs are less suceptible to malware and do a great job for the jobs most older gernation would put it to.
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
Let google maintain it for you.
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
I swear, read the fucking summary before commenting! Changing OS is not an option, changing platform (and therefore "the way the computer is used") is not an option, abandoning MS Office is not an option and OP is not asking for recommendations on an Internet Security package.
(Also, NoScript is really problematic for "normal people", so stop recommending it. AdBlock takes away most nasty things anyway)
I hear what you're saying. I'm at the age where before long I'll be an old guy. The new kids will probably think I don't know anything about some new thing X, only to find out that I helped write X.
My mother was a pioneer who helped bring major companies into the digital age. She's taught programming, database architecture, etc. and was a top ranking information systems executive for Fortune 100 companies. I learned a lot from her. It would be accurate to say she's forgotten more than most Slashdotters ever knew. That's one reason she calls me for help - because she's forgotten. The other day I mentioned a principle she taught me and she didn't know what I was talking about, having been away from it for 15 years.
The other reason she calls me is because while she could patch a Unix BINARY by manually editing the machine code, Windows 8 is a new, foreign land. She had a Vista machine before this Windows 8 laptop, but she's much more comfortable with Solaris or System 7, or any environment that runs Cobol.
I greatly respect her knowledge and experience, especially her deep understanding of timeless principles. She recognizes that today's systems and today's threats are not the same as the 8080 powered systems she wrote assembler for.
I've been programming interactive web sites since 1997. Recently my wife, who is ten years younger than I, taught me a bit about Facebook.
Each of us has strengths and weaknesses. In general, as we mature we synthesize random knowledge into principles - broadly applicable statements that reflect deeper understanding than feature X and product Y. When we're younger, we're interested in each new version of product Y, the new performance feature and this new security feature.
The foolish young person might think that the "old guy" is out of date. The wise person who has seen some things realizes that the new kid actually DOES have something we could benefit from - the PFY often knows that the virus scanner we've loved for 20 years hasn't kept up, and he knows the new, improved tools.
When I want to know relational calculus or how to bid a job without requirements, I'll ask the old guy. When I want to know how to uninvite someone from a Facebook event, I'll ask that kid over there who is building the Facebook app.
Explain that they have options which are pretty secure, but different from the exact UI they are used to (Chromebook, Windows RT, iOS). Then there is OSX, which does run MS Office and is sort of secure, but still lets you shoot yourself in the foot if you go to some length. Or they can stick with x86 Windows and hope for the best. Then be honest about your own time commitment in fixing any messes.
Then let them make a choice like adults. Hopefully they modeled all of the above steps during your formative years.
If a virus cannot get into the Windows registry, it's not going to be able to be a persistent problem. The only way it can get into the registry AFAIK is via administrative prileges (or a privilege escalation exploit). Any simple file downloads will be blocked by the virus scanner. Obviously, keep the computer patched so that privilege escalation exploits are limited.
If a virus does get into the registry, the only way to be sure it's gone is to reset the computer. This pearl of wisdom comes from tedious experience.
Just give them a standard account on the computer, keep the administrator account password to yourself.
Also - it's very helpful to keep their computer behind a router which provides their WiFi. The router gets probed all day long and stays mute, and the nasties never get to strike up a conversation with the operating systems behind it.
Fantastic, That'll be nice and handy for me at least once in the future.
Thankyou.
Life is like a box of chocolates, you never know when your gonna get food poisoning.
Ok, I'm going to try to try to actually answer OPs question. On Windows 7/Vista, a set-it-and-forget-it configuration that is secure. (I'm not going to give an alternate OS or a setup that will confuse grandma)
Use Chrome Browser. It has its own built-in sandboxing and is generally less prone to viruses than all other browsers. Configure plugins as click-to-play (chrome://chrome/settings/content). Disable all plugins except "Adobe Flash Player", "Chrome PDF Player", and "Google Update" (at chrome://plugins/). Disable Internet Explorer to prevent her from going back to her old ways. Set Chrome as your default PDF viewer.
Install an Anti-virus suite. No, not MSSE. You need more than just anti-virus. She needs a suite like Avast, AVG, or ESET. You need something that scans web sites, scans email, checks if software is up-to-date, and sandboxes scary downloads. Personally, I like Avast. If you use Avast, configure all the non-critical popups to only last 1 second, and turn off all non-critical sounds. It's free, but the Pro version is slightly better.
Set windows to "Always notify" on system changes. Viruses have gotten around Windows security to install into the system.
Set up a Standard User for her, rather than the default Administrative User that Windows defaults to. This will prevent viruses from installing into the system. It will also prevent her from installing system applications. She'll still be able to install some user-level applications, however.
Install Dropbox and tell her to always save her documents in the Dropbox folder. So, if the worst happens, she won't lose her work files. Dropbox also has a versioning feature, so she can recover old copies of files (in case of something like CryptoLocker).
Install BufferZone Pro. This will automatically sandbox Internet applications, like Outlook, Skype, etc. I like to exclude CHROME.EXE as Chrome has it's own sandbox.
OK, I haven't actually taken this approach with either my parents or my wife's mom :-) My parents bought a Mac back in ~1987, and continued to upgrade Macs occasionally. My mom's Mac is currently secured by the fact that it's a Mac, and she only uses dial-up internet because that's good enough for email and she doesn't see well enough to use the web unless she really needs to. (And my siblings all grumble about not having decent internet access when we visit, but she really doesn't want to bother upgrading, even though she did finally get cable TV when the digital transition broke her ability to receive the PBS station she likes via broadcast.)
We got my wife's mom a generic Windows PC when she retired, with AOL. It let her chat with her friends, keep up on the celebrity news, and generally stay connected to the world when she was getting less mobile. "Computer security" for her system meant occasionally formatting the disk, reinstalling Windows from scratch, reinstalling a new free AOL coaster, and having her log in to AOL, because she kept everything she cared about in the cloud rather than on her PC.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
You are most welcome and if you haven't heard of them before let old Hairy turn you on to a couple of other "shop guy tricks", specifically WSUS Offline and Ninite.
These two little life savers can take the time from starting a windows install to finished and ready to go from several hours to less than an hour and a half. You use WSUS Offline to download all the updates, service packs, as well as DirectX,IE, and .NET updates and then just slap that sucker onto a USB drive (or in the case of the shop a share drive on the LAN) and let it go, takes all the hassle out of taking a Windows system from fresh install to ready to go. Works on XP- Win 8.1 so it doesn't matter which one you are using either.
And Ninite? Ohhh you are gonna love Ninite, he is the PC fixit guy's best buddy. With ninite all your major third party software is taken care of, you've got browsers and codecs and media players and antivirus and IMs and pretty much all of the stuff your average person wants, with Ninite you just check the boxes and go. oh and NO TOOLBARS, no extras, none of the crap that so many programs drag along these days, just a clean unattended install of the latest version of whatever you picked. As an added bonus if you need to update and aren't sure if your software is out of date? just check the boxes and run it, Ninite will only install if you have the older version.
So there ya have it, with that and the little 3 step I posted earlier you can take a PC from bare metal to grandma proof in no time flat, enjoy!
ACs don't waste your time replying, your posts are never seen by me.
Got my parents a Mac mini years ago, never looked back :)
If it's a Win7+ machine, the built-in backup solution works just fine. It's also simple in case you don't have/want to use the software to restore: Files are in zip archives, the system image is a vhd which can be booted in a virtual - you can actually "test" your backup images by booting them in microsoft's virtualization software. It rolls over for hdd space and all, and run effectively maintenance free (in fact, don't touch it). I can't remember if vista had a built-in backup solution.
Take a look at this article
basically, set software restriction policies such as PATH RULE
C:\Users\ DISALLOW
Or better yet, set to DISALLOW by default. And whitelist specific system directories, including the default allowed directories.
Only allow installed software to run, and software in C:\Windows c:\program files c:\program files (x86) etc.
And perhaps some temporary directories
For web browsers such as Chrome, I suggest you should use "Chrome for business" installed globally, instead of installed in the individual user's directory.
You may need to allow some programs to execute from some temporary directories of the user profile to allow automatic updates running as the user instead of admin.
My mother is 60 years old, I switched my family to Xubuntu a few months after I switched in October 2012. To say that older people are set in their ways and would much rather use Windows is silly. My family used Windows as long as I have, about 15 years, and didn't have a problem adjusting. In fact, once 7 hit the market with the new taskbar and the 8 with it's radical changes; you're going to have to learn a new OS anyway so why not go to one that's more secure and doesn't suffer all the flaws that Windows has. Not to mention my family doesn't have to go through the hassle of installing drivers on Linux, it's truly Plug and Play.
Fact of the matter is this: My 60 year old computer illiterate mother, two brothers, my 59 year old friend across town and myself have no issues using Linux. If you do, you're doing it wrong.
Install Ad Block. I'm sure a lot of the crapware comes from sponsored ads. If they don't appear she can't click them.
Or some kind of VM genn'd off a server image and transported to a thin client.
computer security ... in bed, meme :)
I agree the stereotype is dated. Most people started getting home computers in the 80's. If you were a teen then you'd now be in your mid to late 40's. You'll probably know more about hardware than most people that are younger and almost certainly more than the "javascript weenies" that just hunt down an existing script and plug it into something.
Next up the OP's question: it is broken they want security but they want to stay with an obsolete OS: not going to happen. You don't have to like change but if you don't change you'll be using something that is easily exploitable.Chances are fairly good that these Office and browser type computer users would be completely fine on the latest windows/mac/linux offering. The browser will be the same or close enough and unless they are power users of office the basic type an invoice functionality isn't affected by the "new" Office ribbon to any meaningful extent. Probably 90% of users of Office could get away with a free offering (the remaining 10% are writing macros/using plugins someone else has made that they need/already know how to do in VBA).
Install a router, or something running something like tomato, that can run a composite block-list that is automatically updated. Sure they could still screw up settings and maybe install something they don't want, but this makes it nearly impossible to get anything malicious and resolves 80% of the problem.
I wish I were exagerating, but Windows PC builds that don't allow installs last a lot longer than those that do. Install the basics like Flash and Java (although, don't install Java unless she really needs it. Avoid if you can). After that, lock it down so that her account can't install anything. Also, hide the Internet Explorer Icon and have her use Firefox.
Well...what is going wrong? Anything? Are you sure it's worth the effort?
My parents are still using the same ancient Dell laptop they bought when my brother and I were still in highschool (I graduated college two years ago; he's now working on his PhD). It's unpatched Windows XP, and the only real security software on there is Avast! free antivirus. Other than re-registering Avast! every couple months when I'm home, I have never had to touch that system. And now they're mostly switching over to tablets and such.
Are your parents REALLY doing anything so risky that they need such a high level of protection? For casual browsing and such you really shouldn't need any more than a decent anti-virus tool. If they need more, find and plug the holes and move on.
Hell my parents don't even get backups -- because frankly, anything essential is already "in the cloud." Should there be some catastrophe I can't recover from (which has never occurred), the worst-case is I restore from the backup I took last time I had their computer (months ago) and tell my dad I lost part of his music collection (most of which he isn't even aware he has -- it's a few hundred gigs at this point). Everything truly critical they have on there is based on some sort of online service, so it's all safely "in the cloud" where I don't have to deal with it.
Although I will say one of the best things I ever did was move my mom from directly accessing her Comcast email through Outlook to placing gmail in there as a middle-man. She still uses the Comcast address, but her now multiple devices stay in sync, and in an emergency I can help her login to the web interface from anywhere.
i know the OP posited windows as a requirement,
but there's also a hybrid approach.
my primary goal was to protect my mom from serious financial fraud - ie bank account stuff.
mom uses windows for photoshop & other SW that won't go on a tablet,
and also makes heavy use of some windows-only apps which keep her away from OSX.
so, i got her a tiny HP laptop and put Linux (mint) on it,
with the strict instructions that all banking is done on the Linux machine,
and *only* banking is done on the Linux machine. no shopping, no surfing.
shopping i figure is fine on the windows machine: the credit card is secured against fraud,
and shopping itself is risk enough that it doesn't belong on the banking machine.
I suspect she's not actually following this advice, because she hasn't asked for help w/ the Linux box,
but that's probably also a failing on my part for not following up.
BitDefender Free - Automated, quiet, self-maintaining, and much better detection stats than MS Security Essentials - switch today
Malwarebytes Antimalware Pro - One time fee, adds even better protection for people likely to click on malicious links
Secunia PSI - Automatically updates software with vulnerabilities without user interaction - the most often missed crucial piece in a secure PC. Old Flash and Java installs make giving your parents' non-admin accounts pointless - malware will just use those to elevate privilege. PSI will keep everything up to date, without anyone having to do anything manually.
CrashPlan - Install it and point it at your computer. After the one-time setup, all your parents' data will be backed up to your PC. Off-site, automated backup for free. Far superior to a simple backup external drive that is vulnerable to malware running on their system.
Setup the PC to save personal data to a separate volume, and boot the pc up into the same 'clean' image every time. That way, they can screw it up all they like, but on reboot, it is back to normal.
My thoughts exactly, DD-WRT, OpenWRT, or Tomato firmware running on a supported firewall/router and most issues are non-issues. Great post.
Block lists are like blacklists dude, they just don't work. Too many legit sites get pwned every single day for block lists to be useful for anything except maybe making file sharers feel safer (protip:they aren't) by blocking known trolls like mediadefender.
It may help keep grandpa off porn sites but for actual security? Like i told APK with the HOSTS files its just not able to keep up with the thousands of new threats coming daily. With my method the system is running in low rights modes with default deny, a MUCH safer way to access the net IMHO.
ACs don't waste your time replying, your posts are never seen by me.
Not using hosts, dns poisoning. They work, with pr0n and all.
Its still the same principle dude, a list maintained by some guy/s somewhere that is supposed to magically keep up with the 10,000+ websites pwned every single day and as I pointed out to the Linux "Just give us the source and we'll maintain it" the math just doesn't work. You've got MAYBE 50 guys working on that DNS list, you have several BILLION websites, and you have legitimate websites getting pwned all the time. in just the past few months we've seen everyone from wordpress to Google serve malware and you HONESTLY think that a text file is gonna save you?
You might as tape a rabbit's foot to the router for all the good you are doing, magical thinking just doesn't work. if it did? You'd see routers sold by default with easy to switch blocklists. the reason they don't is because you end up blocking legit sites that have been cleaned while letting in sites that have been freshly pwned, the math just isn't on your side, like blacklists you are playing an arms race with the world and you WILL lose, the only question is how long it takes.
ACs don't waste your time replying, your posts are never seen by me.