Slashdot Mirror
Ask Slashdot: How Would You Secure Your Parents' PC?
New submitter StirlingArcher writes "I've always built/maintained my parents' PC's, but as Mum has got older her PC seems to develop problems more readily. I would love to switch her to Linux, but she struggles with change and wants to stay with Vista and MS Office. I've done the usual remove Admin rights, use a credible Internet Security package. Is there anything more dramatic that I could do, without changing the way she uses her PC or enforcing a new OS on her again? One idea was to use a Linux OS and then run Vista in a VM, which auto-boots and creates a backup image every so often. Thanks for any help!"
All you need. Click here.
Like email, browsing, and perhaps some photos and videos, get a tablet. I hate to add to the PC market shrinking (it is my main bread and butter), but a tab is typically simpler, and more than enough for many use cases.
Additionally, you can root and do a nandroid backup on initial setup as a quick imaging routine in case of problems.
Disclaimer, I wrote this on the commode with a nexus 7.
Silence is a state of mime.
Sell the PCs and get them iPads.
Problem solved.
I'm not joking.
Most people don't need the flexibility and attendant hassles of PCs anymore. Just give them an iPad or Nexus and be done with it.
and she took a few weeks to adapt, now she uses it (mostly) trouble-free. I also enabled Desktop sharing via VNC to avoid driving to her place every time she complains 'I had my icon here and now it's gone' or 'It does not behave as berfore' or 'The menu to send my mails is gone'.
Her grand-children also spend lots of time on this computer while she takes care of them, and I used to clean lots of malware after them... not anymore.
How about Windows 7? From what I remember about the steaming pile that was Vista, 7 looks very similar. Sure it's new, but if it looks the same that may be acceptable.
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
My in-laws were having Windows XP issues, so I upgraded them to Mint. Zero support calls to me since then - and they like it...
Procrastination; I'll think of a sig tomorrow.
Freeze all system changes except saving into the the documents folder. There are a number of programs to do it, seems the most popular is Deep Freeze. It allows all system changes, but after reboot it is all gone. Some tweaking will allow making a few things persistent, such as the documents.
http://alternativeto.net/software/deep-freeze/
Build your own energy sources from scratch. http://otherpower.com/
Install Firefox, LibreOffice & Thunderbird. Insist that she use them. If she ignores your advice, tell her you can't/won't help her.
(Living on your own, doing your own laundry and being over age 25 adds necessary gravitas.)
"I don't know, therefore Aliens" Wafflebox1
My mom uses her Win7 machine as a User, and not as an Administrator.
You can avoid 99% of viruses, phishing, and other BS simply by taking away administrator rights.
No matter what you set up on a PC they will break it somehow. Trust me on this one. The best I.T. decision I ever made was giving my mother-in-law an ipad.
Good-bye
Bruce Wayne, is that you?
"He who can destroy a thing, controls a thing." --Paul Atreides, Dune
When I see comments like this, I am SOOOO grateful that mum bought a core duo imac 6 years ago, and it still is going strong....
If she already uses Firefox, great, if not, see if she can accept it. If she does, then add NoScript in and pre-configure it to only allow scripts from the sites she visits and their legit links and support sites. Basically, walk through her bookmarks and URL shortcuts and give just enough privileges to make the site load properly. That'll block a lot of the skeevy ads from appearing and protect against the vast majority of X-site scripting. You may still have to deal with new sites "not working" from time to time.
You may also want to install WOT (Web of Trust) if your existing security package doesn't block dangerous sites. That'll put a big warning screen up on any sites that are recognized as unsafe.
Also, if you can at least get her to upgrade to Win 7, that should stay in her comfort zone while giving you a few more generations of security updates.
Unless she absolutely needs it, uninstall Java.
And finally, since you have her off of Admin rights, I'm assuming you are doing all the administration-otherwise she'll forget some day and go out on the web when logged in as Admin. In that case, you'll have to go over there once a month to update Windows, Firefox, Adobe Flash+Reader and possibly Java. Or at least every three months.
You, the OP, are a nerd. Your parents are not. Apple get "normal people". Do them a favour and get them something they won't hate.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Might wanna take out the CPU as well, just in case.
One might assume some 35 years after the advent of PC revolution, there are more than a few grey hairs running around like me with infinitely more knowledge on how to secure a computer than some smart mouth tweener. Having spent years securing their computers, I would not trust any child of mine to do a better job than I would and it's time to put the tired meme that kids know tech better than their parents to bed where it belongs.
That which helped me the most with this issue was enforcing Firefox with Adblock and Noscript, and setting the AV to update daily without confirmation and run scans every other day. This has reduced the warnings / malware numbers from roughly 120 to 0 when I run the scans manually.
The only problem is that you need to make sure they don't simply click "allow scripts globally" every time something doesn't work.
Good luck.
I second this. I've moved people from Windows to Kubuntu telling them that it is Windows [7|8|9] and they love it. Just don't tell them what it is called.
Tips: Firefox instead of Rekonq, Lancelot instead of the default KDE menu, remove all desktop widgets and 'lock' the desktop and panel.
It is dangerous to be right when the government is wrong.
Simple as that, you don't, it's just not possible....
I'd start with Avast, maybe Malwarebytes. Install Chrome, put it on their desktop and change the icon to Internet Explorer. Use SpyBot to blacklist sites. Setup everything to auto-update and auto-scan so they don't have to be bothered with any of it.
Then come back in a month, Secunda PSI and Qualys Browser give you a good way to keep track of what needs to be updated. Update it all. Registry doesn't really need to be cleaned these days, unless it gets really bad, I've found it actually does help performance a bit, CCleaner does a good job of this. Make sure everything is up to date and clean. Now go to the Control Panel, uninstall all the toolbars, uninstall Mcafee, etc.
Repeat this process every month... You can make things better, but you can't secure it.
I would secure my or any one's parents' PC by first installing a well supported and regarded Linux distribution, with a firewall, ClamAV to repel viruses that could infect a Windows computer to which e-Mails are sent, and a simple login authentication with password that they would easily remember, but could not be be easily guessed by anyone else.
Remind them never to click on any Bank or other business ad or e-mail for which they do no business, and that all their insurance and banking vendors would send important info by snail mail.
Nothing else in needed or required.
and installing Linux and configuring an IPTables firewall script that runs every time the PC boots up so i only have to visit once a week to check for software updates., all mom does is play various solitaire games and email a few family & friends, buy a few things on amazon and Linux does all those things quite nicely
Politics is Treachery, Religion is Brainwashing
Something like Faronics Deep Freeze might be useful, restoring the computer to a clean slate after each reboot. You still want your usual anti-virus and firewall to protect the machine when it's running, but at least your parents would know that if things break a restart should generally fix everything.
Leave My Documents and the browser profile unfrozen and set up a regular backup of files written there, taking precautions to make sure the backup isn't susceptible to encryption by ransomware.
I put my dad's PC up with Linux a few years ago. I have him set up with reduced user privileges so he cannot fuck anything up. He does very well with everything he needs to do, and I've not had to worry about anything that he's doing with that PC in just as much time.
Is it as bad a Symantec?
No. In fact, I can't really think of anything that is. Maybe there are a few viruses that are as bad.
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
Well, actually, if I were to accidentally bump my head or something, and suddenly found myself incapable of administering a computer, I do have one son whom I could trust. The other two are computer nitwits. Not computer illiterates, but nitwits. They KNOW that certain things are dangerous, but they just don't care. The smart mouth tweeners you mention, to be precise.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
I bought my Mother an iPad 2 years ago. I didn't realize how profound the change over was for her until I saw her helping one of our other relatives with their new iPad. Not only had she mastered her iPad, it made her feel smart again.
She still has her Vista desktop connected to a printer and uses it when she needs to print or fill out online forms. But that only happens a couple times a year. We even got her a little JBL dock so that she could listen to music last year and she fell in love with the iPad all over again. It's crazy.
But it was a good reminder for me. Technical people get caught up in different camps (i.e. Linux vs. Windows vs. Mac). We forget that good tech is good tech. And when you can watch your own tech-resistant parents become empowered by one device. It's good tech.
I specifically went with an iPad because of their walled app garden. Higher functioning users could probably be just fine with an android tablet but this was my Mother. A woman who gets very emotional when things don't work right. And now 90% of my extended family have iPads because of her.
So before you think about changing your Mother's desktop, change the way you're looking at the problem. Users will try to tell you what they think they need but *hopefully* most of us are smart enough to go back and ask them what the problem is (not what they think the solution should be).
As I said, we did keep her desktop but the tasks that would open her up to viruses (surfing) now happen on the iPad. I went from having to clean her machine 4 or 5 times a year to zero. Getting that time back was well worth the price of the iPad.
Folks hate change, but everybody loves something new. So instead of fixing their old crappy computers or installing Linux, I give them a new netbook/chromebook running some kind of Linux. They immediately start to use the new shiny one and I never get any support calls, since the machines just work and keep working, year after year.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Goodness. I make a fair bit of my salary from environments where people have such casual attitudes to security, and install a single tool as a "fixed all my problems".
Good security takes layers. Robust backups, proven recovery or rebuild procedures, good practices for sanitizing incoming data, procedures to transfer sensitive data securely, and ways to safely store seldom used passwords are all subjects requiring thought and consistency. Schedule some time with your parents to walk though their usage patterns with them, to help them have backup practices and recover procedures they can work with. Work with them on sound password practices.
Too many people, and companies, have too many environments where a single "fix" has been applied and all the other risks ignored. Too many such environments have one "fix" applied in one place, and another "fix" applied elsewhere, which between them make the environment twice as vulnerable because they leave a commonly used escalation path, being probed by script kiddies all the time.
"I think my computer has a virus."
"What makes you think that, Dad?"
"Well, it's been running slow lately. And once a website popped up a notice saying it had detected a virus on my machine."
"... It did?"
"Yeah. I downloaded and ran the program it suggested but it seems even worse now."
"You're right, Dad. Your computer has a virus. Better take it to the repair guy."
True story. I love my parents, but they're three hours away by car, I gave up on Windows years ago, and there's no way I can talk them through a de-lousing session over the phone. ("Open the control panel. Go to the start menu... No, the one in the lower-left. Now click on it. LEFT click. Press the button on the left side of the mouse, Dad...") Computer repair shops still exist, or in the worst case they can take it to the Geek Squad who at the very least can re-image the damned thing.
Chelloveck
I give up on debugging. From now on, SIGSEGV is a feature.
Greetings, As someone in the IT industry maybe I can give you some advice.
Since she is on Vista, you might want to look into Local Group Policies.
http://technet.microsoft.com/en-us/library/cc725970.aspx
You have much finer, granular control over many aspects of Windows through it. It can take some trial and error, but you can setup an environment where only specific applications run and nothing else. Or, you can do things like not allowing application to run from specific locations (E.G. C:\Users\\AppData or C:\Program Data). Doing this can greatly reduce the amount of Malware and Virus infections. You can also prevent changes to things like the Start Menu or task bar, etc. A lot can be done with Local GPOs that doesn't seem widely known to the standard Windows user, but they can really help lock a machine down.
I've never encountered a virus that was more difficult to remove than Norton.
I've also never had as much damage from a virus as the damaged caused by simply running Norton.
I quite honestly treat Norton as malware.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
1 backup the data from the computer and wipe the computer ,teamviewer ,avast and whatever else you think they will need
2 install Win7 (you should be still able to get a LEGIT copy somewhere) DO NOT CONNECT TO THE NET
3 build on your computer a win7 and whichever MSO set of WSUSOffline patches and create a Ninite loader with Firefox/chrome,7zip, LO
4 run WSUSOffline and get the patches done (optional step install MSSE and upgrade MSIE)
5 run the Ninite Loader
6 FOR EACH OF [FIREFOX CHROME MSIE] WHERE INSTALLED =TRUE hit the adblock plus site and get it installed and configured.
7 setup Teamviewer and set a permanent password
8 set like EVERYTHING to auto update and "silent" mode where possible.
Any person using FTFY or editing my postings agrees to a US$50.00 charge
Obviously you have not used McAfee.
The great thing about buying Apple is you can always send them to the Apple store for support, once you determine you can't solve the problem via screen sharing.
One might assume some 35 years after the advent of PC revolution, there are more than a few grey hairs running around like me with infinitely more knowledge on how to secure a computer than some smart mouth tweener. Having spent years securing their computers, I would not trust any child of mine to do a better job than I would and it's time to put the tired meme that kids know tech better than their parents to bed where it belongs.
Yep. Just like kids with cars are (long since) no longer all shade tree mechanics, kids who like playing with tech are not all techies. Not by a LONG shot.
Securing a system for novice users isn't really that hard. The two most important steps are: (1) make sure they're running as a limited user, and (2) have them run a decent, but lightweight, anti-malware program. You've already indicated that you are doing this. For the user account, I strongly recommend not even giving them the admin password so they won't be tempted (or socially engineered) into using it. You should set up remote access so you can get in if they need help with something that legitimately requires it. For anti-virus, Microsoft Security Essentials works pretty well - it's lightweight and free. Not 100% perfect, but nothing is.
DO NOT install the Java Runtime unless it's absolutely necessary. Having this crap in the browser is the #1 vector of malware infections today! If the user absolutely needs it for one or several specific sites, use a whitelist. (Or, if it's for a non-web application, disable the web plugin using the control panel.)
Watch out for the Adobe junk, too - Flash Player and Adobe Reader are major malware vectors these days. Unfortunately, you can't usually skip Flash and PDF support entirely. Therefore, I suggest having the user use Chrome instead of IE. Chrome has its own version of Flash which is automatically kept up to date. And you don't need Adobe Reader, since there is a built-in PDF viewer in Chrome (which you can also associate with the .pdf file extension if you want). Install Adblock Plus for Chrome for some added peace of mind (not to mention a better browsing experience). Uninstall IE (or at least hide/remove the icon) so the user won't be tempted to run it.
It is almost inevitable that I will have to provide them with a Windows machine. The *nix alternative is too weird and too much could go wrong in their hands.
(1) I would lock them out of any significant changes. They would not be capable of getting escalated permission (to install or uninstall software, to use administrative tools, etc.) without a special* password.
(2) * I would come up with some means of rewriting the admin password using PRNG and a given sequence. Each time Admin permission is given for installation of some program or another, it would advance the sequence and re-write the Admin password. I would keep track of how many times this has been done and always know which bunch of pseudo-random characters it is currently. I would probably be on the phone with them for awhile because in some cases you have to escalate two or three times to get something installed or changed.
(3) A sub-Admin account would exist but with severely curtailed privileges. Where "Adminstrator group" permissions are given for services or privileges, I would remove "Administrator group" and replace it with the name of the fully-powered Admin account, and only add the name of the sub-Admin account where it's needed. They would regularly use this sub-Admin account instead of a regular user account. This way they could plug-and-play printers, change windows services (SOME of them) and so on without needing to call me up for the mystery password.
(4) All remote access services would be shut down. They would be entirely on their own, no remote desktop or remote help. If they somehow heard about remote desktop or remote help and wanted to do that, I would tell them too bad, that if they don't want a secure computer we can do a fresh re-install and they can have the complete out of the box experience and damn the torpedoes, but that I would no longer consult with them on that computer. That would change things, if not right away, then certainly when they are swamped with viruses and getting hijacked down the road.
(5) I would demand no outside consultancy, just like I do with any windows box I "secure". If somebody I've helped comes back to me complaining that they went to somebody else and now everything I did was undone again, I cut them loose. There are too many people posing as "computer geeks" who seem to enjoy installing anti-malware that's pure slowdown and kicks and screams to stay on the system, "speed up" and "doctor" apps that are known to be shady, and other massively market-hyped crap. Since insisting on no outside consultancy, I've significantly decreased my stress and workload by ridding myself of chronically repeat clients. In fact, I don't do street computer work any more, at all. It's not worth it. I would be doing my "parents" a serious favor at the cost of a lot of stress and hassle in my life.
(6) I have never been satisfied with the auto-update experience of most applications. I would have to choose software for them that I feel is secure enough not to need updating, and to leave it at that. Windows Update is bad enough, and they are already going to be screaming at me over the phone on those days when there's a serious patch and it's in the news and Microsoft's update service is running slow or haltingly for several days.
Alternately:
I would just install something like SUSE and a virtual machine running their precious Windows. I would get my "parents" a really expensive laptop, two sets of wi fi keyboards and mice, two wi fi monitors, and set them up with SUSE giving them two simultaneous but separate experiences inside their Windows virtual machines. It would take me for fucking ever and would be complicated as shit, and would be really expensive. Then since they would want persistent Windows experiences, Windows itself is still there to be a total complete headache nightmare. So why go the convoluted "matrix reality" style virtual machines in a linux box when they can still screw up their persistent albeit virtual Windows experience? Yes there'd be this nice safe l
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
As a PC shop guy I run into this problem quite a lot and there are actually a few options. You can have a program like Paragon Backup and Recovery Free set to make daily/weekly/whatever disc images and then easily roll it back when they bone it (because if they are like most older folks no matter how many times you tell them "don't click on that" they will) but the problem with those is that you usually have to be the one to roll it back, too complex to restore from disk image for an old person.
So while this way is no longer supported on Win 8 and above (but since Win 8 is a bomb who cares) this is the way that I do it and it gets the "Hairyfeet seal of approval". This method scores damned near a 10 out of 10 in both keeping infections out and in fixing if they manage to bypass your security and infect it anyway. And yes that is a problem, as i have seen older folks actually turn OFF the AV because an email told them to. As a bonus it costs $0.00 and doesn't take more than an hour tops. Ready?
1.- Install Comodo AV Free and be DAMNED SURE to pick YES when it comes to installing Comodo Dragon, the why will be apparent in a moment. You can go ahead and uncheck geek buddy, that is your job, they don't need some guy at a helpdesk in India to tell them what to do. 2.- Go into Comodo AV after install and turn it to "paranoid mode" this will run everything in a sandbox by default and treat everything as suspect. Now for your not completely clueless you can leave it in clean PC mode, but for those that click the "punch the clown and win an iPad" types paranoid is safest. 3.- the final step is to download and install Comodo Time Machine and LOCK the first image, call it "clean PC" or something else that will be easy to tell grandma over the phone. A bit of warning when it comes to CTS, it dos NOT work on win 8, it does NOT work on dual boots, you should also set it to clean out old snapshots after say 30 days. That said if you want a PC that can recover from pretty much every bug out there? here ya go.
And that is it, stick a fork, there is no step 4. Of course this assumes you have already done the common sense things like set windows update to automatic but other than that you should now have a 100% clean PC that will stay that way. The browser is sandboxed and locked down, runs by default in low rights mode, the AV is watching everything like a hawk and if they manage to talk the old folks into bypassing the AV? Time machine has you covered. I have several users that would get more nasties than a Bangkok whore on coupon night and thanks to this little 3 step program their PCs are pretty much idiot proof. Oh and as a bonus if they screw anything up, uninstall a printer driver or just trash a program? it takes less than 10 minutes over the phone to restore with CTS. You tell them reboot, hit home key when they see the big clock, pick the day before (assuming you set it for daily or snapshot on boot) and leave it alone...and that is it, the CTS will set the machine back and it'll be like they never made the boo boo.
ACs don't waste your time replying, your posts are never seen by me.
i'd get them a chomebook.
easier to use. minimal risk. minimal cost. simple to replace.
My God can beat up your God. Just kidding...don't take offense. I know there's no God.
I hear what you're saying. I'm at the age where before long I'll be an old guy. The new kids will probably think I don't know anything about some new thing X, only to find out that I helped write X.
My mother was a pioneer who helped bring major companies into the digital age. She's taught programming, database architecture, etc. and was a top ranking information systems executive for Fortune 100 companies. I learned a lot from her. It would be accurate to say she's forgotten more than most Slashdotters ever knew. That's one reason she calls me for help - because she's forgotten. The other day I mentioned a principle she taught me and she didn't know what I was talking about, having been away from it for 15 years.
The other reason she calls me is because while she could patch a Unix BINARY by manually editing the machine code, Windows 8 is a new, foreign land. She had a Vista machine before this Windows 8 laptop, but she's much more comfortable with Solaris or System 7, or any environment that runs Cobol.
I greatly respect her knowledge and experience, especially her deep understanding of timeless principles. She recognizes that today's systems and today's threats are not the same as the 8080 powered systems she wrote assembler for.
I've been programming interactive web sites since 1997. Recently my wife, who is ten years younger than I, taught me a bit about Facebook.
Each of us has strengths and weaknesses. In general, as we mature we synthesize random knowledge into principles - broadly applicable statements that reflect deeper understanding than feature X and product Y. When we're younger, we're interested in each new version of product Y, the new performance feature and this new security feature.
The foolish young person might think that the "old guy" is out of date. The wise person who has seen some things realizes that the new kid actually DOES have something we could benefit from - the PFY often knows that the virus scanner we've loved for 20 years hasn't kept up, and he knows the new, improved tools.
When I want to know relational calculus or how to bid a job without requirements, I'll ask the old guy. When I want to know how to uninvite someone from a Facebook event, I'll ask that kid over there who is building the Facebook app.
I added some RAM and reformatted some aging work machines a few years ago, and they were running amazingly fast (compared to before the format). Then I re-installed Norton and they became unbearably slow immediately. I never knew before that just how bad Norton had become (having not used it personally since ~2000). With forced version changes, Norton makes entry-range computers unusable within a few years, in my experience. I can't believe they willingly produce such a system-crippling product. It is really shocking.
You are most welcome and if you haven't heard of them before let old Hairy turn you on to a couple of other "shop guy tricks", specifically WSUS Offline and Ninite.
These two little life savers can take the time from starting a windows install to finished and ready to go from several hours to less than an hour and a half. You use WSUS Offline to download all the updates, service packs, as well as DirectX,IE, and .NET updates and then just slap that sucker onto a USB drive (or in the case of the shop a share drive on the LAN) and let it go, takes all the hassle out of taking a Windows system from fresh install to ready to go. Works on XP- Win 8.1 so it doesn't matter which one you are using either.
And Ninite? Ohhh you are gonna love Ninite, he is the PC fixit guy's best buddy. With ninite all your major third party software is taken care of, you've got browsers and codecs and media players and antivirus and IMs and pretty much all of the stuff your average person wants, with Ninite you just check the boxes and go. oh and NO TOOLBARS, no extras, none of the crap that so many programs drag along these days, just a clean unattended install of the latest version of whatever you picked. As an added bonus if you need to update and aren't sure if your software is out of date? just check the boxes and run it, Ninite will only install if you have the older version.
So there ya have it, with that and the little 3 step I posted earlier you can take a PC from bare metal to grandma proof in no time flat, enjoy!
ACs don't waste your time replying, your posts are never seen by me.
My mother is 65+, retired, and used a computer at work everyday from the 80s until she retired {from the DMV} a couple years ago. She may not know how to repair the hardware but does fine keeping her PC/Software/AV up to date, staying off of questionable sites, not opening unexpected unknown attachments in her email, setting up a new printer, new wireless router, not installing random adware/malware garbage.