"The Rules" - Basics of Personal Computing Security: Submit Your Rules

sheared wrote:

Are you interested in that Word File/Excel File/PowerPoint File/PDF File, but suspicious of it's origin? Use Google Docs to view it.

Something I was asking in another thread: is there an easy way to do an "open this document in Google Docs" from the Windows desktop? I think we determined the answer was "no", and I'm quite surprised that that's the case.

Tagging thread! Some great advice.. I know I get lazy with fresh builds, so this is a great reminder to get those Firefox extensions added.

Rezzy wrote:

Use some discretion when hunting for someone 'good' with computers.

This is SO true and I'd love to leave the "know someone good with computers" part off the list entirely because of it, except for the fact that actually knowing someone that legitimately knows what they're doing is the best possible thing a non-techie can have.

I've thought about, "where would my family turn to for tech stuff if they didn't have me?", and the options are scary. Other than my younger brother, whose tech skills (by his own admission) are entirely a byproduct of being raised in the same household as me, I don't know of anyone my family could turn to that wouldn't be disaster city.

The worst part is that you can't even necessarily trust someone who makes their living in "computers". My brother-in-law, your standard California central valley redneck, went and got an A.S. from the local area technical college, and is now teaching there. We haven't received any virus blasts that have gone to his entire Outlook address book lately, so I guess that's improvement. I wouldn't let him near any system I cared about, though.

It's hard to assess if a repair shop knows what the hell they're doing, too. I'd love to be able to direct people to a place and say, "here, take your stuff there. They will take care of it right and what you pay will be worth what you get". But I don't think I've ever seen such a place. I know they exist, and they tend to be local places, but it's hard to glance at them and tell the difference between awesome tech dude local place, and moron shop. Parallax was doing a 2-man shop thing up there in Canadia for a while, and if he had been a local shop and I didn't know him from GWJ and Twitter, would I have any way to "read" him and know he's not just some Geek Squad reject? I probably would have just seen 2 guys on their own and thought "nope, the moron probability is just too high to risk it".

Another one for the "advanced" list:

* Create an alter ego for signing up for stuff

Everything you sign up for wants name, DOB, and other information that they don't really need. It's easy to fill that stuff in with junk, but then it's hard to remember what you put in for each one.

The simple solution is to invent a fake person. Fake name, DOB, answers to security questions like "mother's maiden name" and "high school mascot", and use that to sign up for everything that doesn't require your REAL information.

I have such a "person" whose life is stored in a little text file. Pick a name you can get the Gmail address for, and pick something that amuses you. I won't post mine but it always makes me smile (if you know something about guitars).

Then, to manage this separate "person" with his own Gmail address, I use the Gmail Manager extension in Firefox, which lets me open each account by clicking on their name in the status bar, without having to re-type my login credentials for each. Very handy.

*Legion* wrote:

Another one for the "advanced" list:

* Create an alter ego for signing up for stuff

Everything you sign up for wants name, DOB, and other information that they don't really need. It's easy to fill that stuff in with junk, but then it's hard to remember what you put in for each one.

The simple solution is to invent a fake person. Fake name, DOB, answers to security questions like "mother's maiden name" and "high school mascot", and use that to sign up for everything that doesn't require your REAL information.

I have such a "person" whose life is stored in a little text file. Pick a name you can get the Gmail address for, and pick something that amuses you. I won't post mine but it always makes me smile (if you know something about guitars).

Then, to manage this separate "person" with his own Gmail address, I use the Gmail Manager extension in Firefox, which lets me open each account by clicking on their name in the status bar, without having to re-type my login credentials for each. Very handy.

I like to use data from a favorite, historically well-known, person.

I mean, it's not as secure as a completely artificial identity (since presumably the data is "out there"), but it's also handy because I don't need to have the stuff written down anywhere. And since the last hundred years could have any number of authors, directors, artists, or really anyone who I admire, you'd have to be really in my head to figure out which one in particular I'm using.

Of course, in that case it helps not to have "I LOVE HEINLEIN AND WANTS TO HAVE HIS CLONE BABIES!!!!" written on your Facebook interests (he's not actually the person I use, just so you know.)

*Legion* wrote:

Another one for the "advanced" list:

* Create an alter ego for signing up for stuff.

Funny story along these lines.

I was downloading a common program from a site that required I fill in some personal info prior to download. So I tried registering using the email eatsh*[email protected]

The response: This email has already been taken.

GioClark wrote:
*Legion* wrote:

Another one for the "advanced" list:

* Create an alter ego for signing up for stuff.

Funny story along these lines.

I was downloading a common program from a site that required I fill in some personal info prior to download. So I tried registering using the email eatsh*[email protected]

The response: This email has already been taken.

That was me.

*Legion* wrote:
sheared wrote:

Are you interested in that Word File/Excel File/PowerPoint File/PDF File, but suspicious of it's origin? Use Google Docs to view it.

Something I was asking in another thread: is there an easy way to do an "open this document in Google Docs" from the Windows desktop? I think we determined the answer was "no", and I'm quite surprised that that's the case.

I saw that they have drag-and-drop pictures for Gmail, so I imagine it's only a matter of time before Google Docs has it also.

For me, the cure is worse than the disease. So many exploits are Flash or Java based. And they use porn to lure people in. No porn? Risk a virus? Pay for porn?

I only mean this semi-jokingly. It is the functionality of the web that we all want and need that is exploited-our desire to see video, play games, listen to music.

Some of my big ones-no hyper links in your mail client. Do not click links without checking the status bar.

Do not open mail from people you do not know.

Limit the people who know your address and password.

One I am bad with, change your password often.

Another one I am bad with, do not have your Administrator user be the Main user. You should create yourself a sub account.

If you think the person is of a more sophisticated capability get them on Firefox, running a script blocker. You need to take an extra step on Youtube, but you are safer.

*Legion* wrote:
sheared wrote:

Are you interested in that Word File/Excel File/PowerPoint File/PDF File, but suspicious of it's origin? Use Google Docs to view it.

Something I was asking in another thread: is there an easy way to do an "open this document in Google Docs" from the Windows desktop? I think we determined the answer was "no", and I'm quite surprised that that's the case.

http://code.google.com/p/google-gdata/

The DocListUploader installer gives you an app that can add a "Send to Google Docs" in the Windows right click context menu, if I recall.

I think it also supports drag-n-drop into the app itself.

Tyrian wrote:

The DocListUploader installer gives you an app that can add a "Send to Google Docs" in the Windows right click context menu, if I recall.

That's exactly the sort of thing I was talking about. Superb.

KingGorilla wrote:

For me, the cure is worse than the disease. So many exploits are Flash or Java based. And they use porn to lure people in. No porn? Risk a virus? Pay for porn?

I only mean this semi-jokingly. It is the functionality of the web that we all want and need that is exploited-our desire to see video, play games, listen to music.

Some of my big ones-no hyper links in your mail client. Do not click links without checking the status bar.

Do not open mail from people you do not know.

Limit the people who know your address and password.

One I am bad with, change your password often.

Another one I am bad with, do not have your Administrator user be the Main user. You should create yourself a sub account.

If you think the person is of a more sophisticated capability get them on Firefox, running a script blocker. You need to take an extra step on Youtube, but you are safer.

I think another problem with this is for uneducated users, the people this list is for, it's hard to see why these things are necessary.

It's like a Tiklabang stick. "If you don't have your stick then you'll be eaten by Tiklabangs. You haven't seen any Tiklabangs? That's because the stick is working." Except for computers there's about 100 sticks, and new species of Tiklabangs crop up all the time. Or that driving from A to B, you have to stay in second gear and have to make sure all the driving functions like your wipers and lights work every five minutes, because you never know...

For example the Adobe stuff was just things you installed to view PDFs and watch silly animations, until a little while ago and now you need to keep it up to date the moment there's a new version, and limit what you use it for.

I don't think there's any other piece of consumer electronics that you have to be so paranoid around, and because computing is such a cess pool it's developed it's own bunch of old wives' tales that are just accepted. I try not to overhype things, this is one thing where I feel confident saying the sooner windows dies or gets an overhaul unlike anything in it's history, the better for everyone on the internet.

Tagging, since I'm that local guy that knows computers and I've already seen a few good tips in here.

"Knows just enough to be Dangerous" -- Your computer is running slow? Download this registry file and delete everything ending in 'ing.' Your memory is probably full. The computer hides stuff so enable hidden files and settings and just delete a few of the bigger grayed out files. I have people that will go into Device Manager when their wireless isn't connecting right away.

Heh, that's kind of me. Although I've learned to be cautious.

*Legion* wrote:
DrunkenSleipnir wrote:

Want to highlight this one. I've been using NoScript and selectively whitelisting sites for a long time. There is a lot of security to be had by doing this.

NoScript also has this awesome feature: "Backup NoScript configuration to a bookmark"

It stores all of NoScript's config, blacklists/whitelists included, into a special bookmark.

Why is that awesome? Xmarks. Bookmark synchronization = NoScript config synchronization across your machines.

Xmarks is dead now. Should still work for Firefox Sync though. That's great, doing it right now.

MrDeVil909 wrote:

Xmarks is dead now. :(

You haven't read their blog lately, I take it.

But with multiple offers on the table we’re pretty confident that Xmarks will continue on with no service interruption.
*Legion* wrote:
MrDeVil909 wrote:

Xmarks is dead now. :(

You haven't read their blog lately, I take it.

But with multiple offers on the table we’re pretty confident that Xmarks will continue on with no service interruption.

Ah correct, haven't seen anything since the announcement that they were shutting down. I've switched to Sync anyway and it's working great.

I had forgotten what a PITA NoScript is though. Sure it's secure, but so is using a 64 digit code to secure your belt. Doesn't help when you need a pee.

Scratched wrote:

I think another problem with this is for uneducated users, the people this list is for, it's hard to see why these things are necessary.

It's like a Tiklabang stick. "If you don't have your stick then you'll be eaten by Tiklabangs. You haven't seen any Tiklabangs? That's because the stick is working." Except for computers there's about 100 sticks, and new species of Tiklabangs crop up all the time. Or that driving from A to B, you have to stay in second gear and have to make sure all the driving functions like your wipers and lights work every five minutes, because you never know...

One big difference: the uneducated user of a Windows PC probably has had their system owned by viruses/spyware at some point in the past.

Granted, some people are oblivious to cause and effect, but you can only help the ones with their heads screwed on straight.

I try not to overhype things, this is one thing where I feel confident saying the sooner windows dies or gets an overhaul unlike anything in it's history, the better for everyone on the internet.

I like to bash Windows as much as the next UNIX junkie, but as long as users are able to install arbitrary code on any system, there will be a constant security threat.

UNIX definitely has an overall better security model, but a user with the privileges to install software is a user with the privileges to install malicious software.

This is part of the impetus for the App Store-ification of desktop computing.

MrDeVil909 wrote:

I had forgotten what a PITA NoScript is though. Sure it's secure, but so is using a 64 digit code to secure your belt. Doesn't help when you need a pee.

At the very least, as I said above, install it and allow global scripting. It will still protect against XSS and clickjacking.

I do this on my parents' PCs. They'll never be able to manage site-by-site scripting whitelisting, but even removing that protection, they're still safer than they are without NoScript.

There's a lot of good ideas in this thread, I'm glad it was started. I've got a little mantra I try to go by, there's versions of this floating around.

If you don't need it, don't install it.
If you use it, keep it up to date.

Use ctrl alt del then taskmanager to close unsolicited popups when they occur. Then immediately run a malware scan if you get one.

Run a full system malware scan asap if you find that you hear your hd paging a lot when you aren't really doing much of anything.

Run a full system scan when you get more spam than usual or the spam type changes.

Have another account to log into that has no other purpose other than to run malware scans for malware that hides in your profile.

Use patience when browsing. Impatient over-clicking will only cause you to click on those virus filled adds.

Mix in the phone keypad to spell out words for login and passwords.

Type in passwords out of order or in part reverse, part forward order.

*Legion* wrote:

* You don't want that damn browser toolbar. No, you don't.

You don't want that screensaver, either.

I used to use 'bugoff at leavemealone.com' as a non-email for registration, but then I found out that the guy who runs leavemealone has a catchall and gets a LOT of mail that way. Poor bastard. So I switched to 'leavemealone.bla'.

fangblackbone wrote:

Use ctrl alt del then taskmanager...

ctrl shift esc opens taskmanager directly.

Prozac wrote:
fangblackbone wrote:

Use ctrl alt del then taskmanager...

ctrl shift esc opens taskmanager directly.

Now that's a pro-tip.

If it's a work computer, keep it a work computer. Don't let teenagers near it.

Do not install unsolicited software. Only install software that you have intended to take the action of installing. Otherwise, say no!

Doesn't this kinda conflict with "do not ignore the software upgrade balloons/widgets"? I mean, how can someone who has no idea tell the difference?

I wish there was a way to tell a good local repair shop from a bad local shop. I've been lucky so far, but that can't possibly last. I only need a repair shop when something goes really, really wrong, and that only happens every couple of years, and these places are rarely around longer than that.

Can I use something like LastPass confidently? I don't really know, but I do because otherwise I'd be ready to kill someone every time I wanted to do anything online.

jlaakso wrote:

Can I use something like LastPass confidently?

As long as it stores your data in an encrypted file that requires something from you to decrypt, yes.

KeePass does. My KeePass requires both a password and a key file to decrypt.

I have Firefox save passwords, which get encrypted because I set a master password in Firefox.

My saved bookmarks and passwords get shared between browsers through Xmarks. Bookmarks are transmitted encrypted because I set encryption to "encrypt all". Passwords are encrypted because Xmarks requires that anyway, and makes you set a password (PIN) which is used to encrypt before sending to the Xmarks servers.

If it's a work computer, keep it a work computer. Don't let teenagers near it.

This is so important.

I can't tell you the number of laptops that have crossed my desk infested with malware. The user claims they do nothing but work on it yet, they have their college football team themed toolbar and some fantasy sports ticker or links in their favorites to tv streaming websites.

When I send back their cleaned machine, they wonder why all their extraneous crap is broken. *hint* its because that crap is loaded with spyware and adware and a conduit for malware.

Perhaps someone more intelligent and alive than I needs to create an executable image that will automatically reinstall the OS in a clean state and then proceed to install the relevant free apps and browser extensions (with the necessary black/white lists, and maybe even bookmarks to safe free porn sites) required to maximize one's safety. When it is done, it would then automatically print out an easy to follow list of the top 10 tips from this topic thread that even CD-ROM coffee holder types can follow. I'm pretty sure my parents could use something like that.