"The Rules" - Basics of Personal Computing Security: Submit Your Rules

DrunkenSleipnir in his Gmail hacked from China IP thread wrote:

I follow the 'rules' - unique, hard passwords, safe browsing habits, etc. I even have java and flash disabled on all websites by default.

Some really cool guy wrote:

Speaking of which - is there anywhere out there that has a good, succinct list of "the rules" to share with normal end users?

If not, perhaps we should write one. Something simple, direct, and opinionated instead of generic and passive voiced.

Numerous people, paraphrased wrote:

Great idea, cool guy!

This is the thread where people submit their "rules" for safe personal computing, and we discuss them. The goal at the end of this is to have a list worthwhile of being handed to non-techie computer users and saying, "here, read this". As such, the focus on rules is to be simple, clear, brief, direct action items (do this, don't do that, rather than vague descriptions of security issues). Some rules will be broadly applicable and some will be OS-specific.

Because some good suggestions will inevitably be a bit beyond the scope of Grandma's computer ability, we'll have a "More Advanced Rules" list addendum at the end. When someone brings up NoScript, for example, that's where that will go.

The rules are to be opinionated. By that, I mean "use a good antivirus" is a bad rule, because it requires (a) knowing what software falls under "antivirus" and (b) being able to evaluate them to know which ones are good. Finding a consensus on opinions is what this thread is for. But since we've pretty much hammered out this one in previous threads, I'll make it the first rule submission:

* (Windows): Download and install Microsoft Security Essentials

-Keep your OS up to date with patches, set it to automatic unless you have a good reason not to.
-Scan your downloads, even if it's a "trusted source" as you don't know when they've been compromised

Use an OS that requires admin approval for system changes & program installations & other high level actions.

trueheart78 wrote:

Use an OS that requires admin approval for system changes & program installations & other high level actions.

The great UAC/admin rights debate.

My take on it is that MS still haven't got their stuff together on it, although my experience on Win7 with it is that I can't be bothered learning all the little hacks to get things to behave properly, so I decided it wasn't worth the payoff. To be fair, it's not so much MS's problem as 3rd party programs doing things in weird and wonderful ways, where in the past you could get away with it. The way I saw it exhibited was in weird things like drag and drop not working on Winamp; now how is an inexperienced user going to see that? It worked in XP :\

It's all going to depend on how risky the 'environment' is, how knowledgeable the user is, and if things change a lot.

Backup, backup and backup.
I use windows home server for all that now. So I have full images I can revert all the PCs on my network to from the last 7 days, weekly for the last month or last 3 months.

Use a separate (or bootable OS image) PC for all your unsafe habits (porn, BitTorrent, etc) and opening those files for scanning before moving them onto the network.
Short of nuking from orbit, it's the only way to be safe.

Scratched wrote:

-Keep your OS up to date with patches, set it to automatic unless you have a good reason not to.

More specific for non power-users: NEVER ignore the little balloons next to the clock asking you to update Flash Player, Windows or MSE. Adapt advice on kind of balloons to specific OS (flag for Win7, the blue thingamajig for Vista, etc.)

Never send your login and password information to anyone who requests it over email or a private messaging service. There's either a scammer or an incompetent admin on the receiving end.

If you get an email with a link asking you to log in on a service you use, don't click on it even if it looks perfectly legit. Get to the site on your own and log in from there instead.

Be aware of the programs installed on your computer and what they look like. Are you running Billy's 4th Grade programming project as your anti-virus? No? Then a legitimate virus warning would probably not be flashing red with multiple exclamation marks and grammar errors.

Rezzy wrote:

Be aware of the programs installed on your computer and what they look like. Are you running Billy's 4th Grade programming project as your anti-virus? No? Then a legitimate virus warning would probably not be flashing red with multiple exclamation marks and grammar errors.

I was actually a bit disappointed by Avast in this regard. My parents were running v4, and it put up an alert to say that v5 was out or that they needed to update their registration, except the alert looked exactly like any of the fake scare ads that they see online. When I saw it my paranoia kicked in (glad to say they were a bit paranoid about it too), but when I worked out it was legitimate my heart sank a bit that a so-called professional AV company had made such an easily spoofed warning pop-up.

Anyone who responds to my comments, quotes me, PMs me, says my name, or implies my existence in any way that is noticeably less than unadulterated adulation, admiration, and sycophancy, automatically gets an undetectable virus-filled trojan-worm sent to their computer from a dynamic SSL encrypted VPN in any one of a thousand hidden locations in China that infects the MBR, boot ROM, CPU and heatsink and can only be destroyed by fire, cancer, and/or AIDS.

I'll admit to reusing passwords; most random websites all have the same not too terribly secure password. Anything that I tend to have personal information on has different passwords that are much harder to break, and anything that has lots of access has insanely strong passwords. (LOL, my old NannyMUD account, in which I was a wizard (who could break the server with bad code), had some insane password that included several symbols and a mixture of lower and upper case. Sometimes random password generators can be your friend.)

Chairman_Mao wrote:

Anyone who responds to my comments, quotes me, PMs me, says my name, or implies my existence in any way that is noticeably less than unadulterated adulation, admiration, and sycophancy, automatically gets an undetectable virus-filled trojan-worm sent to their computer from a dynamic SSL encrypted VPN in any one of a thousand hidden locations in China that infects the MBR, boot ROM, CPU and heatsink and can only be destroyed by fire, cancer, and/or AIDS.

Give it your best shot my IP is 127.0.0.1

Nosferatu wrote:

I'll admit to reusing passwords, most random websites all have the same not too terribly secure password.

KeePass FTW. Or one of those other similar apps, but KeePass(X) exists on Linux and OS X so it's the big winner in my eyes.

Give it your best shot my IP is 127.0.0.1

No way, so is mine!

*Legion* wrote:

Nosferatu wrote:

I'll admit to reusing passwords, most random websites all have the same not too terribly secure password.

KeePass FTW. Or one of those other similar apps, but KeePass(X) exists on Linux and OS X so it's the big winner in my eyes.

Give it your best shot my IP is 127.0.0.1

No way, so is mine!

*chuckle*

Some rules I follow are:

Use long non-dictionary complex passwords for everything. I can't remember what the minimum length is to defeat brute force hash cracking but I think it's somewhere over 15 characters? So, don't use a single word. Think of a sentence that includes a proper name and punctuation and you're covered. Also, if you need to write down your passwords, just write down the plaintext password but remember a wrapper that it goes in that only you know about (brackets, parentheses, asterisks, etc.) Strong, yet easy to remember, password = [Certisisawesome!]

If you can't ignore spam and other online solicitations, learn to and train yourself to always read alt text in email web links before clicking them. Oftentimes, the url text doesn't match the actual website that it links to and it redirects to Bad Things that spam your friends with more Bad Things. This helps you become part of the solution rather than part of the problem.

If you get email from a friend/relative/acquaintance that obviously isn't from them, (for example, solicitation from your cousin currently at your family reunion indicating that they're stuck in London on 'holiday' and need 300 'quid' to return to 'The States') immediately contact them using some other method than email to let them know to change their passwords for everything they do online, beginning with their email. Email is generally a vector that vendor services trust for resetting passwords and verifying identity. If you do any kind of online commerce, your email is the key to the kingdom. Protect it!

Sorry these aren't more compact. I find the object lessons drive the point home.

I'm going to add an advanced rule, in the face of the Firesheep issue:

* Install the HTTPS Everywhere extension in Firefox.

This extension forces HTTPS login for many popular sites that support it but hide that fact.

There's another extension called Force-TLS which does a similar thing but requires the user to input the sites that it should work on. For a simpler, fire-and-forget setup, I'm making HTTPS Everywhere the rule.

I use LastPass, but unfortunately it doesn't play well with KeePass (they make it extremely hard to export your data in a compatible format.)

I read that since many web-based mail, banking, and other services have a mandatory lockout after 3-5 tries, that having a ridiculously long random password is actually detrimental to security, since you'll have a harder time remembering it, and a keylogger is way more likely to steal your data than a brute force hack. Presumably even with a basic password, at 3-5 tries a day, it would take years for someone to brute force hack your email account (assuming it's not something obvious like your name, birthday, etc.)

What's the consensus on that? It's not something I ever looked at from that perspective.

I'm assuming that for your TrueCrypt drive or OS login, you would want a complex password you can actually remember.

Also, even if you use multiple dictionary words in your password, if it's of sufficient length, uses lowercase and capital letters, numbers, and symbols, then wouldn't it still take an absurdly long time to brute force crack your passwords?

unntrlaffinity wrote:

I read that since many web-based mail, banking, and other services have a mandatory lockout after 3-5 tries, that having a ridiculously long random password is actually detrimental to security, since you'll have a harder time remembering it, and a keylogger is way more likely to steal your data than a brute force hack.

Lockouts only happen when you go in the front door.

What sometimes happens instead is that sites get briefly compromised and the contents of their database are exposed. That contains not your password itself, but rather the hash of your password.

You want that hash as difficult to crack as possible. You *hope* that the site is using unique salts, but there's no guarantee that it's not just a straight MD5/SHA sum begging for a rainbow table attack.

Long random passwords are still something you definitely want.
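The two attack paths in the reply above (guessing through the front door under a lockout, versus cracking a leaked hash offline) behave very differently, and the salt question decides whether a precomputed table works at all. The example below is added here and is not code from the thread or from any site mentioned in it. It builds a tiny constructed lookup table of common passwords, shows that it recovers a bare MD5 hash but not a salted one, shows the slow-KDF storage a site should use (PBKDF2 from Python's hashlib), and compares exhaustive-search times at two assumed guess rates: 5 tries per day behind a lockout, and a stand-in figure of one billion MD5 hashes per second offline. The rates and the password list are illustrative assumptions, not measurements.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a precomputed table of common passwords (real
# tables hold millions of entries; the mechanism is identical).
COMMON_PASSWORDS = ["password", "letmein", "qwerty", "123456", "hunter2"]


def unsalted_md5(password: str) -> str:
    """The weak scheme: a bare MD5 of the password, identical for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> plaintext once; reusable against any unsalted dump."""
    return {unsalted_md5(p): p for p in candidates}


def lookup_plaintext(table: dict, stored_hash: str):
    """Return the plaintext if the stored hash is in the table, else None."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user salt mixed in before hashing: same password, different hash."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store_salted(password: str) -> tuple:
    """What a site should store at minimum: a fresh random salt plus the hash."""
    salt = os.urandom(16)
    return salt.hex(), salted_hash(password, salt)


def verify_salted(password: str, salt_hex: str, stored_hash: str) -> bool:
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored_hash)


def store_pbkdf2(password: str, iterations: int = 200_000) -> tuple:
    """Salt plus a deliberately slow KDF: each offline guess costs `iterations` hashes."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), iterations, digest.hex()


def verify_pbkdf2(password: str, salt_hex: str, iterations: int, stored_hex: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(digest.hex(), stored_hex)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Years needed to try every password of the given length at a given rate."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_second / (365 * 24 * 3600)


# Assumed rates for illustration only: a front-door lockout allowing about
# 5 tries per day, versus an offline attacker hashing a leaked dump at 1e9 MD5/s.
ONLINE_RATE = 5 / 86400
OFFLINE_MD5_RATE = 1e9


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("bare MD5 of 'letmein' recovered from table:",
          lookup_plaintext(table, unsalted_md5("letmein")))
    salt_hex, h = store_salted("letmein")
    print("same password, salted, found in table?", lookup_plaintext(table, h) is not None)
    print("8 lowercase letters, online behind lockout: %.1e years"
          % years_to_exhaust(26, 8, ONLINE_RATE))
    print("8 lowercase letters, offline bare MD5:      %.1e years"
          % years_to_exhaust(26, 8, OFFLINE_MD5_RATE))
    print("16 mixed printable chars, offline bare MD5: %.1e years"
          % years_to_exhaust(94, 16, OFFLINE_MD5_RATE))
```

The point the numbers make: an eight-character password that would take the front door over a hundred million years to exhaust at five tries a day falls in minutes once the unsalted hash is in someone's hands, which is why the password itself has to carry the strength rather than relying on the site's lockout.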

I've been thinking of some novel ones.

Many pop-ups that style themselves as fake native-running software use the default Windows window decorations.

Perhaps "use a non-default theme" (with some explanation of what that is and why to do it) is something to consider? If you use the silver XP style, ones with the blue decorations stick out like a sore thumb.

Some more rules for discussion:

* Always run your broadband connection through a hardware router, never directly to your PC. Even if you only own one PC and don't need features like wifi, buy a hardware router to put between your Internet connection and your PC.

* In Firefox, enable the "master password" for unlocking your stored passwords. (Not sure of similar functionality in other browsers, will need to check)

* Web of Trust?
Discussion: what are your opinions on Web of Trust? I have little direct experience with WOT, but it seems like something I might consider recommending for less-savvy users. I do remember hearing it discussed on a podcast (Security Now? 2600? HPR?) about how it was easy to game for low-traffic sites, but that seems like a corner case that I wouldn't necessarily want to throw the entire thing out for.

* Do not install unsolicited software. Only install software that you have intended to take the action of installing. Otherwise, say no!
(probably of limited literal use, as most nastyware that has the ability to install itself won't ask, but goes to establishing a mentality to not just say "yes" to everything)

* Do not open unsolicited email attachments, even if the sender is someone you know.

* This is what Microsoft Security Essentials looks like when it finds a potential virus:
(image: http://blogs.sitepointstatic.com/images/tech/172-ms-security-essentials-virus.jpg)
If *anything else* pops up claiming to have found a virus, it is a scam.
(Fake MSE alerts make me worry about this one, but users should definitely know to not trust anything other than the AV they're actually running)

* Establish a relationship with someone that knows computers well. Reach out to this person before doing things like buying random software from the Internet that you know nothing about. If you find one that truly knows what they're doing, treat them well and recognize that their time is valuable.
(As that person for a large portion of my social circle, I got tired of having to fix things that nobody bothered to consult me with first. It's a hassle, but it's easier to help someone get it right first than it is to have to clean up their mess after they've broken everything. My rule is becoming: first time you do stupid sh*t without consulting me first, it's a warning. Second time, have fun paying a bunch of money to Geek Squad dweebs that don't know how to fix anything either.)

* Do not download and install pirated software. It is very common for people distributing pirated software to include malware as a way to get people to unwittingly infect their own PCs.

* You don't want that damn browser toolbar. No, you don't.

* Do not leave your computer unattended while "logged in", especially in a public area.

* Do not conduct online banking or other sensitive operations from a public wifi network.

* Use an email service which automatically virus-scans incoming email attachments
(Not opinionated enough, but I don't know if the rule should flat-out be "Use Gmail". What is the virus-scanning situation like on other big email providers?)

* (Advanced) Use the AdBlock Plus extension in Firefox. Selectively whitelist websites whom you trust and wish to financially support with ad views.
(Banner ads tend to be inserted via JavaScript and can contain a bad payload. Happened on the New York Times' website last year)

* (Advanced) Use the NoScript and BetterPrivacy extensions in Firefox. Even if you enable scripting globally in NoScript, the extension still provides protection against clickjacking.

*Legion* wrote:

* You don't want that damn browser toolbar. No, you don't.

I like this one, but I don't think it gets to the root of the problem. Most of the users I deal with who have toolbars installed had them installed as part of another program. They didn't seek out the Yahoo!/Bing/Google toolbar, but they got it as part of an installation of Java or Flash. So, my rewording of the rule would be:

* Whenever a program you're installing asks if you'd like to install an additional, optional program, say no. This includes all browser toolbars, customer feedback programs, Google Desktop, and printing supply monitors.

Yes, I was definitely being a bit flippant with that one.

Are there any recommendations of easy-to-use software firewalls for Windows? For computing from home, I think a hardware NAT router plus the built-in Windows firewall is more than sufficient, but for laptops taken onto open wifi networks, there's no hardware separation between you and the rest of the network users. Is the Windows firewall enough?

As one of the "numerous people" in favor of this idea, I'm quietly subscribing to bask in the collected wisdom. Please continue.

I think the ease with which you can come up with so many rules is depressing when it comes to trying to teach someone computer security. That you can't have broad general rules, and that really you need to be all-or-nothing if you're trying to actually use a Windows computer on the internet for more than the simplest tasks. Non-geeks aren't going to remember that lot, and providing them with a list like that means it's going to get buried the first time they get some cool web address to check out from anywhere.

*Legion* wrote:

Are there any recommendations of easy-to-use software firewalls for Windows? For computing from home, I think a hardware NAT router plus the built-in Windows firewall is more than sufficient, but for laptops taken onto open wifi networks, there's no hardware separation between you and the rest of the network users. Is the Windows firewall enough?

I'm definitely a middle-of-the-road user. Not super technical, but not a newbie, either. And I view third-party firewall software the same way I view the UAC for novice users: eventually they get so tired of reading every pop-up that it ceases to mean anything. You'll click any pop-up that appears simply to get it to go away. And most firewalls are even worse than UAC in that regard.

A good rule of thumb for us basic users seems to be just use the internal (Windows 7) firewall, and simply choose "public" regardless of whether you're at home or not for every connection. Combined with your other advice on A/V and not clicking on every email/attachment/pop-up it should protect non-techies from most problems.

EDIT: Oops deleted my first paragraph. Now Expanded for my own amusement!
Use some discretion when hunting for someone 'good' with computers. There are three main types that I have run into and there may be variations on this theme: "Knows just enough to be Dangerous" -- Your computer is running slow? Download this registry file and delete everything ending in 'ing.' Your memory is probably full. The computer hides stuff so enable hidden files and settings and just delete a few of the bigger grayed out files. I have people that will go into Device Manager when their wireless isn't connecting right away.
"Budding Criminal/Elite Hardcore Gamer" -- No wonder you're having problems! You have to use the Alpha drivers posted on this usenet. I've installed a custom BIOS that lets you double the multiplier on your processor. It's getting hotter because the airflow is restricted by the fan casing, I removed it and increased the voltage so now it spins twice as fast. Normally this software costs $200 but this guy in China sells me keys for $10. All you have to do is download the Service-Pack and change the default region and language. Your drive is region-locked but I installed a custom firmware and now you can rip DVDs.
"Professional" -- Yeah, I COULD fix it, but honestly with a system that age you're better off just upgrading. I can help you move your stuff over and set you up with some decent security software.

AAAAAAAARRRRRGGGGGHHHH...
If you spill liquid into your laptop turn off the computer and remove the battery immediately!
Take it to someone you trust with computers and if their first step is to try to turn it on, punch them in the face.
True story:
Client: I spilled milk in my laptop. The display keeps flickering, I can't get on the network and printing doesn't seem to work. Please help!
Me: Accidents happen. Please turn the computer off immediately, remove the battery, and bring it to me as soon as you can. I will dry out the insides and make sure nothing was damaged.
Me: (two hours later): Hello?
Client: The network works now. When I spilled my cereal I immediately tipped the laptop to the side to pour the milk out. I checked the battery and the milk didn't get into the contacts. Hey, do you know how to connect to this group's file-share?

They finally brought it in around 4:30. As far as I could tell it had been running all day, baking the milk and crap into every nook and cranny. There was a pool of milk on the heat-sink plate, in the optical drive bay, in the keyboard..... so I cursed and swapped her hard-drive into another shell. I was struggling with my last reply to her. How do you impress on someone that they were immensely lucky not to have fried the internals (and probably have caused damage that just hasn't manifested yet) and even if everything turned out okay have coated the inside with a nasty disgusting caked on gunk that I will need to clean out with a toothbrush once I have a few hours... I hear Burger King is hiring.

Rezzy wrote:


It's posts like this that make me hesitate to try and fix PCs other than my own, even if I would get paid for it.

Are you interested in that Word File/Excel File/PowerPoint File/PDF File, but suspicious of its origin? Use Google Docs to view it.

* (Advanced) Use the NoScript and BetterPrivacy extensions in Firefox. Even if you enable scripting globally in NoScript, the extension still provides protection against clickjacking.

Want to highlight this one. I've been using NoScript and selectively whitelisting sites for a long time. There is a lot of security to be had by doing this.

sheared wrote:

Are you interested in that Word File/Excel File/PowerPoint File/PDF File, but suspicious of its origin? Use Google Docs to view it.

Nice. I like that suggestion.

DrunkenSleipnir wrote:

Want to highlight this one. I've been using NoScript and selectively whitelisting sites for a long time. There is a lot of security to be had by doing this.

NoScript also has this awesome feature: "Backup NoScript configuration to a bookmark"

It stores all of NoScript's config, blacklists/whitelists included, into a special bookmark.

Why is that awesome? Xmarks. Bookmark synchronization = NoScript config synchronization across your machines.

Scratched wrote:

I think the ease with which you can come up with so many rules is depressing when it comes to trying to teach someone computer security. That you can't have broad general rules, and that really you need to be all-or-nothing if you're trying to actually use a Windows computer on the internet for more than the simplest tasks. Non-geeks aren't going to remember that lot, and providing them with a list like that means it's going to get buried the first time they get some cool web address to check out from anywhere.

It is a lot (which is why I think we have to strip it down to very simple do's and don'ts), and some people definitely will ignore it at the first opportunity.

But the people I feel bad for are the ones that would absolutely listen to good advice if ever any could actually be put in front of them. There's so much crap out there that I don't know how an average person is supposed to have any clue. A long list of rules might be hard to digest and easy to forget, but if the info's good, it at least gives them a chance to learn.