I follow the 'rules' - unique, hard passwords, safe browsing habits, etc. I even have Java and Flash disabled on all websites by default.
Speaking of which - is there anywhere out there that has a good, succinct list of "the rules" to share with normal end users?
If not, perhaps we should write one. Something simple, direct, and opinionated instead of generic and passive voiced.
Great idea, cool guy!
This is the thread where people submit their "rules" for safe personal computing, and we discuss them. The goal at the end of this is to have a list worth handing to non-techie computer users and saying, "here, read this". As such, the focus is on rules that are simple, clear, brief, direct action items (do this, don't do that, rather than vague descriptions of security issues). Some rules will be broadly applicable and some will be OS-specific.
Because some good suggestions will inevitably be a bit beyond the scope of Grandma's computer ability, we'll have a "More Advanced Rules" list addendum at the end. When someone brings up NoScript, for example, that's where that will go.
The rules are to be opinionated. By that, I mean "use a good antivirus" is a bad rule, because it requires (a) knowing what software falls under "antivirus" and (b) being able to evaluate them to know which ones are good. Finding a consensus on opinions is what this thread is for. But since we've pretty much hammered out this one in previous threads, I'll make it the first rule submission:
* (Windows): Download and install Microsoft Security Essentials
- Keep your OS up to date with patches, set it to automatic unless you have a good reason not to.
- Scan your downloads, even if it's a "trusted source", as you don't know when they've been compromised.
Use an OS that requires admin approval for system changes & program installations & other high level actions.
> Use an OS that requires admin approval for system changes & program installations & other high level actions.
The great UAC/admin rights debate.
My take on it is that MS still haven't got their stuff together on it, although my experience on Win7 with it is that I can't be bothered learning all the little hacks to get things to behave properly, so I decided it wasn't worth the payoff. To be fair, it's not so much MS's problem as 3rd party programs doing things in weird and wonderful ways, where in the past you could get away with it. The way I saw it exhibited was in weird things like drag and drop not working on Winamp, now how is an inexperienced user going to see that? It worked in XP :\
It's all going to depend on how risky the 'environment' is, how knowledgeable the user is, and if things change a lot.
Backup, backup and backup.
I use Windows Home Server for all that now. So I have full images I can revert all the PCs on my network to from the last 7 days, weekly for the last month or last 3 months.
Use a separate (or bootable OS image) PC for all your unsafe habits (porn, BitTorrent, etc) and opening those files for scanning before moving them onto the network.
Short of nuking from orbit, it's the only way to be safe.
> Keep your OS up to date with patches, set it to automatic unless you have a good reason not to.
More specific for non power-users: NEVER ignore the little balloons next to the clock asking you to update Flash Player, Windows or MSE. Adapt advice on kind of balloons to specific OS (flag for Win7, the blue thingamajig for Vista, etc.)
Never send your login and password information to anyone who requests it over email or a private messaging service. There's either a scammer or an incompetent admin on the receiving end.
If you get an email with a link asking you to log in on a service you use, don't click on it even if it looks perfectly legit. Get to the site on your own and log in from there instead.
Be aware of the programs installed on your computer and what they look like. Are you running Billy's 4th Grade programming project as your anti-virus? No? Then a legitimate virus warning would probably not be flashing red with multiple exclamation marks and grammar errors.
> Be aware of the programs installed on your computer and what they look like. Are you running Billy's 4th Grade programming project as your anti-virus? No? Then a legitimate virus warning would probably not be flashing red with multiple exclamation marks and grammar errors.
I was actually a bit disappointed by Avast in this regard. My parents were running v4, and it put up an alert to say that v5 was out or that they needed to update their registration, except the alert looked exactly like any of the fake scare ads that they see online. When I saw it my paranoia kicked in (glad to say they were a bit paranoid about it too), but when I worked out it was legitimate my heart sank a bit that a so-called professional AV company had made such an easily spoofed warning pop-up.
Anyone who responds to my comments, quotes me, PMs me, says my name, or implies my existence in any way that is noticeably less than unadulterated adulation, admiration, and sycophancy, automatically gets an undetectable virus-filled trojan-worm sent to their computer from a dynamic SSL encrypted VPN in any one of a thousand hidden locations in China that infects the MBR, boot ROM, CPU and heatsink and can only be destroyed by fire, cancer, and/or AIDS.
I'll admit to reusing passwords, most random websites all have the same not too terribly secure password. Anything that I tend to have personal information on has different passwords that are much harder to break, and anything that has lots of access has insanely strong passwords (LOL my old NannyMUD account, in which I was a wizard (who could break the server with bad code), had some insane password that included several symbols and a mixture of lower and upper case letters. Sometimes random password generators can be your friend.)
> Anyone who responds to my comments, quotes me, PMs me, says my name, or implies my existence in any way that is noticeably less than unadulterated adulation, admiration, and sycophancy, automatically gets an undetectable virus-filled trojan-worm sent to their computer from a dynamic SSL encrypted VPN in any one of a thousand hidden locations in China that infects the MBR, boot ROM, CPU and heatsink and can only be destroyed by fire, cancer, and/or AIDS.
Give it your best shot my IP is 127.0.0.1
Nosferatu wrote: I'll admit to reusing passwords, most random websites all have the same not too terribly secure password.
KeePass FTW. Or one of those other similar apps, but KeePass(X) exists on Linux and OS X so it's the big winner in my eyes.
> Give it your best shot my IP is 127.0.0.1
No way, so is mine!
*chuckle*
Some rules I follow are:
Use long non-dictionary complex passwords for everything. I can't remember what the minimum length is to defeat brute force hash cracking but I think it's somewhere over 15 characters? So, don't use a single word. Think of a sentence that includes a proper name and punctuation and you're covered. Also, if you need to write down your passwords, just write down the plaintext password but remember a wrapper that it goes in that only you know about (brackets, parentheses, asterisks, etc.) Strong, yet easy to remember, password = [Certisisawesome!]
If you can't ignore spam and other online solicitations, learn to, and train yourself to always read the alt text in email web links before clicking them. Oftentimes, the URL text doesn't match the actual website that it links to and it redirects to Bad Things that spam your friends with more Bad Things. This helps you become part of the solution rather than part of the problem.
If you get email from a friend/relative/acquaintance that obviously isn't from them, (for example, solicitation from your cousin currently at your family reunion indicating that they're stuck in London on 'holiday' and need 300 'quid' to return to 'The States') immediately contact them using some other method than email to let them know to change their passwords for everything they do online, beginning with their email. Email is generally a vector that vendor services trust for resetting passwords and verifying identity. If you do any kind of online commerce, your email is the key to the kingdom. Protect it!
Sorry these aren't more compact. I find the object lessons drive the point home.
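The "read the link before you click it" habit above (and the earlier rule about not clicking login links in email) comes down to one comparison: does the text shown for a link name the same site as the href it really goes to? The script below is an added example, not code from anyone in the thread; it does that comparison over a constructed sample message, using only Python's standard library. The site names example-bank.com and evil.test are placeholders.

```python
"""Added example: flag links in an HTML e-mail whose visible text names a
different site than the real href, i.e. the 'read the link before clicking'
check done by a program. The message below is constructed for this example;
example-bank.com and evil.test are placeholder names, not real sites."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: one spoofed link, one honest link, and one link
# whose text ("Click here") is not a URL at all, so this check cannot judge it.
SAMPLE_EMAIL = """
<p>Dear customer, please visit
<a href="http://example-bank.com.evil.test/login">www.example-bank.com</a>
to confirm your account.</p>
<p>Our <a href="https://www.example-bank.com/help">example-bank.com</a> help pages explain more.</p>
<p><a href="https://tracker.evil.test/u">Click here</a> to unsubscribe.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> we are inside, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lowercase hostname of a URL or bare domain, or None if there is none."""
    t = text.strip()
    if "://" not in t:
        t = "http://" + t          # bare 'www.example.com' still parses as a host
    host = urlparse(t).hostname
    return host.lower() if host else None


def looks_like_url(text):
    """True for link text that is itself a URL or a domain name."""
    return "://" in text or ("." in text and " " not in text)


def find_mismatched_links(html):
    """Return (visible_text, href) for links whose shown host and real host differ."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue                # 'Click here' tells us nothing to compare against
        shown, real = host_of(text), host_of(href)
        # A real host that is a subdomain of the shown one (www.x.com for x.com) is fine;
        # 'x.com.evil.test' is not, because its registrable domain is evil.test.
        if shown and real and shown != real and not real.endswith("." + shown):
            flagged.append((text, href))
    return flagged


if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_EMAIL):
        print(f"shown as {text!r} but really goes to {href}")
```

Note what the check cannot do: a link whose text is just "Click here" has nothing to compare, and a mismatch is only a warning sign, not proof. That is why the thread's stronger rule, typing the site's address yourself instead of following the emailed link, still applies even when nothing is flagged.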
I use LastPass, but unfortunately it doesn't play well with KeePass (they make it extremely hard to export your data in a compatible format.)
I read that since many web-based mail, banking, and other services have a mandatory lockout after 3-5 tries, having a ridiculously long random password is actually detrimental to security, since you'll have a harder time remembering it, and a keylogger is way more likely to steal your data than a brute force hack. Presumably even with a basic password, at 3-5 tries a day, it would take years for someone to brute force hack your email account (assuming it's not something obvious like your name, birthday, etc.)
What's the consensus on that? It's not something I ever looked at from that perspective.
I'm assuming that for your TrueCrypt drive or OS login, you would want a complex password you can actually remember.
Also, even if you use multiple dictionary words in your password, if it's of sufficient length, uses lowercase and capital letters, numbers, and symbols, then wouldn't it still take an absurdly long time to brute force crack your passwords?
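The two questions just raised, and the earlier "somewhere over 15 characters" rule of thumb, are really about two different attackers: one guessing against a live login that locks out after a few tries, and one cracking a leaked password hash offline at billions of guesses per second. The script below is an added example (not from anyone in the thread) that puts numbers on both. The guess rates, 5 tries a day online and 10^9 hashes a second offline, are assumptions picked for illustration, as is the 20,000-word dictionary size; it also shows why a passphrase of dictionary words is much weaker when the cracker guesses words rather than characters.

```python
"""Added example: rough brute-force cost estimates for the two attacker models
discussed in the thread: online guessing against a site that locks out after a
few tries, and offline cracking of a leaked password hash. The guess rates
below are assumptions chosen for illustration, not measurements."""
import math

SECONDS_PER_YEAR = 365 * 86_400

# Assumed attacker models (illustrative, not measured):
ONLINE_TRIES_PER_DAY = 5        # a lockout policy of roughly 3-5 attempts a day
OFFLINE_GUESSES_PER_SEC = 1e9   # a fast unsalted hash on a GPU; slow hashes are far lower


def keyspace(alphabet_size, length):
    """Number of candidates the attacker must consider: alphabet ** length."""
    return alphabet_size ** length


def expected_years(keyspace_size, guesses_per_second):
    """Average time to reach the right guess: half the keyspace at the given rate."""
    return (keyspace_size / 2) / guesses_per_second / SECONDS_PER_YEAR


def estimate(alphabet_size, length):
    """Expected years to crack online (lockout-limited) and offline (hash cracking)."""
    ks = keyspace(alphabet_size, length)
    return {
        "keyspace": ks,
        "bits": math.log2(ks),
        "online_years": expected_years(ks, ONLINE_TRIES_PER_DAY / 86_400),
        "offline_years": expected_years(ks, OFFLINE_GUESSES_PER_SEC),
    }


def report():
    """Compare the kinds of passwords discussed in the thread under both models."""
    return {
        # A short, simple password: fine against lockout-limited guessing,
        # gone in about two minutes if its hash leaks.
        "8 lowercase letters": estimate(26, 8),
        # The thread's 'over 15 characters' from the full printable ASCII set.
        "15 printable ASCII chars": estimate(94, 15),
        # Four common words (about 24 letters) attacked character by character...
        "4 words, cracked as 24 letters": estimate(26, 24),
        # ...and the same passphrase attacked as 4 picks from a 20,000-word list,
        # which is how a cracker actually tries dictionary phrases.
        "4 words, cracked as words": estimate(20_000, 4),
    }


if __name__ == "__main__":
    for name, e in report().items():
        print(f"{name:32s} {e['bits']:6.1f} bits  "
              f"online: {e['online_years']:.3g} yr  offline: {e['offline_years']:.3g} yr")
```

The numbers support both sides of the argument: against a lockout-limited login, even eight lowercase letters takes tens of millions of years on average, so the password is not the weak point there (the keylogger, reuse and the email reset path are). Against a leaked hash the same password falls in under two minutes, and a four-word phrase that looks like 113 bits character by character is really about 57 bits to a word-list attack. Length helps, but only unpredictability the attacker's model cannot shortcut counts.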
* You don't want that damn browser toolbar. No, you don't.
I like this one, but I don't think it gets to the root of the problem. Most of the users I deal with who have toolbars installed had them installed as part of another program. They didn't seek out the Yahoo!/Bing/Google toolbar, but they got it as part of an installation of Java or Flash. So, my rewording of the rule would be:
* Whenever a program you're installing asks if you'd like to install an additional, optional program, say no. This includes all browser toolbars, customer feedback programs, Google Desktop, and printing supply monitors.
As one of the "numerous people" in favor of this idea, I'm quietly subscribing to bask in the collected wisdom. Please continue.
I think the ease with which you can come up with so many rules is depressing about trying to teach someone computer security. That you can't have broad general rules, and that really you need to be all-or-nothing if you're trying to actually use a Windows computer on the internet for more than the simplest tasks. Non-geeks aren't going to remember that lot, and providing them with a list like that means it's going to get buried the first time they see some cool web address to check out from anywhere.
Are there any recommendations of easy-to-use software firewalls for Windows? For computing from home, I think a hardware NAT router plus the built-in Windows firewall is more than sufficient, but for laptops taken onto open wifi networks, there's no hardware separation between you and the rest of the network users. Is the Windows firewall enough?
I'm definitely a middle-of-the-road user. Not super technical, but not a newbie, either. And I view third-party firewall software the same way I view the UAC for novice users: eventually they get so tired of reading every pop-up that it ceases to mean anything. You'll click any pop-up that appears simply to get it to go away. And most firewalls are even worse than UAC in that regard.
A good rule of thumb for us basic users seems to be just use the internal (Windows 7) firewall, and simply choose "public" regardless of whether you're at home or not for every connection. Combined with your other advice on A/V and not clicking on every email/attachment/pop-up it should protect non-techies from most problems.
EDIT: Oops deleted my first paragraph. Now Expanded for my own amusement!
Use some discretion when hunting for someone 'good' with computers. There are three main types that I have run into and there may be variations on this theme: "Knows just enough to be Dangerous" -- Your computer is running slow? Download this registry file and delete everything ending in 'ing.' Your memory is probably full. The computer hides stuff so enable hidden files and settings and just delete a few of the bigger grayed out files. I have people that will go into Device Manager when their wireless isn't connecting right away.
"Budding Criminal/Elite Hardcore Gamer" -- No wonder you're having problems! You have to use the Alpha drivers posted on this usenet. I've installed a custom BIOS that lets you double the multiplier on your processor. It's getting hotter because the airflow is restricted by the fan casing, I removed it and increased the voltage so now it spins twice as fast. Normally this software costs $200 but this guy in China sells me keys for $10. All you have to do is download the Service-Pack and change the default region and language. Your drive is region-locked but I installed a custom firmware and now you can rip DVDs.
"Professional" -- Yeah, I COULD fix it, but honestly with a system that age you're better off just upgrading. I can help you move your stuff over and set you up with some decent security software.
AAAAAAAARRRRRGGGGGHHHH...
If you spill liquid into your laptop turn off the computer and remove the battery immediately!
Take it to someone you trust with computers and if their first step is to try to turn it on, punch them in the face.
True story:
Client: I spilled milk in my laptop. The display keeps flickering, I can't get on the network and printing doesn't seem to work. Please help!
Me: Accidents happen. Please turn the computer off immediately, remove the battery, and bring it to me as soon as you can. I will dry out the insides and make sure nothing was damaged.
Me: (two hours later): Hello?
Client: The network works now. When I spilled my cereal I immediately tipped the laptop to the side to pour the milk out. I checked the battery and the milk didn't get into the contacts. Hey, do you know how to connect to this group's file-share?
They finally brought it in around 4:30. As far as I could tell it had been running all day, baking the milk and crap into every nook and cranny. There was a pool of milk on the heat-sink plate, in the optical drive bay, in the keyboard..... so I cursed and swapped her hard-drive into another shell. I was struggling with my last reply to her. How do you impress on someone that they were immensely lucky not to have fried the internals (and probably have caused damage that just hasn't manifested yet) and even if everything turned out okay have coated the inside with a nasty disgusting caked on gunk that I will need to clean out with a toothbrush once I have a few hours... I hear Burger King is hiring.
It's posts like this that make me hesitate to try and fix PCs other than my own, even if I would get paid for it.
Are you interested in that Word File/Excel File/PowerPoint File/PDF File, but suspicious of its origin? Use Google Docs to view it.
* (Advanced) Use the NoScript and BetterPrivacy extensions in Firefox. Even if you enable scripting globally in NoScript, the extension still provides protection against clickjacking.
Want to highlight this one. I've been using NoScript and selectively whitelisting sites for a long time. There is a lot of security to be had by doing this.
> Are you interested in that Word File/Excel File/PowerPoint File/PDF File, but suspicious of its origin? Use Google Docs to view it.
Nice. I like that suggestion.