Safe Personal Computing
Bruce Schneier BLOG | December 13, 2004 | Bruce Schneier

Posted on 12/17/2004 6:37:05 AM PST by zeugma


I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, "Nothing--you're screwed."

But that's not true, and the reality is more complicated. You're screwed if you do nothing to protect yourself, but there are many things you can do to increase your security on the Internet.

Two years ago, I published a list of PC security recommendations. The idea was to give home users concrete actions they could take to improve security. This is an update of that list: a dozen things you can do to improve your security.

General: Turn off the computer when you're not using it, especially if you have an "always on" Internet connection.

Laptop security: Keep your laptop with you at all times when not at home; treat it as you would a wallet or purse. Regularly purge unneeded data files from your laptop. The same goes for PDAs. People tend to store more personal data--including passwords and PINs--on PDAs than they do on laptops.

Backups: Back up regularly. Back up to disk, tape or CD-ROM. There's a lot you can't defend against; a recent backup will at least let you recover from an attack. Store at least one set of backups off-site (a safe-deposit box is a good place) and at least one set on-site. Remember to destroy old backups. The best way to destroy CD-Rs is to microwave them on high for five seconds. You can also break them in half or run them through better shredders.

Operating systems: If possible, don't use Microsoft Windows. Buy a Macintosh or use Linux. If you must use Windows, set up Automatic Update so that you automatically receive security patches. And delete the files "command.com" and "cmd.exe."

Applications: Limit the number of applications on your machine. If you don't need it, don't install it. If you no longer need it, uninstall it. Look into one of the free office suites as an alternative to Microsoft Office. Regularly check for updates to the applications you use and install them. Keeping your applications patched is important, but don't lose sleep over it.

Browsing: Don't use Microsoft Internet Explorer, period. Limit use of cookies and applets to those few sites that provide services you need. Set your browser to regularly delete cookies. Don't assume a Web site is what it claims to be, unless you've typed in the URL yourself. Make sure the address bar shows the exact address, not a near-miss.

Web sites: Secure Sockets Layer (SSL) encryption does not provide any assurance that the vendor is trustworthy or that its database of customer information is secure.

Think before you do business with a Web site. Limit the financial and personal data you send to Web sites--don't give out information unless you see a value to you. If you don't want to give out personal information, lie. Opt out of marketing notices. If the Web site gives you the option of not storing your information for later use, take it. Use a credit card for online purchases, not a debit card.

Passwords: You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc.

Never reuse a password for something you care about. (It's fine to have a single password for low-security sites, such as for newspaper archive access.) Assume that all PINs can be easily broken and plan accordingly.

Never type a password you care about, such as for a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.

E-mail: Turn off HTML e-mail. Don't automatically assume that any e-mail is from the "From" address.

Delete spam without reading it. Don't open messages with file attachments, unless you know what they contain; immediately delete them. Don't open cartoons, videos and similar "good for a laugh" files forwarded by your well-meaning friends; again, immediately delete them.

Never click links in e-mail unless you're sure about the e-mail; copy and paste the link into your browser instead. Don't use Outlook or Outlook Express. If you must use Microsoft Office, enable macro virus protection; in Office 2000, turn the security level to "high" and don't trust any received files unless you have to. If you're using Windows, turn off the "hide file extensions for known file types" option; it lets Trojan horses masquerade as other types of files. Uninstall the Windows Scripting Host if you can get along without it. If you can't, at least change your file associations, so that script files aren't automatically sent to the Scripting Host if you double-click them.

Antivirus and anti-spyware software: Use it--either a combined program or two separate programs. Download and install the updates, at least weekly and whenever you read about a new virus in the news. Some antivirus products automatically check for updates. Enable that feature and set it to "daily."

Firewall: Spend $50 for a Network Address Translator firewall device; it's likely to be good enough in default mode. On your laptop, use personal firewall software. If you can, hide your IP address. There's no reason to allow any incoming connections from anybody.
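The Windows settings the essay lists under E-mail and Firewall (show file extensions, keep double-clicked script files away from the Scripting Host, allow no incoming connections), as an added example that is not code from the essay or from this thread: a PowerShell script that audits or applies them. It assumes an elevated PowerShell 5.1 or later session on a current Windows build with Windows Defender Firewall; the read-only hosts file step is taken from a comment later in the thread.

```powershell
# Added example; not code from Schneier's essay or from the thread.
# Applies, on a current Windows build, the settings the essay lists:
# show file extensions, keep double-clicked script files away from
# Windows Script Host, and deny unsolicited inbound connections. The
# hosts-file step is taken from a comment further down the thread.
# Assumes an elevated PowerShell 5.1+ session. -Audit only reports.
param([switch]$Audit)

$explorerKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
# ProgIDs whose "open" verb normally runs WScript.exe on the file.
$scriptProgIds = 'VBSFile', 'VBEFile', 'JSFile', 'JSEFile', 'WSFFile', 'WSHFile'
$notepadCmd    = '"%SystemRoot%\System32\notepad.exe" "%1"'
$hostsPath     = "$env:SystemRoot\System32\drivers\etc\hosts"

# Checks one setting, then either reports the drift (-Audit) or fixes it.
function Set-OrReport {
    param([string]$What, [scriptblock]$IsCompliant, [scriptblock]$Fix)
    if (& $IsCompliant) { Write-Host "[ok]   $What"; return }
    if ($Audit)         { Write-Host "[diff] $What"; return }
    & $Fix
    Write-Host "[set]  $What"
}

# 1. Show extensions for known file types, so "photo.jpg.exe" is visible as
#    an executable. Explorer picks the change up after a sign-out.
Set-OrReport -What 'Explorer shows file extensions (HideFileExt = 0)' `
    -IsCompliant {
        (Get-ItemProperty $explorerKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt -eq 0
    } `
    -Fix { Set-ItemProperty $explorerKey -Name HideFileExt -Value 0 -Type DWord }

# 2. Point the script file types at Notepad instead of WScript.exe, so a
#    double-clicked .vbs or .js attachment opens as text rather than running.
#    (The essay's "change your file associations" step; WSH itself stays.)
foreach ($progId in $scriptProgIds) {
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command"
    if (-not (Test-Path $cmdKey)) { continue }
    Set-OrReport -What "$progId opens with Notepad" `
        -IsCompliant { (Get-ItemProperty $cmdKey).'(default)' -eq $notepadCmd } `
        -Fix { Set-ItemProperty $cmdKey -Name '(default)' -Value $notepadCmd }
}

# 3. "There's no reason to allow any incoming connections from anybody":
#    default inbound action Block on every firewall profile.
Set-OrReport -What 'Firewall default inbound action is Block on all profiles' `
    -IsCompliant {
        @(Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' }).Count -eq 0
    } `
    -Fix { Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block }

# 4. Read-only hosts file (suggested in the thread). A small speed bump only:
#    malware running as administrator can clear the flag before writing.
Set-OrReport -What 'hosts file is read-only' `
    -IsCompliant { (Get-Item $hostsPath).IsReadOnly } `
    -Fix { Set-ItemProperty $hostsPath -Name IsReadOnly -Value $true }
```

Run it once with -Audit to see which settings differ before letting it change anything.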

Encryption: Install an e-mail and file encryptor (like PGP). Encrypting all your e-mail or your entire hard drive is unrealistic, but some mail is too sensitive to send in the clear. Similarly, some files on your hard drive are too sensitive to leave unencrypted.

None of the measures I've described are foolproof. If the secret police wants to target your data or your communications, no countermeasure on this list will stop them. But these precautions are all good network-hygiene measures, and they'll make you a more difficult target than the computer next door. And even if you only follow a few basic measures, you're unlikely to have any problems.

I'm stuck using Microsoft Windows and Office, but I use Opera for Web browsing and Eudora for e-mail. I use Windows Update to automatically get patches and install other patches when I hear about them. My antivirus software updates itself regularly. I keep my computer relatively clean and delete applications that I don't need. I'm diligent about backing up my data and about storing data files that are no longer needed offline.

I'm suspicious to the point of near-paranoia about e-mail attachments and Web sites. I delete cookies and spyware. I watch URLs to make sure I know where I am, and I don't trust unsolicited e-mails. I don't care about low-security passwords, but try to have good passwords for accounts that involve money. I still don't do Internet banking. I have my firewall set to deny all incoming connections. And I turn my computer off when I'm not using it.

That's basically it. Really, it's not that hard. The hardest part is developing an intuition about e-mail and Web sites. But that just takes experience.


This essay previously appeared on CNet


TOPICS: Business/Economy; Culture/Society
KEYWORDS: computers; computersecurity; exploit; internetexploiter; lookoutexpress; lowqualitycrap; microsoft; patch; safecomputing; securityflaw; trojan; virus; windows; worm
As always, Bruce has some good thoughts here. A lot of it would seem to be common sense to me, but given the prevalence of spyware, viruses, and such, perhaps I'm just too much of a nerd to notice.

One suggestion I'd add to his list: Install Linux

1 posted on 12/17/2004 6:37:06 AM PST by zeugma

To: rdb3; ShadowAce

Tech Ping


2 posted on 12/17/2004 6:37:44 AM PST by zeugma (Come to the Dark Side...... We have cookies!)

To: zeugma

bttt


3 posted on 12/17/2004 6:39:47 AM PST by stainlessbanner

To: zeugma

Don't use windows, don't use explorer, don't use office... I sense a theme here but I can't put my finger on it.


4 posted on 12/17/2004 6:41:04 AM PST by ChadsDad (If there must be trouble, let it be in my day, that my child may have peace.)

To: zeugma

Don't use Outlook or Outlook Express....


5 posted on 12/17/2004 6:41:54 AM PST by ChadsDad (If there must be trouble, let it be in my day, that my child may have peace.)

To: zeugma
And delete the files "command.com" and "cmd.exe."

Afterwards, create them with Notepad, but make them read-only.

6 posted on 12/17/2004 6:42:41 AM PST by AppyPappy (If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)

To: ChadsDad

I have used Outlook for YEARS, and NEVER had a problem.


7 posted on 12/17/2004 6:47:17 AM PST by TexConfederate1861 (Sic Semper Tyrannis!)

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

Security Ping


8 posted on 12/17/2004 6:48:10 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: TexConfederate1861

Yeah, I'd say for the average user you're fine. The big businesses need to keep some of these processes in mind. And they are going to have additional network security to help cut down on hackers and other leaks.

Now if you started writing articles about how to secure your computer, I have a funny feeling you might single yourself out for an attack to test your theories ;)


9 posted on 12/17/2004 6:49:48 AM PST by tfecw (dolphins are the spawn of evil)

To: zeugma
Install Linux

I do believe he mentioned that.

10 posted on 12/17/2004 6:50:08 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ChadsDad
Don't use Outlook or Outlook Express....

Thunderbird is go!


11 posted on 12/17/2004 6:52:28 AM PST by Bloody Sam Roberts (All I ask from livin' is to have no chains on me. All I ask from dyin' is to go naturally.)

To: zeugma
I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, "Nothing--you're screwed."

I'm grateful every time that I am.

12 posted on 12/17/2004 6:53:58 AM PST by Lazamataz ("Stay well - Stay safe - Stay armed - Yorktown" -- harpseal)

To: zeugma
There's one problem with leaving Windows: hardware support can get iffy very fast in the Linux environment, especially with today's modern multimedia hardware.

If you do continue to run Windows, you should do the following:

1. Make sure Windows is properly patched up to current levels. Check Windows Update at least 3-4 times a week for the latest updates.

2. Run a good firewall, whether hardware based or software based. For software firewalls, the current version of ZoneAlarm (5.5.062.004) is probably one of the best out there.

3. Have a good antivirus program constantly running. There are several good commercial antivirus programs, and there are also free antivirus programs out there, too. Don't forget to look for virus definition updates at least once a day.

4. Run a spyware remover at least three times a week. Programs such as Ad-Aware SE and SpyBot do excellent work, as does the new Yahoo! Toolbar for IE with its built-in spyware remover. Don't forget to get the latest definition updates for spyware removal at least every 3-4 days.

13 posted on 12/17/2004 6:56:02 AM PST by RayChuang88

To: zeugma

It is possible to memorize high-strength passwords, so that doesn't hold, and DON'T WRITE YOUR PASSWORDS DOWN, especially if you plan to carry them in your wallet! All it takes is you losing your wallet, and not only does the finder have your credit cards and ATM, now they have your passwords too! And don't delete cmd.exe. That's the command-line interface for Windows. You need that now and then.


14 posted on 12/17/2004 6:57:04 AM PST by Little Pig (Is it time for "Cowboys and Muslims" yet?)

To: zeugma

btt


15 posted on 12/17/2004 7:03:00 AM PST by lilmsdangrus

FREE PC PROTECTION:
(Not an exhaustive list. Your results may vary. Void where prohibited. For entertainment purposes only. No wagering, please. Whattayawantfernuthin'.)
(Thanks, but "Buy a Mac" doesn't qualify as "FREE PC protection")

16 posted on 12/17/2004 7:04:32 AM PST by martin_fierro (Let's Droll!)

To: Little Pig
And don't delete cmd.exe. That's the command-line interface for Windows. You need that now and then.

Rename it to something that can't be guessed.

17 posted on 12/17/2004 7:05:54 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: martin_fierro
Check out Outpost as a free firewall as well.

You may want to add that to your list.

18 posted on 12/17/2004 7:07:13 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

It only appears to be free for 30 days.


19 posted on 12/17/2004 7:09:23 AM PST by martin_fierro (Let's Droll!)

To: martin_fierro

No--you can download the previous version totally free.


20 posted on 12/17/2004 7:11:27 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: zeugma

bttttttttt


21 posted on 12/17/2004 7:13:54 AM PST by dennisw (Help put the "Ch" back in Chanukah)

To: martin_fierro
The tools I have on my Windows 2000 Professional system are Spybot S&D 1.3.1, AVG Antivirus 7.0 (Free Edition), and ZoneAlarm 5.5.062.004. Works for me!
22 posted on 12/17/2004 7:19:36 AM PST by RayChuang88

To: Swordmaker

Security Ping...


23 posted on 12/17/2004 7:19:49 AM PST by tubebender (If I had known I would live this long I would have taken better care of myself...)

To: martin_fierro

Love these.....

ZoneAlarm
AdAware
Spybot
AVG
WinPatrol (shows you running tasks, cookies, start up tasks and alerts you when something new wants to run, this one is great)


24 posted on 12/17/2004 7:20:36 AM PST by WestCoastGal (66 DAYS TO DAYTONA"Winning isn't the 1 with the fastest car..it's the 1 who refuses to lose " E.Sr.)

To: martin_fierro

You should check into Pivx's Qwik Fix. It hardens Windows at the source of vulnerabilities and exploits rather than addressing problems after the fact. Then there's Protowall, a sort of IP packet filter software that runs in tandem with a firewall. With the companion Blocklist Manager, you can import blocklists of hostile Trojans, Spyware Ads and Porn Scam websites into it so they can never connect to your computer. And get a good Hosts file and make it read-only as another measure of protection against someone trying to take over your Internet settings. No defense will stop professionals from getting into a computer if they want but 99% of the time it will keep one safe by making attackers look for weaker targets of opportunity. And that's all one needs to stay out of trouble while online.


25 posted on 12/17/2004 7:26:50 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)

To: AppyPappy
Actually, I'd have advised renaming the files rather than outright deleting them. Call them "command1.com" or "mycmd.exe". It has the same effect, and leaves them there for you to use when/if you need them.
26 posted on 12/17/2004 7:27:36 AM PST by zeugma (Come to the Dark Side...... We have cookies!)

To: ShadowAce
I do believe he mentioned that.

But it bears repeating, does it not? ;-)

27 posted on 12/17/2004 7:28:42 AM PST by zeugma (Come to the Dark Side...... We have cookies!)

To: zeugma

OK. You got me there. :)


28 posted on 12/17/2004 7:29:18 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: martin_fierro

Thanks for the list. I tried the firewall test at DSL reports and came back with "healthy setup". I feel much better. I am behind a router plus I am using the XP Pro firewall so all seems well.


29 posted on 12/17/2004 7:32:13 AM PST by engrpat

To: zeugma

Yeah but if a virus gets in, it can create copies of them. If you create read-only text files, it can't overwrite them.


30 posted on 12/17/2004 7:33:56 AM PST by AppyPappy (If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)

To: sneakers

bump!


31 posted on 12/17/2004 7:34:29 AM PST by sneakers

To: zeugma

just how DO you hide your IP address while online.....


32 posted on 12/17/2004 7:34:45 AM PST by mo

To: tfecw

Well, I am an A+ Net+ Certified Tech with 15 years experience....Microsoft is certainly more prone to viruses, but I do have a firewall, anti-virus, etc......
I take all the usual precautions.


33 posted on 12/17/2004 7:35:03 AM PST by TexConfederate1861 (Sic Semper Tyrannis!)

To: mo

Join an anonymous browsing service. These work by displaying a proxy ID to the world while you surf online. No one knows your real location unless you choose to reveal it.


34 posted on 12/17/2004 7:36:53 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)

To: goldstategop

thanks..!


35 posted on 12/17/2004 7:37:27 AM PST by mo

To: goldstategop

thanks..!


36 posted on 12/17/2004 7:37:36 AM PST by mo

To: Swordmaker
Operating systems: If possible, don't use Microsoft Windows. Buy a Macintosh or use Linux.

Get a Mac Ping....

37 posted on 12/17/2004 7:38:20 AM PST by CheneyChick (Proud to be an OEF Vet!)

To: mo
just how DO you hide your IP address while online.....

Well, that depends upon exactly what you mean by this. My PC's IP address is a non-routable address behind a NATed firewall. The IP of the outward-facing firewall can't be hidden. When you go to a website, your external IP is logged. There is no way to prevent that.

38 posted on 12/17/2004 7:48:47 AM PST by zeugma (Come to the Dark Side...... We have cookies!)

To: zeugma

No - but you can get a fake ID address and let people think you're someplace else. It's no one's business to find out where you really are.


39 posted on 12/17/2004 7:51:44 AM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)

To: zeugma
There is no way to prevent that.

Not necessarily. There are other services as well.

40 posted on 12/17/2004 8:06:18 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: Temple Owl

ping


41 posted on 12/17/2004 8:22:26 AM PST by Tribune7

To: zeugma

Can someone suggest a good free office suite for my new laptop? I've always preferred WordPerfect over Microsoft Word, and used to use freeware from some of the WP creators but can no longer find it.


42 posted on 12/17/2004 8:27:21 AM PST by Sisku Hanne (Deprogramming the left, one truth at a time.)

To: Sisku Hanne
OpenOffice.org
43 posted on 12/17/2004 8:28:03 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: zeugma

bump for later read


44 posted on 12/17/2004 8:30:25 AM PST by power2 (JMJ)

To: zeugma

EXCELLENT! THX!


45 posted on 12/17/2004 8:40:09 AM PST by Quix (5having a form of godliness but denying its power. I TIM 3:5)

To: zeugma
Use XP and feel safe....

With Anti-Virus software updated daily.
A good Firewall device
Windows Update ON and USED
Do not use IE
Do not use Express
If you use Outlook, turn the security settings to "High"

Do not install freeware or toolbars, cute monkeys or smileys. If you are not absolutely sure of the safety and cleanliness of the software, you do not need it.

Do not open emails or attachments unless you are sure; knowing the sender means nothing, the next virus will likely come from a friend.

I use Firefox, Thunderbird (and Outlook with the Company Exchange Server) and Norton Anti-Virus.

46 posted on 12/17/2004 9:07:22 AM PST by CyberCowboy777 (Zip it Hippie! - http://www.casualconservative.com/)

To: zeugma

Funny, just yesterday I was thinking I never hear of PGP anymore. And this article mentions using it.
I never have. Wonder how many do.


47 posted on 12/17/2004 2:02:19 PM PST by Vinnie

To: ShadowAce
Thanks for the tip...looks like a really comprehensive suite.

I'm having an issue here...just downloaded & installed the newest Zone Alarm, which has a totally different interface than the version I had on my desktop (that one had a Programs tab where I could hand select which programs went online or were allowed to pass the internet lock).
Now I can't seem to get anywhere online except Google.....it just sits there forever trying to load the page...no error messages or anything. I had to shut ZA down to get on FR and Yahoo. Is there something I need to change somewhere in the default settings?
TIA.

48 posted on 12/17/2004 4:38:13 PM PST by Sisku Hanne (Deprogramming the left, one truth at a time.)

To: Vinnie
I never have. Wonder how many do.

I do. So do others. It's a shame more don't.

49 posted on 12/17/2004 6:40:47 PM PST by zeugma (Come to the Dark Side...... We have cookies!)

To: zeugma
One suggestion I'd add to his list: Install Linux

My ex-boyfriend swears by Linux but does legal work for Microsoft. Uses his Linux OS computer to prepare the MS documents. heh heh

50 posted on 12/17/2004 6:45:42 PM PST by arasina (So there.)

