Peter's Rules of Computer Hygiene
Maria sometimes calls me Peter Pedantic, and
she's right to do so (he said pedantically). But there
are areas where being pedantic is a Good Thing™,
including ophthalmic surgery, nuclear power station design, and
Over 30 years in the computer industry has taught me that
there are only two types of computer systems: those that
have already been compromised and those that have not yet been compromised.
And, yes, that includes Macs and Linux machines.
There is no way to completely protect a computer that is
connected to a network.
The number of attack vectors (i.e., how they get into your system)
is almost unlimited. You are not only up against guys who can't get
a date Saturday night, you are also dealing with real professionals,
including the Russian Mafia. (Yes, really.)
Security is not a single action that you can do once and
never worry about again. Security is a process, and it never
ends – not ever. The day you stop actively defending your system is the day
that your defenses start to erode.
You can ignore the following rules if, and only if,
- you don't care what happens to your hardware, software
or data, and
- you don't care what happens to the computers connected to
yours — meaning those owned by your friends, family or
ever open an email attachment you were not expecting. Period.
Doesn't matter whom it appears to be from, what type of
attachment it appears to be, which email reader you use or
what operating system you are running. Just Say No!
If you think it might be legitimate, but aren't sure, contact the
apparent sender and ask if they sent it and what it is.
If it is legitimate, save it to disk and scan it for
viruses — being legit does not mean it's not infected.
Special Note: I don't care how "official" a piece of email
looks, Microsoft will never send you email containing executable
"security fixes." This is because (a) they probably have no
idea what your email address is, and (b) if you are on their
security mailing list, as I am, you will receive only a URL (a
web link) to where the fix(es) live on their secure servers.
- Never, ever click a link
in an email that is not clearly from a well-known friend or colleague.
I know this sounds extreme, but email "phishing" is a much beloved
method of criminals all over the world. They want you to go to
the "login page" of (pick one) CitiBank, PayPal, Chase Manhattan, what-have-you,
and put in your user name and password. You are supposedly doing
this to verify something about your account (it was changed, suspended,
some unknown person just put money in it for you,
or something like that).
The link you click will take you to a page that looks exactly
like the real thing ... except it's not. You give your user name and
password and click Login.
You are then informed that something went wrong and
you are "returned" to the login page.
Except that (a) you just gave the
crooks critical account information, and (b) the page you were "returned" to
really is the login page for the related site. This time
when you give your user name and password they will work, and
you'll forget all about it. Until, that is, you notice strange charges
from Hanoi or Mumbai on your credit card.
Just recently my wife got one of these from "PayPal,"
saying someone had just sent her money.
She does have a PayPal account, but was not expecting anything
I looked at the headers of the email (stuff that is normally
hidden from the user because it is (a) irrelevant and (b) cryptic
in the extreme). The raw IP address of the sender (Internet equivalent
of Caller-ID) showed that the email came from Russia. I might
add that the Russian Mafia simply adores the Internet – they
can pillage your accounts all they want and there is no extradition
treaty between the U.S. and Russia.
- Do NOT use Microsoft Outlook or Outlook Express
for reading your email.
Period. Outlook is the single greatest security risk
in the entire computer industry. In security circles it is
known by names such as Outbreak Express or LookOut. Yes,
it is really that dangerous. I suggest some alternatives below.
- Do NOT use Microsoft's Internet Explorer (MSIE)
as your primary web browser.
If Outlook is a 10 on the Virus-Spreading Richter Scale (and it is),
then MSIE is at least in the 8's. But don't take my word for it,
CERT (the Computer Emergency
Readiness Team, part of the U.S. Department of Homeland Security) has
issued a Vulnerability
Note giving a detailed technical analysis of MSIE and ending with the
conclusion, 'Use a different web browser.'
And then there's this story:
Microsoft security chief uses Firefox. Does he know
something you don't?
More recently, there was this story in
the New York Times which said pretty much the same thing.
See below for my recommendations in this area.
- All local networks (including single, standalone machines)
must be separated from the Internet by a firewall.
don't understand why you need a firewall, then that is the
reason you need a firewall. The only computers that should be
directly connected to the Internet are "hardened" machines run
by paranoid system administrators. These machines will probably
be running a variant of the Unix or Linux operating systems.
DO NOT run any version of Windows (home, professional or server)
Naked On The Net. Period.
- Do not permit "writable file shares" between
Almost everyone who thinks they need to do this (a) does not
understand the danger (virus propagation) and (b) hasn't made
the case for why they actually need it. There are rare exceptions
to this rule, but you probably aren't one of them.
- Homemade CDs and thumb-drives brought in
from outside your network should immediately be checked for viruses.
They represent potential security threats.
Think of them like handkerchiefs:
if you just took it out of the wrapper, it's probably OK to
use it to blow your nose, but if you just picked it up off of
the floor of a railway station — eek!
I know of companies where it is a Firing Offense to bring
in a disk from an outside machine and just plug it into your
desktop machine. They have standalone systems that are there
solely for the purpose of scanning for viruses.
And, please, do the scan as soon as you get the disk.
If you don't, you will forget to do it and then ..., well,
"I told you so" sounds so trite, but I told you so!
- Back up all important data.
If you obey the other rules, you
are unlikely to lose data as a result of outside mischief.
But there are still software failures (both applications and
operating systems), hardware failures, disgruntled employees,
power spikes, fire, theft, and flood.
How much effort should you put into backups? I don't know, it
all depends on the value of the data. Look at a file or a folder
and imagine the following scenario: It is now ten seconds after
that file/folder has been destroyed or corrupted. How much
would you pay to get it back? That will give you a feel for the
effort and expense you should invest in your backup system.
Photos of your cat will probably be less valuable than the
corporate General Ledger. How about term papers? The Great
American Novel? Your personal financial records?
For a much more detailed discussion of this, see our
page on Backing Up Your Computer.
Anti-virus software is not a panacea!
Do you need anti-virus software (AVS)? Yes, you do.
Is it all you need? No.
NOTE WELL: All AVS is reactionary;
it can only protect you against computer viruses it already knows about,
not new ones. There are over 100,000 200,000
known viruses and variants, with dozens
of new ones showing up every week. If you are in any way lax about
keeping your AVS's "virus signature database" up to date, you will rapidly
increase your vulnerability to the virus du jour.
Web browser and Mail programs
The best programs for web-browsing and email-reading come from the
This group rose from the ashes of Netscape,
the company that Microsoft ran out of
business and which was the reason that MS was found in violation
of U.S. anti-trust laws.
Netscape's bones were bought by AOL, who then
helped volunteers create the Mozilla Foundation, which then morphed into
the Mozilla Corporation.
The two primary programs from Mozilla are
Firefox, a web browser,
and Thunderbird, a
These are next-generation products and they have many, many
extensions you can add to them.
See my page on Setting up Firefox and Thunderbird
for instructions on migrating your bookmarks and email, plus a list
of some of the most useful extensions. It's all free and it's all good.
There are hardware firewalls and software firewalls.
I used to recommend using both, but people seem to get
into a fair amount of trouble using poorly-configured
software firewalls. The one that comes with MS Windows is OK,
but it's nothing for them to be proud of.
That leaves hardware firewalls.
Almost all consumer routers include firewalling as one of their functions.
Routers are sold by Linksys, Netgear, D-Link, and many others.
My recommendation is one of the
Linksys WRT54G family of routers.
They support wireless access, but even if you don't need that,
they are less expensive than most of the non-wireless routers out there.
(The wonders of economies of scale.)
Here is a whole page of them at Amazon.
IMPORTANT! All of these routers come with a default password
for the administrator. One of the very first things you should do after
plugging in the unit is to change the admin password! Let me say
that again: change the admin password!
IMPORTANT! If you buy a wireless router, turn on
the wireless security feature! There's more to know about this,
so I will have a Wireless Router Configuration Guide soon.
Note: Don't try to run more than one anti-virus package at a time.
Doing so can make your machine unstable or unusable.
Multiple packages can get into a dueling-banjos situation, so
make sure you completely disable one (or even uninstall it)
before you install and play with a different one.
I recommend AVG.
I use it on all of my machines and a large percentage
of my senior technical colleagues run it on theirs. It works, it
is fairly light-weight (i.e., it doesn't completely consume your
CPU or memory resources) and it comes in
($39 for a two-year subscription) versions.
These are some of the Good Guys™ on the net, so I
recommend supporting them by buying the Pro version.
I also like Kaspersky,
but it doesn't always install cleanly. In particular, I have
yet to get it to work on my own desktop machine. It does something
to disable networking and the only thing I can do to re-enable it
is to completely remove their product. This is a real shame, since
they have a very high virus-recognition score.
One other one I have played with recently is NOD32.
I played with the trial version and it installed cleanly, ran with
a light touch, and (most importantly) found viruses in incoming email.
Why don't I recommend Norton or McAfee? I find that they load your
system down with a lot of unnecessary crap, which can (and does) cause
erratic system operation, and, sometimes, they are the reason
your machine locks up. If you simply must install Norton,
do not install CleanSweep! It is complete garbage
and will give you endless grief.
I have also had a lot of problems with Norton's Firewall system.
Not only does it block your techbuddy from helping you,
it can keep you from sharing files and printers in your
own home. It's a complete PITA.
There are two here that are worth looking at. They seem to
work in slightly different ways and so I use both of them!
is a good, free spyware scanner.
They also have a Pro (i.e., $$) version.
Spybot - Search & Destroy
is a good (and free) spyware scanner.