
Peter's Rules of Computer Hygiene

Maria sometimes calls me Peter Pedantic, and she's right to do so (he said pedantically). But there are areas where being pedantic is a Good Thing™, including ophthalmic surgery, nuclear power station design, and computer security.

Over 30 years in the computer industry has taught me that there are only two types of computer systems: those that have already been compromised and those that have not yet been compromised. And, yes, that includes Macs and Linux machines. There is no way to completely protect a computer that is connected to a network. The number of attack vectors (i.e., how they get into your system) is almost unlimited. You are not only up against guys who can't get a date Saturday night, you are also dealing with real professionals, including the Russian Mafia. (Yes, really.)

Security is not a single action that you can do once and never worry about again. Security is a process, and it never ends – not ever. The day you stop actively defending your system is the day that your defenses start to erode.

You can ignore the following rules if, and only if,

  • you don't care what happens to your hardware, software or data, and
  • you don't care what happens to the computers connected to yours — meaning those owned by your friends, family or business associates.

The Rules

  1. Never, ever open an email attachment you were not expecting. Period. Doesn't matter whom it appears to be from, what type of attachment it appears to be, which email reader you use or what operating system you are running. Just Say No!

    If you think it might be legitimate, but aren't sure, contact the apparent sender and ask if they sent it and what it is. If it is legitimate, save it to disk and scan it for viruses — being legit does not mean it's not infected.

    Special Note: I don't care how "official" a piece of email looks, Microsoft will never send you email containing executable "security fixes." This is because (a) they probably have no idea what your email address is, and (b) if you are on their security mailing list, as I am, you will receive only a URL (a web link) to where the fix(es) live on their secure servers.

  2. Never, ever click a link in an email that is not clearly from a well-known friend or colleague. I know this sounds extreme, but email "phishing" is a much beloved method of criminals all over the world. They want you to go to the "login page" of (pick one) CitiBank, PayPal, Chase Manhattan, what-have-you, and put in your user name and password. You are supposedly doing this to verify something about your account (it was changed, suspended, some unknown person just put money in it for you, or something like that).

    The link you click will take you to a page that looks exactly like the real thing ... except it's not. You give your user name and password and click Login. You are then informed that something went wrong and you are "returned" to the login page. Except that (a) you just gave the crooks critical account information, and (b) the page you were "returned" to really is the login page for the related site. This time when you give your user name and password they will work, and you'll forget all about it. Until, that is, you notice strange charges from Hanoi or Mumbai on your credit card.

    Just recently my wife got one of these from "PayPal," saying someone had just sent her money. She does have a PayPal account, but was not expecting anything from anyone. I looked at the headers of the email (stuff that is normally hidden from the user because it is (a) irrelevant and (b) cryptic in the extreme). The raw IP address of the sender (Internet equivalent of Caller-ID) showed that the email came from Russia. I might add that the Russian Mafia simply adores the Internet – they can pillage your accounts all they want and there is no extradition treaty between the U.S. and Russia.

  3. Do NOT use Microsoft Outlook or Outlook Express for reading your email. Period. Outlook is the single greatest security risk in the entire computer industry. In security circles it is known by names such as Outbreak Express or LookOut. Yes, it is really that dangerous. I suggest some alternatives below.

  4. Do NOT use Microsoft's Internet Explorer (MSIE) as your primary web browser. If Outlook is a 10 on the Virus-Spreading Richter Scale (and it is), then MSIE is at least in the 8's. But don't take my word for it, CERT (the Computer Emergency Readiness Team, part of the U.S. Department of Homeland Security) has issued a Vulnerability Note giving a detailed technical analysis of MSIE and ending with the conclusion, 'Use a different web browser.'

    And then there's this story: Microsoft security chief uses Firefox. Does he know something you don't?

    More recently, there was this story in the New York Times which said pretty much the same thing.

    See below for my recommendations in this area.

  5. All local networks (including single, standalone machines) must be separated from the Internet by a firewall. If you don't understand why you need a firewall, then that is the reason you need a firewall. The only computers that should be directly connected to the Internet are "hardened" machines run by paranoid system administrators. These machines will probably be running a variant of the Unix or Linux operating systems. DO NOT run any version of Windows (home, professional or server) Naked On The Net. Period.

  6. Do not permit "writable file shares" between Windows machines. Almost everyone who thinks they need to do this (a) does not understand the danger (virus propagation) and (b) hasn't made the case for why they actually need it. There are rare exceptions to this rule, but you probably aren't one of them.

  7. Homemade CDs and thumb-drives brought in from outside your network should immediately be checked for viruses. They represent potential security threats. Think of them like handkerchiefs: if you just took it out of the wrapper, it's probably OK to use it to blow your nose, but if you just picked it up off of the floor of a railway station — eek!

    I know of companies where it is a Firing Offense to bring in a disk from an outside machine and just plug it into your desktop machine. They have standalone systems that are there solely for the purpose of scanning for viruses.

    And, please, do the scan as soon as you get the disk. If you don't, you will forget to do it and then ..., well, "I told you so" sounds so trite, but I told you so!

  8. Back up all important data. If you obey the other rules, you are unlikely to lose data as a result of outside mischief. But there are still software failures (both applications and operating systems), hardware failures, disgruntled employees, power spikes, fire, theft, and flood.

    How much effort should you put into backups? I don't know, it all depends on the value of the data. Look at a file or a folder and imagine the following scenario: It is now ten seconds after that file/folder has been destroyed or corrupted. How much would you pay to get it back? That will give you a feel for the effort and expense you should invest in your backup system. Photos of your cat will probably be less valuable than the corporate General Ledger. How about term papers? The Great American Novel? Your personal financial records?

    For a much more detailed discussion of this, see our page on Backing Up Your Computer.
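
Rule 2 mentions reading the normally hidden headers to see where a "PayPal" email really came from, and links that look like the real site but lead somewhere else. The Python below is an added example, not code from this page's author, that runs both checks on a constructed message. The host names, IP addresses and the set of trusted mail servers are assumptions made up for the illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample, not a real message; hosts and IPs are reserved test values.
SAMPLE = """\
Received: from mx.example.net ([192.0.2.10]) by inbox.example.org; Mon, 5 Mar 2012 10:00:02 -0500
Received: from mail.sender.invalid ([203.0.113.77]) by mx.example.net; Mon, 5 Mar 2012 10:00:01 -0500
Received: from paypal.com ([198.51.100.5]) by mail.sender.invalid; Mon, 5 Mar 2012 09:59:59 -0500
From: "PayPal" <service@paypal.com>
Content-Type: text/html

<p>You have money waiting: <a href="http://paypal.login.invalid/cgi">www.paypal.com/login</a></p>
"""

def handoff_ip(raw, trusted):
    """IP that handed the mail to the servers we trust; hops below that are forgeable."""
    ip = None
    for hop in message_from_string(raw, policy=policy.default).get_all("Received", []):
        by = re.search(r"\bby\s+([^\s;]+)", str(hop))  # headers are newest hop first
        if not by or by.group(1).lower() not in trusted:
            break  # stamped by a server we do not control, so stop believing it
        src = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hop))
        ip = src.group(1) if src else ip
    return ip

class _Anchors(HTMLParser):  # collects (href, visible text) for each <a> element
    def __init__(self):
        super().__init__()
        self.found, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.found.append((self._href, self._text.strip()))
            self._href = None

def _host(url):
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def deceptive_links(raw):
    """(shown host, real host) for links whose visible text names a different site."""
    body = message_from_string(raw, policy=policy.default).get_body(("html",))
    p = _Anchors()
    p.feed(body.get_content() if body else "")
    return [(_host(t), _host(h)) for h, t in p.found
            if "." in t and " " not in t and _host(t) != _host(h)]
```

Only the Received lines stamped by your own mail provider can be believed, which is why the bottom line claiming "paypal.com" is ignored; the From line is never evidence of anything.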

Anti-virus software is not a panacea!

Do you need anti-virus software (AVS)? Yes, you do.
Is it all you need? No.

NOTE WELL: All AVS is reactive; it can only protect you against computer viruses it already knows about, not new ones. There are over 200,000 known viruses and variants, with dozens of new ones showing up every week. If you are in any way lax about keeping your AVS's "virus signature database" up to date, you will rapidly increase your vulnerability to the virus du jour.

Peter's Recommendations

Web browser and Mail programs

The best programs for web-browsing and email-reading come from the Mozilla Corporation. This group rose from the ashes of Netscape, the company that Microsoft ran out of business and which was the reason that MS was found in violation of U.S. anti-trust laws. Netscape's bones were bought by AOL, who then helped volunteers create the Mozilla Foundation, which then morphed into the Mozilla Corporation.

The two primary programs from Mozilla are Firefox, a web browser, and Thunderbird, a mail reader. These are next-generation products and they have many, many extensions you can add to them.

See my page on Setting up Firefox and Thunderbird for instructions on migrating your bookmarks and email, plus a list of some of the most useful extensions. It's all free and it's all good.

Firewalls

There are hardware firewalls and software firewalls. I used to recommend using both, but people seem to get into a fair amount of trouble using poorly-configured software firewalls. The one that comes with MS Windows is OK, but it's nothing for them to be proud of.

That leaves hardware firewalls. Almost all consumer routers include firewalling as one of their functions. Routers are sold by Linksys, Netgear, D-Link, and many others. My recommendation is one of the Linksys WRT54G family of routers. They support wireless access, but even if you don't need that, they are less expensive than most of the non-wireless routers out there. (The wonders of economies of scale.) Here is a whole page of them at Amazon.

IMPORTANT! All of these routers come with a default password for the administrator. One of the very first things you should do after plugging in the unit is to change the admin password! Let me say that again: change the admin password!

IMPORTANT! If you buy a wireless router, turn on the wireless security feature! There's more to know about this, so I will have a Wireless Router Configuration Guide soon.

Antivirus programs

Note: Don't try to run more than one anti-virus package at a time. Doing so can make your machine unstable or unusable. Multiple packages can get into a dueling-banjos situation, so make sure you completely disable one (or even uninstall it) before you install and play with a different one.

I recommend AVG. I use it on all of my machines and a large percentage of my senior technical colleagues run it on theirs. It works, it is fairly light-weight (i.e., it doesn't completely consume your CPU or memory resources) and it comes in Free and Pro ($39 for a two-year subscription) versions. These are some of the Good Guys™ on the net, so I recommend supporting them by buying the Pro version.

I also like Kaspersky, but it doesn't always install cleanly. In particular, I have yet to get it to work on my own desktop machine. It does something to disable networking and the only thing I can do to re-enable it is to completely remove their product. This is a real shame, since they have a very high virus-recognition score.

One other one I have played with recently is NOD32. I played with the trial version and it installed cleanly, ran with a light touch, and (most importantly) found viruses in incoming email.

Why don't I recommend Norton or McAfee? I find that they load your system down with a lot of unnecessary crap, which can (and does) cause slow startups, erratic system operation, and, sometimes, they are the reason your machine locks up. If you simply must install Norton, do not install CleanSweep! It is complete garbage and will give you endless grief. I have also had a lot of problems with Norton's Firewall system. Not only does it block your techbuddy from helping you, it can keep you from sharing files and printers in your own home. It's a complete PITA.

Anti-spyware programs

There are two here that are worth looking at. They seem to work in slightly different ways and so I use both of them!

Adaware is a good, free spyware scanner. They also have a Pro (i.e., $$) version.

Spybot - Search & Destroy is a good (and free) spyware scanner.

  Last modified: 2013.02.18 02:00 UTC                          © 2007-2013 TechBuddy.us