Safe Personal Computing (was Re: CRYPTO-GRAM, December 15, 2004)
R.A. Hettinga
rah at shipwright.com
Wed Dec 15 05:21:33 PST 2004
At 11:41 PM -0600 12/14/04, Bruce Schneier wrote:
> Safe Personal Computing
>
>
><http://www.schneier.com/blog/archives/2004/12/safe_personal_c.html>
>
>I am regularly asked what average Internet users can do to ensure their
>security. My first answer is usually, "Nothing--you're screwed."
>
>But that's not true, and the reality is more complicated. You're
>screwed if you do nothing to protect yourself, but there are many
>things you can do to increase your security on the Internet.
>
>Two years ago, I published a list of PC security recommendations. The
>idea was to give home users concrete actions they could take to improve
>security. This is an update of that list: a dozen things you can do to
>improve your security.
>
>General: Turn off the computer when you're not using it, especially if
>you have an "always on" Internet connection.
>
>Laptop security: Keep your laptop with you at all times when not at
>home; treat it as you would a wallet or purse. Regularly purge
>unneeded data files from your laptop. The same goes for PDAs. People
>tend to store more personal data--including passwords and PINs--on PDAs
>than they do on laptops.
>
>Backups: Back up regularly. Back up to disk, tape or CD-ROM. There's
>a lot you can't defend against; a recent backup will at least let you
>recover from an attack. Store at least one set of backups off-site (a
>safe-deposit box is a good place) and at least one set
>on-site. Remember to destroy old backups. The best way to destroy
>CD-Rs is to microwave them on high for five seconds. You can also
>break them in half or run them through better shredders.
>
>Operating systems: If possible, don't use Microsoft Windows. Buy a
>Macintosh or use Linux. If you must use Windows, set up Automatic
>Update so that you automatically receive security patches. And delete
>the files "command.com" and "cmd.exe."
>
>Applications: Limit the number of applications on your machine. If
>you don't need it, don't install it. If you no longer need it,
>uninstall it. Look into one of the free office suites as an
>alternative to Microsoft Office. Regularly check for updates to the
>applications you use and install them. Keeping your applications
>patched is important, but don't lose sleep over it.
>
>Browsing: Don't use Microsoft Internet Explorer, period. Limit use of
>cookies and applets to those few sites that provide services you
>need. Set your browser to regularly delete cookies. Don't assume a
>Web site is what it claims to be, unless you've typed in the URL
>yourself. Make sure the address bar shows the exact address, not a
>near-miss.
>
>Web sites: Secure Sockets Layer (SSL) encryption does not provide any
>assurance that the vendor is trustworthy or that its database of
>customer information is secure.
>
>Think before you do business with a Web site. Limit the financial and
>personal data you send to Web sites--don't give out information unless
>you see a value to you. If you don't want to give out personal
>information, lie. Opt out of marketing notices. If the Web site gives
>you the option of not storing your information for later use, take
>it. Use a credit card for online purchases, not a debit card.
>
>Passwords: You can't memorize good enough passwords any more, so don't
>bother. For high-security Web sites such as banks, create long random
>passwords and write them down. Guard them as you would your cash:
>i.e., store them in your wallet, etc.
>
>Never reuse a password for something you care about. (It's fine to
>have a single password for low-security sites, such as for newspaper
>archive access.) Assume that all PINs can be easily broken and plan
>accordingly.
>
>Never type a password you care about, such as for a bank account, into
>a non-SSL encrypted page. If your bank makes it possible to do that,
>complain to them. When they tell you that it is OK, don't believe
>them; they're wrong.
>
>E-mail: Turn off HTML e-mail. Don't automatically assume that any
>e-mail is from the "From" address.
>
>Delete spam without reading it. Don't open messages with file
>attachments, unless you know what they contain; immediately delete
>them. Don't open cartoons, videos and similar "good for a laugh" files
>forwarded by your well-meaning friends; again, immediately delete them.
>
>Never click links in e-mail unless you're sure about the e-mail; copy
>and paste the link into your browser instead. Don't use Outlook or
>Outlook Express. If you must use Microsoft Office, enable macro virus
>protection; in Office 2000, turn the security level to "high" and don't
>trust any received files unless you have to. If you're using Windows,
>turn off the "hide file extensions for known file types" option; it
>lets Trojan horses masquerade as other types of files. Uninstall the
>Windows Scripting Host if you can get along without it. If you can't,
>at least change your file associations, so that script files aren't
>automatically sent to the Scripting Host if you double-click them.
>
>Antivirus and anti-spyware software: Use it--either a combined program
>or two separate programs. Download and install the updates, at least
>weekly and whenever you read about a new virus in the news. Some
>antivirus products automatically check for updates. Enable that
>feature and set it to "daily."
>
>Firewall: Spend $50 for a Network Address Translator firewall device;
>it's likely to be good enough in default mode. On your laptop, use
>personal firewall software. If you can, hide your IP address. There's
>no reason to allow any incoming connections from anybody.
>
>Encryption: Install an e-mail and file encryptor (like
>PGP). Encrypting all your e-mail or your entire hard drive is
>unrealistic, but some mail is too sensitive to send in the
>clear. Similarly, some files on your hard drive are too sensitive to
>leave unencrypted.
>
>None of the measures I've described are foolproof. If the secret
>police wants to target your data or your communications, no
>countermeasure on this list will stop them. But these precautions are
>all good network-hygiene measures, and they'll make you a more
>difficult target than the computer next door. And even if you only
>follow a few basic measures, you're unlikely to have any problems.
>
>I'm stuck using Microsoft Windows and Office, but I use Opera for Web
>browsing and Eudora for e-mail. I use Windows Update to automatically
>get patches and install other patches when I hear about them. My
>antivirus software updates itself regularly. I keep my computer
>relatively clean and delete applications that I don't need. I'm
>diligent about backing up my data and about storing data files that are
>no longer needed offline.
>
>I'm suspicious to the point of near-paranoia about e-mail attachments
>and Web sites. I delete cookies and spyware. I watch URLs to make
>sure I know where I am, and I don't trust unsolicited e-mails. I don't
>care about low-security passwords, but try to have good passwords for
>accounts that involve money. I still don't do Internet banking. I
>have my firewall set to deny all incoming connections. And I turn my
>computer off when I'm not using it.
>
>That's basically it. Really, it's not that hard. The hardest part is
>developing an intuition about e-mail and Web sites. But that just
>takes experience.
>
>Others have disagreed with these recommendations:
><http://www.getluky.net/archives/000145.html>
><http://www.berylliumsphere.com/security_mentor/2004/12/heres-another-really-good-twelve.html> or <http://makeashorterlink.com/?Z3772560A>
>
>My original essay on the topic:
><http://www.schneier.com/crypto-gram-0105.html#8>
>
>This essay previously appeared on CNet:
><http://news.com.com/Who+says+safe+computing+must+remain+a+pipe+dream/2010-1071_3-5482340.html> or <http://makeashorterlink.com/?V6872560A>
--
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
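As an added illustration of the "exact address, not a near-miss" advice quoted above (this is not code from the original post or from Schneier), here is a Python check that takes the host a link really points to and compares it against a constructed list of trusted hosts; the trusted names and the look-alike table are assumptions.

```python
from urllib.parse import urlsplit

# Constructed list of sites the user has typed in and trusts (assumption).
TRUSTED_HOSTS = ("www.mybank.example", "mybank.example")

# Glyph pairs that pass for each other at a glance; each is folded to one form.
LOOKALIKES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def hostname_of(url: str) -> str:
    """Host the browser really connects to, lower-cased, without trailing dot.
    urlsplit drops a 'user@' prefix, so http://mybank.example@evil.test/
    resolves to evil.test rather than to the bank."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def fold(host: str) -> str:
    """Collapse look-alike glyphs so 'rnybank' and 'mybank' compare equal."""
    for glyph, canon in LOOKALIKES.items():
        host = host.replace(glyph, canon)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character slips such as 'my-bank'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """'exact' for a trusted host, 'near-miss' for a look-alike, else 'other'."""
    host = hostname_of(url)
    if host in TRUSTED_HOSTS:
        return "exact"
    for trusted in TRUSTED_HOSTS:
        bare = trusted[4:] if trusted.startswith("www.") else trusted
        # Trusted name buried in a longer host: mybank.example.evil.test
        if bare in host:
            return "near-miss"
        # Look-alike glyphs or a single-character edit of the trusted name
        if fold(host) == fold(trusted) or edit_distance(host, trusted) <= 1:
            return "near-miss"
    return "other"
```

A verdict of "other" only says the host is not the trusted site in any disguise; it is still a site the user did not type in.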