If you tell enough stories, perhaps the moral will show up.

Showing posts with label consumer. Show all posts

2010-06-19

Barefoot Security Anti Malware

I do get asked for security advice, but not that often these days. Often, much more often, I want to tell people, to SAVE them. Yes.
So this is a worked-up version of an email I send out. It's how to keep control of your computer, your data and your passwords by preventing malware on your PC. I'm aiming at the ordinary PC/Windows user with occasional notes about Apple and Linux. It's in rough priority order, and it's mostly advice I follow myself (though it's not all of the paranoid steps I take.)
If you think I should have put AV software top of the list, you should remember that I am a security Expert. Yes, and I have business cards which say just that.

Keep your Thinking Cap Securely ON: Why on earth would you click on THAT?
If the answer is "because THOSE sites are the ones I chiefly love looking at" then you need to pay close attention to the rest of this list.
And if you say "because I'm human and I'm not 100% focussed 100% of the time" then you should read on too.
Backup your Files: Anything you care about should be on media which you don't leave plugged in. There are some nasty malware infections which are simplest to eradicate with a format and restore, so backups are essential. (And there's always fire, flood, technical failure and stupidity, if malware doesn't worry you!)
It's a big topic. You need to think about having a regular system that will show you if copies get lost or aren't taken, about testing your backups, satisfying any data protection obligations, encryption if you worry about people reading it, and keeping media out of the range of that fire/flood/whatever.
It's a shame that it's a top priority as it's none too easy. If you're in doubt about how to do this, I suggest you set up with a UK online backup service, test their software, check their prices and get value out of their support line!
Don't do PC Work as an Administrator: This is really just for Windows users as Mac and Linux set it up correctly anyway. Windows 7 and Vista are better, but you should still arrange to work as a non-admin.
In XP, go into the control panel and set up a new admin account. Then make your regular account into a limited user. Use the limited account for all browsing, email, word processing etc. Only use the admin account to install software, add new hardware, and set up users.
This simple trick stops a proportion of Windows malware, when malware programmers are lazy and assume you haven't taken this precaution -- as most people haven't. Even though attackers are wising up now, and plenty of password stealers and others will now install without admin, it's still an important precaution because it stops rootkits, and ensures that installed malware is easier to clean off.
The problem is that other programmers, especially games programmers, are just as lazy as malware authors so their stuff won't work. Software which insists on admin privileges to run (rather than to install) should be rejected as unfit. If you're stuck with it, investigate "run as".
Apply Security Fixes: Ensure that all security updates apply automatically. Malware uses unpatched vulnerabilities to install. Vulnerabilities are sometimes being exploited even before they are fixed, so ignore people who say you should wait a few days -- it's too complicated, and the risk of you forgetting or being exploited in those few days is much greater than that of a bad patch.
In Windows take a moment to turn the software firewall on, as that setting is nearby.
Keep your Auxiliary Programs Up To Date: Make sure that all of the extra stuff you need for the full experience (Adobe Reader, Flash, Shockwave, Quicktime, Java) is up to date. Secunia Inspector is a good way to check.
Most modern attacks arrive through these products. If you use Office, Photoshop or whatever make sure you get updates for that too.
Use a Less Common Browser: On Windows, don't use Internet Explorer (except for updates where it makes you do it.) On Mac, don't use Safari. Malware authors naturally target the common browsers.
On Windows, install and use Google Chrome browser because it can update itself as a non-admin (unlike Firefox). If you must browse as an admin, install Firefox and learn to use it with NoScript.
Also in Windows, take the time to keep IE up to date. Even if you think you're not using it, you don't want old versions on your PC.
Use AV Software: On Windows, Microsoft Security Essentials is good enough -- free, unobtrusive and good quality -- if you avoid admin browsing and email. Check that it is updating automatically.
I confess I don't run AV myself, but it seems like a necessity for people who like to test animated cursors or other oddments.
Disable the Big Adobe Reader Mistakes: Adobe stuff needs special attention. There's just so much malware targeting it, and it's not easy to keep up with the updates. PDF used to be a handy document format, now it's a malware magnet. Reader X (10) is an improvement, but it's still a bore. You have to switch off the idiot features that Adobe added.
Start the Adobe Reader and pull down Edit/Preferences…
  • Select Trust Manager in the list and clear the checkbox marked "Allow opening of non-PDF file attachments with external applications"
  • Select JavaScript and clear the checkbox marked "Enable Acrobat JavaScript"
You need to repeat for every user account that uses Reader. There are equivalent settings in Acrobat if you use that -- you'll need to find them yourself.
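The same two preferences can be audited across accounts from the registry. This is an added example, not part of the original post: the function name is hypothetical, and `bEnableJS` and `bAllowOpenFile` are the per-user value names Adobe documents for Reader 9 and X, so treat them as assumptions on other versions.

```powershell
# Added example, not from the original post. For every user hive currently
# loaded under HKEY_USERS (i.e. accounts that are logged on), report the
# state of the two Reader preferences the post says to clear.

function Get-ReaderRiskySettings {
    $checks = @(
        @{ Setting = 'Enable Acrobat JavaScript';         SubKey = 'JSPrefs';   Name = 'bEnableJS' },
        @{ Setting = 'Open non-PDF attachments externally'; SubKey = 'Originals'; Name = 'bAllowOpenFile' }
    )

    # Real user hives only; this skips .DEFAULT, service SIDs and *_Classes.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }

    foreach ($hive in $hives) {
        $sid = $hive.PSChildName
        $readerRoot = "Registry::HKEY_USERS\$sid\Software\Adobe\Acrobat Reader"
        if (-not (Test-Path -LiteralPath $readerRoot)) { continue }

        # Resolve the SID to an account name where possible (orphaned SIDs throw).
        $account = $sid
        try {
            $sidObj  = New-Object System.Security.Principal.SecurityIdentifier $sid
            $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }

        # One subkey per installed Reader version (for example 9.0 or 10.0).
        foreach ($version in Get-ChildItem -LiteralPath $readerRoot) {
            foreach ($check in $checks) {
                $key   = "$readerRoot\$($version.PSChildName)\$($check.SubKey)"
                $value = $null
                if (Test-Path -LiteralPath $key) {
                    $prop  = Get-ItemProperty -LiteralPath $key -Name $check.Name -ErrorAction SilentlyContinue
                    $value = $prop.($check.Name)
                }
                # A missing value means the user never changed the preference.
                $state = if ($null -eq $value) { 'not set (Reader default applies)' }
                         elseif ($value -eq 0) { 'disabled' }
                         else                  { 'ENABLED' }

                [pscustomobject]@{
                    Account = $account
                    Version = $version.PSChildName
                    Setting = $check.Setting
                    State   = $state
                }
            }
        }
    }
}

Get-ReaderRiskySettings | Format-Table -AutoSize
```

Run it from an elevated prompt so other users' hives are readable; accounts that are not logged on have no hive loaded and will not appear.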
So will these make you secure? Well, no; nothing will. But they will stop you from being a soft target. If you have secrets to keep, there's a whole other journey about understanding the settings on your accounts, encrypting data and the rest. But that is another post.

2007-12-23

Paid-for Malware

I sometimes get asked what anti-virus software I recommend for use on the home PC. I've tried a number of possible answers but my heart isn't in any of them: I know McAfee is a pain; bouquets for Norton outweigh the complaints, but not by much, so I've been recommending Kaspersky -- I know it works and the price is closer to reasonable. So a story like this one is a bit disconcerting. What are the lessons?

  1. Don't trust software more than you need to. We had all the warning we needed when McAfee pulled this same stunt on a bunch of system files a few years ago. Don't delete: Quarantine.
  2. It's time to start getting more assertive about my true answer....
Which is this: I don't run AV software at home. I never have. I don't do stupid things, mostly, and I don't let the children or Mrs U have administrator accounts. I know how to use autoruns (though I've never needed it) and there are the web scanners. I've never had any trouble, even on Windows, and my truly personal computer runs Linux.

Even just writing that, I can see how eccentric and impossible it seems.... really I should just say that I've no useful advice to give.

2007-11-16

Choice. I hate it.

I bought a new computer last night. Even though I'm not exactly Mr. Desktop I thought I would be able to make a sensible choice. In fact I was so overwhelmed, I nearly bought nothing.

First: supplier. I've bought from Morgan before and had a slightly patchy experience (but nothing unfair, and nothing that couldn't be resolved with my own skills.) This time I was going to avoid trouble by sticking to brand new stock -- retired from shops after going out of date. I liked the look of the HP media PCs with TV tuners and big plug-in HDs -- they were old enough to be packaged with XP Media centre (I really don't want that "which Vista edition" issue until SP1 --maybe not then), they were fully loaded with ports and the more expensive models had Intel dual cores, 2GB memory and GEForce 7600 with 256 MB. I didn't want a screen package because the more mad son has a history of headbutting flatscreens to death: CRTs are tougher and I have them already.

So I thought that was pretty cut and dried. But I can't resist a quick visit to Dell.

First impressions are low price -- Dell include VAT, and Morgan exclude it (which I think is a tad dodgy on consumer kit sold retail). Now I know that Dell charge a shameless £50 for delivery but it turns out it's free until the end of the month. Second thing is that XP is back on offer -- it was Vostro-only in September but now the consumer pages have it too. And it's XP Pro which is a big plus.

So into the configurator to be faced with all those tough choices. Many of the base builds lack 2GB and the prices start notching up as I make those tempting choices. Not all models let me configure "no screen" and if I'm having a screen maybe I should get the posh graphics as well.

I finally settle on a bearable heuristic. I'll only get factory fitted upgrades where I haven't upgraded myself successfully in the past.

I end up with PC Duo 6550, 2GB (I've had problems with dodgy 1GB parts), the base graphics (because no-name GEF8600 will be cheap and good in a year's time), the base HD (definitely getting NAS ....) And a screen, which was too good to give up for £80 and I will put on the PC upstairs to keep the less mad son happy until he gets his laptop.

All that choosing left me emotionally committed to the Dell. I matched it to an HP package from Morgan and found it close (screen to placate LMS with graphics upgrade option in the future vs. no screen, and better but obsolete graphics now; no media centre tuner remote & wireless vs. XP pro and the confidence I wouldn't use that stuff; in stock vs two week delivery ouch) but a few pounds less.

So I bought the Dell. But it wasn't easy.

2007-10-26

Physical Insecurity

A frisson walking across the fields on my way home this evening -- that lively sound of bullets wheeling past my head. It wasn't a demented assassin emerging from my ugly past -- the faint red light gave it away as an incompetent lamper with a silenced rifle killing rabbits behind Forstal farm. He carried on firing as I walked out of danger even though I was shining my torch at his likely location. Once I'd got to the safety of the lane I walked along to find out what was going on, and encountered a man claiming to be Shay Harbour(?) He knew about the footpath, he said, and thought his line of fire would be OK.

Any more of that sort of thing, and I'm getting a 50mW green laser and a night vision scope -- after this shone down his bins he'd be hard put to tell up from down, let alone fire his weapon.

2007-03-27

Desperate for a Wii

(This is my entrant for "most puerile reference to a Nintendo gaming console 2007".)

Now that the less mad son's eagerly desired birthday present has arrived from a reputable supplier (gamestation) I feel that it won't be tempting fate to describe what happens when you try and order from some other suppliers.

About ten days ago, Mrs U was desperately looking for a Wii. It launched months ago -- how could it possibly be in short supply now? The LMS was on a promise but there were none to be found with a fixed delivery date anywhere in the UK. Until she came across a site that magically was promising a five day delivery. Just time! So she shopped, waved her credit card, and waited.

No confirmation email: that's odd. Five days later, no Wii: that's a nightmare. Check the bank account: £2,500 debited by a restaurant in Surrey. Oooh.

Now I'm not naming the site because it's just possible that the cause of the trouble is actually this. But I don't think so.

The point to this sad story is that Mrs U is a competent shopper and competent security consumer. She declines to speak to the bank when they ring her up and ask her to confirm her identity. She knows what the padlock means. But as soon as she was a little bit needy, she was willing to deal with a site she'd never used before, without doing research that could have shown the slagging it got on Yahoo answers, she was willing to ignore the absence of a phone number, and she clicked straight through the warning from the self-signed certificate that was pointing to a "commerce" site hosted the Dear knows where. Education and common sense swept aside by need and "experience" of good shopping outcomes in the past.

It's worse for the restaurant: they've accepted a bad card without a PIN and that'll mean a monster charge back straight off their margin. Grief all round.

Education is supposed to be the key security tool, but it seems to me that the only education that works is to screw up.

2007-03-24

Limited User? Limited programmer if you ask me.

Less mad son's birthday and the Wii hasn't turned up, so I had to fall back on an old promise to install Steam and pay for a copy of Garry's Mod. Whatever that is.

What it is, is an easy install, together with -- in Steam -- the crappiest LUA bug ever. Obviously it needs to be installed as an admin, and equally obviously, after a deplorable spyware incident, the less mad son is not an admin. So I installed it myself, tested, and then we flipped over to his account to run it there. Well, to cut a long story short, to run Steam as a non admin, all you have to do is make sure that BUILTIN\Users have read-write permission from the install directory (\Program Files\Steam) on down. That's a bit of a palaver on XP Home, as it's hard to get the security tab to show, and I ended up going nuclear with a copy of subinacl, but conceptually it's the simplest possible LUA bug -- the installer doesn't bother to set the right permissions.

I'm not a bigot. Steam runs on Linux as well, so I can see that creating local application settings might not be the right thing to do. But I don't think it was too much to ask the testers to check that files shared among users were permissioned to BUILTIN\Users. Not to BUILTIN\Administrators.
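One way to check the permission state described above, as an added example rather than code from the original post: it lists every entry at or below an install directory that lets BUILTIN\Users write, which is both the condition Steam needed and the set of files any limited account can then modify. The function names and the default path are assumptions for illustration.

```powershell
# Added example, not from the original post. Lists ACL entries that give the
# built-in Users group write access at or below an install directory.

function Test-WriteRight {
    param([System.Security.AccessControl.FileSystemRights]$Rights)
    $raw = [int]$Rights
    # WriteData (0x2) and AppendData (0x4) are the file-specific write bits.
    # Inherit-only entries under Program Files often carry raw generic bits
    # that the FileSystemRights enum has no names for, so test those as well:
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
    $writeBits = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
    return (($raw -band $writeBits) -ne 0)
}

function Get-UsersWriteAccess {
    # Default path is an assumption based on the directory named in the post.
    param([string]$Root = "$env:ProgramFiles\Steam")

    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Not found: $Root"
        return
    }

    # S-1-5-32-545 is BUILTIN\Users; matching on the SID avoids localized names.
    $usersSid = 'S-1-5-32-545'
    $sidType  = [System.Security.Principal.SecurityIdentifier]

    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL: $($item.FullName)"
            continue
        }
        # Explicit and inherited entries, with identities returned as SIDs.
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.IdentityReference.Value -eq $usersSid -and
                $rule.AccessControlType -eq 'Allow' -and
                (Test-WriteRight $rule.FileSystemRights)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

Get-UsersWriteAccess | Format-Table -AutoSize
```

An empty result on a fresh install matches the bug in the post; after granting access, rows for `.exe` and `.dll` files show which binaries a limited account could now overwrite.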

In my opinion, programmers who test code using administrator accounts should never be admins again.

Still, at least Steam is free. Matlab costs £2-12K depending on what you buy, and our unfortunate application packager is going to have to spend days figuring out what part of the machine registry it's writing user settings to before I will sign it off for use in the firm. Slimy negligent gouging incompetents.

2007-02-24

Hospital Protocols

I spent last week in hospital with an infected joint; I've had to find out about StickyKeys, and I'm using the mouse wrong-handed. I didn't feel ill, I just had to be around for regular surgery and IV penicillin, so there was a lot of time to kill with no desk, no computer, no Internet and one or two compromised hands (you can't read when your hands hurt and you haven't got a desk).

Better people than I am would have done something useful with all this time. I just wished it was finished. But I saw a lot of security protocols:

  • When you are prepped for a local anaesthetic, it's the same as for general: eight hours starvation. For why? So you can conveniently be put right under when it all goes tits.
  • Every single person who planned to do anything substantial at all asked me whether I was allergic to anything. Every time. I was the second longest term resident on the ward at the end, and the nurse who'd infused the same prescription all week still asked the same question every time.
  • Everybody asks your name and date of birth, and then checks the band on your wrist. Every time.
I got pretty sick of this and I was brewing up some smart answers. Until the porters turned up to collect the appendectomy next to me. He was starving and ready to go. They asked his name. Wrong guy. I love security protocols.

2007-01-05

I Want a Video Server

There's a device I want to buy:

  • On the input side, composite video and sound -- at least four inputs capable of handling the feed from security cameras. Not digital, not USB -- just cheap cameras.
  • Processing: Support for video motion detection would be good.
  • And output: a stream server for live-ish video and automatic upload of motion-detecting images to a remote SFTP server. Email/text alerting driven off the motion detection makes it useful.
One of these in the attic with some strategically placed cameras would provide some worthwhile security.

It's essentially just the works from an IP camera -- it should be a few hundred pounds at Maplin. But it doesn't seem to exist. Bummer.

2006-12-28

Adsense

Running Adsense is more interesting than you would expect:

  • I can speak freely, because I know that no-one -- literally nobody except me -- is reading this. That's not a gloomy observation based on absence of comments and feedback: It's hard fact taken from the excellent hit records that Adsense provides. If I had a website (I don't), and I was lazy (I am) I'd put up an Adsense block just to get free analytics.
  • The algorithm used to target ads is excellent. I know this because I keep wanting to click on them. In the same way that cannibalism ought to be the best diet, the adsense Ads on one's own blog ought to be consistently enticing, and they are (though I could do with a bit more hedging/forestry). It's really quite frustrating (Adsense subscribers know why).

2006-12-24

That Google Account

Has anyone noticed how useful Google Docs has got lately? Obviously it's not Office 2003, nor Open Office 2, nor even Office 97. But I'm more and more finding it to be the natural home for my reference documents, drafts and other oddments. The collaboration features look interesting, and probably work well for all I know, but for me what counts is the accessibility from any of about half a dozen computers. Content search and tagging isn't a huge deal at the moment, but I know it'll save my bacon when the volume goes up, or when I upload all that stuff I used to keep on my Palm.

The limitations and problems are more and more obviously the consequence of hosting it in HTML. The tables reek (I do a lot of things in tables) but HTML tables do reek. Layout for paper is actually useless -- but I'm blaming the browsers.

And really, I find that there's a large slice of what I do where rough and ready is OK -- almost anything is OK -- if I can rely on getting at it from the computer I'm working on. That plan I'm working on in odd moments can only be a Google spreadsheet. I don't need a fair printable version of my CV, but I do need to be able to keep the copy up to date. And Blogger is a terrible place to hold draft articles like this one.

The security angle ought to be obvious. I set up my Google account so I could customise my searches, or something, and the password was some old joe job. (It isn't UMACF24, but you get the idea). By stages, stealthily, that same rotten password now defends:

  • My email, calendar, and the management of my domain (Google Apps for Your Domain)
  • A bunch of documents and plans (Google Docs)
  • My Blog
  • And probably other stuff I've forgotten.
I can change that. I'll have to allocate a "public site -- reputation/convenience" password now -- that's just one stage short of Paypal/banking. But, unfortunately, it's still just a password. And if I want to get the full benefit from Google, I'll have to use it on untrusted, bugged machines.

So, "Hey Google: It's time for a second factor!".

2006-12-22

Christmas

Today I paid

  • UKL 50 to the cleaner
  • UKL 100 to the rat catcher
  • UKL 80 on a new gardening coat for Mrs U (Christmas present)
  • UKL 50 on Felco secateurs for Mrs U (Christmas present)
  • UKL 40 on petrol
  • UKL 20 as petty cash for Mrs U and a carer to take the darlings on an outing which they did not enjoy -- Mrs U will have paid a further UKL 60 to get in
Yesterday I paid UKL 600 for 1600 litres of heating oil.

2006-09-09

What Security Angle?

We're just starting a weekly reward scheme for the less mad son -- he gets a trip to the pool or the pictures, guaranteed, if the week's Kumon has been done without too much pain. So we went to see Cars.

It's good. Better than Nemo or The Incredibles. As good as Monsters Inc. or Toy Story II though less dense than either, and perhaps that's just total confidence peeping through after fifteen or twenty years.

I'm a simple person, and I loved the jokes -- the scenery, the governor of California (was that a cameo?), casting Jeremy Clarkson as the odious Harv, and I suspect I missed a bunch of stuff in race organisation and commentary. And the story was heartwarming if somewhat daft -- my heart is perennially cold and I like it warmed up.

One thing that struck me was that the animators are just showing off now. There's a logical next step coming, though I don't know if Pixar will take it. Somebody's going to make a movie where animation is a detail of the production -- not chosen to create a fantasy world or to let the characters do impossible things, but simply because they can't be arsed to deal with real actors and locations, and the audience won't notice the difference. I wonder what it'll be? (Hope it's not porn -- that would be sad.)

2006-06-23

Ten Presents.

Comedy Dave is nine today. He's still a bit vague about age, but he has definitely grasped the concept of presents.

Starting about a month ago, with "One Present -- Piccadilly Line DVD" he has built up a gruffly declarative recitation which reached a climax of "12 Presents....". I think he genuinely began to wonder whether he had over-reached himself, anyway it stabilised at ten and he committed it to a printed list.

David being David, it was mostly driver's eye train videos and train sets. What he did put in was some Leap Pad books. He's had them for years, he's completely destroyed the printed templates, but he still plays the cartridges, placing the stylus from memory. He's so skillful, but he's well aware that the experience is missing something and he wants it back.

This has been the most consistently intentful communication that the more mad son has ever made. We got him everything possible. We've rewarded his communication -- and taught him pester power.

Apparently he was a bit shocked to discover that some presents weren't on the list, and the list itself wasn't entirely fulfilled. But he kept his composure, and settled down with the Flying Scotsman.

Party -- another surprising request -- tomorrow.

2006-05-01

Memories

Less mad son wanted some company at bedtime this evening. He was in tears thinking about lost opportunities and moral failings in the past -- truly hideous unforgiveable errors:

  • Two years ago: Leaving a teddy bear -- originally his mother's -- to be chewed by the dog. (It was rescued. It was in bed with him as we spoke.)
  • Four years ago: Losing some plastic sandals on the beach at Paignton
  • Five years ago: Deliberately crushing snails while riding his bike
  • Six years ago: Losing a balloon inadequately tied to his pushchair

These are the things he remembers. Key points are a) There are no people in any of them, and b) someone (less mad son, me or his mother) got a little het up. So we talked about learning from errors, being kind to animals and not worrying about minor stuff that can't be changed and he was a little consoled.

He says he's been having these thoughts for a few days, but I think the real reason for this evening is that he dropped and broke his plasma ball lamp this afternoon. He was so frightened about what his mother would say that he ran outside to find me so that we could hide the evidence before she found out -- which we did.

Memo to self: go easy on warning less mad son of hideous consequences of leaving CDs out for Comedy Dave to find. 1) He knows, and 2) he's already torturing himself about it.

2006-04-30

Infiltration

I finally got frustrated with the speakers on the attic PC, so I dug around in the garage to find an old Altec Lansing set -- two desktop speakers, and a floor-mounted powered subwoofer. It all smelled a bit mousy, but everything in that shed does. Got it indoors, wiped it down and set it up. The sound was no better, but the smell began to get much, much worse.

To cut a long story short, they were in the power supply. There were just the two corpses, and I think the rat poison got to them long before I powered it up, but piss, decay fluids, oak leaves, shredded rag and half eaten acorns made a fine combination. The sound tubes were a convenient mousy route in and out. I opened the box, cleaned it out with meths and an air duster, put it all back together with sticky pads to replace the anti-rattle composition and the smell is much better now.

Still have to fix the audio quality.