Saturday, December 20, 2008

PC Security

A little history is in order here. I have had the opportunity to watch the Internet grow from the early days in 1992. I got my first email address that year with a BBS (Bulletin Board System) called the 0x0 Republic. Some of you are old enough to remember those days of the BBS, Compuserve and the 14.4k Modem.

Back then, I had a humble Amiga 500 and 3000 computer. No, it didn't run DOS, it ran the AmigaOS. As you can see from the screen shot for the Amiga 500, this didn't run Windows, either. The AmigaOS drew it's roots from Unix allowing for command line and GUI operation (windows and icons) of the computer. Their user interface was very advanced compared to the Mac and the PC at the time. Unfortunately, through their own management errors, the company eventually went into bankruptcy.

Around that time, computer security wasn't really an issue. Most personal computers were still single user, general purpose computers and apparently, only a few people bothered to write a virus for the Amiga.

Eventually I got an Apple PowerBook 140b. It was with this computer that I first got a taste of the World Wide Web around 1994-5. It was a slow, stodgy, black and white experience. But I used it to do my research at the time. Back then, Alta Vista was the search engine of choice and they were considered to be the fastest search engine of the time.

And then I got a Windows laptop in 1997. When I first saw the software available for Windows, I laughed and realized what I had been missing on the Mac. I found a nice dialup ISP to work with, too. From there, I started to really get a sense of what could be found on the Internet. For years, I went without antivirus, not completely oblivious to the dangers - but just being careful not to open attachments from strangers.

In 1999, I got a computer with Windows 2000 Professional. And then I moved into a place with cable access to the Internet. I went from a 56k modem to 1.5 Mbs in speed. I had taken some classes on Windows and learned something about the security built into it. I started to read the tech news every day and noticed that more and more, viruses and trojans were making the news. So I got some Antivirus software.

I started out with Norton Antivirus and eventually moved on to Eset's NOD32. I also figured out something that my Dad taught me in terms of strategy: no defense can anticipate all attacks. So I found a good combination of tools along the way. This combination is what I'd like to share with you. It is built from years of experience and through about 12 years of running Windows. Because of this training, learning and vigilance, I've only had to rebuild a computer once due to a virus.

Keep in mind also, that no software can stop you from doing something stupid. If you open an infected attachment, from someone you don't know, you're only asking for trouble. If you click on a link in a spam message that takes you to a site harbouring malicious software, you're likely to be toast, even with the best defense available. Such a site is just waiting for you.

First and foremost, if you're running Windows, you're likely to be running as an administrator. An administrator account can do *anything* to your computer, and that includes damaging it. On the other hand, you can also use a "limited" account. This is a regular user account that can do very little, if any damage to the computer. To put it simply, admin accounts should only be used for maintenance, upgrades and software installation/removal. Limited user accounts should be used for everything else. A limited user should only be used for your daily computing tasks: Internet access, email, writing correspondence, playing games, etc.

When you start Windows up for the first time, you're prompted to provide at least one user name and additional names for other people who might use the computer. Windows XP doesn't give you much of an explanation for the differences in user accounts, either. So, unless you're informed, you create one or more admin accounts to use on your computer.

As a rule, you should never be running as admin unless you need to install a printer, software, remove software and the like. For anything else, run as a limited user.

The reason for this is simple. Many of the latest viruses and trojans install on your computer silently. Virus writers realize that most people will trash emails with attachments from people they don't know. So they use stealth. When your computer is being attacked, you will get no clue that new software is being installed - when you are running as an admin. Windows Vista can help this in some ways, but Vista also has a very similar programming philosophy to XP: convenience over safety. Yes, you can still get warnings that a software is trying to install, but a determined piece of malware can work around that and trash your computer. You won't really notice much other than your computer is running a bit slower than before. Malware tends to change the computer for its own benefit at the expense of other functions.

Now if you're running as a non-admin or limited user, and you click on a drive by download, you're going to get a message indicating that you do not have permissions to install this software - please contact your administrator! If, at this point, you were not planning on installing any new software, it's time to leave, quietly and never come back to that site. Ever.

So, if you have not done so already, create another admin account. Give it a password. Take the account that you're using now and turn it into a limited account. Whenever you need to add something to the computer or to do maintenance, log in to your admin account. For everything else, it's Visa, er, Vista, I mean...um...your limited account.

So that's the first step. Just changing the type of account you use for daily computing is a big step towards preventing infection from a virus or trojan.

Windows Update. Whatever you do, once a week, run it. Yes, they do make mistakes once in a blue moon, but I've never had any problems with their updates. Most malware is designed by reverse engineering the latest updates to find the security holes and then attacking there. Running updates for Windows on a regular basis, (and any other operating system for that matter) will further limit your chances of infection.

And now for antivirus. This is part of what is known as the Windows Tax. You pay for the license and then you pay for the antivirus and other security software. Most good antivirus suites are going to cost $40-60 for the first year, and 20-30 bucks thereafter for maintenance. The best antivirus will do a complete update of signatures without admin intervention. I heartily recommend Eset's NOD32 simply because the updates occur Automatically without you being an logged in as admin. Version upgrades will require admin access, but that is a fairly rare occurrence (once or twice a year).

I don't recommend Norton for a couple of reasons: they are a big, fat, complacent company with a huge market share. Try getting a hold of customer service there. On the other hand, Eset is hungry for your business. I can easily get a hold of their techs without cycling through their music on hold playlist.

Yes, there are others to consider, such as the free version from AVG. But you do, in a sense, get what you pay for. Caveat Emptor.

Remember what I said about how no defense can anticipate all attacks? Well, even NOD32 isn't perfect. So I strongly recommend antispyware as well. SuperAntiSpyware or AdAware are both great products that can find a lot of stuff just, you know, hanging around waiting for an innocent click to come by. They make a good complement to your antivirus software. It's worth noting here, that a fellow IT guy told me the following: Eset (NOD32) recommended SuperAntiSpyware as a complement to their own product. They acknowledged that their product won't catch *everything*. That is a very humble and honest statement to make, and heartening for me to hear. I've had similar experiences first-hand myself, so it's nice to hear it from someone else. That is why I like Eset.

So, we've covered the user accounts, the antivirus and the antispyware. You're also going to want a firewall. This is useful for software that is trying to call home, you know, to the Mother Ship. I have experience with two products for this purpose: ZoneAlarm and Eset's Security Suite w/NOD32. They are both highly recommended with full acknowledgement of other products out there.

They both provide security for those loose cannons known as "open ports". You can learn something about this, here. Gibson Research Corporation has helped me to understand the open ports issue and inspired me to try ZoneAlarm. Personal firewalls allow you to see when software is trying to call home and gives you a chance to block transmission of sensitive information to the Mother Ship!

There's another kind of firewall known as a router. You will know this as a device that allows you to share the Internet connection with more than one computer. Common brand names for routers include Linksys, Netgear, and D-Link. These are all top brands and they all provide an extra level of security. But that security only works if you enable it and configure it properly.

All routers require some form of administration to enable security. Nowadays, all consumer routers come with a CD you can run to walk you through the steps of configuring the router. This is especially important if you're using a wireless router. On any router, you want to make sure that remote administration of the router is disabled - this is usually the default setting. You will also want to reset the admin password which is "admin" usually, by default. If you do not reset the password, someone else can do it for you, as well as reconfigure the router to their liking rather than yours. Check the CD and the online manual for your router for details.

If you're using a wireless router, you must also set the passcode for access to your wireless network. Otherwise, your network will be "open" and anyone can freeload on your cable or DSL Internet access. They can also see your computer and the resources on it. It's important that you use very strong passwords to secure your devices and accounts. Words that are easy to remember are also subject to the dictionary attack on passwords. A strong password is a series of characters that doesn't make any sense. You should also use non-alphanumeric characters (i.e., !@#$%^&*(_+) as part of your very strong password.

I know this stuff is hard to remember. Well, fear not. You can save your passwords in an encrypted file by using KeePassX. This is a portable, cross-platform password manager that uses very strong encryption to protect your passwords. The program uses a master password to provide access to the encrypted contents. Once the master password is set and the password file is opened, you can start to create a set of credentials for every website or application that you use.

I like to use at least a different password for every website that I go to that will involve finances. And I use a very strong password that is created by the password generator built into KeePassX. KeePassX also allows me to copy the username and password into a website. And it allows me to automatically enter the username and password into a website. Don't worry, KeePassX will automatically erase the contents of the Windows and Linux clipboards after 5 seconds for security.

Remember the news about how Sarah Palin's Yahoo account was hacked? She was hacked because she used answers to secret questions that were easy to guess by someone who knew her or her history. A secret question or security question is a question that only you know the answer to, so that if you forget your password, you can recover your password by answering the questions. So, instead of using the secret question to answer a question only you know, this is another chance to use a strong password to further secure your accounts if need be.

But I digress. Back to the router. Once you have set up the router, you will also want to set up DNS on the router, too. DNS is Domain Name Service, which is a service that translates the internet address you know, like www.google.com, into an IP Address, like 208.67.219.230 (verified with the ping command). DNS is part of the backbone of the Internet. Without this service, you would have to remember the IP address of all your favorite websites. This service creates the convenience of allowing us to use names rather than numbers.

Most computers set up your IP address and DNS automatically when they start up. They will get that information either from your ISP or from your router, depending on your setup. In Windows, it's fairly easy to setup your own DNS, too. And most routers will allow you to use another DNS other than the one provided by your cable company.

The alternative I like to use is OpenDNS. OpenDNS provides a great safety service for your Internet connection. OpenDNS does a lot of research to see where the malware is coming from and helps you to steer clear of it. I use the service so that if I should happen to type the wrong address, I can be safely routed away from rogue sites that are serving malware.

And now here is one of my favorite tools: The Netcraft Anti-Phishing Toolbar. This toolbar provides information on every website you visit. First, they give you a risk rating with a colored bar that indicates the risk associated with a website. If it's red, you'll want to go elsewhere. If it's green, then you should be fine. They also tell you how long the site has been there, the rank in terms of popularity. Along with that, you get the location by country with a nice little flag to denote the nation and the name of the hosting service where the site is maintained.

To give you an example of how this works, imagine for a moment that you've received an email from Bank of America. They're telling you that you need to update your account information because it has not been updated in a while and they're concerned about the accuracy. They kindly provide you with a link to their site. So you click on it. The Netcraft Toolbar reveals that the site is located in Russia and was only created a month ago. Hmmm. Time to close the browser.

I want to summarize all this by pointing out that I'm using layers of protection, with each layer providing protection in different ways. Here is a point list summary:

  • Never run as admin on your computer.
  • Install and maintain antivirus that updates without admin support.
  • Install and maintain some sort of anti-spyware.
  • Install and mainain a personal firewall.
  • Install and configure a router (not much maintenance is required for this).
  • Use a secured password manager to manage your passwords (don't leave them on pieces of paper or in a spreadsheet on your computer).
  • Use OpenDNS for a safer browsing experience.
  • Use the Netcraft Antiphising Toolbar so that you can find out if the site you're on is safe.
Here, I have 7 layers of security to prevent my computer and/or my identity from being compromised. You may want to implement a few or all of them depending on your security needs and desires.

If you are in the unfortunate position of having to reload Windows to your hard disk due to infection, then you will want to re-install Windows and image your hard drive. I'd like to expand upon that list with some of my own ideas in a future blog.

If you need help setting any of this up, call me. You can find my website for PC assistance here:

www.ezcomputercoach.com

Have a safe shopping experience while you prepare for Christmas. Be well.

Scott Dunn

Monday, December 08, 2008

The cost of individualism

Here in America, we tend to favor the individual rather than the collective in a philosophy known as individualism. We covet and admire the lifestyle of the self-made man, the millionaire who did it all himself, the Madonnas who created their independent fortunes and the rugged individualist. Few can attain such a status, fewer still can actually walk the talk for all their "independence."

So how has that been working out for us? Like many of us, I read the news everyday. Everyday, there is a new problem to be solved. But what is the source of the problem, individual or collective? Are individuals really capable of solving the problems we face, all by themselves?

There are three examples to explore today, in this blog: cyber-security, health care, and the environment. In each case, I attempt to demonstrate the cost of individualism vs. the collectivist culture.

I bring this idea up for several reasons. I had the good fortune to have visited Vietnam a little more than a year ago, twice. While I was there, I noticed something quite striking, in contrast to America: the Vietnamese value cooperation over competition. They seem to have recognized that although it's possible for one man or one woman to solve a problem or attain great achievements, everyone needs to get involved to overcome a challenge. What I hope to demonstrate here is that we need to heed the example of Vietnam and others like them.

In contrast to Vietnam, this country is in a state of hyper-competition. Everyone here is looking out for number one. Anyone who has taken the time to study the example of Microsoft will see that they are constantly at "war" with others. When Steve Ballmer does one of his pep-talks, he is literally boiling over with enthusiasm for his company, his products and his plans. There is nothing wrong with enthusiasm such as his. But many companies have partnered with Microsoft only to become the latest litigation carcass left over after Microsoft has accomplished their goal. Microsoft is the perfect example of competition at any cost as a corporation.

This one-man show, go-it-alone example doesn't do so well in the context of cyber-security. By now, some of you have heard of "botnets", a group of computers that have been infected by a virus or trojan and turned into a "zombie" computer. A botnet can contain hundreds of thousands of computers as a group commonly known as a herd. A zombie computer is a computer that, unbeknownst to the owner, has been turned into a servant of a secret network of computers. This network will send spam, distributed denial of service attacks and collect credit card and other personal information to be used for stealing money. All the known botnets run on Windows computers.

For many years, Bill Gates, one of the founders of Microsoft, has preached the virtues of proprietary code. Creating proprietary code requires a significant level of secrecy, and that requires independence. Yes, they are the biggest software firm in the world. And they have a nice chunk of liquid cash to prove it. But contrary to the image of independence they promote, they are supremely dependent on developers. So they create developer tools that increase dependence on Windows. And They create products that depend on Windows. A case in point is Silverlight, a competitor to the Adobe Flash software so commonly used in places like YouTube. Microsoft makes a point of making Silverlight only for Windows so that people will buy Windows. Yes, there is a version that will run on Mac and Linux (Moonlight), but as Steve Ballmer likes to say, it will run better on Windows.

Microsoft was basically asleep at the wheel when the Internet came up behind them and passed them by in the 1990s. Along came Netscape which scooped up 80% of the marketplace before Microsoft could blink. So what did Microsoft do? In order to buy time, they changed the programming interfaces for Windows without telling Netscape so that the Netscape browser wouldn't work properly on Windows. At the same time, Microsoft got to work building their Internet Explorer browser to compete with Netscape and gave Internet Explorer away for free with the operating system. Netscape is now only a shadow of what it once was. Netscape has been resurrected as open source software in products like SeaMonkey and Mozilla Firefox because the only way they could compete is as a free product.

As someone who works in IT, I've learned something about the "monoculture" in computers. Microsoft has created a huge monoculture of computers with a 95% market share for desktop computers. The weakness of a monoculture is that when all computers act the same, one weakness will affect all computers with the same program. This explains the success of viruses on Windows computers. And who is providing the updates to these computers? One lone source: Microsoft.

This monoculture might explain the problems discussed in this article, which states we are losing big-time in the cyber war against the rest of the world. Windows is turning out to be our biggest liability when it comes to security in government and corporate infrastructure. There is a long and rich history to explain why this is that I can't get into it here, but if you'd like to read more on the subject, go here (scroll down to Security for more).

On the other hand, with Linux, there are many distributions of Linux. Many features of Linux actually comes from Unix. It was created in 1969 by AT&T with the notion that no single user should be able to destroy the work of another user on the same machine. Security was baked in from the start. That is one reason why you won't see many viruses running on Linux. For a virus on Linux, propagation is very difficult, and death is very quick. This not to say that Linux is impervious to virii. Linux is just a lot harder to break.

All software comes from source code. When a programmer writes source code for software, he will include notes in the source that provide documentation on the action of a section of code. When the programmer is ready to test, run or distribute the software, he will run the code through something called a compiler. This strips out the documentation known as comments, and converts the source code into binary code that the computer can understand and run. This binary file is what you get with Microsoft. With Linux, you get the source code and the binary, free and open source software (FOSS).

Instead of being developed by one company, Linux is developed by volunteers all over the world. Instead of closing the source code for the software, as Microsoft does, the source code for Linux is free for all to see and licensed under the General Public License. Everyone, including programmers, is free to run the software for any purpose they desire. They can also look for bugs and fix bugs and to make improvements. They are also free to distribute the binary code as long as they make the source code available to the community. This sharing of the code is what makes Linux so powerful.

As Eric S. Raymond said, "A thousand eyes makes all bugs shallow."

I offer this example to show the contrast between competition, as embodied by Microsoft and cooperation, as embodied by Linux. Microsoft tries to feign independence while mooching off of the rest of world for support of it's operating system and while charging for it. Free software communities acknowledge the complexities of the software and the need for collective review, repair and upgrades of the same software. Their effort to create better software is shared. The result is used like a utility. It is any wonder that the fastest computers in the world are running Linux?

Now lets turn to healthcare.

We're in the worst recession in 75 years and we're fervently looking for a way out of the mess we created. 5 years of war, a bass-ackward tax policy going strong for eight years, and lax regulation of securities have contributed to the mess. All of them are based on the premise that the individual is more important than the collective. We did the war, essentially alone (sorry, England doesn't count), prompted by little or no evidence that the war was necessary. The tax policy was based on the idea that rich individuals would spend money rather than hoard it. And the lax regulation of securities (securitized mortgages, credit default swaps, etc.) was based on the notion that the securities industry would regulate itself. On all of these fronts, we have been proved wrong.

I saw this very interesting opinion article in BusinessWeek. The statistics cited in the article are disquieting if not downright alarming. Here's a sample from the article:
  • The country (US) spends a world-beating 16% of gross domestic product on health, yet in international comparisons it lags behind a number of key measures.
  • The U.S. ranks 29th in infant mortality and 48th in life expectancy.
  • The number of people without health insurance was 38 million in 2007, and that number is guaranteed to have risen in the meantime with the recession that began a year ago.
A lot of this stems from severe mismanagement of the insurance companies. Take AIG, for example. The excesses of that company has been well documented with their lavish parties and executive bonuses. Were they thinking of their customers? Probably not. Perhaps they were a bit too focused on the next tax cut. Evidently, the largest insurance company in the world was busy making insurance more expensive for the rest of us. And that includes health insurance.

The health insurance industry is so focused on profits that the list of pre-existing conditions will only grow longer. As more and more people are excluded from health insurance due to pre-existing conditions, the cost will continue to increase for those that can participate. And so on as more and more people are excluded on costs alone. I thought that the whole point of insurance was to distribute risk among a large population.

Worse still, a recent study suggests that about half of all doctors would quit their practice given the chance for an alternative. This is symptomatic of insurance and government policies driven to cut short-term financial costs of health care. Paperwork is being used to exclude treatments in the same way that pre-existing conditions are being used to exclude people from access to health care. It seems that not only are people being encouraged to go it alone, they are being forced to do so.

I've never really been a big fan of socialized medicine. I see the "other people" gorging themselves to oblivion on fast food, alcohol and tobacco. I see them raising my insurance rates, even though I try to take good care of myself. Why should I have to pay for their stupidity?

Some of you have probably heard of NASE. They have a very interesting concept: allow the premiums to accumulate as savings for each subscriber. When they turn 65, refund the balance after subtracting the costs for service. This is a great idea, since it encourages people to take good care of themselves so that they have a nice retirement fund when the time comes. But in practice, it hasn't worked so well for the company, probably also due to poor management. There have been some horror stories that paint an unflattering picture of the company. In an ideal world, I'd like to see something like this really work.

So, unfortunately, the facts do not bear out any clear successes for capitalist style health care in terms of distribution. Sure, we have the best health care in the world, but who can really afford it? Socialist countries seem to be getting along fine with lower mortality rates and lower customer costs for care. A recent New York Times op-ed article is making a very strong case for Universal Health Care where no one is denied and everyone pays in one way or another. This guarantees complete distribution of risk and funding at the same time. And there appears to be a way to reduce the paperwork by focusing on preventive treatment rather than exclusion.

Health is inextricably tied to the environment. Some of you might be old enough to remember that President Nixon of the Republican Party proposed and helped to create the Environmental Protection Agency. But for some reason, over time, two Republican presidents surnamed Bush, have lost their way and tried to emasculate the EPA. Our current president has done the most damage by restricting or eliminating the power of the EPA. Apparently the neo-cons forgot that they are stewards of the earth, and their creator may not look so kindly upon their achievements. In the last few years, I have read of their second thoughts about passing legislation that would limit or remove power from the EPA.

It's easy to see the schizophrenia of the Republican Party these days when it comes to the environment. They want to gut the EPA and let the market decide how to care for the environment. The market on the other hand, is not satisfied by a clean environment, it's satisfied by money. Obviously, polluted land doesn't have much value, even if you live in Palos Verdes, California. Since the neo-cons took control of the Republican Party, they seem bent on consuming and destroying as much of the natural resources as possible, you know, before the second coming.

For the last eight years, the United States has been loathe to sign any treaties that would help the environment, in particular, the Kyoto Protocol, citing potential for serious harm to the economy of the United States. Here again, the economy rules supreme above the environment. Apparently, there was no discussion of the green collar jobs that would be created given the constraints of the Kyoto Protocol.

And now there is a new treaty designed to replace the Kyoto Protocol. And again, the United States will not participate, yet. It appears that with a new administration on the way, there could be significant change in attitude and action. As a nation, we have an opportunity to demonstrate leadership in protecting the environment, despite what other countries do.

As the world looks to us for leadership, they must be wondering aloud as to what we're thinking. Three countries, the US, China and India produce the majority of greenhouse gases. The US by itself uses 25% of the energy produced worldwide. And under the guidance of the Bush Administration, the US has proven to be unwilling to cooperate with other nations to limit greenhouse gases.

Global Warming and the consequences thereof, whether induced by man or not, is a problem we all face. The US cannot hope to solve the problem on their own without cooperation from other nations, and vice versa. Going it alone is not an option, particularly when we look at the amount of landmass we stand to lose from rising sea levels.


In the realms of cybersecurity, healthcare and the environment, we will need to work together to solve our common problems. I offer the foregoing as examples and incentive to work with each other, and to reason things out. We must work with others internationally, nationally, and locally to solve the problems we face.

Whether it's capitalism, communism or soclialism, no system seems to work perfectly for everyone. But one thing is certain: so long as we continue the idea that it's "every man for himself" and that men and women continue to pursue advantages and control over one another, no system will work. Under those conditions, people will continually game the system to assert an advantage or to attain a sense of security.

As soon as we realize and live as if we're all in it together, then we can solve all the problems we experience together. It is my hope that under the new administration, cooperation will be valued over competition.