Linked by Howard Fosdick on Thu 1st May 2008 01:55 UTC
Privacy, Security, Encryption
Security consultant Howard Fosdick has contributed the latest entry in the 2008 OSNews Article Contest: a highly detailed examination of security and privacy on the Windows platform, and how to use free software tools and a little knowledge to protect your privacy online.
Simple Solution
by Devils_Advocate on Thu 1st May 2008 02:10 UTC
Use a Ramdisk
by Jerra on Thu 1st May 2008 02:55 UTC
Jerra
Member since:
2008-05-01

One tip is to create a ramdisk and redirect your browser caches to there (and the relevant web site tracking index.dat file will also be created there). Once the PC is turned off all the data in it goes with it.

Reply Score: 1

RE: Use a Ramdisk
by broch on Thu 1st May 2008 13:58 UTC in reply to "Use a Ramdisk"
broch Member since:
2006-05-04

wrong tip,
RAM (in spite of general belief) can retain information for minutes/several days. With physical access to your machine it is possible to retrieve information from RAM.

Linux (UNIX in general) does exactly the same thing:
run
dd if=/dev/mem bs=1m count=[mem size] | strings | grep [whatever]

dump it

rather encrypt whole disk with AES-loop


When I was using windows boot/system partition was read-only (with registry fixes for some Adobe and MS programs) for users (cache/temp moved to another partition)
always used Run As (never logged as root), never used IE. Updates. firewall (OpenBSD/PF, and windows firewall)
for several years systems were clean (viruses/malware) with long uptimes

I am not saying that this is best way of protection, but worked for me.

Reply Score: 1

Hilarious
by Nehemoth on Thu 1st May 2008 04:19 UTC
Nehemoth
Member since:
2005-07-07

A really Excellent article.

Reply Score: 0

Sophotect
Member since:
2006-04-26

But when you are able to follow that from a technical point of view and don't absolutely need some application running natively under some Windows, well, why not install Linux or .. GOSH ..even some *BSD?
To make my point more clear, what we have here is again one of the countless proposals to overcome the inherent deficiencies of common commercial software. Which is about layering layer after layer on top of another until it is getting so complex that its internals are not understandable anymore as a whole.
Other aspects of that are the here mentioned agendas of Adobe with Flash and Microsoft with its Silverlight. Apart from the manageability of that stack of layers upon layers, ever thought about the systems one needs to comfortably running that?
You can see that from an ecological, or practical point of view. Ecological insofar as that more complex software wastes more wattage, practical insofar as that this model is impractical for the coming ultramobile devices and ambient network infrastructure.
So we have a whole other side of software and operating system development, which is free and does care about such matters, which is actually REFACTORING the best pieces of proven to be successful code into something which is getting better and better all the time, and is MORE manageable.

Why not use it when you care about that at all?

Reply Score: 0

RawMustard Member since:
2005-10-10

I have no idea why your comment was voted down, it made perfect sense to me and was not inflammatory or derogative in any way.

I voted you back up because I fully agree with what you wrote!

I guess the astroturfers are in full flight tonight ;)

Reply Score: 1

BluenoseJake Member since:
2005-08-11

Perhaps you need to run Windows to run some apps that you use, perhaps you prefer it, perhaps you want to play games.

Don't presume your choices are good for everybody.

Reply Score: 5

Isolationist Member since:
2006-05-28

"well, why not install Linux or .. GOSH ..even some *BSD?"

Is GOSH some kind of new operating system? ;)

Reply Score: 2

Misses the 'big two' though
by deathshadow on Thu 1st May 2008 04:32 UTC
deathshadow
Member since:
2005-07-12

Good article, but it really does miss two key factors to not just protecting your privacy, but denying 99% of the viruses out there from even getting a foothold.

Don't use IE, don't use Outlook. Sure it talks about 'securing' IE, but that's more like relying on pulling out than wearing a raincoat.

For the majority of users a good deal of what the article talks about - deleted files not being 'deleted', tracking cookies, unique id's on office documents - REALLY don't matter on Grandma's computer. Sure if you are in a secure office environment working on critical stuff the competition would love to steal - that's a concern... If you are going nuts making purchases on non https websites that nobody's ever even heard of - that's a concern... If you don't want wifey seeing your porn - then it's a concern.

Apart from that, if you are doing anything that REALLY worries you that much about someone getting hold of it, you are probably doing something illicit, illegal and frankly should get what's coming to you.

Edited 2008-05-01 04:35 UTC

Reply Score: 3

RE: Misses the 'big two' though
by Kroc on Thu 1st May 2008 06:32 UTC in reply to "Misses the 'big two' though"
Kroc Member since:
2005-11-10

I fix three or four computers a day, at people's homes, day in - day out.
The /only/ way to avoid the plethora of malware on the Internet is to use /anything/ but IE. Firefox is the first port of call, and adBlock - adverts & flash are a major security risk now, don't think that they're not. I've seen it all first-hand over and over...

Reply Score: 4

interesting-ish
by stabbyjones on Thu 1st May 2008 04:53 UTC
stabbyjones
Member since:
2008-04-15

Not too much anyone who's worked with windows shouldn't already know. For the less than capable user there are a few things that you must do when you build a pc for them.

Install an application based firewall in the background

block any network access to IE, windows messenger, outlook express and then install live messenger and block that too.

with a few more things mentioned in the article a pc that would have to be formatted every other week becomes set and forget.

Reply Score: 1

RE: interesting-ish
by raver31 on Thu 1st May 2008 06:00 UTC in reply to "interesting-ish"
raver31 Member since:
2005-07-06

For this case, why not install Linux then ?

I mean, you have crippled all the internet applications on that machine, therefore, for them to browse they have to use Firefox or Opera. But there are still some sites that will install Windows trojans when you open the site in FF and blindly click OK anyway, so visiting dodgy sites in an alternative browser on Windows is still unsafe if you have not got a clue what you are clicking on.

Also, you cannot do what you suggest to people's computers because it will break compatibility with applications that need a fully working internet explorer for the installation or operation.

Reply Score: 4

RE[2]: interesting-ish
by Valhalla on Thu 1st May 2008 12:51 UTC in reply to "RE: interesting-ish"
Valhalla Member since:
2006-01-24

raver31 wrote:
-"I mean, you have crippled all the internet applications on that machine, therefore, for them to browse they have to use Firefox or Opera. But there are still some sites that will install Windows trojans when you open the site in FF and blindly click OK anyway"

well, that depends. if you are crazy enough to browse the web logged in as administrator then yes you are certainly vulnerable to trojans should you encounter a site that exploits a bug in your browser.

however, installing and running Firefox, Opera etc under an unprivileged account will make sure that although exploits may allow malicious code to be executed, the amount of damage that code can do is limited to the rights of the unprivileged account.

running IE is another matter though. since Microsoft chose to integrate it into the system there are likely possibilities for exploits to compromise the system under the guise of IE which may give the malicious code further privileges.

raver31 wrote:
-"Also, you cannot do what you suggest to people's computers because it will break compatibility with applications that need a fully working internet explorer for the installation or operation."

apart from when using windowsupdate.com, I haven't encountered situations or software where I need internet explorer.

Reply Score: 2

RE[3]: interesting-ish
by Adam S on Thu 1st May 2008 13:22 UTC in reply to "RE[2]: interesting-ish"
Adam S Member since:
2005-04-01

Windows Update is a standalone app in Vista and Server 2008 and you don't need IE for it.

Reply Score: 3

RE[4]: interesting-ish
by Valhalla on Thu 1st May 2008 14:20 UTC in reply to "RE[3]: interesting-ish"
Valhalla Member since:
2006-01-24

Adam S wrote:
-"Windows Update is a standalone app in Vista and Server 2008 and you don't need IE for it."

I was talking about the site, http://www.windowsupdate.com/

Reply Score: 2

RE[5]: interesting-ish
by Adam S on Thu 1st May 2008 14:23 UTC in reply to "RE[4]: interesting-ish"
Adam S Member since:
2005-04-01

You can't use that site in Vista or Server 2008. Windows Update is a standalone app, and the site will tell you so.

Reply Score: 2

RE[6]: interesting-ish
by Valhalla on Thu 1st May 2008 14:32 UTC in reply to "RE[5]: interesting-ish"
Valhalla Member since:
2006-01-24

Adam S wrote:
-"You can't use that site in Vista or Server 2008. Windows Update is a standalone app, and the site will tell you so."

ehh ok, sure. but I'm running Windows XP. and here it works with Internet Explorer, but not with Firefox or Opera (likely due to it relying on activex), so as I said in the earlier post, for me that is the only situation I've encountered where I need to use Internet Explorer.

where exactly are you going with this Adam?

Reply Score: 2

RE[7]: interesting-ish
by Adam S on Thu 1st May 2008 14:46 UTC in reply to "RE[6]: interesting-ish"
Adam S Member since:
2005-04-01

Windows does not require IE anymore for WU. As time goes on, you won't need IE, which is what the grandparent said, that he needed IE for WU. All I've been saying is that that restriction has been removed in all current versions (and, presumably, future versions) of Windows.

Reply Score: 1

RE[2]: interesting-ish
by Adam S on Thu 1st May 2008 13:21 UTC in reply to "RE: interesting-ish"
Adam S Member since:
2005-04-01

I always wonder if people like the parent have actually tried this in real life.

What happens when this person - your client - buys a game and can't play it? What happens when they try to download some software and can't run it? What happens when they buy some exotic hardware - like an iPod - and it doesn't work right? What happens when they want to buy something from the iTMS and they can't access it?

Linux is great, don't get me wrong, but it's not the solution for everybody. When are people going to realize that Linux is NOT a panacea, and you can't just slap it onto someone's PC when they ask for your help?

Reply Score: 4

RE[3]: interesting-ish
by Sophotect on Thu 1st May 2008 13:44 UTC in reply to "RE[2]: interesting-ish"
Sophotect Member since:
2006-04-26

I can perfectly understand your reasoning about Linux not being the cure for the average user. But as i said elsewhere, if you are not dependent on running some Windows application natively, it may be. In my experience the need to use Windows is an illusion. It wasn't once, but it is now. For exactly the same reasons which are mentioned in the article. Because these measures are way over the top of what an "average user" can or is willing to manage and understand why he has to do that. Of course some peripherals do not work, or do it less than optimal. But one can perfectly circumvent that problem by choosing them accordingly. And have less stress that way.

Edited 2008-05-01 13:50 UTC

Reply Score: 1

RE[4]: interesting-ish
by Adam S on Thu 1st May 2008 13:57 UTC in reply to "RE[3]: interesting-ish"
Adam S Member since:
2005-04-01

Having actually moved people from Windows to Linux, I can tell you that in real life, this only works maybe 50% of the time.

People are generally not happy when they don't understand that Linux is not Windows, and that not all hardware will work out of the box, no drivers on disks will work, the software that came with their CD Labeler, or their new scanner, or their new camera, etc will not work.

Yes, sometimes Linux can be a great answer. But many times, it just doesn't work for the user to switch without the will.

Reply Score: 3

RE[5]: interesting-ish
by Sophotect on Thu 1st May 2008 14:12 UTC in reply to "RE[4]: interesting-ish"
Sophotect Member since:
2006-04-26

Having actually moved people from Windows to Linux i can understand that they are not happy in some cases, but it is less hassle for me. To the driver discs which don't work, as of now this is a myth because for most common hardware you don't need them anymore. If they have problems with the limits which are outweighed by other factors then they may harass somebody else. It is as simple as that.

*shrug*

Edited 2008-05-01 14:25 UTC

Reply Score: 1

RE[6]: interesting-ish
by Adam S on Thu 1st May 2008 14:21 UTC in reply to "RE[5]: interesting-ish"
Adam S Member since:
2005-04-01

I understand what you're saying, I really do. But I tire of people who say things like "if they do it that way then forget them." That's precisely why Linux continues to struggle to make significant inroads, because it's "my way or the highway" too often.

This is like when I said "businesses use HTML email, get used to it," and people had the GALL to say "Well, I wouldn't do business with them."

Good for you. If, by some slim chance, you got some interest from a multi-million dollar company and chose to turn them away on some silly principle, good for you and your principles. But your loss, I'd say.

Same thing here. If you ran a small business and refused to support people who chose to stay on Windows for no good reason other than they were familiar with it and wanted it, good on you. I hope you have enough business to not need those customers. But back in the real world, we have to deal with TODAY. And most people aren't ready to make that commitment, including power users, until THEY choose to make it, because it comes with a STEEP learning curve. 90% of desktop users can't install Flash or Java into a Linux distro without assistance. They aren't much interested in the politically-motivated "switch or die" opinion of their IT-for-hire repair guy, who arrogantly tells them that they need to use Linux or not be supported.

Reply Score: 1

RE[7]: interesting-ish
by Sophotect on Thu 1st May 2008 14:44 UTC in reply to "RE[6]: interesting-ish"
Sophotect Member since:
2006-04-26

Yah ;-) For exactly these reasons i'm not in the ICT-Field anymore. Because in most cases it's a waste of time and energy, a moving target, Sisyphus work. So, when i do this in private, in my spare time, as a favor, i feel perfectly legitimated to act like this.
And i don't do this out of the blue. I say in advance that they can't do this and that but they don't have to do this and that anymore and show them how it could look. Or my Wife shows them, or her Mother which has some Taxstuff running under Wine, or her Brother which is an Electrician and has some of his needed Businessapplications running under Wine. All have different desktops, toolkits, layouts, programs and whatnot else. And guess what? Most people are happy. Because it works, and they don't need to buy expensive new machines. Really, i couldn't care less for some Multibillion$-Company showing interest :-)

Reply Score: 1

RE[3]: interesting-ish
by raver31 on Fri 2nd May 2008 10:51 UTC in reply to "RE[2]: interesting-ish"
raver31 Member since:
2005-07-06

Exotic hardware like an ipod ? You are aware that ipods and linux work seamlessly ? Rhythmbox, Amarok, gpodder etc etc

anyway, you are right, most people cannot use Linux, but my initial response was to the parent post, where someone locked down a Windows box so tight that Linux would actually work better.

Reply Score: 2

RE[4]: interesting-ish
by Adam S on Fri 2nd May 2008 11:19 UTC in reply to "RE[3]: interesting-ish"
Adam S Member since:
2005-04-01

I do realize iPods work seamlessly, but not all associated stuff does. Obviously, no iTMS. iTunes. No iPhone.

Reply Score: 1

RE[2]: interesting-ish
by stabbyjones on Fri 2nd May 2008 00:17 UTC in reply to "RE: interesting-ish"
stabbyjones Member since:
2008-04-15

i'm not saying it's perfect but it's a step towards stopping people with no idea destroying their pc.

i don't run windows myself anymore (debian) but convincing other people to make the switch when they're used to their ways is hard.

most people with a low pc skill use webmail not outlook and while it's sitting there it's useless and a possible threat.

if you force people to use opera or firefox (which is my point in blocking IE) you can block scripts and ads and even though there are still vulnerabilities there is less chance of someone with a low skill level destroying the system after you've set it up.

if anything needs IE you can always allow connections from IE temporarily. it's blocked by a firewall and not removed from the system. so functionality isn't reduced

this doesn't change anything in the system itself and is more of a simple lockdown. i much prefer getting a call saying an application isn't working rather than the whole system is shagged.

Reply Score: 1

RE[2]: interesting-ish
by autumnlover on Mon 5th May 2008 15:59 UTC in reply to "RE: interesting-ish"
autumnlover Member since:
2007-04-12

why not? Because Linux is not "safe version of Windows". Period.

Reply Score: 2

What about WGA and backdoors?
by ml2mst on Thu 1st May 2008 07:39 UTC
ml2mst
Member since:
2005-08-27

Excellent article indeed. However, what about WGA and the known backdoors plus the applications and services harvesting user data?:

http://tinyurl.com/2ptclh

I hardly boot Windows XP, because I feel very uncomfortable with the idea "someone is spying at me".

I feel Microsoft has crossed the line here of what is ethically acceptable.

Reply Score: 4

Hiding your SSID is not more secure
by kragil on Thu 1st May 2008 08:40 UTC
kragil
Member since:
2006-01-04

Somebody able to attack it will find it anyway and in addition you open up a new attack vector.
Basically somebody can jam your network and set up a new unencrypted one with the same name and your windows box will just connect without notifying you that the network changed. This is a pretty recent finding .. i only know a good German article about it, but even Microsoft has a fairly good one:

http://technet.microsoft.com/de-de/library/bb726942


Basically keeping Windows secure is VERY hard. At the moment it is way simpler to just use Linux or Mac and keep them updated.

( GERMAN: http://www.heise.de/security/Drahtlos-Einbruch-trotz-WPA-dank-WLAN-... )

Edited 2008-05-01 08:50 UTC

Reply Score: 2

Are personal firewalls snake oil?
by zima on Sun 4th May 2008 01:06 UTC
zima
Member since:
2005-07-06

That's the question I asked once on discussion forum where I hang out...

Discussion that followed: http://forums.murc.ws/showthread.php?t=58810 (no point in copy&paste, I guess)

Suffice to say I don't run any, not even the one built into Windows. And no problems because of that...

If I'll _really_ want a firewall, I'll use pfsense or m0n0wall

PS. Before anybody brings out again the only good sounding argument for software firewalls - if you need software firewall to know that your machine has been compromised by some malware, you've already lost.

Reply Score: 2

my two cents:
by autumnlover on Mon 5th May 2008 16:03 UTC
autumnlover
Member since:
2007-04-12

1. I recommend avoiding Comodo firewall. Not for the firewall itself, but for its broken uninstaller. I do not know if they fixed it already, but I tried it about a month ago and it was disastrous.

2. Having two firewalls running at once does not do any harm? I don't think so.

Reply Score: 2