Linked by Howard Fosdick on Thu 1st May 2008 01:55 UTC
Privacy, Security, Encryption
Security consultant Howard Fosdick has contributed the latest entry in the 2008 OSNews Article Contest: a highly detailed examination of security and privacy on the Windows platform, and how to use free software tools and a little knowledge to protect your privacy online.
Simple Solution
by Devils_Advocate (0.43) on Thu 1st May 2008 02:10 UTC
Use a Ramdisk
by Jerra (1) on Thu 1st May 2008 02:55 UTC
Jerra
Member since:
2008-05-01
Fans: 0

One tip is to create a ramdisk and redirect your browser caches to there (and the relevant web site tracking index.dat file will also be created there). Once the PC is turned off, all the data in it goes with it.

RE: Use a Ramdisk
by broch (1.8) on Thu 1st May 2008 13:58 UTC in reply to "Use a Ramdisk"
broch Member since:
2006-05-04
Fans: 0

wrong tip,
RAM (in spite of general belief) can retain information for minutes/several days. With physical access to your machine it is possible to retrieve information from RAM.

Linux (UNIX in general) does exactly the same thing:
run
dd if=/dev/mem bs=1m count=[mem size] | strings | grep [whatever]

dump it

rather encrypt whole disk with AES-loop


When I was using Windows, the boot/system partition was read-only (with registry fixes for some Adobe and MS programs) for users (cache/temp moved to another partition).
I always used Run As (never logged in as root), never used IE. Updates. Firewall (OpenBSD/PF, and Windows firewall).
For several years the systems were clean (viruses/malware) with long uptimes.

I am not saying that this is best way of protection, but worked for me.

Hilarious
by Nehemoth (1.64) on Thu 1st May 2008 04:19 UTC
Nehemoth
Member since:
2005-07-07
Fans: 0

A really Excellent article.

Nice Summary of things that are wrong with that
by Sophotect (1.4) on Thu 1st May 2008 04:23 UTC
Sophotect
Member since:
2006-04-26
Fans: 0

But when you are able to follow that from a technical point of view and don't absolutely need some application running natively under some Windows, well, why not install Linux or .. GOSH ..even some *BSD?
To make my point more clear, what we have here is again one of the countless proposals to overcome the inherent deficiencies of common commercial software. Which is about layering layer after layer on top of another until it is getting so complex that its internals are not understandable anymore as a whole.
Other aspects of that are the here mentioned agendas of Adobe with Flash and Microsoft with its Silverlight. Apart from the manageability of that stack of layers upon layers, ever thought about the systems one needs to comfortably run that?
You can see that from an ecological, or practical point of view. Ecological insofar as that more complex software wastes more wattage, practical insofar as that this model is impractical for the coming ultramobile devices and ambient network infrastructure.
So we have a whole other side of software and operating system development, which is free and does care about such matters, which is actually REFACTORING the best pieces of proven to be successful code into something which is getting better and better all the time, and is MORE manageable.

Why not use it when you care about that at all?

RawMustard Member since:
2005-10-10
Fans: 0

I have no idea why your comment was voted down, it made perfect sense to me and was not inflammatory or derogative in any way.

I voted you back up because I fully agree with what you wrote!

I guess the astroturfers are in full flight tonight ;)

BluenoseJake Member since:
2005-08-11
Fans: 7

Perhaps you need to run Windows to run some apps that you use, perhaps you prefer it, perhaps you want to play games.

Don't presume your choices are good for everybody.

Isolationist Member since:
2006-05-28
Fans: 0

"well, why not install Linux or .. GOSH ..even some *BSD?"

Is GOSH some kind of new operating system? ;)

Misses the 'big two' though
by deathshadow (2.6) on Thu 1st May 2008 04:32 UTC
deathshadow
Member since:
2005-07-12
Fans: 4

Good article, but it really does miss two key factors to not just protecting your privacy, but denying 99% of the viruses out there from even getting a foothold.

Don't use IE, don't use Outlook. Sure it talks about 'securing' IE, but that's more like relying on pulling out than wearing a raincoat.

For the majority of users a good deal of what the article talks about - deleted files not being 'deleted', tracking cookies, unique IDs on office documents - REALLY don't matter on Grandma's computer. Sure if you are in a secure office environment working on critical stuff the competition would love to steal - that's a concern... If you are going nuts making purchases on non https websites that nobody's ever even heard of - that's a concern... If you don't want wifey seeing your porn - then it's a concern.

Apart from that, if you are doing anything that REALLY worries you that much about someone getting hold of it, you are probably doing something illicit, illegal and frankly should get what's coming to you.

Edited 2008-05-01 04:35 UTC

RE: Misses the 'big two' though
by Kroc (5.32) on Thu 1st May 2008 06:32 UTC in reply to "Misses the 'big two' though"
Kroc Member since:
2005-11-10
Fans: 14

I fix three or four computers a day, at people's homes, day in - day out.
The /only/ way to avoid the plethora of malware on the Internet is to use /anything/ but IE. Firefox is the first port of call, and adBlock - adverts & flash are a major security risk now, don't think that they're not. I've seen it all first-hand over and over...

interesting-ish
by stabbyjones (2.8) on Thu 1st May 2008 04:53 UTC
stabbyjones
Member since:
2008-04-15
Fans: 0

Not too much anyone who's worked with windows shouldn't already know. For the less than capable user there are a few things that you must do when you build a pc for them.

Install an application based firewall in the background

block any network access to IE, windows messenger, outlook express and then install live messenger and block that too.

with a few more things mentioned in the article a pc that'd have to be formatted every other week becomes set and forget.

RE: interesting-ish
by raver31 (4) on Thu 1st May 2008 06:00 UTC in reply to "interesting-ish"
raver31 Member since:
2005-07-06
Fans: 13

For this case, why not install Linux then?

I mean, you have crippled all the internet applications on that machine, therefore, for them to browse they have to use Firefox or Opera. But there are still some sites that will install Windows trojans when you open the site in FF and blindly click OK anyway, so visiting dodgy sites in an alternative browser on Windows is still unsafe if you have not got a clue what you are clicking on.

Also, you cannot do what you suggest to people's computers because it will break compatibility with applications that need a fully working internet explorer for the installation or operation.

RE[2]: interesting-ish
by Valhalla (3.28) on Thu 1st May 2008 12:51 UTC in reply to "RE: interesting-ish"
Valhalla Member since:
2006-01-24
Fans: 3

raver31 wrote:
-"I mean, you have crippled all the internet applications on that machine, therefore, for them to browse they have to use Firefox or Opera. But there are still some sites that will install Windows trojans when you open the site in FF and blindly click OK anyway"

well, that depends. if you are crazy enough to browse the web logged in as administrator then yes you are certainly vulnerable to trojans should you encounter a site that exploits a bug in your browser.

however, installing and running Firefox, Opera etc under an unprivileged account will make sure that although exploits may allow malicious code to be executed, the amount of damage that code can do is limited to the rights of the unprivileged account.

running IE is another matter though. since Microsoft chose to integrate it into the system there are likely possibilities for exploits to compromise the system under the guise of IE which may give the malicious code further privileges.

raver31 wrote:
-"Also, you cannot do what you suggest to people's computers because it will break compatibility with applications that need a fully working internet explorer for the installation or operation."

apart from when using windowsupdate.com, I haven't encountered situations or software where I need internet explorer.

RE[3]: interesting-ish
by Adam S (Staff) on Thu 1st May 2008 13:22 UTC in reply to "RE[2]: interesting-ish"
Adam S Member since:
2005-04-01
Fans: 16

Windows Update is a standalone app in Vista and Server 2008 and you don't need IE for it.

RE[4]: interesting-ish
by Valhalla (3.28) on Thu 1st May 2008 14:20 UTC in reply to "RE[3]: interesting-ish"
Valhalla Member since:
2006-01-24
Fans: 3

Adam S wrote:
-"Windows Update is a standalone app in Vista and Server 2008 and you don't need IE for it."

I was talking about the site, http://www.windowsupdate.com/

RE[2]: interesting-ish
by Adam S (Staff) on Thu 1st May 2008 13:21 UTC in reply to "RE: interesting-ish"
Adam S Member since:
2005-04-01
Fans: 16

I always wonder if people like the parent have actually tried this in real life.

What happens when this person - your client - buys a game and can't play it? What happens when they try to download some software and can't run it? What happens when they buy some exotic hardware - like an iPod - and it doesn't work right? What happens when they want to buy something from the iTMS and they can't access it?

Linux is great, don't get me wrong, but it's not the solution for everybody. When are people going to realize that Linux is NOT a panacea, and you can't just slap it onto someone's PC when they ask for your help?

RE[3]: interesting-ish
by Sophotect (1.4) on Thu 1st May 2008 13:44 UTC in reply to "RE[2]: interesting-ish"
Sophotect Member since:
2006-04-26
Fans: 0

I can perfectly understand your reasoning about Linux not being the cure for the average user. But as I said elsewhere, if you are not dependent on running some Windows application natively, it may be. In my experience the need to use Windows is an illusion. It wasn't once, but it is now. For exactly the same reasons which are mentioned in the article. Because these measures are way over the top of what an "average user" can or is willing to manage and understand why he has to do that. Of course some peripherals do not work, or do it less than optimal. But one can perfectly circumvent that problem by choosing them accordingly. And have less stress that way.

Edited 2008-05-01 13:50 UTC

RE[4]: interesting-ish
by Adam S (Staff) on Thu 1st May 2008 13:57 UTC in reply to "RE[3]: interesting-ish"
Adam S Member since:
2005-04-01
Fans: 16

Having actually moved people from Windows to Linux, I can tell you that in real life, this only works maybe 50% of the time.

People are generally not happy when they don't understand that Linux is not Windows, and that not all hardware will work out of the box, no drivers on disks will work, the software that came with their CD Labeler, or their new scanner, or their new camera, etc will not work.

Yes, sometimes Linux can be a great answer. But many times, it just doesn't work for the user to switch without the will.

RE[3]: interesting-ish
by raver31 (4) on Fri 2nd May 2008 10:51 UTC in reply to "RE[2]: interesting-ish"
raver31 Member since:
2005-07-06
Fans: 13

Exotic hardware like an iPod? You are aware that iPods and Linux work seamlessly? Rhythmbox, Amarok, gpodder etc etc

anyway, you are right, most people cannot use Linux, but my initial response was to the parent post, where someone locked down a Windows box so tight that Linux would actually work better.

RE[4]: interesting-ish
by Adam S (Staff) on Fri 2nd May 2008 11:19 UTC in reply to "RE[3]: interesting-ish"
Adam S Member since:
2005-04-01
Fans: 16

I do realize iPods work seamlessly, but not all associated stuff does. Obviously, no iTMS. iTunes. No iPhone.

RE[2]: interesting-ish
by stabbyjones (2.8) on Fri 2nd May 2008 00:17 UTC in reply to "RE: interesting-ish"
stabbyjones Member since:
2008-04-15
Fans: 0

i'm not saying it's perfect but it's a step towards stopping people with no idea destroying their pc.

i don't run windows myself anymore (debian) but convincing other people to make the switch when they're used to their ways is hard.

most people with a low pc skill use webmail not outlook and while it's sitting there it's useless and a possible threat.

if you force people to use opera or firefox (which is my point in blocking IE) you can block scripts and ads and even though there are still vulnerabilities there is less chance of someone with a low skill level destroying the system after you've set it up.

if anything needs IE you can always allow connections from IE temporarily. it's blocked by a firewall and not removed from the system. so functionality isn't reduced

this doesn't change anything in the system itself and is more of a simple lockdown. i much prefer getting a call saying an application isn't working rather than the whole system is shagged.

RE[2]: interesting-ish
by autumnlover (2.12) on Mon 5th May 2008 15:59 UTC in reply to "RE: interesting-ish"
autumnlover Member since:
2007-04-12
Fans: 2

why not? Because Linux is not "safe version of Windows". Period.

What about WGA and backdoors?
by ml2mst (2.04) on Thu 1st May 2008 07:39 UTC
ml2mst
Member since:
2005-08-27
Fans: 1

Excellent article indeed. However, what about WGA and the known backdoors plus the applications and services harvesting user data?:

http://tinyurl.com/2ptclh

I hardly boot Windows XP, because I feel very uncomfortable with the idea "someone is spying at me".

I feel Microsoft has crossed the line here of what is ethically acceptable.

Hiding your SSID is not more secure
by kragil (3.8) on Thu 1st May 2008 08:40 UTC
kragil
Member since:
2006-01-04
Fans: 0

Somebody able to attack it will find it anyway and in addition you open up a new attack vector.
Basically somebody can jam your network and set up a new unencrypted one with the same name and your Windows box will just connect without notifying you that the network changed. This is a pretty recent finding .. I only know a good German article about it, but even Microsoft has a fairly good one:

http://technet.microsoft.com/de-de/library/bb726942


Basically keeping Windows secure is VERY hard. At the moment it is way simpler to just use Linux or Mac and keep them updated.

( GERMAN: http://www.heise.de/security/Drahtlos-Einbruch-trotz-WPA-dank-WLAN-... )

Edited 2008-05-01 08:50 UTC

Are personal firewalls snake oil?
by zima (1.68) on Sun 4th May 2008 01:06 UTC
zima
Member since:
2005-07-06
Fans: 0

That's the question I asked once on a discussion forum where I hang out...

Discussion that followed: http://forums.murc.ws/showthread.php?t=58810 (no point in copy&paste, I guess)

Suffice to say I don't run any, not even the one built into Windows. And no problems because of that...

If I _really_ want a firewall, I'll use pfsense or m0n0wall

PS. Before anybody brings out again the only good sounding argument for software firewalls - if you need a software firewall to know that your machine has been compromised by some malware, you've already lost.

my two cents:
by autumnlover (2.12) on Mon 5th May 2008 16:03 UTC
autumnlover
Member since:
2007-04-12
Fans: 2

1. I recommend avoiding the Comodo firewall. Not for the firewall itself, but for its broken uninstaller. I do not know if they fixed it already, but I tried it about a month ago and it was disastrous.

2. Having two firewalls running at once does not do any harm? I don't think so.