While I keep mine more or less behind two firewalls, I still appreciate that you are willing to address methods to secure Windows instead of "throwing it away" in favor of Linux or Mac OS X or some BSD.
I've always said if properly configured (and this does not assume that I agree or disagree with what you've addressed in your article) Windows is solid and relatively safe. It's a good operating system. Every operating system is good tho' to me, so take that with a grain of salt.
Anyways, my point is that I appreciate that you aren't just slamming Windows, but working WITH it in this article.
And if this doesn't make sense, forgive me, I am on my second martini. 
This is exactly what I thought when I saw the article: this is exactly the kind of things I'd love to see more here, and I love the fact that it's not about bashing something but instead trying to make the best out of whatever you have!
While Linux or BSD or [insert-your-favorite-here] might be a better or more secure choice than Windows the fact remains that they won't suit everyone and there's always bound to be someone who wants Windows. Thus it's better to show how to make Windows more secure and not just resort to forcing your own preferences on others.
Good work, and keep it up! 
I would argue that Microsoft Security Essentials is more than sufficient for almost all end users - it does what it needs to do, it doesn't use weird kernel mode hooks, it scores well on the tests and when coupled with an alert and aware end user the experience can be secure and reliable with minimum fuss and bother.
I second that, it is great to see an article that isn't senselessly bashing Windows or some other operating system for that matter - the problem is that the bashers tend to be able to make wordy essays but none of it is based on reality - I'm gradually working my way through a book on Windows 7 kernel changes and other low level system features, if the Windows critics read at least half the book I have I think their view of Windows would change dramatically.
I am with you there! I've been saying that for over a year (as others have). Some serious work has gone on, and is continuing.
Well, let's see if they got rid of the most obvious flaws : is a web browser still part of several GUI rendering operations (including that of critical control panel applications) ? Do applications still have absolute access to user files without asking ?
Browser engine/backend rendering some UI components, that is becoming more commonplace in most modern applications. That's not the same as hitting sites that host malware or what-not from a web browser application.
File protection can be tightened easily. The somewhat lax default settings are still a result of older dependencies that Microsoft has been slow to eliminate - the old "backwards compatibility" issues.
It's the old story of trying to move the platform forward without isolating a whole heap of customers - I only hope and dream that maybe Microsoft will put its foot down and make the changes even in the face of much protest from the unwashed masses. It bugs me something silly that an organisation who has a million dollar private jet consider upgrading a software title from an incompatible version to the latest one as 'not part of requirements for the core operations of the company'.
The big mistake was the compromise they made in Windows 2000; they should have forced upon the market an operating system with no compromises from day one and accepted that the transition would be slow, rather than compromising for the sake of keeping a few whiners happy.
With that being said we can't go back in time and change history so Microsoft is doing their best to meet that balance - having given Windows 7 a go it is definitely the step in the right direction that will hopefully translate into a small evolutionary step forward with Windows 8 and future releases.
Edited 2010-09-07 07:45 UTC
They did, to a degree: UAC. Notice how everyone whined about it?
It's a good measure to tell people (and developers, directly or by proxy) that there's something wrong with their apps, so there's pressure on devs to minimize the problems that lead to UAC notices (and they did), while not breaking ancient, unmaintained legacy apps (they just get a tad annoying, hopefully pushing users to plan to migrate off of them eventually).
Windows 8 or 9 might do away with UAC, _finally_ breaking those ancient apps (or transparently pushing them in a sandbox - that already starts in Win7 with the namespace virtualization), while giving everyone a chance to fix things in the meantime.
That's what I like with Windows or Solaris: Their maintainers care about compatibility, while planning how to move forward with hacks like these to push people in the right direction. (Sadly on Solaris it's less so since they started with OpenSolaris)
On Linux, you simply get changes thrown at you, forcing you to cope _immediately_ with them (or lack new features because to update, you'd have to update libfoo, which requires udev no older than x.y, which requires you to switch the device detection mechanism, which ... and so on) - that model is good for 0.0.x versions, where experimentation happens, but I really despise it for "mature" systems (such as those I'd like to work with daily)
But the poor communication explaining UAC to the average user didn't help either; if the average user knew that the UAC could be avoided if the software vendor actually updated their software then you might see the end user putting the hard word on software by pestering them.
True, but even with Apple they're pretty fair with their transition; the only things I've seen broken on movement between different versions of Mac OS X are vendors using private frameworks that should never have been used in the first place.
Agreed; and worse comes when there is no smooth transition from one to the other; you can put in the older way of doing things but then a whole heap of interoperability problems rear their ugly head.
Edited 2010-09-07 10:56 UTC
Solution: Install a LTS (Long Term Support) Linux distribution with a back-ports repository.
Here are two candidates:
http://distrowatch.com/?newsid=06030
http://distrowatch.com/?newsid=05334
You will not then have to contend with any of the problems you claim, yet the installations will be supported (with security updates but not necessarily feature updates) for a long time into the future (at no cost other than a bit of Internet bandwidth).
PS: On Linux, you do not have to install updates immediately, or indeed at all if you do not want to.
http://ubuntuforums.org/showthread.php?t=541173
...
Highlight the package in Synaptic, then go to "Package" and check "Lock Version".
Edited 2010-09-07 11:44 UTC
That it has become common isn't an excuse for introducing this security flaw. Especially when we know that Microsoft started it all, in the Windows 98 days, as an attempt to keep IE bundled in their OS.
Having a web engine handling critical things is fundamentally a mistake, in my opinion. That's because as time passes, web standards get more and more bloat... complete, and just about nothing is ever removed. Consequently, web browsers become in turn more and more complex, which in developer's terms means more lines of code. When you have security in mind, more lines of code means a less trusted program, because more exploitable flaws can be around here due to human error.
As IE keeps getting overtaxed with features, like any modern web browser, chances are higher that one day, we'll see the control panel asking us about administrator password in an unusual place. And the average Joe will give it. And disaster will occur.
Or am I wrong ?
So Microsoft has some plans for ditching the old user/admin paradigm and finally introducing some tightly sandboxed security model that doesn't leave user files exposed to the first unprivileged malware which comes around ? If it's true, that's truly great ! I envisioned that as one of the killer features of my hobby OS, and am glad that 90% of the desktop/laptop computer market will get this major improvement in security too. Many thanks to Microsoft for planning to fix that hole !
Edited 2010-09-07 19:21 UTC
Tuishimi:
I've always said if properly configured (and this does not assume that I agree or disagree with what you've addressed in your article) Windows is solid and relatively safe. It's a good operating system.
http://blog.linuxtoday.com/blog/2010/04/junk-cyber-crim.html
Werecatf:
In and of itself this is perfectly correct.
However, IMO, it is downright dishonest not to point out to people that virtually all the malware that exists targets only Windows, and that therefore any malware at all that one is ever likely to encounter will only be a threat to one's machine if one is running Windows.
Other OSes are way more secure, there is virtually no chance of one encountering any malware that can target other OSes, and using other OSes is just as easy (or as hard, for that matter) as Windows, and anything that an ordinary user might want to do with their machine can be done, and done well, by good programs available for no cost under other OSes.
Bill Shooter of Bul:
Oh yes, this is very very true. It takes ages to try to repair a compromised Windows system, it is a boatload of work and time, and quite often it is not successful.
This should be emphasised over and over. Only if one's time is worth nothing should you consider trying to re-instate a broken/compromised Windows installation. In comparison, booting a decent Linux distribution LiveCD and installing a full Linux desktop with a complete suite of applications takes only thirty minutes or so.
Edited 2010-09-07 07:12 UTC
Assuming 100% hardware support, which is not always the case.
Indeed. Happily, it is exceedingly easy to test first before installing ... just boot a Linux LiveCD and check out that all the hardware works. It should for most systems.
If we are talking about refurbishing older computers, as is the subject of this thread, then if an older Windows machine has been compromised, and it is necessary to re-install the OS, then for most cases this will only be possible if one has available ALL of the original CDs for the machine itself (e.g. motherboard drivers CD), for the OS, for all of the peripherals (e.g. printers), and for all of the applications. Without all of those, re-installation is not possible.
Given the state of many home computers, in many cases, it is far more likely that installing Linux would be achievable, but re-installing Windows not.
Downloading drivers is not hard. The only times you have to look out for a difficult machine is Windows XP machines using SATA hard drives. Usually the motherboard is emulating IDE and XP will install from any disc, but in the case of Dells like this, the SATA drivers were slipstreamed into their custom XP disc.
Regardless, most OEM machines come with a hard drive recovery accessible via a special key before boot, and if the original MBR is gone, you can use GParted to set the boot flag on the hidden partition which forces the OEM recovery to run.
edit: In five years of full time repair work I have had to install Linux on a machine only once (a pirate copy of Windows with no way to repair the install). Any machine that came with Windows can run Windows. Statements like “Given the state of many home computers, in many cases, it is far more likely that installing Linux would be achievable, but re-installing Windows not.” are idiotic. Changing a system known to work on the machine to a foreign system that may yield compatibility (if not at least usability) problems is no good way to be reducing workload. The idea is to remove problems, not remove them and replace them with totally unrelated, new problems that keeps you coming back to the job week after week (I bought a webcam it doesn’t work. “I tried downloading Skype—Windows version—and it didn’t work”. I can’t find my files…).
Edited 2010-09-07 10:18 UTC
Not so. Simply not so.
Every time I have been asked to re-instate a borked Windows machine, being a home machine belonging to an ordinary Windows user, said user has been unable to supply all of the installation CDs. Every single time.
In some cases, it has been possible to wipe the machine and get it working again with full drivers (via online downloads ... this takes ages and ages, and is fraught with error). In many cases, however, without the installation CDs, this has not been possible.
Testing the exact same set of machines with a Linux LiveCD has shown me that Linux works 100% on more machines than those on which Windows can be 100% restored.
So if you don't mind ... that makes my claim real-world-factual rather than idiotic.
How so? I use Ubuntu as my main OS and have very few problems with it. I may just be lucky (most of my hardware happens to be reasonably well supported in Linux) but I actually find it less problematic than Windows, and certainly more usable than Windows booted in safe mode.
I can't agree. There is software in many cases that either is worse or just unavailable in Linux (for example). To be fair a lot of software is also better on Linux, that's why I use Linux as my primary operating system.
However, one has to appreciate that Windows has its uses. My co-workers predominantly use Windows, and I need to interoperate with them. This means I need to have Windows installed in a virtual-machine to do things involving Word, Powerpoint and Excel (OpenOffice tends to eat my work-mates spreadsheet files, so I kindly no longer inflict this on them). Although highly subjective, I also find Powerpoint much easier and faster to use than the OOffice equivalent. Additionally, I release some cross-platform software for Windows now and again, so I have to test it. Another point: a member of my family has the need to use some specialized tax software, which is unavailable for Linux. Linux for them would unquestionably cost them more time than it would save, so it is untrue to say that you should only repair/continue to use a Windows installation if you don't value your time.
However, one has to appreciate that Windows has its uses. My co-workers predominantly use Windows, and I need to interoperate with them. This means I need to have Windows installed in a virtual-machine to do things involving Word, Powerpoint and Excel (OpenOffice tends to eat my work-mates spreadsheet files, so I kindly no longer inflict this on them). Although highly subjective, I also find Powerpoint much easier and faster to use than the OOffice equivalent. Additionally, I release some cross-platform software for Windows now and again, so I have to test it. One is always entitled to an opinion, but it helps if you can back it up with solid examples rather than just stating an unsupported opinion.
What you are talking about for Office software is actually format lock-in. Stated fairly, you actually mean that Windows is far less interoperable with other platforms than other platforms are interoperable with Windows ... Windows Office software chokes far worse over OpenDocument (ODF) files than OpenOffice in handling MS Office files. OpenOffice handles MS Office files far, far better than MS Office handles OpenOffice files.
Solution: if you need a group of workers collaborating and exchanging Office data, simply install OpenOffice on all machines. If you need a central collaboration repository, use Alfresco and not Sharepoint. Headache-free. Significantly cheaper, too.
http://en.wikipedia.org/wiki/Alfresco_%28software%29
As far as financial/accounting applications go, there are plenty of personal financial applications available for Linux. Moneydance is perhaps the best of them:
http://en.wikipedia.org/wiki/Moneydance
http://www.moneydance.com/features
http://moneydance.com/faq
Here is a more objective look (in that it has actual facts) at the various solutions for desktop financial/accounting applications:
http://en.wikipedia.org/wiki/Comparison_of_accounting_software
Anyway, once you have a TXF file exported from your personal finance application, you can use any browser in conjunction with TurboTax Online.
http://www.tax-preparation.com/
All a user needs for filing their income tax online is any PC equipped with a web browser.
Tax filers that dread installation of the tax software may opt for online tax filing instead.
Not many companies producing income tax software as those providing online tax filing services.
Income tax preparation software makers have been in business for very long and are very popular with tax filers.
My bold.
Enjoy.
Edited 2010-09-07 10:43 UTC
What you are talking about for Office software is actually format lock-in. Stated fairly, you actually mean that Windows is far less interoperable with other platforms than other platforms are interoperable with Windows ... Windows Office software chokes far worse over OpenDocument (ODF) files than OpenOffice in handling MS Office files. OpenOffice handles MS Office files far, far better than MS Office handles OpenOffice files.
Solution: if you need a group of workers collaborating and exchanging Office data, simply install OpenOffice on all machines. If you need a central collaboration repository, use Alfresco and not Sharepoint. Headache-free. Significantly cheaper, too.
OpenOffice deals with OpenOffice files better than MS Office. MS Office deals with MS Office files better than OpenOffice. That's a reason to use Windows if you have many MS Office files around. Telling everyone to switch to OpenOffice doesn't work in all cases (consider legacy documents). Again, unconvincing argument, sorry.
Here is a more objective look (in that it has actual facts) at the various solutions for desktop financial/accounting applications:
It's not even related to what I said. I said it would most certainly cost them more money than it would save to switch to another format. Your argumentation isn't even on the same topic, it even demonstrates you didn't read what I wrote.
Let me recap so you can maybe take another stab at this: format lock-in is a reason to use Windows.
You have every right to dislike this concept, but unless you can refute it you'll have to admit that there are reasons to use Windows.
It is indeed very often touted as a reason to use Windows. People without imagination or current knowledge of the capabilities of Linux desktop applications quite often believe that using Linux is not a viable alternative for them.
My point is that this is changing. Legacy MS Office documents and application installations cannot seamlessly interoperate with current versions and formats of MS Office. The current .docx format is not a standard (requirement for interoperability) of any kind (it is NOT ISO 29500), and it is next to useless for interoperability.
http://en.wikipedia.org/wiki/ISO_29500
A single-platform, single-vendor format-lock-in application is the very worst choice imaginable for any kind of Office interoperability/collaboration ... even insofar as interoperability with legacy and touted future versions of the same product.
Save yourself and your company an absolute fortune, both now and for future (incompatible) upgrades, get off the Office treadmill, and install OpenOffice everywhere.
It is, after all, fully supported by some very heavy hitters in the IT industry, and many large organisations have already saved millions by using it in preference to MS Office ...
http://ulyssesonline.com/2009/09/14/ibm-replaces-microsoft-office/
http://www.lostintechnology.com/how-to/replace-your-office-suite-wi...
http://technocrat.net/d/2006/8/31/7344/
http://www.ilovefreesoftware.com/16/windows/business/office/ibm-lot...
http://www.zdnet.co.uk/news/desktop-apps/2005/06/23/indian-openoffi...
http://www.zdnet.co.uk/news/application-development/2005/01/19/fren...
http://computerworld.co.nz/news.nsf/news/FE73A77E2BB96F21CC25742500...
http://www.israelnationalnews.com/News/News.aspx/55243
http://tech.blorge.com/Structure:%20/2008/10/25/openoffice-v30-...
http://www.guardian.co.uk/technology/blog/2010/aug/26/local-governm...
(These are just a very few recent examples).
OpenOffice has over 20% installed base measured in some markets. That is no small beans.
Format lock-in is an excuse for some frightened IT staff (who know nothing but MS software) to continue to recommend MS office to their organisations, but organisations in the know are already starting to move to OpenOffice in large numbers. Very large numbers. Savings of millions can be made, ongoing year after year savings, and that is a very powerful motivator indeed.
For reasons of sovereignty over their digital data, some governments around the world have begun to mandate OpenDocument format, and this is also a trend that is starting to gain significant moment. (Proprietary formats mean that governments do not really have control over digital data stored in such formats, and governments can become beholden to a sole-source supplier. For most governments, a sole-source foreign supplier at that. They don't like that at all).
Au contraire, I showed that there exist perfectly viable options on Linux for every single use case that you explicitly mentioned, including Office files interoperability and collaboration, and tax lodgement software.
Edited 2010-09-07 13:31 UTC
You just did it again. I'm saying that SOME people use Windows because it hosts the programs that are able to best read their data, which cannot be transformed in a satisfactory way to another format.
The world is a big place, sometimes people can use Linux to great effect, sometimes not. Vice-versa for Windows. There is a place for both, and people make their own choice to use Windows if they want, possibly for very good reasons.
My personal choice of OS is Linux, but I place no judgement on such individuals who use Windows, as it would be incredibly arrogant of me to do so.
Of course. My point is that on many occasions Windows is chosen not for good reasons but through ignorance of any alternative. This is particularly the case in the "refurbished PC" scenario with ordinary users use cases.
I make no judgement of people also. Not everyone is in a position to make the best choice for themselves. Because information about real, viable and perfectly cost-effective alternatives to Windows (particularly in the arena of refurbished PCs) is very difficult for most people to become aware of, it is beholden of us who know about potential alternatives to point them out.
Hence my point that Linux is a perfectly viable, usable, secure, cost-effective solution (particularly in the arena of refurbished PCs) in far, far more cases than most people realise.
It is just that people in general don't know much about Linux.
The right thing to do then is tell them, so that they realise they do have a choice other than Windows.
Edited 2010-09-07 14:04 UTC
OpenOffice has between 10% and 20% installed base. "Legacy documents" and indeed "Office files" include OpenDocument files.
You are correct in saying that: (a) OpenOffice deals with OpenOffice files better than MS Office, and (b) MS Office deals with MS Office files better than OpenOffice, but you omit mention of the fact that (c) OpenOffice deals with MS Office files much better than MS Office deals with OpenOffice files.
Given that OpenOffice has between 10% and 20% installed base (depending on the market), point (c) is very much a serious flaw in MS Office that is only a minor problem in OpenOffice.
Do indeed consider legacy documents vs current versions of MS Office and OpenOffice, and also consider legacy versions of MS Office vs current formats of MS Office and OpenOffice ... OpenOffice supports interoperability better.
Edited 2010-09-07 13:53 UTC
Adding entries to the hosts file also does wonders.
http://www.mvps.org/winhelp2002/hosts.txt
That is if you let it.
If you do that, you will have issues with DHCP and performance due to every site needing to be looked up in a huge file.
Don't add the entries to the HOSTS file. DNS changes instantly, and this will not protect you against the fast-flux attacks that are so popular these days. Also, for this protection to be effective, you'd need to update daily and have 200,000+ domains.
What if you have to blacklist entire IP ranges? HOSTS fails here. DNS does not.
Configuring a DNS sinkhole service on a local DNS server, however, is a much more scalable and efficient option that will work once for your network, and will be updated at least daily!
Here's a PDF on how to do it, step by step:
http://www.whitehats.ca/downloads/sinkhole/DNS_Sinkhole_installatio...
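The difference argued in the comment above, as an added illustration (not code from the thread or from the linked PDF): a HOSTS file only matches exact names, while a resolver-side sinkhole can cover a whole domain with its subdomains and can also suppress answers that point into a blocked IP range. All names, addresses and function names here are constructed for the example, and the `UPSTREAM` table stands in for real DNS resolution.

```python
import ipaddress

# Constructed sample data: .example names and RFC 5737 documentation addresses.
HOSTS_FILE = """\
# hosts-style blocklist: one exact name per entry
127.0.0.1  localhost
0.0.0.0    ads.badsite.example
0.0.0.0    tracker.badsite.example
"""

SINKHOLE_ADDR = "0.0.0.0"
SINKHOLE_ZONES = {"badsite.example"}                       # domain plus all subdomains
SINKHOLE_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # blocked answer range

# Constructed stand-in for what an upstream resolver would answer.
UPSTREAM = {
    "ads.badsite.example": "198.51.100.10",
    "x7f3.badsite.example": "198.51.100.11",   # new subdomain, absent from HOSTS
    "fresh-domain.example": "203.0.113.77",    # new name hosted in the blocked range
    "goodsite.example": "192.0.2.20",
}


def parse_hosts(text):
    """Parse hosts-file text into {name: address}, ignoring comments and blanks."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table[name.lower().rstrip(".")] = addr
    return table


def hosts_lookup(name, table):
    """HOSTS semantics: an exact-name entry wins, anything else goes to DNS."""
    name = name.lower().rstrip(".")
    return table.get(name, UPSTREAM.get(name))


def in_sinkholed_zone(name):
    """True if the name or any parent domain is a sinkholed zone (label-wise match)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in SINKHOLE_ZONES for i in range(len(labels)))


def sinkhole_lookup(name):
    """Sinkhole semantics: block by zone first, then by the range the answer falls in."""
    name = name.lower().rstrip(".")
    if in_sinkholed_zone(name):
        return SINKHOLE_ADDR
    answer = UPSTREAM.get(name)
    if answer and any(ipaddress.ip_address(answer) in net for net in SINKHOLE_NETS):
        return SINKHOLE_ADDR
    return answer


def compare(names):
    """Return {name: (hosts_result, sinkhole_result)} for side-by-side review."""
    table = parse_hosts(HOSTS_FILE)
    return {n: (hosts_lookup(n, table), sinkhole_lookup(n)) for n in names}


if __name__ == "__main__":
    for name, (via_hosts, via_sinkhole) in compare(UPSTREAM).items():
        print(f"{name:24} hosts={via_hosts:15} sinkhole={via_sinkhole}")
```
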
This is only legal if you are the original licensee.
You cannot pass on a Windows license. Any new purpose/computer owner/user needs a new license, legally.
Ernie Ball uses Linux on all their workstations and servers because MS sued them for 5 figures, and refused to let them simply pay for the new license (they didn't even know that it wasn't permitted by the license terms).
Yeah.
I left Windows behind 3.5 years ago.
Don't miss it.
Huh?? What are you smoking? Of course you can transfer the license, and in fact OEM licenses are transferable, as they go with the machine they came with, not a specific person. Volume licenses are different of course, but both Retail and OEM are transferable.
According to the EULA, you can. The Judges have already proven that in courts.
What happened with Ernie Ball was multiple instances of the same software installed, not transferring it. Different scenario than what you had claimed.
http://news.cnet.com/2008-1082_3-5065859.html
Old news, and one company that did the right thing when they got pooched by Micro$haft.
Wait, what are you saying? That it is possible to run a successful and internationally respected business without MS products? Heresy! We all know that you can't do business without MS Office, Exchange and Windows. Right? Right??
Clearly this is some kind of OSS zealot conspiracy to end capitalism.
Do I detect a note of sarcasm here?
http://www.dailyfreshnews.info/1672/google-replace-windows-with-lin...
http://www.technewsworld.com/rsstory/68441.html?wlc=1283843958
http://www.neoseeker.com/news/5436-ibm-will-not-use-windows-vista-b...
I guess my sarcasm detector wasn't broken (and I knew the original poster was being sarcastic).
My post here is only to make the sarcasm clear to people who may not have picked up on it, and who may have thought the original comment was serious.
Dude, I _am_ serious.
I unrar enough files that the proprietary rar is a basic necessity for me, and I have flash on one machine.
Other than that, I'm 100% free software, to my knowledge.
I just can't abide restrictive licensing terms. I own this computer, I don't want to rent software.
Reliably? And those with passwords?
I've not had good luck with free extractors in the past, but only with the .rar format.
I'm not saying you're wrong, not at all, just making sure. I use an all-archive-formats extractor front-end called atool (aunpack is all I've had great luck with, apack seems less reliable) but I'm sure I could hack it into working with 7zip as an unrar program.
...and if you change out the mobo it's considered a new computer.
If you change out enough components, I think MS considers it another machine.
Wasn't it an issue with at least Vista that a main HD change constituted a 'new computer' by their licensing terms and WGA would kick in and shout at you?
...or did I dream that last bit.
I do know the first is true, absolutely.
While I thought some of the past articles in the series were interesting, useful in some cases even, I can't say the same about this one. Really, it's a losing battle trying to "secure" (if you can actually call it that) a compromised Windows machine. It cannot be trusted, as is stated in the article--period. And you have to go through hell, hours of it, just to even get that "feel-good" sense of accomplishment. It's just not worth the time and effort. Especially for the types of people this series seems to be targeting, people who are new to and unfamiliar with the inner workings of computers.
IMO, the first step should almost always be to wipe and start over anyway--especially for those less experienced users. If that means bending over to get the serial number off your machine, going to its manufacturer's web site and getting their phone number, and then calling it to ask for a set of OS install discs to be sent in the mail (most likely for a heftier-than-should-be charge), then that's what should be done first. Otherwise, try to look for the original disc set (if you have them) or look into Linux for older hardware (as was described in previous articles in this series).
I just see no reason anyone who needs to know (ie. doesn't already know) all this stuff mentioned in the article should have to go through this long, tedious and (potentially to them) confusing process. Installing an OS tends to be a much simpler process, as long as it's an "easier" Linux/BSD distro or the OEM version of Windows from the computer's manufacturer. The "official" Microsoft versions of Windows will likely leave a less experienced user, and hell, even experienced users in some cases, with headaches (not to mention cost a hell of a lot more, if you don't already have a copy). All thanks to the fact that most of the time OEMs put hardware in their machines that aren't supported by a bare Windows installation without first installing third-party drivers.
Edited 2010-09-07 00:38 UTC
Thanks for the article. But I cannot understand the reasoning behind most of the comments here.
I still don't believe Linux supporters live with historical anecdotes of Windows, but not the current reality. Linux is a secure OS, as long as you take care (many servers are hacked each year). And the same is true for Windows. Do not look at home users to judge Windows security, since their (hypothetical) Linux root password would be 'abc123' anyways (or whatever simple thing passes the installation requirements).
I'm sorry, but one must be insane to reuse an existing Windows installation ... a malware-infested OS is *already compromised* and may lead to further compromising of the future user's data. The Windows license key can be obtained via an appropriate application and reused in a clean installation manner. That is a far better thing to do IMHO.
Besides - if it really is an old machine, then why would you ever use Windows on top of it? It will only degrade in time, slow down and make your work crippled. There are so many valuable OSs these days, so you should - at least - reconsider available options.
However - I suppose that the OS-related critics are not especially in place here because it's about refurbishing an old PC with Windows, so I will just shut up 
I have done what the article talks about countless times. Sometimes successful, sometimes not successful. It's a lot of work. A lot. It really stinks to spend 12+ hours trying to do this and fail because the viruses are more exotic than you think. The antivirus that does remove it won't work on the OS. The updates to the OS service pack won't work because it conflicts with an existing app/crashes with the motherboard. Like I said, I've done this many many times. I'm sick of wasting all of that time.
New procedure:
1) Try installing Ubuntu/Fedora, depending on which one installs. Use that.
2) If not, then reinstall Windows if possible.
3) If that fails, remove usable parts for other computers (hard drive, memory, video card, ethernet card, network card, etc.) and send to recycling center.
12 Hours?
I fix consumer’s PCs for a job. The average job is 2 hours—in, cleaned up, secured, done. I have it down to a fine art.
Windows computers are all that’s being sold in shops for the price range and that’s not going to change. Especially now that all machines are coming with Windows 7 the problems are greatly minimised.
What some are simply not willing to accept is that Windows does the job well enough for the majority and can be secure with the simplest of software—user caution given.
All a Windows machine needs is:
a) Decrapify the craplets
b) MSSE
c) Firefox + AdBlock, Foxit Reader
That’s it. The user’s router will have a firewall and the Windows firewall will suffice. Since after Blaster32, I have never seen a machine infected through the firewall. 80%+ of infections are coming through Flash+PDF. Wake up, people, times have changed.
You see, both of us have some valuable points. It's true that the terrible Windows XP malware-infested computers are gone to some extent, but there are new problems which you probably already know of if you read IT security news:
1. DLL loading problem / vulnerability
2. Windows 'link' vulnerability
3. Flash vulnerabilities
and so forth. Most of them have critical status which means that the end user is almost completely helpless. No matter what security mechanism/software he's using on his Windows machine - he will probably get infected anyway - sooner or later, but it will be there eventually.
So yes, the times have changed, but I'm afraid it's a change for bad, not for good. MS Windows - as the biggest target - gets $@#$%# all the time and now it's easier than ever before to get infected and robbed out of your data.
Nope, 12 hours. I've spent 12 hours trying to decrapify/repair some PCs. (Note these were PCs that were really in the wild at internet cafes in third world countries, but I've spent an equal amount of time on donated computers as well.) Sometimes the most difficult malware is the corporate installed malware.
It's that first step "Decrapify" that takes the longest. You really are naive if you've never met a virus you couldn't remove with anti-virus of any kind (much less free anti-virus tools, they seem to be worth what you pay for them).
If I understand well, he needs 12 hours because he tries not to wipe Windows out of the disk. A noble task, actually. Didn't know it was even possible.
The last rootkit I had to remove manually took about 5 hours (lots of NTFSDOS and rebooting), so yes, it’s far from practical compared to wiping and installing Linux. I however personally feel that replacing Windows with Linux just changes the problem, rather than solving it. Fixing someone’s car by replacing it with a tank does solve the problem, sure, but now they have to learn how to drive a tank.
Permit me to fix that car analogy for you
(Otherwise, I agree with you, though once the learning problem has been overcome, people generally feel more at ease in their new tank *AND* don't have the parking issue anymore. Then, as others pointed out in this thread, comes the hellish update issue...)
Edited 2010-09-07 20:26 UTC
I consider it like requiring those with a drunk driving charge to check their blood alcohol levels before being allowed to drive again.
Their needs are 1) web browsing and 2) document creation/editing. Linux does that very well and pretty easily while preventing them from harming themselves or others.
Edited 2010-09-07 20:53 UTC
While my job no longer entails anything to do with end users, I agree with you 100%.
On my own Windows machines at home I just add MSE and ensure the firewall is turned on. I also use Foxit Reader - not for security but because Adobe sucks. Hard.
Actually Adobe is the shining example of previously functional software that is now so bloated that anything is better. And their security sucks.
Morglum
The article says
I've excluded Microsoft's own tools from the above chart because I don't have experience with them all. Microsoft's anti-malware programs have evolved from Windows Live OneCare (once known as Windows OneCare Live), to Windows Defender (once known as Microsoft Anti-Spyware), to their current offering, Microsoft Security Essentials (also known as MSE). Along the way Windows Update (once known as Automatic Updates) downloaded and installed the Microsoft Malicious Software Removal Tool (also known as MSRT).
Whew! That's a long and winding road. The good news is that with its current free product, MSE, Microsoft has drawn a bead on malware with a very effective product. Kudos to Microsoft for making MSE freely available. MSE is not bundled with Windows so you have to download and install it.
Is it not the "MSE" you are referring to?
"You'll want to delete the old user accounts and replace them with your own set of user logins. Each new account should have an appropriate authorization level."
Is as close as you get to telling people to use limited user accounts for day-to-day usage. I don't even bother installing anti-malware apps on most PCs as most browser entry vector malware doesn't elevate its privileges sufficiently to do any damage on a limited user account.
Agreed. It was a surprise to me that he didn't go into that in much more detail. Part of my deinfestation process of infected PCs is setting up a limited user account and then educating the user on its use (and non-use of the Administrator account). Everyone I've done that for has remained malware-free since.
He also mentions setting an Administrator password, but leaving it blank can be an option on a 1-user PC, as this automatically disables network access to that account.
In my opinion, education is a mandatory step when improving the security of computers. The sole thing we can do is reducing the amount of data which the user has to learn.
There will still be some people who look for all-technological solutions to the security issue, of course, and this is fine because it can make the teacher's life easier. But do not expect this to ever block basic phishing attacks if you didn't teach the user to check security certificates when they are on a "dangerous" website (e.g. banking).
Edited 2010-09-08 07:09 UTC
Just a note, none of Piriform's applications force install Yahoo without a prompt. At the very last stage of the installer they give you a prompt asking if you want to enable this or that, check for updates automatically and "Install Yahoo Toolbar."
They even have a "lite" version of CCleaner that doesn't prompt, period. The standalone version that can run on a thumb drive also does not integrate in any toolbar addons.
I had to support a PC for my family. No matter what I did, they always managed to get viruses on it. Finally, I went crazy and locked the thing down and it hasn't had a virus in about 5 years. Here is what I did:
- Create separate partitions for the application/system files and the users' home directories
- Set all permissions on the application/system partition to read-only
- Set all permissions on the users partition to deny execution
- Set up two anti-virus programs that automatically perform thorough weekly scans late in the morning once per week as well as real-time scanning
This broke many poorly written apps, but it was well worth the effort. I realize that this is not an option for everyone, but for those with this option, I highly recommend it. (Please note that this arrangement worked with Windows XP and is not guaranteed to work well with Vista or Windows 7).
Have a home directory and possibly /tmp without execute permissions (mount with noexec).
I didn't have a reason to do that yet, Linux has been pretty resilient. But it would be good to lock things down.
I also use LUKS encryption for my root and /home partitions.
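A check for the noexec arrangement described in the comment above, as an added example that is not part of the original thread: it reads a mount table in /proc/mounts format and reports whether each chosen path is its own mount with noexec set. The function names, the sample table and the /dev/mapper device names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (device, mount point, fstype, options, dump, pass).
sample_mounts() {
    cat <<'EOF'
/dev/mapper/root / ext4 rw,relatime 0 0
/dev/mapper/home /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF
}

# audit_noexec TABLE_FILE MOUNTPOINT...
# Prints "<path> OK", "<path> EXEC" (mounted without noexec) or
# "<path> NOT_MOUNTED" (no separate mount, so it inherits its parent's options).
# Returns 0 only when every path is its own mount and carries noexec.
audit_noexec() {
    table=$1; shift
    rc=0
    for mp in "$@"; do
        # A later entry for the same path shadows earlier ones: keep the last.
        opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$table")
        if [ -z "$opts" ]; then
            echo "$mp NOT_MOUNTED"; rc=1
        else
            case ",$opts," in
                *,noexec,*) echo "$mp OK" ;;
                *)          echo "$mp EXEC"; rc=1 ;;
            esac
        fi
    done
    return "$rc"
}

# Demo on the constructed table; on a live system pass /proc/mounts instead.
demo=$(mktemp)
sample_mounts > "$demo"
audit_noexec "$demo" /home /tmp /var/tmp || echo "at least one path allows execution"
rm -f "$demo"
```

Note that noexec only blocks direct execution of files on that filesystem; a script stored there can still be run by handing it to an interpreter installed elsewhere.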



