Just How Paranoid Are You?

An anonymous reader writes "We all understand the need for security in a corporate environment. Personal computers, however, typically don't have nearly the amount of sensitive information (or it's at least less damaging if found). How far do you go to protect your computer? I recently went overboard on securing my information (at least as secure as Windows XP can be). I have a hardware firewall (GTA GB500), 30 character password, and all remotely personal information stored on a 256bit AES encrypted volume. How far do you go to protect your information against 'Big Brother' or even your family/friends?"

Physical access!

[BWJones]

The most critical item any computer security professional will tell you to take care of: Physical access. If you have a concern, this is your first line of defense and in fact, most top secret installations have considerable resources dedicated to physical access. Next down the line in terms of security risk will be issues related to physical access that again most top secret installations have resolved by disallowing any removable media in or around secured systems. After that comes any issues of network security because your greatest security risk is internal access.

You should not be carrying any sensitive work related items or data home, but if you have personal stuff (or a home business with IT critical information) you wish to secure, short of establishing a computer "vault" with limited access in your home (actually had one once for a project I was working on), you need to start with a secure OS. This does not mean Windows, unless you can afford a "hardened" version and are skilled at management. In fact, I would say from your question that all of the things you are already doing are the absolute minimum if you are using Windows. If you are truly this paranoid and keep sensitive info on your personal computer, and you obviously have a connection to the Internet, it should also mean, physically removing the Internet connection from your computer at times when you do not need it. Multi-casting OS capable machines like certain flavors *NIX are helpful here, so you dont have to deal with Windows network wizard every time you connect back up (if you use certain settings for your network). Wireless should be a no-no as well. IF you are really (read pathologically or are doing something quite illegal) paranoid, you could also build a Faraday cage around your room and charge it to reduce risk of TEMPEST related probes, but again if this is a concern, someone simply breaking in (again access) is often easier and cheaper.

When you are actually connected to the Internet, a hardware firewall is an absolute necessity. Network address translation will help limit some attacks. And aside from all the other things you are doing (strong passwords, encryption etc....), I would strongly urge you to constantly pay attention to your logs. Your most important data will be gleaned from the logs in terms of who is attacking, their strategies for attacking, when and where.

Re:Physical access!

[drinkypoo]

Hardware firewall? What, it's built all from gates and has no code on it? There's no such thing. A linksys befsr41 is a "hardware firewall" because it's a dedicated firewall appliance, right? It runs Linux. A PIX 520, that's a hardware firewall, yes? They cost a lot new and they come in a 4U case. Woops, it's an intel PC.

A firewall that's not on a trusted host, that's a necessity. It doesn't really matter if it's a Nokia box or monowall, what matters is that you configure it correctly and keep it updated. I'm thinking about setting up a transparent bridging firewall so my wall doesn't even have to have IP addresses.

Firey death to the intruders!

[xtermin8]

I pile my old computer hardware into a wall around the house, and from time to time pour gasoline and light it on fire. A hadware firewall. The neighbors don't appreciate it, but it gives me a lot of security

Re:Firey death to the intruders!

[dabigpaybackski]

Amen to that. Between burns, I've got mine locked down like Fort Knox: software firewall, SSH, hell, I even have a BIOS password.

That's right. The way that works is you have to enter a password when you start the computer or it won't boot into the OS. That means that nobody has a snowball's chance in HELL of getting onto my machine when I'm not around.

That's what I call secure.

Re:Firey death to the intruders!

[mejesster]

If they have physical access, they can just reset the BIOS... Plus you probably have floppy or CD set as boot first, in which case a simple bootable floppy or CD could circumvent all your elaborate security.

BIOS password - Sign of an imbecile

[infonography]

We had a so-called security expert put them on a bunch of my SUN systems at a job in 1999, Talked our PHB into buying into that. Took all of a week to get the jerk and his dumb idea out of our site. Once the power went out and the Junior who was on late shift couldn't start the systems. PCs are easy to get around and Suns are a evil to fix after that sort of nonsense.

Re:Firey death to the intruders!

[Thomas Shaddack]

but what I would do is open your box, get your hd out, mirror it with my other pc, then put it back in. and then you have NO IDEA that I just snaked all your data.

That's what the encrypted filesystem is there for; then you also have to acquire the key.

Other possibility is the ATA password, supported by more modern disks.

You can also query the SMART registers in the disk, and check the power-on counter; if there was a discrepancy, a disk powered up without you knowing about it, check why.

Yet another op

Re:Firey death to the intruders!

[Psychofreak]

I have a hasp built into my case to lock the computer shut. I even had a padlock on it for a while at school. The hasp is so flimsy that a friend with the same case twisted the lock off with his bare hands because the key got jammed.

Locks on cases are not very useful. The metal that the case is made of is not adequate. The lock is so much stronger than the case, the lock will break the case.

This is like the apartment that had the reinforced steel door. The thieves cut a hole in the drywall 32 inches

Re:Physical access!

[gunnk]

Generally, a "hardware firewire" simply means a device dedicated to working as a firewall whereas a "software firewall" means a program running on the computer to be protected. It does not imply that a hardware firewall does not have a software component.

I run both a hardware and a software firewall. If one is compromised the potential intruder finds yet another. My sensitive data is also all encrypted, so even if the intruder breaks the second one he/she isn't likely to get much of value.

Re:Physical access!

[brunson]

So I have a dual homed laptop that is doing nothing but NAT, port filtering and routing using IPTables under linux. Is that a hardware or a software firewall?

Re:Physical access!

[Reteo Varala]

If it's running nothing else but the firewall software, it's a hardware firewall... a particularly flexible one. (and one I like, because it can keep logs of any and everything going on in the box)

I have one myself. An old PII 466 working as a firewall/router for the LAN. Gentoo Linux, non-modular kernel, and shorewall with very few rules available, and a "no external access" policy in place.

As soon as I can grab another cheap computer, I will configure the logs on the server to simply be sent to the i

Re:Physical access!

[macdaddy]

Hardware firewall? What, it's built all from gates and has no code on it?

It's funny you should mention that. What you wrote reminded me of something that happened at a previous job. I'd been working there for about a 3 months as the campus netadm. Myself and another coworker had just gotten back from a trip to a peer campus to inspect their network and "get some pointers." (apparently they thought I needed to see how another campus did it so I'd know how...) The network I'd inherited was as flat as

Re:Physical access!

[crazyphilman]

When I think of "hardware firewall" I think of a device which stores its software and rules in static ROM which (hopefully) can't be flashed from the LAN side. This is more secure because A) it's not a machine you're actually working on, and B) there's nothing really THERE except for the operating software, and that would be kind of tricky to hack, C) it can be set up so that nobody can really initiate anything from the LAN port anyway.

What I do at my apartment is this:

I have a hardware firewall the size of a paperback book, a D-Link that's fully patched, with rules that won't allow any incoming traffic and which logs everything I didn't initiate and periodically emails me the logs when they fill up;

My computer is a mil-spec Panasonic CF-28 laptop, water resistant and shockproof, with an armored LCD and a silicone-mounted hard drive in a stainless steel caddy;

My operating system is Slackware Linux which I've hardened. It isn't running any services anyone can try to connect to, and it's running a paranoid iptables firewall which drops all packets I didn't specifically ask for, logging everything sneaky. It's fully patched, and I have different accounts I use for accessing the internet and doing other work (if I'm going to program or write, I disconnect the ethernet cable and log in with my other userid).

I use an up to date Mozilla or Firefox exclusively, and I have software installation disabled (I only enable it when I'm going to get something from the Mozilla site).

For mail, I use kmail, set up so it doesn't automatically display HTML -- I have to choose to view HTML if I know the sender.

I *think* I've thought about just about everything, but who knows? Of course, if something weird happens, I've got good backups so I can rebuild my system in an evening.

Re:Physical access!

[BWJones]

Oh, yeah......and I DO pay attention to my logs, so that dude at 67.13X.XXX.XX in Vancouver Washington who linked to my machine from Slashdot just now and is trying to get access, I am watching you as we speak . A little more work and I can have your GPS coordinates too. :-)

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Physical access!

[robertjw]

Ohh. wait.. real life doesn't follow movie rules about what "hackers" can do?

Shhhh... don't tell people that!!! I like the all-consuming power I have as a computer geek.

Re:Physical access!

[bcmm]

Yeah, don't tell them. I love the way people respect and fear me just because I use bash and cmd.exe.

Seriously, some people are very impressed by CLIs. Especially green ones. Try "cat /dev/urandom" on a green terminal to make dummies think you are doing real work...

Re:Physical access!

[mcrbids]

Or for something equally cryptic and at least somewhat intelligible, try running "top"...

Then, when they ask, you can talk load averages, memory swap, cpu utilization, blah blah blah.

30 seconds of that will put many people right to sleep...

Re:Physical access!

[grassy_knoll]

Then you turn off his power, cut his phone line, and cause his gas oven to blow up. Ohh. wait.. real life doesn't follow movie rules about what "hackers" can do?

Quiet you! I'm busily hacking into the orbital defense satellite system to shoot a plasma cannon at the interloper.

No honey, it's not a pr0n site... that's just a slick facade the government uses to hide access to their weapons platform controls... yes, this will take a while...

NB: Not responsible for the reactions of the humor impaired.

Re:Physical access!

[Idarubicin]

Then you turn off his power, cut his phone line, and cause his gas oven to blow up.

Finally, someone explains what .NET is supposed to do.

Lock grandma in the closet!

[xtermin8]

Actually the above post illustrates a problem- giving highly technical advice to the masses. The above post is imformative, but I don't think it addresses the correct audience. What do you do for a family that does not include a security professional in the household? "Don't let your children's friends have unlimited access to the computer" might be more appropriate

My security system

[einhverfr]

Physical access is a concern. But I work from home and have my servers here (my business is currently home-based). So simple things like locking doors etc.

The first question is how you identify what threats you are protecting yourself from. My list includes viruses, script kiddiez, and the occasional person who has moderate resources and wants to break into my network. I am not too worried about tempest probes because the it would take a lot of time to get enough information off my systes this way to be of use, but I am more concerned about vandalism and damage.

So here are my mechanisms:

1) Keep door locked when not at home.
2) Hardware firewall on old Acer Advantage. Kernel does not support loadable kernel modules (which makes it a pain to change a network card, as the kernel must be recompiled). Firewall runs IPTables and logs most denied traffic.
3) Daily and monthly reports of firewall activity are sent to my inbox via cron and FWReport. FWReport leans towards false-positives, bit it gives you an idea of what "may" be happening.
4) Remote access requires SSH and public key authentication. Remote access is not possible via password.
5) Email servers run Qmail.
6) Most servers are jailed.
7) Most logs are set to "append only"
8) Servers run minimal configurations with a minimum of extensions. For example, Apache does not run any modules not currently required.
9) Windows is not generally allowed on the network.

Re:My security system

[einhverfr]

You've just given me, and everyone else, a detailed list of attacks which will not work against you (saves us time, thank you!), and presuming that you've given an exhaustive list, you've also told us what holes are in your methods and where they are. You've given us some hints as to your software packages (Qmail, FWReport, IPTables, Apache, mostly non-windows machines) so we can go look up bug reports and exploits for them...

Who says any of the rest of this information is not easy to determine?

lets see:

Apache is kept reasonably up to date.

FWReport is a report generator. Not directly exploitable. All it does is send me reports, and I wrote it and released it open source (as advertised on the web site), so you would expect me to be running it, right? I am sure you would expect Theo to be running OpenBSD too, right?

Qmail.... When was the last time there was an exploit in Qmail?

Look.... If you use Netcraft, you can see I am using Apache. Not saying so does not mean people can't find out. If you use Netcraft, you can even see I am running Linux.

Hmmm.... and if you check port 110, it is open and you can look up the welcome message to see I am in fact running Qmail. So I have saved you, what? 10 minutes online with Google and Netcraft by telling you this information? How hard is it to determine this information? How hard is it to obscure this information?

In essence, nothing I said is anything I could keep secret anyway from an attacker who would even do light recon.

Now.... Beyond the basics (here is where I won't tell you details but can tell you principles and design ideas):

1) If a program fails and is compromised, that should provide as little access to anything else as possible.

2) If I have to require passwords on one remotely accessible resource, these passwords should not be reusable on another group of such resources.

It is all about defence in depth and providing as many obstacles as possible to cause damage to me and my business, and containing the damage so that we can gracefully recover with a minimum of downtime. I won't share details. But I think we can all agree on the goals (these goals have been discussed in other whitepapers I have written, so again, this is public information).

Don't forget the neighbors...

[boodaman]

I have quite a bit of I.T. value in my home...software, hardware, and data. One thing I take extra care to do is make sure none of my neighbors have any clue just what I have.

For example, when I bought my house and moved in, every single piece of computer gear was put in an anonymous box without labels before being carried in. The boxes were unpacked out of view of any windows, and I arranged my shelving and desk in such a way that nothing is viewable from a window or door.

I also made sure to warn my neig

Physical security is the only important security

[Gordonjcp]

I don't even bother with passwords on most of my machines, not even for root.

Re:Physical security is the only important securit

[gunnk]

Anyone without a strong root password is likely to have a strong root password provided for them by an "outside consultant". :-)

Re:Geek Humor

[xtermin8]

"Anyone without a strong root password is likely to have a strong root password provided for them by an 'outside consultant'" That would be funnier if it didn't follow:"Yes, of course it's the right cable [le0: NO CARRIER]" "Outside consultants" usually don't care about machines with no network access- even if they can break in and get it.

Re:Physical access!

[Knights who say 'INT]

Hmmm. You do know that in Windows you can just unplug the network cable and plug it back whenever you want, and things will Just Work -- no need to reach for "ifconfig eth0 up", right?

Re:Physical access!

[jhagler]

Easy.

Right-click on the network icon in the system tray then select "Disable". Seems easier to me than having to bring up a console, enter 25 characters, and hit return.

I'm no Microsoft fan but come on, ya gotta pick your battles a little better than this.

Re:Physical access!

[FuzzyBad-Mofo]

You right click on the connection's system tray icon and click disable.

OK, now perform that action in a shell script.

/smartass

Re:Physical access!

[jakupovic]

Ok, I'm gonna bite how about http://www.ntcompatible.com/thread29224-1.html

basically "netsh interface set interface name="Local Area Connection" admin=DISABLED"

Re:Physical access!

[Atzanteol]

Any idea how to bring UP an interface under Windows without assigning it an IP address? I've been trying to figure out how to do this lately.

The equivilent of "ifconfig eth0 up" (no IP assigned).

Re:Physical access!

[BenEnglishAtHome]

The problem with stressing physical access is that physical access is the one thing you can't protect if some evil guvment TLA agency gets you in their sights.

The massive encryption key you keep on the flash drive hanging around your neck will be seized when you get hauled in for questioning. The computers you use will be examined, cloned, and examined some more.

What the truly paranoid need is a way to protect data under the assumption that the data storage medium absolutely WILL fall into the wrong hand

Re:Physical access!

[akadruid]

The key with evil TLAs is invisibilty, deniability, then security. If they ever see you, you've lost 1 line, so you better be very sure of the second line, because on that 3rd line you are playing a David vs Goliath game.

To keep yourself invisible is easy. Keep your nose clean, and don't do anything to attract attention.

If you must make yourself visible, make sure everything is deniable. Cover your tracks, and put out bait to cover you. For example, encode your sensitive data within borderline pornogr

Re:Physical access!

[dynamo]

i could break a DES key given sufficient time, but i could not torture you because you are an anonymous coward. Disproven.

Re:Physical access!

[dpilot]

I'm not at all concerned about physical access to my computers, for two reasons:
1: I just don't have any data THAT critical on them, and plan to keep it that way.
2: If anyone is attempting to gain physical access to my computers, that means they're IN MY HOUSE, and in that situation, I'm much more concerned about my family. The computers then are simply somewhere in a line of physical possessions I'm less concerned about than my wife and kids.

Perspective. I guess if I kept valuable company data at home, I'

Re:Physical access!

[BWJones]

Ok, how many admins out there who take backup tapes home as your offsite solution?

This may be modded as funny, but is actually quite interesting. I know of a number (at least I know they used to) of sysadmins whose offsite backup was at home. This included some organizations with fairly substantial interests in limiting the access to their information. It should be company policy to properly pay for and establish a secure off site location for backups that are not in insecure locations like peoples homes. This should include any company that backs up information related to personnel information like SS#'s and such. For lots of companies or research institutions with just research info that is not sensitive, backups at home can be wholy appropriate.

BBC's "Micro Live" TV series

[jd]

The people who you would most expect to be smarter than the average idiot, well, turned out not to be. Perhaps their best physical access blunder was to keep the backup tapes of their website in the same room as their BBS server. I'm not sure if they ever found out who stole the computer, but they walked off with the backups as well.

Of course, that's not the only blunder. A cracker under the name "The Cheshire Catalyst" broke into a network service they were demonstrating, and started piping songs onto the computer screen in the TV studio.

These security breaches got the kind of publicity few crackers could ever hope to achieve today. A live television audience of maybe 7-8 million, and next to zero chance that the camera is going to pull away?

One important lesson I learned, over these incidents, is that security is rarely accidental. Nor is it something you can consider seperately from the rest of the design. Designing something to be consistant and uniform means that errors will stick out like a sore thumb. In terms of security, or reliability, elegence is everything.

Re:Physical access!

[david duncan scott]

Hell, I once worked at a company (call it "Major Corporate Industry") in Pentagon City where the backups were taken home by the backup admin, who was, in fact, a contractor, not even a regular employee.

We were developing a backup plan that involved cross-backups between the two buildings where this particular part of the company was housed. What were the odds, we figured, of something bad happening to both buildings at the same time?

On 9/11, watching the smoke from the Pentagon, we reconsidered that posit

Yeah, right

[Anonymous Coward]

Like I'm going to discuss that here on Slashdot! You know who might be reading.

Exactly why I don't post AC

[SuperKendall]

They look much harder at AC posts then us rambling registered users who normally have nothing interesting to say...

There is no saftey in anonymity, only mediocrity. People are always looking to see who hides behind the mask even as they step over the unwashed masses. :-)

Re:Yeah, right

[WormholeFiend]

That's what they want you to THINK!!! 8-I

Paranoid? Not much...

[grub]

I have OpenBSD on my firewall and main work machine. Encrypted partitions too. GPG everything. My Windows 2000 game machine is locked tight and on a DMZ without IE being used. My monitor is wrapped in tinfoil, naturally, with a small cutout just large enough to have a 640x480 window viewable. I wrapped my mouse in tinfoil but that made it hard to use so I cut a hole in the bottom which allowed the light to hit the desk surface. Problem there was the desk was wrapped in tinfoil, too. So I made my own mousepad because I don't trust the ones made by The Man. It's made from a dead rabbit I found on the street. I flattened it out and dehydrated it. When I need a random number I pinch some fur and pull. however many strands of fur I get in that pull is the random number I use. Of course I need a new mousepad every few weeks as I never reuse the same tuft of fur twice. Never trust the PRNG in any OS, even OpenBSD. Theo is watching. Speaking of that, the other day I was installing OpenBSD 3.6 on a new machine and then I realized... CDs are a form of RFID tag. The unique bit patterns on them can be detected from space. So I wrap my CDs in tinfoil when not in use. Speaking of tinfoil, I find it best to buy the cheapest stuff from dollar stores. They don't usually use the UPC barcoding at those places. Just "$1.. $1.. $1..". Barcode readers don't use OpenBSD but I think Theo is trying to get in there. Speaking of barcodes, the other day I pulled a package of gum from my pocket and the person I was with said "Ohh... Spearmint!" I ran away. He obviously has a remote UPC scanner and knew that I had spearmint gum. He says the wrapper was in plain site but I think that's just an excuse.

Re:Paranoid? Not much...

[squidfood]

"Six to base. He picked up the rabbit we left. We have access. Repeat. We have access."

Re:Paranoid? Not much...

[Qzukk]

Thats what They want you to think.

Why should I be paranoid?

[Dagny Taggert]

After all, doesn't everyone have my best interests at heart? Why, just the other day, a nice Nigerian man sent me an e-mail about a wonderful offer, and I don't even know him!

Hellooooo, Mr. Government Man!

Just don't use windows encrypted folders....

[DigitalCrackPipe]

If you're really trying to keep things secure, ensure your encryption isn't made by microsoft. Their encrypted folders use AES (IIRC) but since they're open and decrypted when you're logged on the protection is compromised.

My computer

[AtariAmarok]

My computer is encased in Carbonite, and it is stored in a file cabinet in the basement with a sign on the door "Beware of Leopard". The password? I tore it to bits, put bacon grease on it, and fed it to the dog. However, these measures are not enough for security: the machine itself happens to be one of those cardboard replica PCs you find on furniture in the back of "Staples". No WAY you gonna hack this sucker!

This far

[js3]

I lock the door to my house when I leave home

So paranoid

[suso]

that I'm not going to tell people on slashdot what I do.

"all remotely personal information"

[GillBates0]

Yeah, yeah...we all know that's just a fancy-schmancy secret word for pr0n. Shhh...sorry.

Now, how about posting some torrents here, so we can all admire your l33t security models and stuff.

Fingerprint access.

[crovira]

I require that the user have physical access to the fingerprint reader under my keyboard.

My data is locked up? Hell yeah!

Big Brother...

[djsmiley]

Is there any point in trying to protect against BIG Brother really? I mean, if they WANT to get in, they could just storm your house and take away your PC. If the want they could slience you too. So why go so over the top?

Another idea is to make sure any sensitive infomation doesn't have any means of escape, hell build a machine with no network, and no floppy drive or cd writer. Take out the usb slots too, then maybe a passer by wont be able to access it.

30char password? Whats the point? I mean you can still brute force it, and even without doing this, theres still methods such as removing the hdd drive, mounting it under anther computer and 99% time, you got instant access to everything.

People need to learn, senstive data is only protected in ONE place, inside our minds.
Keep it there and no one can snoop it.

Re:Big Brother...

[Beetle B.]

You seem to be missing perhaps the most fundamental aspect of security: "Make your data secure enough such that it is not worth anyone's time to get past the security measures".

Note that this does not mean make your data as humanly secure as possible. If it takes six months of brute force time to break my encryption, I don't mind. I don't have anything that is worth the trouble. So I'm not going to create hurdles for myself by securing it further.

If you have more valuable data, then make it as much harder to get to it. Going overboard will not gain you anything, other than a hassle.

Yes, big brother can storm my house, and torture the information out of me. But it's not worth their trouble. It perhaps would be worth it if I had no security measures and conducted all my Internet transactions in plain text. So I just use a few simple measures to make sure it's not that easy.

Re:Big Brother...

[swilver]

Ah, I found a way around that. Everything on my linux machines of value is heavily encrypted. It uses a password of 30 characters for this encryption. The password is unknown to me, but I can find it by opening my computer case and reading it on a set of 30 dice I have stored inside it.

The idea is that if you turn the machine off, and move it (and you're not VERY careful moving it), the dice will fall and the password will be lost forever. That oughta show Big Brother when they try take my stuff by fo

Re:Brute force what?

[dexterpexter]

The problem with the 30 character password in this case is that (a little known fact) Windows actually breaks it into seven or eight character passwords and then encrypts those. So, your 30 character password is only as good as four or five passwords...which are even further compromised if any of those blocks resemble a dictionary word.

Jack the Ripper (for physical access) or Cain & Abel (over the network) can grab most seven-character passwords in seconds.

Yes, long passwords are better in theory, so

Bad Mojo...

[danielrm26]

"
I have OpenBSD on my firewall and main work machine. "

It's not the same box is it?

I have

[A beautiful mind]

a h/w firewall (openbsd), im running debian sid, to login i need a keychain + p/w. I use loop-aes to encrypt everything including the root partition. I run all services (that is apache and sshd) in jailed environments, im subscribed to bugtraq and lkml to know about the issues that could arise, i got my kernel patched with grsec+pax. I run my system most of the time as a non-priviledged user. Hm. I may be a bit average in paranoidness, but i learnt a lot while making this system work like this.

I am so worried....

[jmcmunn]

I run only knoppix Live CD, and I incinerate my RAM after I am done just to be sure there's nothing left on that RamDisk. Kingston loves me now!

I would tell you...

[harks]

but I'm far to paranoid to describe my security methods in public like this.

Thanks for the info

[yack0]

Thanks for letting us know you have a 30 character password. That'll be much easier to crack than having to deal with 1 - 29 and 31 - infinity length password.

password...

[Black Perl]

My password's set to my dog's name.

My dog's name is currently 4$ter*Zf1, but I change it every 90 days.

Security against 'Big Brother' is a myth

[sisukapalli1]

Security against 'Big Brother' is a myth, especially given that it is very easy for authorities all over the world to label someone a "terrorist", or a "person of interest", and lock him/her up for years without any oversight.

S

Nerd guards

[kneecarrot]

I keep a bunch of nerds surrounding my house for security. I feed them doritos and keep them motivated by issuing fake Duke Nukem Forever press releases. When I see them becoming too docile, I toss Windows Magazine at them to get them all riled up.

The usual stuff

[upside]

- Home server(s) on a DMZ - Ntop on the router/fw to keep track of network usage - Filter outbound connections, too - Mixture of *BSD and Linux on network and server equipment. - Peerguardian when using P2P software. - Up to date virus scan. - Don't use IE or Outlook Express.

Relocate serve to DMZ

[AtariAmarok]

"Home server(s) on a DMZ"

Never thought of effecting security by relocating my home server to the no-man's-land in the middle of the Korean peninsula. I think you may be on to something. No one would ever think to check there!

Re:Relocate serve to DMZ

[Lodragandraoidh]

In firewall terms a DMZ is a subnet off the firewall that will allow traffic to enter your network from the outside. This is the best way to provide services to external entities without compromising the rest of your network.

See this faq to learn more about how firewalls work [interhack.net].

"Just How Paranoid Are You?"

[Wordsmith]

Who wants to know?

How much truely private stuff do you have?

[syousef]

The only things I really consider private on my computer are financial information. Receipts, credit card numbers etc. So yes I do go to some trouble protecting that, but for the most part I couldn't care less if my information was read illegally. There's just nothing of consequence there.

If someone actually compromised and trashed my PC on the other hand, I'd lose time in rebuilding it. HoweverI do back up my information regularly, so that's no issue either except being annoyed at the loss of time. (If someone made subtle changes to the information I'd still have older backups, so it would be painful but not unrecoverable).

If you truely need a private information store, it may be worth buying a PC that isn't net connected and that is physically secured. For the average person unless you're doing something illegal or have sensitive work material at home (arguably not a good idea anyway), why would you need a super-unbreakable encrypted PC?

Careful with swap and temp files

[homer_ca]

"and all remotely personal information stored on a 256bit AES encrypted volume."

Windows will leave temp files all over the place and your pagefile could have any data that was kept in RAM. The superparanoid run Linux w/ an encrypted root partition and Windows inside a VM from an encrypted disk image.

Re:Careful with swap and temp files

[theLOUDroom]

Windows will leave temp files all over the place and your pagefile could have any data that was kept in RAM. The superparanoid run Linux w/ an encrypted root partition and Windows inside a VM from an encrypted disk image.

Amazingly, this is the first post I've noticed that points out this obovious flaw.

256 bit AES is silly if those encrypted files are being read normally on a computer with an unencrypted swap file.

It's like going out, buying the most expensive lock you can get, and putting it on a ca

Re:Careful with swap and temp files

[homer_ca]

Besides the temp files that might be written outside of $HOME (/var/tmp?), an encrypted root helps against some attacks, for example mounting the root partition from a boot CD and inserting trojans like a keylogger, backdoor or rootkit. With an encrypted root you still have an unencrypted /boot partition that could also be subverted with a trojaned kernel or initrd, but that's not nearly as straightforward. Also, for the truly paranoid, you could use a removable boot CD or floppy instead of a /boot partitio

Erased my brain

[snuf23]

I made an end run on this whole problem. With some carefully executed electro shock therapy, I erased all of my personal information from my own brain!
Just try your evil identity theft tricks now!

Weak, Until Wireless Intruder :(

[kannibal_klown]

I had weak security on my desktops at home. I would share out a lot of folders since I bouce around like 3 PC's (and a Mac) when doing stuff for work or just roaming around wirelessly with my laptop.

That is, until the other week. I live in a suburban area with a fairly big lawn. I have wireless on and some weak security on the wireless router since I figured nobody lived close enough to my house that was computer literate. Security through geography.

Then I noticed someone had accessed some files; a computer name that wasn't any of mine or anyone else in the house. I wasn't happy. I found out a neighbor someone reached my wireless router from across the street and accessed some files (didn't check to see if they browsed the internet on my dime).

Since then, I've been more security-aware. I still have wireless on (for the convenience) but have a white-list set up and 128bit encryption.

I shared fewer folders, and kicked it up a notch; explicitly saying which user's could access the files.

I turned on File Valut (or whatever) on my PowerBook just in case.

I'm not that tight security wise, but my neighbor ain't getting through now.

As for the regular stuff to watch out for: I constantly scan for viruses and run ad-aware for spy ware. I sit behind my router's firewall and a software firewall of some sort (either the OS's or 3rd party for my work laptop).

I'm not paranoid enough....

[Sefert]

My girlfriend read my email recently. Found out I told a friend she was lousy in bed.

Turns out bad sex is better than no sex. I'll have to be more grateful for what I get with the next girlfriend.

Re:I'm not paranoid enough....

[Lispy]

Or more careful: Don't post inside bed info on ./ for starters. At least, don't log in. ;-)

Re:I'm not paranoid enough....

[808140]

I know this is a joke, but if any girlfriend of mine ever had the balls to read my e-mail, she'd be out the door.

There isn't anything that I wouldn't want her to see in there, either. It's the principle of the thing. Relationships are based on trust, and when someone is reading your personal correspondence behind your back, trust is lacking.

I'm a pretty laid back guy, but I don't play games with my privacy.

I think...

[Short Circuit]

...this is just a trick post to lure me out.

Paranoia quotes

[dazedNconfuzed]

Paranoia Quotes

I was walking home one night and a guy hammering on a roof called me a paranoid little weirdo. In morse code. -Emo Phillips

No matter how paranoid I get, it's never enough to keep up.

The question is not whether I'm paranoid, it's whether I'm paranoid enough.

The truly paraniod are rarely conned.

Doesn't matter if I'm paranoid - they're still after me.

I sincerely believe people talk about me. Mine would be a pretty meaningless existance if they didn't.

Why are some people terrified of "black helicopters" and don't even notice that they are being monitored almost constantly by the whole network of obvious surveilance cameras, credit cards, ATMs, EZpass, company ID/access cards, magazine subscriptions, SSNs, taxes, fees, video rentals, Internet firewall recording, 'cookies', ... ?

Paranoia: the belief that someone cares.

Paranoia is the belief in a hidden order behind the visible.

When everyone is out to get you, paranoia is only good thinking.

"Paranoia is knowing all the facts." - Woody Allen

"Paranoia is just another word for longevity." - Laurell K. Hamilton, The Laughing Corpse

"Perfect paranoia is perfect awareness."

"Paranoia is reality seen on a finer scale." - Philo Gant, Strange Days

"The issue is not whether you are paranoid, the issue is whether you are paranoid enough." - Max, Strange Days

"Why are you so paranoid, Mulder?"
"Oh, I don't know. Maybe it's because I find it hard to trust anybody." - Scully & Mulder, The X-Files, "Ascension"

Paranoia strikes deep / Into your life it will creep / It starts when you're / always afraid. You step out / of line, the man come and / take you away.

"I don't agonize over decisions as much these days. The criteria of what's important to me is clear. The insecurity that you feel, and the paranoia that you feel, have been around for a long time -- you know it's a liar because it's been lying to you all along -- every time you start something new. You get used to it, and you sort of go, 'Oh, you're showing up again, well f*** you.'" - John Cusack

Freedom is just a hallucination created by a pathological lack of paranoia.

Paranoia doesn't mean the whole world really isn't out to get you.

If you ever wanted to know what a person with acute paranoia looks like, just keep watching.

I have the power to channel my imagination into ever-soaring levels of suspicion and paranoia.

Paranoia is heightened awareness.

Paranoia is a social disease--you get it from screwing other people.

"Paranoia is the delusion that your enemies are organized." - Arthur D. Hlavaty.

"This is the Nineties, Bubba, and there is no such thing as Paranoia. It's all true." - Hunter S Thompson

"There are two kinds of paranoia: Total, and insufficient. I am both, because if you think you are sufficiently paranoid, you're not." - Guildenstern, Rosencrantz and Guildenstern are Dead

"The truly paranoid are clever enough to not *act* paranoid." - Q, Star Trek: The Next Generation

"When everyone _is_ out to get to you, being paranoid isn't going to help." - Q, Star Trek: The Next Generation

"When did you get so paranoid?"
"When they started plotting against me." - The Paper

"Paranoia is only the leading edge of the discovery that everything in the world is connected." - `The Illuminatus Trilogy'

When you've been through everything I have, paranoia is merely a precaution!

Paranoia is not the belief that everybody's out to get you -- they are. Paranoia is the belief that everybody's conspiring to get you.

The greater the concentration of power, the greater the paranoia it generates about its need to destroy everything outside itself.

I love this job. Nothing like paranoia and neurosis. Who needs a Coke habit? I've got journalism!!

There's something inherently American about paranoia. Given the i

Re:Paranoia quotes

[Goo.cc]

>Paranoia is the belief in a hidden order behind the visible.

Wow, I would have labeled that as religion.

Just how paranoid are you? Translation:

[venom600]

How far will you go to protect your pr0n collection from your wife's prying, suspicious eyes? :)

doctors? lawyers?

[coyote-san]

Why do you think only "corporate" (which seem to be big iron since you contrast it to "personal computers") have sensitive data?

What about doctors? Lawyers? Accountants? Schools? Bookstores? etc.

If you've been paying attention to the news you'll know that every so often somebody buys a used computer disk and finds the results of STD tests (including AIDS) for tens of thousands of people. Or the name, address and credit card information for thousands of customers.

The loss of this information may not cause the DJIA to drop 10%, but it can be devastating to the people involved. But security is often lax since it's "only" a PC and it never occurs to these people that their computers may be stolen precisely because of the confidential information on the disk.

Even home users can face a difficult situation if they take their work home. They have a duty to protect that information... then they work on those files on virus-ridden systems. Today's viruses seem to focus on spam and stealing credit card numbers, but it's not hard to imagine more sophisticated attackers looking for other information.

Keyloggers

[GoofyBoy]

>I have a hardware firewall (GTA GB500), 30 character password, and all remotely personal information stored on a 256bit AES encrypted volume.

Call me ignorant but wouldn't one simple phishing/keylogging software to get your password and its all for nothing?

You would have to get the software on your machine first, but there are loads of way it could be done (even on linux and especially if its hooked up to the Internet) but its well worth the trouble for a person.

Re:Keyloggers

[wfberg]

I have a hardware firewall (GTA GB500), 30 character password, and all remotely personal information stored on a 256bit AES encrypted volume.

Call me ignorant but wouldn't one simple phishing/keylogging software to get your password and its all for nothing?

Or go one better; install the keyghost [keyghost.com] keystroke-logging keyboard-dongle (other brands are available).

Note that storing your information on an encrypted partition does fuck all to protect you from virusses or spyware that choose to spam X:\goatporn.jpg

You call *that* secure?

[ukleafer]

I keep my data on a proprietary system of my own devising - the gibbon/pigeonhole arrangement:

Deep inside my personal mountain lair is my own manually operated paperbased datacentre housing a colony of approximately 6,000 intricately trained gibbons who perform the day to day roles of system administration and data archiving.

When I access my partitions from windows in the comfort of my home, I'm not browsing local hard drives, oh no. I have had one of my gibbons integrate his brain into the windows kernel so that he is at one with my filesystems. I call him Ook. When I read/write to the partitions, Ook interprets the commands and passes them on to a waiting messenger gibbon, using a custom developed encrypted adaptation of the gibbon language, unintelligible to other gibbons in case big brother trains some gibbons of his own and infiltrates my workforce.

Anyway, the messenger gibbons (who are hand picked in a rigorous training scheme for their incredible memories) scamper off to my mountain datacentre, passing through retinal, palm, and voice identification scans, before entering a 128bit hexadecimal password (case sensitive) into a keyboard that is not QWERTY in format, but is made up of blocks in the ground which must be jumped on to enter each character. The blocks aren't labelled as such, but are cryptically imprinted with pictorial representations of the alphanumeric characters they represent (eg: picture of toast, rhymes with ghost, ghosts are scary, scary rhymes with hairy, hairy has five letres, thereforce that block represents the number 5, see?).

So anyhow, once the messenger gibbon enters the secure area of my datacentre, he passes the message on to one of the worker gibbons, light in build and superb gymnasts, who moves to the appropriate pigeon hole in a 2D array laid out on a rock wall measuring more or less 1km square in surface area. Each 5cm^2 pigeon hole houses a piece of paper, on which is written a 32bit binary word. The worker gibbons are trained to encrypt and decrypt the binary strings, as the binary is not regular binary, but is instead shuffled according to a complex mathematical hashing algorithm. Once the gibbon has decrypted and either memorised or modified and re-encrypted the binary, he scampers back to the messenger gibbon and using a proprietary gibbon dance, reports either a fail or a sucess in the operation, along with any data requested for a read operation.

This all comes back up the chain to Ook, who has windows tell me that everything is fine.

I'm sure you can't deny that it's as secure as all get out, and it's pretty much transparent apart from the half hour access times, which makes playing counter strike quite the bitch, but for your everyday Word and Email, it's perfect.

Your information can be too secure

[DDumitru]

This type of discussion really worries me for "single owner" systems.

You have setup a system that will keep people away from the data unless you and only you try to access this. What happens if something happens to you. Your family might need your account numbers if you die, have a stroke, etc.

If you are protecting your child porn stash, then maybe this is the best solution. For things like credit card numbers, on-line banking, etc. you should "escrow" your passwords somewhere so that others can get to them if needed. This could be as simple as a printout of your passwords/accounts in your safe deposit box to having information kept by your lawyer.

Remember that bad things can happen beyond just hackers trying to get data.

And I am not just trolling for karma. My wife just had a friend die suddenly and one of the first questions from the family was "how do we get his laptops password". My anser was, "it depends, if he really secured it well, you are pretty much out of luck".

Precautions have to fit threats

[redelm]

Paranoia is a very unpleasant disease that leave sufferers permanently anxious. I won't live like that. There is no "absolute security". However I will take precautions:

Who are the threats? {family, boss, cybercrooks, burglars, fire}

What is the threat? Discovery, use or loss?

What is the cheapest/easiest precaution?

Multiple user accounts, removeable media, doorlocks, backups and selective crypto are all I bother with.

Knoppix STD

[Bruzer]

Good topic. I wish there were more serious posts so the rest of us could gleam some knowledge from the replies instead of the geeks trying to be funny.

We had a couple people leave work recently and they had some data in the computer that we needed to get ahold of. Since my company requires passwords and restrictive permissions on all Windows systems my team was worried that we might never get the docs off the systems.

A co-worker got out the Knoppix security tools distribution ( http://www.knoppix-std.org/ [knoppix-std.org] ) CD and was able to bypass the Windows passwords very easily. And it read the hard drive ignoring windows permissions.

If someone wanted a secure system. The Knoppix STD CD could be a good tool to use. Try and see if you or a trusted friend could get in to your PC.

- Bruzer (trying to be constructive)

Simple Practices

[thed00d]

Here are some simple policies I practice:
1. Unless currently being used, the computer remains at an "off" state.
2. Change your passwords often - how often is up to you, but be reasonable. I suggest 30 to 60 days for medium/low security, and 7 days for higher security. Remember, however, that any password can be breeched - it's just a matter of time.
3. Segregate your network (if you have one) into zones. For Instance - You should not put your wireless access point straight off your network, instead, come off of your firewall in a new "wireless" zone. Terminate all wireless connection into your firewall via ipsec. Do not rely on WEP/WPA.
4. Block all outbound and inbound ports on your firewall, until you need them. I.E, don't just open up port 80 because you /think/ that you /might/ just run a web server.
5. Virus scanner.
6. Password protect /does not/ imply encrypt.
Anyway, these are just some basic concepts that are OS independent, and if your average user followed some of these guidelines, we'd all be in a better position.

Paranoid Vs. Smart.

[jellomizer]

Being smart is knowing if you leave your system unprotected it will get broken into by a virus or hacker, worm... But you don't go crazy for every little thing. This is akin to Locking your door at night and leaving a light on in the hallway. This will stop most probles.

Being Smart:

• Having an external dedicated firewall, with all the ports closed, unless you need them.
• Except for Windows use an other OS. OS X, Linux, xBSD. This may not be possible due to the need of additional software
• Dont use IE when possible and espectilly when you are browsing untrusted sites.
• If you are using windows get some good anti-virus software and anti-spyware software.
• Choose what services you really need on your OS and disable the ones you don't need
• Run the software firewall too. Besides the extra level of protection (say a virus from an other system on your intranet) it helps keep extrainious network data flowing over your network.
• Use SSH SFTP when possible, as well https whenever you are entering data you don't want to be read.
• Backup your data incase of a problem
• Keep your software up to date

Being paranoid is making your system as close as unusable as possible because of all the security turned off. This is like living in a fortres with Steal walls, doors, and bars over the windows and every type of lock possible. Going to crazy could lead to a false sience of security. As well as making yourself more of a target for people who see all the security setup and figure if it is that tight something good must be inside. If you are that afraid of hackers turn your computer off unplug it and put in a safe you are probably better off that way.

30 characters, omg

[l3v1]

30 character password

Now, that;s not paranoid, just plain stupid. Just imagine, early in the morning, quickly checking mail before tumbling out the door going to work, and I mistype 1 character: bamm, type again, mistype 1 character again: bamm, type again, ... [later:] bamm, fracking puter lands on the sidewalk.

Why would someone do such a thing to oneself, being sane to a very minimal extent ? Buy a darn iris scanner, or fingerprint authentication stuff, whatever floats your boat. But 30 chars to type just to get into your spyware-house ? Get a life.

Regarding the main question, i.e. being paranoid: one can efficiently and effectively protect even a Windows PC without becoming, well, posessed.

Yorkshireman....

[lxt]

"I have a hardware firewall (GTA GB500), 30 character password, and all remotely personal information stored on a 256bit AES encrypted volume. How far do you go to protect your information against 'Big Brother' or even your family/friends?"

You call that security? I have my computer rigged up to some C4, that's set to detonate you type in and incorrect password, all of my files are translated into swahili before being encrypted in 512bit encryption, before it's all put onto a hardrive enclosed in tin foil so the commies can't scan it using their radar (cos RADAR KNOWS EVERYTHING, cos I saw some film about it once), and if I ever need to print something out I print it in white ink so nobody can see it, and don't even get me started on software...

Man, you have it easy - call that security?

Removable media.

[blanks]

What the author did was serious overkill.

The simple solution (for personal computers) is removeable media like a external USB harddrive. Connect it to your PC when you need to access sensitive information. Yes this dosent help if your system is all ready compromised, but if this has all ready happened chances are your fucked either way.

This also works well with portable computers, but using memory sticks. if your in a insecure area (cafe) and need to leave your laptop for a few moments, just take the stick with you.

It sounds like the author focused on securing his data only while hes not accessing it, like the encrypted data and silly long passord, but when hes all ready logged in, and the data is decrypted, your security is lossed. And the fact that most people leave their machines on (while logged in) this dosen't help in anyway.

His computer is only secured while he is logged out, and his computer is turned off, but still not physicaly secure.

Chances are if your in an enviorment that is not secure, this is your first mistake, and really if you have information that is this important, why the hell are you connecting that machine to the internet anyways.

HINT:

[dougnaka]

If you're posting details about your "paranoid" security mechanisms, you're not really paranoid.

Paranoid?? used to be.

[Lumpy]

Back in my ol' hacking days I had 1 laptop that never EVER was in my house that all hacking was done with. it never had anything on it that could attach me to it (yes, I used gloves when handling it ALWAYS) and never EVER used floppies to store any of the information on it. Zenith minisport, it used 2 inch floppies so it was impossible to get more of them anyways.

All my 'Sploits were on that machine and I never used it or hacked from in the town I lived in.

This was all back when I was a wee one, and is my distant past. but I learned from some of the best (a friend was a 414 member) and one thing that was instilled in me was to be insanely paranoid.

to the point that where I had the laptop stored I had ways of detecting if someone had been there.

if it looked like someone was there abandon it and never EVER return.

His father was Ex-CIA and he was one of the very few that were not nabbed when they took 414 down. no I never knew his real name and no I do not know where he is or have had any contact with him for over 20 years now.

basically his help in telling me to be insanely paranoid kept me out of the law's hands until I finally grew out of it and left the illigitmate stuff for the other newbs. (note social engineering is far more fun and will nab you LEGITIMATE access to things, and it's a key talent that will get you very far in the corperate and business world... the ultimate hack is getting the sysadmin to give you an account.)

things like installing back to back modems in offices you find access to their phone closet, (Man I had to have at least 8 of those around) tapping lines and installing outside line access and YES even making rubber handset couplers to couple a pair of payphones together for some 1200bps goodness that would make tracing you harder than hell. (put the modems in a box make the box cut power to both modems when it is opened so you know when someone discovers your redirect, that is a first warning that they are tracing you, telephone guys are clumsy and will start poking around back then, they never had any FBI agents that were well versed in telephone equipment until recently.. Using a telephone gear box to conceal your modems works best, and makiing it look like 10-11 phone lines enter that box also makes it more tempting to open it first.)

SO basically, acting pretty much like a spy would, expecting danger at every turn and NEVER giving others information, espically not friends that od the same thing, is as paranoid as I was.

it kept me from getting caught and out of Jail. although I never did anything illegal, nothing at all, I was a perfect student that did not even own a computer!

I also have no idea who reprogrammed the Altairs in the computer lab to flash their led's in a cylon eye sweep!

but oh man it looked so fricking cool!

OpenBSD server

[alan_dershowitz]

I have a box dedicated to file storage only. I secure it in the following manner (well, in the process of doing so.)

1. I run OpenBSD and know how to admin it. It runs ONLY SSH and Samba. It's behind a software router, runs pf.
2. Samba will only be accessible on the loopback interface.
3. Connections to the machine are made via SSH, you must have both a password and a PK authentication. The client has to port forward the appropriate ports for Samba to work.
4. Firewall scrubs packets (prevents some potential TCP/IP exploit tricks)and only allows connections to and from my internal network and my machine at work from the outside.

And that's it. I don't think this would work with more than one machine serving files via Samba, because of port forwarding. I haven't gotten the Samba attached to the local interface yet, right now samba is just limited to the single client I access files from via the firewall. I'd be curious if anyone has issues with the security of this setup. Basically, I want Samba, but with the stronger authentication and encryption of SSH.

Latest corporate directives

[Mantorp]

"Please install these Kensington laptop locks and use them at all times." said the memo to all laptop users.
I google for 2 minutes and find a great instructional video on how to open said laptop lock with a piece of paper and some tape.

A few days go by, a new directive: "Please keep your laptop locked away in a drawer when you leave for the day."

I'm Safe, not Paranoid/Insane

[dghcasp]

My computer is a 286 and runs a 1988 version of SCO Xenix. I feel reasonable sure nobody is targeting viruses at me.

When I'm not using my computer, I pour 15,000 lbs of concrete over it. Granted, this makes it hard to just "sit down and hack." Last week, my dad called and said "Read your email, I sent you something important." My stupid upstairs neighbour called the cops over the sound of the jackhammer at 2 AM. Stupid neighbour.

My internet connection is a 110 baud modem. It's not connected to my computer, but rather to a teletype, which prints out the incoming packets. I manually enter the packets using an old morse code key (long=0, short=1). I have the same setup attached to my computer. I am now up to 75 bps in two-handed morse-code-binary transcription.

The password to my computer is set to the winning numbers in next week's lottery. Unfortunately, this means I can only log in within one hour after the lottery draw, because that's the only time I know the pastword. One of my friends suggested I instead use the fact that my computer is predicting the winning numbers to enter the lottery, but that would be revealing my password. Stupid friend.

Re:Esay easy easy

[fimbulvetr]

Oh yeah, guess all those security vulnerabilites listed on securityfocus are just bogus, eh?
How about unpublished exploits? All those take care of too?

Re:Esay easy easy

[pclminion]

In other words, you rely on obscurity.