How Security Experts Are Protecting Their Own Data (siliconvalley.com)
Today the San Jose Mercury News asked several prominent security experts which security products they were actually using for their own data. An anonymous Slashdot reader writes:
The EFF's chief technologist revealed that he doesn't run an anti-virus program, partly because he's using Linux, and partly because he feels anti-virus software creates a false sense of security. ("I don't like to get complacent and rely on it in any way...") He does regularly encrypt his e-mail, "but he doesn't recommend that average users scramble their email, because he thinks the encryption software is just too difficult to use."
The newspaper also interviewed security expert Eugene Spafford, who rarely updates the operating system on one of his computers -- because it's not connected to the internet -- and sometimes even accesses his files with a virtual machine, which he then deletes when he's done. His home router is equipped with a firewall device, and "he's developed some tools in his research center that he uses to try to detect security problems," according to the article. "There are some additional things I do," Spafford added, telling the reporter that "I'm not going to give details of all of them, because that doesn't help me."
Bruce Schneier had a similar answer. When the reporter asked how he protected his data, Schneier wouldn't tell them, adding "I'm kind of a target..."
gotta stay paranoid.. (Score:1)
Hey, we were just wondering how you secure your data?
I don't have any data.... What is this "data"
Re: (Score:2)
This machine is used for Internet surfing only, and I re-load the OS every day from a secure thumb drive.
I also sell bridges in Brooklyn, if you're interested!
Re: (Score:2)
All my data is stored on a CPM machine with no networking capability. I hand code all binaries in Assembly Language. Never had a breach.
For a long time, the GAO [wikipedia.org] ran all its internet-facing servers on Netware. I don't think they had a breach during those years. I've always thought that was a clever strategy, if only because the list of people who could hack on the Netware kernel was so small.
These days I'm not sure if there really is a platform you could make work in production but is so obscure that no one bothers developing exploits for it. Maybe a mainframe OS, now that the financials have left mainframes behind? But then, government-
AV only helps if you are bad (Score:5, Interesting)
Re: (Score:2, Interesting)
You don't run AV therefore you've never had a virus? The force is strong with this one.
Re: (Score:3)
Re:AV only helps if you are bad (Score:5, Interesting)
Profit in a visible virus; very little.
Profit in a virus that acts as a slave in a botnet and monitors your computer usage; a lot more.
Re: (Score:2)
If you can't tell whether you have a virus without an AV, then you are dumber than you look. I've cleaned many friend and family computers where they got a virus without an AV, then asked for help. Turns out it's quite easy to get a virus without an AV, and from my experience, not too hard to get one with.
I've had a lot of Windows machines that act "funny" without any virus involvement at all. Sometimes it's a failing piece of hardware that neither windows nor the hardware driver detects as being a problem. Sometimes Windows just f's itself up in weird ways, whether it's the registry, a bad windows update, both, or something else.
Re: (Score:3)
The trouble is, all of that remains true if you have anti-virus software installed. Your odds might be slightly better overall, but AV software doesn't catch everything. In a few cases, AV software has even opened additional vulnerabilities itself.
It's surprisingly difficult to be sure that you're only running what you think you're running in 2016 and that your data is safe and private. That's a real and serious problem regardless of which if any AV tools you run.
Re: (Score:2)
Re: AV only helps if you are bad (Score:5, Insightful)
Sometimes, but there are no guarantees these days. Once a system has been compromised, it is now almost impossible to make sure it's clean again no matter what you do to recover. In a world with the likes of UEFI and "hidden" secondary processors within CPUs, even wiping the hard drive and reinstalling from known good media isn't a reliable fix. It's all rather depressing, this so-called progress.
Re: (Score:2)
Re: (Score:2)
That's no better than reinstalling on a new hard drive. You still lose to any adversary who has direct firmware/CPU access and gets to run their code before you get to run yours.
Re: (Score:2)
The trouble is, all of that remains true if you have anti-virus software installed. Your odds might be slightly better overall, but AV software doesn't catch everything. ...
The advantage of AV is it will eventually catch the malware, unless you wipe and reinstall. Sure, it might have been on there for years but eventually you will get it. That's a little better at least than never catching it at all.
Exactly. Sooner or later, most viruses are found and their characteristics added into the AV software.
Re:AV only helps if you are bad (Score:5, Insightful)
Same here. I hate AV software with a passion because it slows your computer to a crawl, gives a false sense of security and once it's on your computer it takes a complete reinstall of the OS to get it off again. The best AV practices are:
Never use MS software to browse the internet and read email
Use an ad blocker
Never even read email from unknown sources, let alone open attachments from there.
MAKE BACKUPS of your files.
Re: AV only helps if you are bad (Score:3, Funny)
I don't know. I think AV is a great deterrent against skiddies. I would much rather get owned by new undetected malware than a decade old one.
Re: (Score:3)
Same here. I hate AV software with a passion because it slows your computer to a crawl, gives a false sense of security and once it's on your computer it takes a complete reinstall of the OS to get it off again.
Good AV software would have prevented you installing Symantec.
Re: (Score:3)
...The best AV practices are...Never use MS software to browse the internet and read email...
...which of course is great technical advice to act upon right away, and so easily accomplished for the average US corporation addicted to Microsoft products...
Re: (Score:2)
Guess what I use at work :)
Re: (Score:2)
Never even read email from unknown sources, let alone open attachments from there.
Or if you do, make sure all attachments are turned off. No auto-loading flash or linked images. There's nothing wrong with text-only email.
Re: (Score:3)
I've been reading Slashdot and the like for more than twenty years now and the relative amount of vulnerabilities reported for MS products, especially IE and Outlook is so significantly higher that not using that already makes a huge difference. Of course other software is also not without its faults but I could say that your approach of treating all software as equally bad is paranoia.
Now that we've both insulted each other I think I can safely say that we agree that you have to find software that gives t
Re: AV only helps if you are bad (Score:3)
Your arrogance in the belief that Microsoft products are more risky than others would be laughable if it wasn't so dangerous.
Actually, you have a point: it would be terrible - possibly even dangerous, I suppose - for microsoft, black hats and gov'ts everywhere if people were to truly grasp the risk of using Microsoft products, as they'd quickly switch to something else and all that insidiousness would have been for nothing...
Signed,
A Microsoft-Certified Systems Engineer with a far better grasp of reality than yourself... and/or simply not on the take, unlike yourself.
Re: (Score:2)
> the belief that Microsoft products are more risky than others
You've been correctly downmodded as troll, but I want to point out that he never said that MS products are more risky than others. What he said was:
"Never use MS software to browse the internet and read email"
This is good advice. Whether you believe that Microsoft products are shoddy and full of holes, or whether you believe they are targeted to an unbelievable and unprecedented degree, or a mix of the two, it's solid advice. I would say a
Re: AV only helps if you are bad (Score:2)
I haven't run Windows for over a decade. For all that time, and much more, folks have been writing exactly what you just wrote. I think you imagine that this is an iron-clad point: that the additional security I get from Linux and OS/X is somehow illusory because both are just about as vulnerable as Windows.
The truth is that Linux and OS/X are about as buggy or security-deficient as Windows. And they are also safer.
Re: (Score:2)
I hate AV software with a passion because it slows your computer to a crawl
You're either using 20 year old anti-virus software or a 20 year old computer, or both. No one has the problem you're describing. Newly written/modified files are scanned and then sometimes a weekly scan is done while you're sleeping. The load is essentially non-existent.
The GP is right, AV software can slow your computer to a crawl. But that only happens if it does a full system scan while you are actively using your computer.
For those of us who are stuck with anal-retentive IT departments who schedule full system scans at noon, we are stuck with that exact same problem. Their argument is that "nobody leaves their computer on overnight" so they "have no choice."
My response was to install Linux, run Win7 in a VM, and not put the VM on the domain. Since that's one less
Re: (Score:2)
I don't run anything that's untrusted. Worked out well so far.
Or you could run an OS that doesn't vehiculate viruses.
Re: (Score:2)
>> I don't run anything that's untrusted. Worked out well so far.
> Or you could run an OS that doesn't vehiculate viruses.
He said he doesn't run anything that's untrusted, so obviously he's not on Windows, geesh!
Re: (Score:2)
Many of the comments miss your very valid point- that without a false sense of security granted by an AV, you are likely to NEVER run anything untrusted, because you know it could absolutely ruin you, and you have no reliable out. That's referenced in the story. And it's a fact that people adjust risk to match their perceived security- seat belts save lives, but not as many as they should, because people drive with less care when seatbelted (statistically- though probably everyone reading this does too).
Re: (Score:3)
Re: (Score:2)
Good point on the firewalls; compartmentalization is an important tool.
Personally, I use a little firewall (a Ubiquiti EdgeRouter X - $50) in my office to block access to my backup NAS from the remainder of my company, and to be able to do DPI on traffic coming to my machine.
As systems become more complicated and interconnected though, security gets very difficult. A good part of my workflow is now using Terminal Services/Remote Desktop, and I am limited in how I can protect myself from that side, beyond
Re:AV only helps if you are bad (Score:5, Interesting)
Most of them still use system call interposition. They're vulnerable to a whole raft of time-of-check to time-of-use errors, so the only part that actually catches things is the binary signature checking, and that requires you to install updates more frequently than malware authors release new versions - it's a losing battle.
They run some quite buggy code in high privilege. In the last year, all of the major AV vendors have had security vulnerabilities. My favourite one was Norton, which had a buffer overflow in their kernel-mode scanner. Providing crafted data to it allowed an attacker to get kernel privilege (higher than administrator privilege on Windows). You could send someone an email containing an image attachment and compromise their system as long as their mail client downloaded the image, even if they didn't open it. It's hard to argue that software that allows that makes your computer more secure.
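The time-of-check to time-of-use problem this comment raises is easiest to see side by side: a scanner that inspects a file by name and then lets the consumer re-open that name is making a decision about bytes it may never see again. The following is an added example, not code from the comment or from any AV product. It uses a constructed marker string as a stand-in for a real signature and simulates the race window with an atomic rename, so it runs offline in a temporary directory.

```python
import os
import tempfile

# Constructed "signature" for this demo only; it is not a real AV signature.
MALICIOUS_MARKER = b"DEMO-BAD-MARKER"


def looks_malicious(data: bytes) -> bool:
    """Toy content check standing in for the scanner's signature matching."""
    return MALICIOUS_MARKER in data


def scan_then_reopen(path, between_check_and_use=None):
    """Interposition-style pattern: inspect the file named by PATH, then let the
    consumer open PATH again. The name is resolved twice, and whatever happens
    to that name in between (the race window) is invisible to the check."""
    with open(path, "rb") as f:
        if looks_malicious(f.read()):
            return None                      # the check says "blocked"
    if between_check_and_use is not None:
        between_check_and_use()              # simulated race window
    with open(path, "rb") as f:              # second resolution of the same name
        return f.read()                      # this is what the consumer actually gets


def open_once_then_scan(path, between_check_and_use=None):
    """Safer pattern: resolve the name once, read the bytes once, and make the
    decision on exactly the bytes that will be used. Changes to the name after
    the open cannot alter what was checked."""
    with open(path, "rb") as f:
        data = f.read()
    if between_check_and_use is not None:
        between_check_and_use()              # same window, now harmless
    return None if looks_malicious(data) else data


def stage(workdir):
    """Create a clean file and a staged malicious replacement (constructed content)."""
    target = os.path.join(workdir, "attachment.bin")
    staged = os.path.join(workdir, "staged.bin")
    with open(target, "wb") as f:
        f.write(b"harmless content")
    with open(staged, "wb") as f:
        f.write(b"payload " + MALICIOUS_MARKER)
    return target, staged


def demo():
    """Run both patterns against the same swap-in-the-window scenario."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        target, staged = stage(d)
        got = scan_then_reopen(target, lambda: os.replace(staged, target))
        # The check passed on the clean bytes, but the consumer received the swapped file.
        results["racy_consumer_got_malicious"] = got is not None and looks_malicious(got)
    with tempfile.TemporaryDirectory() as d:
        target, staged = stage(d)
        # The bytes checked are the bytes returned; the swap after the open changes nothing.
        results["safe_consumer_got"] = open_once_then_scan(target, lambda: os.replace(staged, target))
    return results


if __name__ == "__main__":
    print(demo())
```

The general lesson is the one the comment draws: a path-based hook can only ever vouch for the content that existed at the instant it looked, so any enforcement that matters has to be attached to the open descriptor (or to the data already read through it), not to the name.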
Re: (Score:2)
That's cute, but logically it means you can never run anything, which doesn't make for very useful computers.
IT security is mostly about risk management, and probably always will be.
Re: (Score:2)
Re: (Score:2)
Sure, but that trust only extends as far as whoever implemented those security measures and signed those binaries. We live in an era when your own OS may well be spying on you, your new laptop may be shipped with vendor-installed spyware right out of the factory, your new PC's CPU almost certainly has secondary functionality built-in that you can't examine or control, any of those things potentially lead to not just privacy but also system control vulnerabilities, and that's just the threats your chosen com
Re: (Score:2)
Re: (Score:2)
But those organizations [...] aren't adversaries.
Unfortunately, I don't think that's a safe assumption any more. For example, my businesses can't use Windows 10, because installing it on anything that touches client/customer data would immediately contravene assorted contractual and statutory obligations we have regarding confidentiality and data protection. Microsoft's policies regarding telemetry and forced updates appear to mean using their new software is literally impossible for us.
Whether or not their intention is to use data collected via telemetry
Re: AV only helps if you are bad (Score:5, Funny)
Is he going for irony, here? (Score:5, Insightful)
By virtue of the fact that he has even mentioned that using Linux is part of his reason to not run antivirus software, wouldn't the fact that he is using Linux be considered to be lulling him into exactly the same sort of false sense of security that he is accusing antivirus software of creating?
Re:Is he going for irony, here? (Score:4, Insightful)
Yes.
I think my Linux is more secure than my Windows, but honestly it only takes one exploit.
If the spooks or large organized crime want in, they're in. Small fry *may* be kept out by best practices, but I wouldn't bet on it.
Anything secret shouldn't be on a computer, let alone a computer on the internet. But then there's the eternal trade-off between security and convenience.
Re:Is he going for irony, here? (Score:5, Interesting)
Then you're making an ignorant assumption.
Yes, you are.
Every other OS out there for server and end user use is more secure than Windows. Windows is flawed by design. Here's why: windows is built on top of an inverted security model that requires the process token to have all permissions required for every aspect of the program running, and then masks that token for child threads and processes. That means that any thread or child-process that has an exploit can automatically run at the highest security level of the process. Add to that the ability of almost any process to inject code into DLLs, and you see why pwning windows is almost trivial. I submit that windows will never be secure until they fix these 2 fundamental architectural mistakes.
Meanwhile, Linux, BSD, and other *nix OSes have a sane least permissions security where a token can be elevated upon authentication/authorization as needed. If a process manages to escape its code path via a buffer overflow, damage is limited to whatever permissions that thread has at that time. In *nix systems, that's usually very little. If you're still not convinced, try to modify a system library in *nix from your own program or some javascript in your browser via a drive by scenario. No fair using the Java plugin, as that shouldn't be installed on any browser.
Different protections for different threats, envir (Score:5, Informative)
If he did -nothing- about security, that would be true. That's not likely the case. More likely, he's using protective strategies that are appropriate for his environment and the threats most prevalent in that environment. The most common threats for Linux machines aren't viruses. Viruses specifically are more of a Windows thing. Not that there are no threats that affect Linux, they are -different- threats.
On Linux, he may use the firewall, Tripwire or another IDS, some form of IPS if only fail2ban, SELinux, etc. Also of course browser-specific things like an adblocker and NoScript. Linux has long had good support for good partition and file encryption, so he might use that, and scheduled offsite pull backups protect against ransomware.
ClamAV runs -on- Linux, but normally -for- Windows - you install on on your Linux mail server to remove viruses before your Windows clients download their mail, etc.
Re:Different protections for different threats, en (Score:5, Informative)
Just because Linux doesn't have as many viruses for it, doesn't mean it's immune to viruses. In fact, Linux is probably a very popular carrier for viruses - Linux host gets broken in (usually via a PHP exploit) and some files are dropped onto it and files modified so whenever a Windows host accesses it, it obtains the payload and gets infected.
Linux may not be harmed by it, but it certainly is an active participant in the propagation of viruses. Mostly because the malware authors want to target users, and 90% of them run Windows. But they can't target Windows servers, because 75% of the servers out there run Linux. So they will exploit those Linux-running servers to plant some Windows malware on there so the Linux host distributes the Windows malware to everyone.
Linux is a carrier, and perhaps having an anti-virus may be handy if nothing more than to ensure that you're not being part of the problem and serving up stuff that infects other users. The best part is, these scanners need not be intrusive since the host can be assumed to be free of malware, so you're really just looking for bad files.
Same thing on MacOS - there's no reason to have a antivirus scanner other than to make sure you're not serving up infected files, or to alert you in case you get an email that won't infect you, but may infect someone else if you forward it on or something.
Google, for example, scans emails and documents for viruses and other malware, not because they can infect Google, but to prevent spread.
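The earlier comment in this thread lists Tripwire or another IDS among the things a Linux user might run, and this one describes the failure it is meant to catch: a web root where an existing file has been modified and a new file dropped for Windows clients to fetch. A file-integrity baseline check covers both cases without needing any Windows signatures at all. This is an added example, not the commenters' code and not Tripwire; it uses a temporary directory with constructed content as the "web root".

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under ROOT (as a /-separated relative path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare_to_baseline(root, baseline):
    """Report files that appeared, disappeared, or changed since BASELINE was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def write(root, rel, data):
    """Helper for the demo: write DATA to ROOT/REL, creating parent directories."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Take a baseline of a constructed web root, then simulate the scenario in the
    thread (one page modified, one new file dropped) and diff against the baseline."""
    with tempfile.TemporaryDirectory() as webroot:
        write(webroot, "index.php", b"<?php echo 'hello'; ?>")
        write(webroot, "css/style.css", b"body { margin: 0 }")
        baseline = build_baseline(webroot)
        untouched = compare_to_baseline(webroot, baseline)

        write(webroot, "index.php", b"<?php echo 'hello'; ?> /* modified after baseline */")
        write(webroot, "dl/dropped.bin", b"constructed stand-in for a dropped payload")
        changed = compare_to_baseline(webroot, baseline)
    return {"untouched": untouched, "changed": changed}


if __name__ == "__main__":
    print(demo())
```

The baseline only proves anything if it is stored where a compromised host cannot rewrite it (read-only media, or pulled off the box the way the earlier comment suggests for backups), and it has to be refreshed deliberately after every legitimate deployment so that routine changes do not train people to ignore the report.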
Re: (Score:2)
Which means that for a normal user of Linux. Running anti-virus is useless.
You only run anti-virus on Linux mail servers.
Re: (Score:3)
That's not my point.... the simple fact that he would even mention it as a contributing factor to not bother with AV software *IS* evidence that it is lulling him into the exact same sense of security that might happen with AV software.
I run Linux, and I don't bother with AV software either, but it's not because I run Linux, it's because AV software is shit.
Re: (Score:2)
That's not my point.... the simple fact that he would even mention it as a contributing factor to not bother with AV software *IS* evidence that it is lulling him into the exact same sense of security that might happen with AV software.
I run Linux, and I don't bother with AV software either, but it's not because I run Linux, it's because AV software is shit.
No I think he mentions it because there IS no anti-virus software FOR Linux, there is AV software running on Linux but it is all against viruses targeting other platforms, primarily because while Linux gets targeted by many different types of exploits, so far there haven't been any traditional viruses.
Re: (Score:2)
Re: (Score:2)
so far there haven't been any traditional viruses
What are these? [wikipedia.org]
Not what you think they are (Score:2)
> What are these?
The first one is an Intel processor instruction. Nothing really to do with either Linux or viruses.
The second points out that executables contain unused bytes. In theory, there is space for someone to add code without making the file bigger.
The third never existed in the wild, as far as I can tell.
The fourth is a legit virus.
The fifth is another research curiosity - it allows root to break files. It's supposed to demonstrate a concept for a trojan, but instead it makes them not run at al
Re:Is he going for irony, here? (Score:4, Insightful)
These security experts wouldn't recommend it, but they're relying on security through obscurity.
Think about it, but don't actually think about *it* because that might endanger the security experts.
Re:Is he going for irony, here? (Score:5, Informative)
In terms of Linux, it's not classical security through obscurity, it's security through diversity. One of the reasons Slammer was so painful a decade ago was that most institutions had a Windows monoculture. The time between one machine being infected on your network and every machine on your network being infected was about 10 minutes (a fresh Windows install on the network was compromised before it finished running Windows Update for the first time). If you'd had a network that was 50% Windows and 50% something else, then it would only have infected half of your infrastructure and you'd have been able to pull the plug on the Windows machines and start recovery. It's possible to write cross-platform malware, but it's a lot harder (though there's some fun stuff out of one of the recent DARPA programs writing exploit code that is valid x86 and ARM code, relying on encodings that are nops in one and valid in the other, interspersed with the converse). Writing malware that can attack half a dozen combinations of OS and application software is difficult.
This is why Verisign's root DNS runs 50% Linux, 50% FreeBSD and of those they run two or three userland DNS servers, so an attack on a particular OS or particular DNS server will only take out (at most) half of the machines. Even an attack on an OS combined with an independent attack on the DNS server will still leave them with about a quarter functional, which will result in a bit more latency for Internet users, but leave them functioning.
Re: (Score:3, Interesting)
These security experts wouldn't recommend it, but they're relying on security through obscurity.
They wouldn't recommend that obscurity be your only security, but I think they would all agree that obscurity can be a useful component of a comprehensive security plan.
For example, if you run a web server, everyone knows it. Controlling the server signature to not obscure the specific version or modules that server runs means an attacker can not target known version-specific vulnerabilities, but has to try a bunch of them. This gives the server the opportunity to detect multiple exploit attempts and ban t
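The detection step this comment describes (an attacker who cannot read the version off the banner has to try several version-specific requests, and that burst of misses is itself a signal) is the same idea fail2ban, mentioned earlier in the thread, applies to log files. Here it is written out over a few constructed Apache-style access-log lines; this is an added example, not fail2ban and not the commenter's code. The source addresses, paths and timestamps are made up for the demo, and the threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one ordinary visitor (one missing favicon) and one source
# walking through several guesses that the server does not have.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2016:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2016:12:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2016:12:03:10 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "scanner/1.0"
198.51.100.7 - - [10/Jul/2016:12:03:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "scanner/1.0"
198.51.100.7 - - [10/Jul/2016:12:03:11 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "scanner/1.0"
198.51.100.7 - - [10/Jul/2016:12:03:11 +0000] "GET /.env HTTP/1.1" 403 209 "-" "scanner/1.0"
198.51.100.7 - - [10/Jul/2016:12:03:12 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "scanner/1.0"
this line is not a valid log record and must be skipped
203.0.113.5 - - [10/Jul/2016:12:05:00 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse(line):
    """Return a dict for a well-formed record, or None for anything unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_probing_sources(lines, threshold=3, miss_statuses=(403, 404)):
    """Group 'missed' requests by source address and flag any source that asked for
    at least THRESHOLD *distinct* non-existent or forbidden paths. Counting distinct
    paths (not raw hits) keeps a page that retries one broken link from being flagged."""
    misses = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is not None and rec["status"] in miss_statuses:
            misses[rec["ip"]].add(rec["path"])
    return {ip: sorted(paths) for ip, paths in misses.items() if len(paths) >= threshold}


def ban_list(lines, threshold=3):
    """The addresses a blocking rule would be generated for (the action itself, e.g. a
    firewall rule or a fail2ban jail, is left to the deployment)."""
    return sorted(find_probing_sources(lines, threshold))


if __name__ == "__main__":
    for ip, paths in find_probing_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, "probed", len(paths), "distinct missing paths:", paths)
```

In practice the threshold should be judged per time window rather than over an unbounded log, and the ban should expire, since the address may be a shared NAT or a proxy; the point the comment makes still holds, that without a version banner the probing has to be noisier, and noise is what gets detected.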
Re: (Score:3)
They aren't relying on the secrecy of their implementations as their main method of providing security, therefore they are not using security through obscurity.
I'd recommend you read up on what security through obscurity really is.
Re: (Score:2)
These security experts wouldn't recommend it, but they're relying on security through obscurity.
Yes, it's an acknowledgement that obscurity IS an additional layer to security. It's not the means to security, it's just an additional roadblock to throw up. When discouraging hacking, if your target is hard or obscure, most people will look elsewhere. Sure, it won't dissuade the truly dedicated who are looking to take you in particular down, but some obscurity is better than no obscurity.
Re: (Score:2)
There is a difference between making a targeted attack (slightly) harder and using obscure means to hope for security.
Re: (Score:2)
Yes. No. Have you seen the success rates of current Anti-virus? It's a bit like preventing STDs by asking potential mates to submit to a screen after sex and keeping a set of drugs in the fridge to treat a few of the diseases we share.
Anti-virus despite coming pre-installed on every out of the box machine and being present on every corporate network has really done little to actually stem the spread of viruses on computers.
Re:Is he going for irony, here? (Score:4, Insightful)
The icing on the cake is that several of them (notably Bruce) are basically saying security by obscurity really is a thing (well at least if you're famous)
The reason why Schneier is a target (Score:2)
It's common knowledge that if you knock out Chuck Norris with a roundhouse kick you become the new Chuck Norris.
Similarly, if you manage to steal Bruce Schneier's identity, you become the new Bruce Schneier. [schneierfacts.com]
No wonder he's a target. Everybody wants to be him.
My personal favorite Bruce Schneier Fact [schneierfacts.com]: "Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes."
Re:The reason why Schneier is a target (Score:4, Funny)
Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes."
That's amazing. I've got the same security for my luggage.
Re: (Score:2)
Sounds more like he's using the old "security through obscurity" fallacy.
You mean passwords?
I am afraid you don't understand what "security through obscurity" means.
I keep my data... (Score:4, Funny)
Someone once made it to the lock-box, but... I just didn't have to feed the sharks that day.
I even have a sign posted: Do not look at sharks with remaining good eye.
Re: (Score:2)
One of these days team A is going to dive down there with anti-shark enclosure and anti-shark weaponry wearing diving suits with laser-proof goggles, and haul the box away to be dissected.
Re: (Score:2)
One look at the crusty penis scanner should scare most people away.
Re: (Score:2)
Was going to ask... (Score:2)
Was going to ask...how do you make use of it, but then I figured out it was connected to your open wireless router.
I don't run AV and I tell people I don't run AV (Score:3, Interesting)
...but I still install AV on every single system which I set up for other people, and I recommend that they keep using AV. Why? Because it would be considered negligent to omit it. If they get infected, which they inevitably do, then not installing AV would put me in an indefensible position. Asking a professional how they protect their data is a useless endeavor. It doesn't teach you how to keep your data secure, because you don't know all the other things they know which stop them from doing stupid things.
Moron Monday (Score:2, Insightful)
Re: (Score:2)
Putting quote marks around something that wasn't said is dishonest.
Nobody said they didn't take precautions.
What one person said, referring to anti-malware software on his Linux computer:
"I don't like to get complacent and rely on it in any way,"
Do you buckle up? (Score:3)
And if so, do you drive more recklessly now that you know that you're more likely to survive a crash because of seatbelt and airbag? Most likely not. Your car is still a wreck if you crash.
The same applies to malware. I do have an AV kit running. But I also know that it ain't no silver bullet. It's not my first but my last line of defense, another layer of security that is there in case everything else failed. Treating it any different is dumb (and yes, I know, there are people out there who go by the logic that they can turn their brains off now that they turned their AV kit on), but simply saying that you don't need it because it gives you a false sense of security isn't too smart either.
Re: (Score:3)
And if so, do you drive more recklessly now that you know that you're more likely to survive a crash because of seatbelt and airbag? Most likely not. Your car is still a wreck if you crash.
Actually, several studies have shown that the number of accidents and fatalities tend to drop when new safety equipment is made mandatory, but starts to rise again a while later, when people get complacent.
For instance, when ABS brakes were introduced on a significant number of new cars sold, the accident rate dropped because people were still driving as if they didn't have ABS. Some years later, everyone had gotten used to the shorter stopping distances and started driving much close to the cars in front,
Re: (Score:3)
ABS brakes are a different kind of beast because they do make drivers actually get more reckless due to them noticing they can get away with it. It's different with equipment that only engages once you already wrecked your car.
Re: (Score:2)
I've been a skydiver for many years, and this is absolutely true in the sport. The gear is much safer than it used to be and is continually improving, but the fatality and injury rate remains fairly steady. People absolutely take bigger risks knowing their gear is safer, which cancels out its improvements in safety. It's called Booth's law.
Short answer: They do esoteric things (Score:2)
And replicating what they do like monkey-see-monkey-do is not an advised way to protect yourself, even if you learned what they aren't telling you.
You can do things differently and recognize/avoid risks other people would not be able to avoid, when you're the security guy.
Protecting an organization's endpoints and servers, OR someone else's computers against themself... is very different than protecting your own computer that nobody else is allowed to touch (although you might put it on a hostile network).
Don't get complacent (Score:2)
The EFF's chief technologist revealed that he doesn't run an anti-virus program, partly because he's using Linux, and partly because he feels anti-virus software creates a false sense of security. ("I don't like to get complacent and rely on it in any way...")
He's quite right. We lull ourselves into a false sense of security all the time. I try to avoid it; complacency is a killer.
I drive at night without any lights on, because then if I'm in an accident it will probably be my fault. This keeps me wide awake and aware of all possible hazards.
During the day this doesn't work of course. Hence I have to drive in bare feet, so if there is an accident I'm not going to get very far trying to run away.
Security isn't hard (Score:4, Interesting)
Probably about 95% of malware comes through malicious websites. Solution: use tools like NoScript and an adblocker. Also use SELinux/AppArmor/grsecurity etc. to make sure that whatever slips by cannot do anything that your browser doesn't have permission to do. If you want to be really safe, only run your browser in a virtual machine (this is the premise of Qubes OS, by the way).
Also apply SELinux (or whatever you're using) to any programs that have listening Internet ports, like SSH and CUPS.
If you use a local email client instead of webmail, don't be dumb and allow your client to auto-execute JavaScript or attachments in emails. Also, don't be dumb and mount random people's portable drives without some precautions.
Re: (Score:2)
You can also use something like firejail (https://firejail.wordpress.com/) for this. I'm not involved in the project but, it's very simple to use compared to something like SELinux. It comes with a number of pre-configured profiles for major pieces of software and, by default, things like Firefox can only see a limited view of the filesystem. For example, by default, Firefox can see ~/Downloads but not ~/Documents. I haven't noticed any performance or stability issues with it so, it has been a welcome e
Lol, really? (Score:2)
"the San Jose Mercury News asked several prominent security experts which security products they were actually using for their own data."
And while you're at it, tell us where you hide your cash and other valuables...
Never do anything on the actual computer (Score:3)
Do everything Internet-related in a guest VM.
I learned this from Joanna Rutkowska; you have at least 3 virtual machines.
One is 'green' and you only ever use it for very sensitive things like online banking.
One is 'yellow' and you only ever use it for semi-sensitive things like social media.
One is 'red' and you do this for random web browsing, searching etc. This one gets re-imaged or reverted to snapshot regularly.
If you like (and have the system resources for it) you can have multiple 'yellow' VMs for multiple social network sites or email accounts.
You can set these VMs up on separate networks with routers/firewalls between them. You can use egress filtering on the green VM so that literally the only sites it can possibly reach are your online banking sites.
You NEVER EVER read email in your green VM or on your host. You NEVER use a web browser in your host.
The basic red, yellow, green VM setup is very, very easy to build and doesn't take a lot of skill. Modern PCs and laptops are quite capable of running these 3 VMs.
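The egress filtering the post describes for the green VM, as an added example (not from this thread, and not Qubes or Rutkowska's own material): a small shell script that generates a default-drop nftables ruleset allowing only DNS to one resolver and HTTPS to an explicit set of addresses, logging everything else. The resolver address 10.0.0.53, the address ranges 192.0.2.0/24 and 198.51.100.10, and the table and set names are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate a default-drop egress ruleset (nftables) for a
# "green" banking VM. Only DNS to one resolver and HTTPS to an explicit set
# of addresses are allowed; everything else is logged and dropped.
# All addresses below are constructed placeholders, not real bank ranges.
set -eu

# green_vm_ruleset OUTFILE RESOLVER ADDR [ADDR...]
# Writes the ruleset to OUTFILE. ADDR may be a host address or a CIDR prefix.
green_vm_ruleset() {
    out=$1; resolver=$2; shift 2
    banks=$(printf '%s, ' "$@"); banks=${banks%", "}   # "a, b, c" for the set
    cat > "$out" <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet green_egress {
    set bank_v4 {
        type ipv4_addr
        flags interval
        elements = { $banks }
    }

    chain output {
        type filter hook output priority 0; policy drop;

        # loopback, and replies on connections this VM already opened
        oif "lo" accept
        ct state established,related accept

        # name resolution: only the configured resolver, nothing else
        ip daddr $resolver udp dport 53 accept
        ip daddr $resolver tcp dport 53 accept

        # HTTPS only to the allowlisted banking addresses
        ip daddr @bank_v4 tcp dport 443 accept

        # anything else is a process trying to leave the VM: log it, then drop
        log prefix "green-egress-drop: " level warn
        drop
    }
}
EOF
}

# ruleset_is_default_drop FILE
# Cheap review before loading: the chain must default to drop and must not
# contain a bare "accept" (an accept with no match would open everything).
ruleset_is_default_drop() {
    grep -q 'policy drop;' "$1" && ! grep -Eq '^[[:space:]]*accept[[:space:]]*$' "$1"
}

# Stand-alone demo with constructed values.
main() {
    f=$(mktemp)
    green_vm_ruleset "$f" 10.0.0.53 192.0.2.0/24 198.51.100.10
    cat "$f"
    if ruleset_is_default_drop "$f"; then echo "ok: ruleset is default-drop"; fi
    rm -f "$f"
}
main
```

Load the generated file on the green VM (or on the router in front of it) with `nft -f`; any process that tries to reach something outside the set shows up in the kernel log under the `green-egress-drop:` prefix, which is the detection signal this setup gives you. Two caveats: the table is `inet`, so IPv6 egress is dropped as well unless you add rules for it, and banks sit behind CDNs whose addresses change, so expect to revise the set when logins start failing rather than widening it to a wildcard.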
Re: (Score:3)
I did exactly this, using Qubes at home. It took a little getting used to, but once you get the hang of it, it makes sense. It greatly reduces the risk of things like XSS and browser exploits leaking banking or other important information. I don't particularly consider myself the enemy of any state, but the increasing number of drive-by exploits targeting Joe Nobody for the purpose of extracting money (whether ransomware, stealing card numbers, whatever) makes this a reasonable course of action even for p
Re: (Score:2)
One of many guides for it that I've read [reddit.com] using a second video card and monitor hookup with the card itself assigned to a VM using IOMMU with something like 97% benchmark performance of bare metal, but I don't have a second video card to try it with, so I'm stuck with playing 2D games in a window.
Re: (Score:2)
Or, you know, you can stop being paranoid....
Just because you are paranoid doesn't mean they aren't out to get you.
Re: (Score:2)
If it costs 10 cents to run an ad that infects your computer and captures your bank account information, then as long as your bank account has 11 cents in it, they turned a profit.
Surf fully sandboxed (Score:2)
Re: (Score:2)
> what browser exploits are there that don't target Java, Flash, or a Microsoft browser?
Anything that exploits Javascript on Chrome (or Firefox, or blah blah blah)...
Just Ctrl+F here for "javascript":
https://www.cvedetails.com/vul... [cvedetails.com]
The one and only reason to run AV (Score:2)
There is exactly one reason to run Anti Virus software: To be able to say you did, if something bad happens. E.g. your bank account gets hacked. Your bank will ask whether you were running AV software. Even if the software is crap, you have to run it otherwise they will try to put the blame on you. Same with your work computer: Somebody in the intranet (not necessarily you) catches a virus. The admin will check whether everybody runs AV. If you don't, you will be blamed. Even if the admin knows that AV is m
Autoruns - Windows Sysinternals (Score:2)
It won't stop malware from being installed but it will sure show you where it's at (root-kits iffy).
https://technet.microsoft.com/... [microsoft.com]
If you use a mail reader like Forte Agent: Options, unhide Microsoft entries, and save resources by disabling all of MS's email sub systems (and there are many).
It will also show any files missing (mostly codecs).
But well worth running (as admin) often.
I haven't run an AV in ages, I put a lot of trust in my HOSTS file, and autoruns just to keep check.
Email encryption and the damn network effect (Score:2)
How on earth do you use encrypted mail unless all your recipients also do the same, i.e. have public/private keys of their own that are configured in their email clients? He probably does communicate with other security minded folk who also use encryption, but the vast majority of ordinary people neither know nor care about these th
Re: (Score:1)
They're only doing their job if you have a reason to use them. If you spend your time avoiding visiting unsavoury websites and have the knowledge not to download/open questionable files, then they're just costing you space on your PC (or in your wallet).
Also, sometimes they break.
This completely ignores the fact that sometimes (often?) advertising networks are used to spread viruses on completely legit sites. [arstechnica.com] Or those sites could be exploited themselves [arstechnica.com] and start spreading malware. [arstechnica.com]
Just because you only check your email and read the news doesn't make you completely safe. Safer, sure. But not completely safe.
#1 source of malware is ads on mainstream sites (Score:5, Insightful)
> If you spend your time avoiding visiting unsavoury websites and have the knowledge not to download/open questionable files
The number 1 source of infections is compromised ads on mainstream sites like Slashdot. Avoiding "unsavoury websites" isn't protecting you. NoScript and an ad blocker would provide much more protection, along with automated offsite backups in a pull configuration (your computer must not be able to delete/overwrite the backups, for ransomware protection).
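A worked example of the pull-configured backup the post calls for, added here and not part of the original comment: the backup host runs the script, the client holds no credentials for the repository, and each run produces a dated snapshot in which unchanged files are hardlinked to the previous snapshot. So that it runs offline, the client's tree is a local directory; on a real backup host the source would be a mount or an rsync-over-SSH pull with a key restricted to read-only access on the client. The function name, snapshot names and sample files are constructed.

```shell
#!/bin/sh
# Added example: a pull-style snapshot backup run from the backup host.
# The client never gets credentials for the repository, so malware on the
# client cannot delete or overwrite old snapshots. Each snapshot is a full
# directory tree; unchanged files are hardlinked to the previous snapshot
# so they cost no extra space. Paths and sample files are constructed.
set -eu

# pull_snapshot SRC REPO NAME
# Copies the client tree SRC into REPO/NAME and points REPO/latest at it.
# SRC is a local directory here so the example runs offline; on a real
# backup host it would be a mount or an rsync/ssh pull from the client.
pull_snapshot() {
    src=$1; repo=$2; name=$3
    dest=$repo/$name; latest=$repo/latest
    if [ -e "$dest" ]; then
        echo "snapshot $name already exists, refusing to overwrite" >&2
        return 1
    fi
    mkdir -p "$repo"
    if [ -d "$latest" ]; then
        cp -al "$latest/." "$dest"      # start as hardlinks to the last snapshot
    else
        mkdir -p "$dest"
    fi
    # Refresh new or changed files. The old file is unlinked first and the new
    # content written to a fresh inode; writing in place would corrupt the
    # earlier snapshot that shares the inode.
    (cd "$src" && find . -type f) | while IFS= read -r f; do
        if [ ! -f "$dest/$f" ] || ! cmp -s "$src/$f" "$dest/$f"; then
            mkdir -p "$(dirname "$dest/$f")"
            rm -f "$dest/$f"
            cp -p "$src/$f" "$dest/$f"
        fi
    done
    # Files deleted on the client disappear from this snapshot only; older
    # snapshots keep them, which is the point of keeping history.
    (cd "$dest" && find . -type f) | while IFS= read -r f; do
        [ -e "$src/$f" ] || rm -f "$dest/$f"
    done
    # Snapshot files become read-only, so a stray write through a hardlink by a
    # non-root process is refused.
    find "$dest" -type f -exec chmod a-w {} +
    rm -f "$latest"
    ln -s "$name" "$latest"
}

# Stand-alone demo: a client file is "encrypted" between two runs; the first
# snapshot still holds the clean copy.
main() {
    t=$(mktemp -d)
    mkdir -p "$t/client/docs"
    printf 'clean content\n' > "$t/client/docs/report.txt"
    pull_snapshot "$t/client" "$t/repo" 2024-01-01
    printf 'GARBAGE\n' > "$t/client/docs/report.txt"   # simulated ransomware
    pull_snapshot "$t/client" "$t/repo" 2024-01-02
    echo "2024-01-01: $(cat "$t/repo/2024-01-01/docs/report.txt")"
    echo "2024-01-02: $(cat "$t/repo/2024-01-02/docs/report.txt")"
    rm -rf "$t"
}
main
```

The two details that matter for the ransomware case are the direction of the connection (the backup host reaches out; nothing on the client can address the repository) and the unlink-then-copy when a file changes: `cp -al` shares inodes between snapshots, so a tool that rewrites a changed file in place would silently alter every older snapshot that links to it. Retention (how many dated directories to keep) and offsite replication are left to the surrounding system.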
Re: (Score:2)
You also want a hosts file that blocks all the usual ad services.
The only time I ever had malware on a system was when we had a worm at work - and it only infected my Windows VM.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
You do realize that spamming the same message won't get you noticed more don't you?
Also, since I have technically disproved numerous parts of your spam, does that mean you have to change your spam?
Re: (Score:2)
Um, it is spam, you posted it 3 times because you were down modded. That is spamming, and it is spam also because you are advertising a commercial product when people are not requesting your advertisement. Spam is defined as "Unsolicited commercial advertisement", so can you show how your posts are not spam? Spam can also be the process of sending numerous duplicate messages, which is also what you are doing here, how is this series of posts not spam?
Have you figured out an add-on for Chrome we can run to
Re: (Score:2)
No, that post specifically proves that I don't. If I was the one down modding you, as soon as I posted as me, the mods would disappear. Your ignorance does not imply me cheating anything.
I don't need to down mod you, plenty of others down mod your offtopic trolling shit on their own.
Re: (Score:2)
Re: (Score:2)
Exactly this. You can tell how little someone knows about actual security by how they trot out the old 'security by obscurity' meme.
Re: (Score:2)
"There are some additional things I do," Spafford added, telling the reporter that "I'm not going to give details of all of them, because that doesn't help me." Bruce Schneier had a similar answer. When the reporter asked how he protected his data, Schneier wouldn't tell them, adding "I'm kind of a target..."
So... security by obscurity is apparently highly regarded by the pros. Good to know.
That's not so-called "security through obscurity." Typically, that term refers to taking the same (ineffective) measures as everyone else so that you don't stick out. On the contrary, he's saying that he does take special measures but chooses not to disclose them.
Re: (Score:2)
> It means you use secret crypto algorithms, instead of openly-tested ones with a secret key.
Right, but even then you can make a case for it. What would be more secure:
> Your encrypted drive exists as encrypted.hc. You load encrypted.hc with Veracrypt, and it uses AES, Twofish, and Serpent.
> Your encrypted drive exists as encrypted2.hc. You load encrypted2.hc with Veracrypt, and it uses AES, Twofish, and Serpent. Inside the mounted encrypted2.hc is encrypted.hc. You load the encrypted.hc with
Re: (Score:2)
Re: (Score:2)
> So... security by obscurity is apparently highly regarded by the pros. Good to know.
Security by obscurity is fine. The problem is relying on it primarily or exclusively, or executing it in a way that diminishes or eliminates standard security, which are all common issues.