Disagreements with Bruce’s Home PC Advice
I disagree with several pieces of advice in Bruce Schneier’s latest posting, which makes some suggestions apparently targeted at everyday PC users.
In my opinion, some of these suggestions can cause more problems than they attempt to solve. As an IT cavalryman, I often get called in to help out in situations where users who know “just enough to be dangerous” (your self-professed “Power Users”) carry out practices like these and get hopelessly lost in the muddy waters of PC self-maintenance. Let me preface this by saying that I subscribe to Bruce’s blog, and appreciate a lot of what he has to say. It’s just that this particular entry raises my hackles, and I feel compelled to comment.
First of all, if you’re a home PC user without a sysadmin, I feel for you. I don’t think you have much of a chance of surviving without getting your computer infested with spyware. Still, some of these measures are a shot in the dark, and shots in the dark often hit unintended bystanders.
When Bruce says “purge unneeded files”, he doesn’t mean for you to go searching through your computer deleting DLL’s or directories that you don’t understand. It’s hard to keep track of everything useful on your PC, especially if you don’t keep track from the very beginning. If you don’t specifically know that something is harmful and isn’t there with your permission, you shouldn’t delete it. I’ve run into far too many people deleting DLL’s from SYSTEM32 and entire directories from Program Files\ without realizing the consequences of not using provided uninstallers. It can break your TCP/IP stack to the point of no return, it can prevent your machine from booting, etc. No offense, but if you don’t know exactly what you’re doing, don’t delete stuff.
This goes for COMMAND.COM and CMD.EXE as well. When you screw up your computer by deleting random stuff, these are the tools that professionals will use to help debug and fix it. Deleting them doesn’t make you any more secure, in my opinion.
Don’t put CD-R’s in your microwave or a document shredder. I don’t know why Bruce would expose himself to potential liability by advising something like that, but he did, and you shouldn’t. You can cause fires or permanently damage your shredder.
I agree that if you’re a home user, a Mac is probably going to require a lot less maintenance. If you need to use a PC, budget some money to get a knowledgeable friend to come and look at it once in a while, and take them out to lunch.
Most home users don’t even know what Internet Explorer is. So advising them not to use it is pretty confusing. A better piece of advice is: if you don’t like popup windows, go and download the Google Toolbar at http://toolbar.google.com/. Better yet, if you understand fundamental browser concepts, go download Firefox at http://www.getfirefox.com, and set it as your default Internet browser the first time it runs.
Passwords. Users don’t pick long, randomly generated passwords, then memorize them. It’s better to provide advice to include at least a two-digit number, along with two or three CamelCase words in their passwords.
If you know what SSL is, you’re ahead of the game. For the common user, though, never go to websites that are linked from email. There are bad people out there sending spam with fake websites that look all too real. Before you enter in your password somewhere, make sure that there’s a little “lock” icon in the bottom part of your browser.
On firewalls, I agree that everyone should own a little home broadband router that can act as a firewall. But they don’t come in the stores labeled as “Network Address Translation” devices. They’re marketed as Broadband Routers, and you should probably have the aforementioned nerd-friend help you out. If you’ve already bought them lunch, buy them a beer next.
As far as I’m concerned, mentioning a “secret police” in the same paper that contains reasonable advice to home users is a little weird. Home user “best practices” should be kept separate from “security paranoia”.
Don’t just grab any spyware-removal tool you can find. Two in particular that nerds everywhere recommend are Lavasoft’s Ad-Aware, available at http://www.lavasoftusa.com/, and Spybot Search & Destroy, available at http://www.safer-networking.org/en/index.html.
A note about uninstalling applications. Please don’t uninstall everything on your computer. A lot of people see things like “Windows XP Hotfix (XP3418481047)” and think it looks suspicious. Again, if you don’t know that a program or file is specifically malicious, please don’t uninstall it. Ask someone who might know.
And now, a few of my own best practices that keep my own home computing safe and sound:
If you use your PC for work, don’t use it for play, or allow family members to use it for play. Personal experience shows that the most common way viruses, spyware, and other bad stuff get onto people’s PCs is through “play” stuff. This includes downloaded screensavers. Screensavers are NOT SAFE. This includes MP3 downloading programs, like Kazaa, Gator, and ALMOST ALL OTHERS. This includes “Joke” animations that friends appear to send to you. This basically includes almost anything you might consider doing for fun on the internet. That’s why it’s so hopeless to try to protect the average user: the authors of spyware, viruses, etc. know EXACTLY what most home users like to do, and then bundle their stuff along with the “Fun & Games” type of software. That’s why you never get popups after installing Turbotax.
Get someone who works as a professional sysadmin as a friend. Treat them nicely and bribe them to come have a look at your PC every once in a while. They’re used to it, and the fact that you actually compensate for their time will be appreciated. Not all sysadmins are good, but they’re probably decent enough to know how to keep your PC relatively clean.
Software firewalls lead to a false sense of security, and often cause more harm than good. They often pop up unintelligible alerts that home users have no chance of understanding, which leads to a lot of weird problems that are very tricky for your knowledgeable PC friends to help out with. The first thing I often do when helping out is disable software firewalls anyway, to try and establish the root cause of connectivity problems. Get a hardware broadband router that also acts as a limited firewall. It’s a much better solution to the problem.
I hope Bruce doesn’t mind that I disagree with his advice on most of these things. It’s just that home users have a much greater chance of causing complete havoc when following some of these suggestions.
December 13th, 2004 at 9:45 am
Here’s another, really good, “twelve commandments”
Here’s how I’d reconcile Luky’s and Schneier’s advice:
December 13th, 2004 at 10:46 am
Re number 10 : I find that these 2 spyware detectors each regard the other as malware. Your remarks please?
FWIW: your logo shows nonexistent dice; the opposite faces of a die add up to 7, so you can NEVER simultaneously see the 3 and the 4.
Stu Savory
December 13th, 2004 at 1:02 pm
Before you enter in your password somewhere, make sure that there’s a little “lock” icon in the bottom part of your browser.
I think you missed the point here. Having that little “lock” does not guarantee security, and that’s what Bruce was trying to get across. All it means is that the connection between the browser and the server is encrypted. It doesn’t mean the data will be secure after the server gets it.
I’ve personally seen applications that e-mailed credit card data in plaintext from our colo’d web server to the person that would process the card number. We were running SSL, so our users expected the card data to be safe. Obviously, this wasn’t the case at all.
December 13th, 2004 at 2:54 pm
Since when are P2P file sharing programs Screensavers?
December 13th, 2004 at 3:28 pm
Thanks for coming by and reading my weblog.
Matthew: sorry for the poor paragraph structure. I listed three things that said “This includes…”, then explained something after each one. Hope that makes sense.
Timm: I agree. Good point.
Stu: I haven’t found that they regard each other as malware, but I will try to check that out when I get home. I tend to use those two to get ‘good coverage’ in most situations, and haven’t had any problems running them. I have had the ‘impossible dice logo’ thing pointed out to me a couple of times.
Thanks for the notice anyway.
To any visitors from Metafilter who believe I misread the audience: You may be right about those who subscribe to his RSS feed. Let’s look at how he addresses this post: “I am regularly asked what average Internet users can do to ensure their security.” Average Internet users are the ones for whom Microsoft now blocks read access to Windows system directories, the Program Files subdirectory, and more. When I think about average Internet users, I think about all the experiences I’ve had with people wandering their hard drives trying to delete random executables and DLLs they find, simply because they didn’t know what they were doing there. That’s the type of user I’m worried about, and also incidentally the type of people that everyone seems to want to show these instructions to.
December 13th, 2004 at 4:35 pm
Spybot S&D and AdAware do not regard eachother as malware.
December 13th, 2004 at 7:59 pm
I agree that Schneier’s advice was pretty much crap — it’s unorganized and assumes a great deal more technical knowledge than the average user has. Your reply is a bit odd, however, in that the sort of unsophisticated home user that you are talking about is never going to be reading Schneier’s site, much less yours — you’re both talking to an audience that is busy wondering why their computer is running so slow after their teenager installed Kazaa.
The microwave part was stupid, but the shredder advice was sound. Note that he mentions “better shredder.” He should have been explicit, however, and told the user to check beforehand to make sure their shredder is rated for CDs and DVDs.
It is relatively easy for home Internet users to stay virus and spyware free. Neither my wife nor I have had viruses or spyware on our machines in the 20 years we’ve been using computers. It just takes a little common sense to avoid 90% of the behaviors that lead to this (such as downloading screensavers or clicking on attachments).
December 13th, 2004 at 8:23 pm
Brian,
Thank you as well for your comments. I’m happy to see some actual real people posting comments, as opposed to all the spam I usually clear out with mt-blacklist. In any case, I understand why you and others feel that I’m talking to the wrong audience.
However, I believe that there are people of all sorts of skill levels out there. Those who take sensible precautions and have good habits, like yourself, won’t have massive spyware and virus problems. I have no doubt that there are virtually no “average Internet users” reading my blog, other than my friends.
The crowd I’m addressing are those people who might read Bruce’s directions, and put them into practice without being particularly careful or knowing what they’re doing. When I thought about the damage they could cause by following some of his instructions without the appropriate foresight or background knowledge, I felt compelled to write about why those directions might not be such a good idea, so that people who know “just enough to be dangerous” think twice before doing these things themselves, or even worse, start spreading this around to those who are even less knowledgeable. Judging from the number of people who immediately posted on Metafilter about how they were going to print it out for their families, I fear I may have blogged in vain.
With respect to the shredder, he does suggest that it should be some sort of heavy duty shredder. But in light of the ‘audience’ issue I mentioned above, the danger isn’t the people who have a heavy duty shredder, but those who are willing to try it on their shredder just to see if it works.
In any case, thanks for the comment! I’m happy to hear about why certain parts of my post misaddress the issue, or aren’t valid, or even how my dice on the logo are impossible.
December 14th, 2004 at 12:50 am
PC Security
Disagreements with Bruce’s Home PC Advice Bruce Schneier posted some well-meaning, but misleading advice on PC security. Gordon Luk follows it up with some compelling disagreements….
December 14th, 2004 at 4:15 am
Gordon,
Many thanks for a very useful and timely post. I had already recommended Mr Schneier’s list on my own site, but have now put in an update so that my less-technically-able friends don’t charge in and start breaking things. I - and probably most reasonably technical people - read “if you no longer need it, uninstall it” as good sound advice to use the “Remove” part of “Add/Remove programs” as well as the “Add” part, but having been in front-line tech support roles at various times in my life I should have remembered that people are likely to read it as “delete everything you don’t understand”.
Cheers!
Giles
December 14th, 2004 at 4:20 am
Simple PC security precautions
Essential reading for anyone who owns a computer — especially those with broadband or other always-on connections — is Bruce Schneier’s list of security precautions. While I personally wouldn’t do everything he suggests (I use the cmd.exe f…
December 14th, 2004 at 10:57 pm
I have seen a fake paypal site that makes a realistic looking “lock” icon using images. To be safe one must type an address into the browser manually. Copying and pasting the address is generally safe.
December 15th, 2004 at 1:09 am
you nerd
December 15th, 2004 at 6:56 am
Just want to point out that Crypto-Gram readers are in general much like readers of this blog. The profile probably doesn’t include too many “average users” so I think the high-level advice Bruce gives is good. He doesn’t claim to give step-by-step instructions, but rather recommendations for overall security strategy. Of course we’re all free to choose, interpret, and implement as we see fit.
December 15th, 2004 at 7:08 am
Doesn’t anyone else see the irony in Bruce Schneier advising readers of an emailed newsletter full of web links not to click on web links in emails?
December 15th, 2004 at 10:45 am
microwaving CDs rocks! It’s better to do it with someone else’s microwave though.
December 15th, 2004 at 12:27 pm
For further irony, he recommends Mac or Linux if possible and then claims he is “stuck using Microsoft Windows and Office.” Really? I thought he started Counterpane; have they now dictated to him that he must use what he himself describes as one of the worst possibilities for an OS? For as much time as he spends writing columns, giving talks, granting interviews, contributing tidbits to the occasional whitepaper, and appearing on line, it seems unlikely that he has any time, or inclination, to do anything that would require Windows.
December 15th, 2004 at 2:39 pm
Last I noticed it was a plain text newsletter. It’s your email reader that makes the URLs into clickable hyperlinks.
December 15th, 2004 at 4:28 pm
In all fairness to Bruce, his list isn’t too bad and it’s at least better than anything I have put together myself so far. The information here does provide clarifications or a little more advice on certain issues, but I wouldn’t say Bruce’s original article is bad.
A second note on the comment that says check for a lock icon in a corner of your browser. Good advice to a certain degree (someone else already pointed out why it might not be safe), but I also noticed that it shows up in Internet Explorer even when the site uses low-grade encryption, which isn’t really safe enough, IMHO, to send my credit card number. Firefox will warn you about the use of low-grade encryption, but the “average” user may not understand or may not pay attention to that warning. IE will of course not warn you about it, which is one of the reasons to use Firefox.
December 15th, 2004 at 4:54 pm
Unfortunately, as quite a lot of people have pointed out, many of Bruce’s points are either rather paranoid or too technical. I would like to go further with this in saying that while some sense of distrust of spam email and phishing web sites is good, you can go too far with this.
eCommerce depends on a couple of things working for everyone. One of these is SSL. While it is unusual to find an ISP that allows monitoring of others’ communications, SSL is an important indication that you are talking to whom you think you are. Another item that is important is cookies. If you use the more rabid software firewalls or “privacy protectors” you will find that anything that tries to set a cookie is labelled as “bad”. Why? Well, some misuse of cookies has indeed occurred, but little of this really affects people. What does affect people directly is discovering that their bank uses cookies (a concept they’re none too familiar with) and so must be “bad”. Same thing with making online purchases - we need to make this safer and more convenient for people, not harder and more confusing.
Finally, a word about credit cards. Yes, if someone steals your credit card they can cause havoc - but none of it really affects the credit card holder. The regulated liability limit is $50, and I’ve never heard of that being pushed onto the cardholder. It is left to the merchants to suffer the penalties. The card company wants you to keep the card, so I’ve never heard of a fraudulent purchase being forced onto the consumer. Absolutely, do not use a debit card for online purchases as they have completely different rules with your money behind them. Similarly, any web site that will only accept an “eCheck” or debit card payment is telling you in advance that you won’t be happy and won’t be able to get your money back. If you’re happy with being unhappy, by all means continue.
Let’s just not throw the baby out with the bathwater.
December 15th, 2004 at 5:05 pm
I’m an “average” computer user who gets Bruce’s newsletter. Most of what he says about computer security is just common sense applied to the computer. But nuke a CD in the microwave? No way!! Bust them in pieces if you can or use a shredder rated for them.
YTAOS
December 15th, 2004 at 5:16 pm
The AdAware readme does mention that it may alarm at the presence of other similar software. This is for the same reason that some virus scanners recognize other virus scanners as virii - signatures. The software contains a file or series of files that fit the “pattern” of bad stuff - and a virus or adware/spyware “pattern” might be good enough to fool another scanner…
December 16th, 2004 at 3:58 am
Why didn’t anybody list one of the most important Windows security tips (neither Schneier nor anybody here - or did I read over it)?
Do not work as the administrator. Create an unprivileged user. This is one of the most important things to do first after installing Windows.
December 17th, 2004 at 6:27 am
William,
Thanks for the comments. When I mentioned Turbotax, I was trying to think of the least fun application that usually gets installed by a home PC user during the year. Also, it’s one of those applications that you only will buy from a “trusted” vendor, i.e. Intuit (humor me here). People don’t go out searching for Turbotax or tax prep software at random internet websites whenever they buy a new computer. But average users have no qualms whatsoever with searching out “Smiley” packages, “free” games, “free” screensavers, and filesharing programs from anywhere they can get them, without verifying the legitimacy or claims of the vendors.
Maybe that helps explain things?
Btw, getluky.net is run on Movable Type 2.6x. It’s a piece of blogging software that allows you to have comments on your blog, if you dare.
December 17th, 2004 at 1:54 pm
Dear Sir:
I would also add the following to Bruce’s list of computer security ideas:
Stay away if possible from computer applications that will not let you send the data they use or generate to an external storage medium such as a floppy drive or Zip drive or similar. Genealogy programs do this. There is no reason why all software could not work this way for most users.
YTAOS
December 19th, 2004 at 8:39 am
Aaron, why would you want to stay away from programs that don’t allow you to send data to an external medium?
December 19th, 2004 at 7:44 pm
You misunderstood Bruce’s advice about passwords. His point was that any password that you can memorize is not good enough to resist cracking, so you should stop trying to memorize them: just accept the fact that if a password is important to you, you’re going to have to write it down, because if it doesn’t look like incoherent gibberish, then it isn’t worth anything. (Possibly this is too paranoid, but he would know better than me about the current state-of-the-art in crack software.)
December 27th, 2004 at 1:13 am
10 things to do this christmas break
Everyone has a list about how to make their computer more secure, so I thought it was about time I jumped on the bandwagon. What follows are my simple and easy to implement suggestions to make your computer more secure,…
December 27th, 2004 at 11:28 am
A comment about comments regarding the audience that Bruce’s and your writings are directed to: as an educator of adult computer users and wannabe’s, I constantly search the web, my library, blogs, local sources, etc, for information related to home computer security. I vet what I find, and weave it into the courses I teach and the books I write to support those courses (giving appropriate credit to authors, naturally). It is articles like Bruce’s, and the comments and cross-comments of writers like the ones on this page, that help me better prepare myself to DELIVER RELEVANT INFORMATION TO THE MASSES. So, you see, the more and better info that’s placed here will be digested, added to, and directed to an audience that both needs it (in an appropriate level of techno-speak, or plain-speak) and benefits from it to help insure their good experience via their computer and the internet.
December 28th, 2004 at 8:14 pm
Interesting comments, Gordon. I think you’re quite right in saying that a lot of Bruce’s suggestions would need interpretation before some users understood them. For example he suggests changing file associations for WSH files; this is way beyond even some “power users’” comprehension. But I think some of your criticisms are a little harsh. For example in point 1, you criticise Bruce for saying “purge unneeded files” — but he actually said “purge unneeded DATA files from your laptop” (my emphasis). Now it’s true some users might not know the difference between a data file and an application file or dll, but most do, and if it’s clearly explained, this is sound advice.
Another thing is people having a panic attack about microwaving CD-Rs. Until small office shredders rated for CDs became commercially available (only a couple of years ago), microwaving was the most practical method of rendering them unreadable, and a lot of folks do it in perfect safety. Evidently, most of those posting have never done it; it really isn’t particularly dangerous. In fact I would say it is significantly safer than smashing them with a hammer (they shatter almost like glass, spraying around a lot of surprisingly sharp edges). For that matter, I’d say it was even safer than microwaving donuts; donuts can catch fire, but the CDs don’t (although they emit a rather unpleasant stench if you leave them in longer than 4 or 5 seconds, so I would put more emphasis on “no longer than 5 s”).
As for passwords, part of Bruce’s point (admittedly not very clear here) is that passwords like two words in camel case + two digits are not strong enough anymore–and as the power of machines available to crackers increases, this situation will gradually become worse. The average user simply cannot memorise a password that is strong enough anymore. Worse is that it is fundamentally unsafe to use the same password on multiple websites, and no-one can memorise dozens of strong passwords. There are some complicated and expensive solutions available, but for an unsophisticated user, the best combination of safety and ease of use is choosing totally cryptic passwords–a different one per site–writing them down, and keeping the list in a very safe place. (Password cracking being much more common than wallet theft.)
The reference to “secret police” is also inside jargon that needs much more explanation before offering to a naive user. In some security circles, potential opponents are graded according to their relative capabilities. National intelligence agencies are used, somewhat humorously, as an example of an opponent so sophisticated that you probably can’t stop them. Bruce’s point here was that this list is not high security stuff, but just the basics.
December 29th, 2004 at 9:15 am
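A worked calculation of the two password schemes argued over above (the post’s two or three CamelCase words plus a two-digit number, versus the “incoherent gibberish” Bruce is said to favour), added here as an example and not taken from the post or any commenter. The dictionary size and the attacker’s guess rate are constructed assumptions, not figures from the page.

```python
import math

# Constructed assumptions (not from the post): the attacker guesses words from a
# dictionary of this many common English words, and tries guesses at this rate
# against a leaked password hash. Both are illustrative placeholders.
DICTIONARY_WORDS = 10_000
GUESSES_PER_SECOND = 1_000_000_000  # 10^9, hypothetical offline attack


def scheme_entropy_bits(components):
    """Entropy in bits of a password scheme built from independent parts.

    `components` is a list of (label, choices) pairs; each part is assumed to be
    chosen uniformly from `choices` possibilities, so the bits simply add up.
    """
    return sum(math.log2(choices) for _, choices in components)


def camelcase_words(n_words, dictionary=DICTIONARY_WORDS):
    # n dictionary words. Capitalising each word's first letter adds no entropy
    # once the attacker expects CamelCase, so it is counted as 0 extra bits.
    return [("word", dictionary)] * n_words


def digits(n_digits):
    # each digit is one of 10 values
    return [("digit", 10)] * n_digits


def random_printable(n_chars):
    # 94 printable ASCII characters (0x21..0x7E): the written-down gibberish case
    return [("char", 94)] * n_chars


def seconds_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every password of a scheme with `bits` of entropy."""
    return 2 ** bits / rate


def compare_schemes():
    """Entropy (bits) of the schemes discussed in the post and comments."""
    schemes = {
        "2 CamelCase words + 2 digits": camelcase_words(2) + digits(2),
        "3 CamelCase words + 2 digits": camelcase_words(3) + digits(2),
        "12 random printable chars": random_printable(12),
    }
    return {name: scheme_entropy_bits(parts) for name, parts in schemes.items()}


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:32s} {bits:5.1f} bits  "
              f"exhausted in {seconds_to_exhaust(bits):.3g} s")
```

Under these assumptions the two-word scheme is exhausted in about ten seconds, the three-word scheme in under a day, and the 12-character random string only after many millions of years; the calculation says nothing about password reuse across sites, which is the other half of the argument.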
Simple Tips on Computer Security
Recently, it’s become fashionable to write an article on how to protect yourself from all the malware, phishing, spyware, viruses, spam, espionage and bad disk drives out there. Here’s some: [IBM], [Schneier], [GetLuky]. Unfortunately, most of them go …
December 31st, 2004 at 1:27 am
Bruce’s comments about SSL are completely valid. Your link is encrypted, but what happens to the information at the other end? How secure is it?
Even if you get the padlock displayed, how many people verify the certificate is from who they say it is? This raises the issue of how you know you can trust a certificate.
December 31st, 2004 at 6:41 am
Al -
That’s a good point, and also one Timm made in the comments which I agreed with.