Welcome to Inkbunny...
Allowed ratings
To view member-only content, create an account. ( Hide )
KichigaiKitsune

So, who here has no anti-virus?

Taking a break here at work to nibble at some homework, some stories, and post a quick journal. I love this - technology is so accessible and, well, cheap nowadays that I have my own little PAN set up here. Every device is a Samsung too... funny how that happened, it wasn't intentional.

My Galaxy S3 is providing internet access to my Samsung laptop and Galaxy Tab 2.0. So yeah, mobile computing at its best. Why am I carrying all of this? Well, actually, I just wanted to relax at work briefly. I'm blessed enough that I can do that...

Anyway. One thing that's come up a lot for me lately is the issue of people's shitty security practices on their computers, mobile devices, networks and online accounts. I've given the same lectures (in some cases I even got paid) to about five different people in the last two weeks, and it reminded me of myself.

I know there are people not operating with any form of anti-malware on their systems right now, reading this. Aldreyachan for one; yeah, I'm calling you out! >:3
It's something that people do, for a variety of reasons.

Older and younger people than I tend to not realize how important it is. People my own age don't recognize how far security suites have come, and mistake today's unobtrusive, lightning fast, intelligent software for the bloated, memory hogging, computer crashing "malware in disguise" it was ten years ago, so we just don't bother.

Now, I used to believe, as a lot of the latter group does, that "clever browsing habits" will protect you from malware. You won't get viruses if you don't do dumb stuff, like visit dark sites with ActiveX or Java enabled, open things from dodgy websites and emails, fall for (almost always brutally obvious) phishing...

That's not true. Okay? Let's just get that out there first.

Secondly, one day, my World of Warcraft account was full on cracked. In the end, it was a mild inconvenience, but the little fucker who did it only pissed me off because he placed my character in a spot that took 10 minutes to kill him so I could play.

Now, maybe you don't play WoW, but it serves as the perfect parable. I never played from possibly dangerous computers, such as kiosks, never in internet cafes, etc. I had a strong password, or so I thought. I had good browsing habits, so surely I never got a virus/keylogger. But I didn't have anything to be sure of that.

Bear in mind, at the time my WoW account was hacked, I was coincidentally studying IT security. So I knew everything was iffy, but the worst, most horrible flaw was what undermined all of that: "It'll never happen to me."

Yeah. Yeah it will. Whenever you operate without up-to-scratch security protocols (term used broadly) you're playing Russian roulette. You're basically just waiting until a bad-guy decides to target you next, and you will be targeted, because it's just random, sometimes automated, attacks. Also, bear in mind that even then I had significantly better online safety habits than, say, Aldreyachan, who hasn't been hacked yet - that's because it's a question of Russian roulette. So, yeah, it will happen to you; or rather, it could, so don't take the risk. It might not, but then again you "might not" crash your car, but you'd still wear your seatbelt and not drive drunk.

Operating without top-notch security habits is akin to not locking your door when you leave the house empty, assuming that burglars will just hit a different target in the neighborhood, but not you. "It'll never happen to me," but then it does, and oh, boy, do you feel like a dick.

So it's also important to note how easy your machines can be infected. Windows is particularly vulnerable, and malware infections can come from everywhere - hence the need for dedicated AV software. Meaning that even legitimate sites like Cracked, The Escapist, Facebook and eBay can infect your computer silently, often thanks to banner adverts. In fact, they're the biggest threat. You can also have loads of infections without even knowing it, harnessing your computer for a "bot-net" or just laying in wait. There is malware out there that even functions based on "carriers" and rootkits that provide minor harassments you might not recognize as malware infection.

Worse, there's actually a full on, no kidding, "cybermafia" out there. Okay, that sounds overly dramatic, but I didn't pick the phrase. It's true that there is organized crime revolving around using malware to steal information, using specific information to "phish" you (spear phishing), and they'll look around online to see what small business they can rip off and leave destroyed in their wake. Sometimes, they target the big guys, but it's mom-and-pop organizations that are most at risk.

Going back to WoW for a second; because I took so few serious precautions, I've never figured out what happened. Was my password simply cracked/guessed? Seems unlikely, but it wasn't as good as I know to make it now. Did I get a keylogger on my machine somehow? If so, what else did they take? I did play occasionally on a friend's computer - was that how it happened? He was hacked too, but months earlier.
The questions and worries were endless, all because I didn't have some free shit like Microsoft Security Essentials and a decent passphrase, and/or changed it every now and then.

Truth be told, I've never received a virus aside from a handful of odd cases, despite running no AV for years. I've had two rootkits that I removed instantly - I took a chance on some less-than-legit software, and got burned 100% of the time. I don't know what caused the WoW incident. As far as I can tell, never had anything else. But that's only as far as I could tell.
Yet still, there are millions of people who just get these viruses. Their computers get reamed in seconds - the scary statistic about an unprotected Windows XP machine getting riddled with viruses within moments of connecting to the internet is more or less true. So it can happen. I know now that I've just been lucky so far. It really is just one of those things were, hey, you'll prooobably be okay unless you're a dipshit, but just freakin' take the precautions, come on.

Unless you're a small business owner. In which case, do everything, do it very well, and do it now or you're taking a massive risk.

Here's all you have to do to more or less make your computer... at least up to scratch. This isn't aimed at the real geeks who know their stuff, I'm talking about the people out there who are blithely operating with craptastic passwords and no antivirus. You know who you are, don't try and tell me that you're not reading this.
I WILL END YOU. >:C

1. Install an antivirus suite.
You don't need a paid-for "internet security" suite. Free AV suites are pretty much all you need, as everything else can be achieved by good online habits (i.e., not being a dumbass) and browser addons.

Go and download: avast! at http://www.avast.com/
Or Google, then download: Microsoft Security Essentials, from Microsoft.
Ask around, if you don't like these options. I've got a few others that I recommend to people.

You have no reason not to do this step. Few if any AV suites cause ANY problems, and they're not a bother whatsoever. You basically fire-and-forget. Install, let it do its thing, forget about it, because it won't be obtrusive at all.

Seriously, the worst thing about avast! right now is just the cutesy voice telling you when the definitions have been updated...

2. Install a few other things.
Malware Bytes Anti Malware.
Spybot Search and Destroy.

Google them, install them. There's some overlap between these three suites, but that's okay, they don't conflict. Between the three of them, you'll probably be extremely fine, IF you remember to run regular scans. So do that.

3. Don't use shitty passwords.
"sexyprincess1" isn't a password. "password" isn't a password. "1234qwerty" isn't a password either. They're concentrated idiocy. Remember, there are two sides to cracking a password: the man and the machine.

This means they'll first use specific patterns, such as trying every single one of the top 1000 most common passwords (the human side), and various permutations thereof using the computer to modify them, such as "password" and "p@ssw0rd" (the machine. See: rainbow tables). Then they'll try personal information, with permutations thereof.

So your password cannot be your name. Your business. Your dog. Cat. Child. Partner. Birthyear. DON'T DO THAT.
Then they will try to brute-force your password. This technique is blunted HARD by longer passwords with spaces, symbols and numbers. So use a longer password with spaces and symbols and numbers.

But the man and machine side of things comes into play for you too - obviously, you want a password a computer can't methodically crack, but you gotta remember it. Try a passphrase.

"I like to eat tropical fish every 2nd Thursday!" is not easy to randomly crack. Neither is, "Bob Dole once raped a dolphin." You won't forget that, either!
You can get more creative too; instead of a regular passphrase, toss in some symbols, or write it in code!
Like, literally, encipher your passphrase somehow, or use a snippet of programming code. Just try to make it memorable.

The basic rule is: password/phrase be longer than 8 characters, contain a number, mixed capital/lowercase letters, and a symbol. But this often ends up being actually pretty easily cracked by computers, as because people make it memorable by basing them on real dictionary words. "P@ssw0rd1" for instance. That won't do.

So, either use a good passphrase, or get used to remembering crap like this: "ZPpf+\n$.Ny3"
Hey, don't forget mnemonics! "I like to wear fluffy hats on Easter!" can either be a passphrase itself, or to help you remember: "ILtW_fluffYhat5_oE!" :D

Remember: you can't realistically crack modern encryption, for instance. The weak point is the password. You've got unassailable walls a million miles tall (encryption that would take 13 million years to crack with the best computers of today), but a paper door ("pornstash1"). Make that door better.

(PS: don't write passwords down, don't leave them on your computer, and things like KeePass are no good if your device is taken from you; you'll never remember your passwords on your own, never recover them, and if you're blackmailed or requested to by the government you'll need to divulge your master-password; which gives them everything. REMEMBER them, don't count on stuff like KeePass for everything.)

4. Don't run as the administrator/superuser.

Make a second account on your new Windows machine. Make it a standard account. Give it a password. Go to your administrator account. Give it a better password.

Log in as your standard account. IF you need to do something administratorish, it will either prompt for the Admin password with User Account Control, or you can log in with the Admin account, do what you need to do, then get out. Don't browse the web as Admin unless you need to.

Advanced users: use batch/Powershell scripts and the "savecred"/"runas" features, or better still, make use of your Task Scheduler, to allow you to make shortcuts to running things as Admin with no UAC prompt, no password, etc. You can use your Task Scheduler to make a shortcut to open the Device Manager, for instance, as the admin, without you actually logging in as that account - just like sudo on Linux/BSD. It's super awesome. Look this stuff up. Great for shared computers.

Why? Because if your Admin account is compromised, your computer is three hundred times as fucked as if a standard account is. The typical Windows user runs as the system's administrator, which has FAR more power than your protracted porn-and-gaming sessions need, up-to-and-including the ability to fuck your own bootsector, breaking your computer almost completely, which is the kind of thing malware creators love. This is how you get rootkits.

I know UAC is a pain in the tail, but just do it. It's not as annoying as it used to be in Vista.

5. Your mobile devices. Protect them!

Get avast! Mobile. Get the anti-theft module installed. Your device now cannot be infected, cannot be stolen and resold even if wiped and new SIM cards installed, and can be tracked using its GPS.

There are other alternatives, so look for them. The point is: this level of security and theft prevention exists. It's free and unobtrusive. Why don't you have it? What, are you dumb? HUH?! >:C



No, I know you're not dumb. But sometimes people don't really know what they should be doing, or they don't bother. Many of my online accounts have godawful passwords I ain't changed in years. Nobody's perfect, blah-blah. But if you just consistently follow SOME of the advice here, you'll make yourself a tougher target for random malware infections and directed, deliberate attacks too.

I'm not a security expert. You don't have to be a security expert. This stuff is actually really easy, and that's the point: this isn't expert-level. This is basic level. If you're not doing these things... you're not even up to par. You're taking unnecessary risks. You're leaving the house empty with the doors open, documents and money lying around instead of in safes.

Just tossing this out there. Because. Reasons.
Viewed: 55 times
Added: 5 years, 3 months ago
 
Winterimage
5 years, 3 months ago
On my old computer, I got by for years without any anti-virus/malware programs. I did run no-script and adblocker and such nifty little things, but the AV ate so much computer power that it became almost unusable. Every now and then I'd download some free AV and run it, and it would pick off some or other adware (usually from Microsoft), but other than that I had no problems.

My new computer came fully equipped, and I probably will renew the AV when it expires, unless it's horrendously expensive, even though I do tend to think that the virus fears are mostly paranoia combined with smart marketing from the AV-suppliers themselves. Though I admit that it has been a few years since I surfed unsafe, and maybe back then it was okay as long as you stayed off any suspect sites.

As for my passwords, they should be more or less unhackable. I'm not using anything that resembles words or identifiable sequences, and I have my own ways to remember them. Anyone who can hack them would have hacked pretty much anything, anyway.
Alfador
5 years, 2 months ago
AV: Windows Security Essentials. I had some problems with other free antiviruses giving too many false positives for things like Steam games and WoW patches, so I looked and found that hey, the free Microsoft stuff doesn't suck in this instance. Boom.

Anti-malware-via-banner-ads: I use NoScript for Firefox, which is a pain when some site uses three or four different domain scripts just to play a video or fill a form, but it means that sites like, say, Facebook, never get a chance to run potentially dangerous JavaScript.

WoW: I have an authenticator.

Passwords: Admittedly this is probably one of the weaker points--though I've gotten more secure passwords over the years (putting numbers and symbols in the middle of a password rather than the end, using patterns of characters that don't match up to English words or misspelled English words), there are better ways. For example, some (moronic) systems do not allow you to use anything but letters and numbers in a password. The best solution is probably to have a passphrase, as you said, a long sentence that you can remember... but some sites limit the size of your password, too!! It's kinda crazy how many different restrictions on password strength sites have just to save a few bytes per field in their database... and then they wonder why people's passwords end up getting cracked.

http://xkcd.com/936/
For added benefit, shift your hands one key to the right or left when you type in a common-word passphrase like that. Unless crackers try that in their rainbow tables now, too... just how inexpensive IS the kind of hard drive space that would take to pull off??
KichigaiKitsune
5 years, 2 months ago
Haha, I was gonna point to that comic, but I didn't see much reason - I was also gonna mention just shifting your typing one key to the right, something my friends and I find hilarious whenever we're typing drunk. But it can sometimes be hard to replicate if you use a different keyboard, and sometimes you have to fight your own muscle memory to do it, especially if you're like me. I type using muscle memory without using the home-row as my "base." So trying to shift things one key over and typing normally like that is borderline impossible for me.

It's like how I have to stop and think when I want to make deliberate grammar and punctuation mistakes. I just can't do it!

Yeah, browser extensions were outside the scope of what I wanted to say here. I run... about 20 different privacy/security related extensions on Firefox, but because people often use Chrome or IE instead, I didn't want to bother talking about it. But everyone can benefit from good passwords. Or by switching to a better browser. *cough*

And as for password size restrictions... yeah, some people are asses. But on the bright side, this shouldn't be a problem for most online accounts and user accounts, so I don't mention it.

... Hrm. I was playing around with BackTrack awhile ago. All I'll say for rainbow tables is: they're freakin' massive. I wouldn't want to double their size like that.
DestructiveImpulse
5 years, 2 months ago
" Taking a break here at work to nibble at some homework, some stories, and post a quick journal

BULLSHIT

That was not a quick journal. It took me forever to read
New Comment:
Move reply box to top
Log in or create an account to comment.