Taking a break here at work to nibble at some homework, some stories, and post a quick journal. I love this - technology is so accessible and, well, cheap nowadays that I have my own little PAN set up here. Every device is a Samsung too... funny how that happened, it wasn't intentional.
My Galaxy S3 is providing internet access to my Samsung laptop and Galaxy Tab 2.0. So yeah, mobile computing at its best. Why am I carrying all of this? Well, actually, I just wanted to relax at work briefly. I'm blessed enough that I can do that...
Anyway. One thing that's come up a lot for me lately is the issue of people's shitty security practices on their computers, mobile devices, networks and online accounts. I've given the same lectures (in some cases I even got paid) to about five different people in the last two weeks, and it reminded me of myself.
I know there are people not operating with any form of anti-malware on their systems right now, reading this. Aldreyachan for one; yeah, I'm calling you out! >:3 It's something that people do, for a variety of reasons.
Older and younger people than I tend to not realize how important it is. People my own age don't recognize how far security suites have come, and mistake today's unobtrusive, lightning fast, intelligent software for the bloated, memory hogging, computer crashing "malware in disguise" it was ten years ago, so we just don't bother.
Now, I used to believe, as a lot of the latter group does, that "clever browsing habits" will protect you from malware. You won't get viruses if you don't do dumb stuff, like visit dark sites with ActiveX or Java enabled, open things from dodgy websites and emails, fall for (almost always brutally obvious) phishing...
That's not true. Okay? Let's just get that out there first.
Secondly, one day, my World of Warcraft account was full on cracked. In the end, it was a mild inconvenience, but the little fucker who did it only pissed me off because he placed my character in a spot that took 10 minutes to kill him so I could play.
Now, maybe you don't play WoW, but it serves as the perfect parable. I never played from possibly dangerous computers, such as kiosks, never in internet cafes, etc. I had a strong password, or so I thought. I had good browsing habits, so surely I never got a virus/keylogger. But I didn't have anything to be sure of that.
Bear in mind, at the time my WoW account was hacked, I was coincidentally studying IT security. So I knew everything was iffy, but the worst, most horrible flaw was what undermined all of that: "It'll never happen to me."
Yeah. Yeah it will. Whenever you operate without up-to-scratch security protocols (term used broadly) you're playing Russian roulette. You're basically just waiting until a bad-guy decides to target you next, and you will be targeted, because it's just random, sometimes automated, attacks. Also, bear in mind that even then I had significantly better online safety habits than, say, Aldreyachan, who hasn't been hacked yet - that's because it's a question of Russian roulette. So, yeah, it will happen to you; or rather, it could, so don't take the risk. It might not, but then again you "might not" crash your car, but you'd still wear your seatbelt and not drive drunk.
Operating without top-notch security habits is akin to not locking your door when you leave the house empty, assuming that burglars will just hit a different target in the neighborhood, but not you. "It'll never happen to me," but then it does, and oh, boy, do you feel like a dick.
So it's also important to note how easily your machines can be infected. Windows is particularly vulnerable, and malware infections can come from everywhere - hence the need for dedicated AV software. Meaning that even legitimate sites like Cracked, The Escapist, Facebook and eBay can infect your computer silently, often thanks to banner adverts. In fact, they're the biggest threat. You can also have loads of infections without even knowing it, harnessing your computer for a "bot-net" or just lying in wait. There is malware out there that even functions based on "carriers" and rootkits that provide minor harassments you might not recognize as malware infection.
Worse, there's actually a full on, no kidding, "cybermafia" out there. Okay, that sounds overly dramatic, but I didn't pick the phrase. It's true that there is organized crime revolving around using malware to steal information, using specific information to "phish" you (spear phishing), and they'll look around online to see what small business they can rip off and leave destroyed in their wake. Sometimes, they target the big guys, but it's mom-and-pop organizations that are most at risk.
Going back to WoW for a second; because I took so few serious precautions, I've never figured out what happened. Was my password simply cracked/guessed? Seems unlikely, but it wasn't as good as I know to make it now. Did I get a keylogger on my machine somehow? If so, what else did they take? I did play occasionally on a friend's computer - was that how it happened? He was hacked too, but months earlier. The questions and worries were endless, all because I didn't have some free shit like Microsoft Security Essentials and a decent passphrase, and/or changed it every now and then.
Truth be told, I've never received a virus aside from a handful of odd cases, despite running no AV for years. I've had two rootkits that I removed instantly - I took a chance on some less-than-legit software, and got burned 100% of the time. I don't know what caused the WoW incident. As far as I can tell, never had anything else. But that's only as far as I could tell. Yet still, there are millions of people who just get these viruses. Their computers get reamed in seconds - the scary statistic about an unprotected Windows XP machine getting riddled with viruses within moments of connecting to the internet is more or less true. So it can happen. I know now that I've just been lucky so far. It really is just one of those things where, hey, you'll prooobably be okay unless you're a dipshit, but just freakin' take the precautions, come on.
Unless you're a small business owner. In which case, do everything, do it very well, and do it now or you're taking a massive risk.
Here's all you have to do to more or less make your computer... at least up to scratch. This isn't aimed at the real geeks who know their stuff, I'm talking about the people out there who are blithely operating with craptastic passwords and no antivirus. You know who you are, don't try and tell me that you're not reading this. I WILL END YOU. >:C
1. Install an antivirus suite. You don't need a paid-for "internet security" suite. Free AV suites are pretty much all you need, as everything else can be achieved by good online habits (i.e., not being a dumbass) and browser addons.
Go and download: avast! at http://www.avast.com/ Or Google, then download: Microsoft Security Essentials, from Microsoft. Ask around, if you don't like these options. I've got a few others that I recommend to people.
You have no reason not to do this step. Few if any AV suites cause ANY problems, and they're not a bother whatsoever. You basically fire-and-forget. Install, let it do its thing, forget about it, because it won't be obtrusive at all.
Seriously, the worst thing about avast! right now is just the cutesy voice telling you when the definitions have been updated...
2. Install a few other things. Malwarebytes Anti-Malware. Spybot - Search & Destroy.
Google them, install them. There's some overlap between these three suites, but that's okay, they don't conflict. Between the three of them, you'll probably be extremely fine, IF you remember to run regular scans. So do that.
3. Don't use shitty passwords. "sexyprincess1" isn't a password. "password" isn't a password. "1234qwerty" isn't a password either. They're concentrated idiocy. Remember, there are two sides to cracking a password: the man and the machine.
This means they'll first use specific patterns, such as trying every single one of the top 1000 most common passwords (the human side), and various permutations thereof using the computer to modify them, such as "password" and "p@ssw0rd" (the machine. See: rainbow tables). Then they'll try personal information, with permutations thereof.
So your password cannot be your name. Your business. Your dog. Cat. Child. Partner. Birthyear. DON'T DO THAT. Then they will try to brute-force your password. This technique is blunted HARD by longer passwords with spaces, symbols and numbers. So use a longer password with spaces and symbols and numbers.
But the man and machine side of things comes into play for you too - obviously, you want a password a computer can't methodically crack, but you gotta remember it. Try a passphrase.
"I like to eat tropical fish every 2nd Thursday!" is not easy to randomly crack. Neither is, "Bob Dole once raped a dolphin." You won't forget that, either! You can get more creative too; instead of a regular passphrase, toss in some symbols, or write it in code! Like, literally, encipher your passphrase somehow, or use a snippet of programming code. Just try to make it memorable.
The basic rule is: a password/phrase should be longer than 8 characters, contain a number, mixed capital/lowercase letters, and a symbol. But this often ends up being actually pretty easily cracked by computers, because people make them memorable by basing them on real dictionary words. "P@ssw0rd1" for instance. That won't do.
So, either use a good passphrase, or get used to remembering crap like this: "ZPpf+\n$.Ny3" Hey, don't forget mnemonics! "I like to wear fluffy hats on Easter!" can either be a passphrase itself, or help you remember: "ILtW_fluffYhat5_oE!" :D
Remember: you can't realistically crack modern encryption, for instance. The weak point is the password. You've got unassailable walls a million miles tall (encryption that would take 13 million years to crack with the best computers of today), but a paper door ("pornstash1"). Make that door better.
(PS: don't write passwords down, don't leave them on your computer, and things like KeePass are no good if your device is taken from you; you'll never remember your passwords on your own, never recover them, and if you're blackmailed or requested to by the government you'll need to divulge your master-password; which gives them everything. REMEMBER them, don't count on stuff like KeePass for everything.)
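To see why step 3 says the "basic rule" isn't enough, here is an added example (not from the original post) that checks a password the way the text says it gets attacked: common-word list first, then character swaps, then brute force. The `COMMON` list is a small constructed sample and the function names are made up for illustration.

```python
import math
import re
import string

# Constructed sample list; a real check would load a published common-password list.
COMMON = {"password", "qwerty", "sexyprincess", "pornstash", "letmein"}

# Character swaps that cracking tools undo automatically ("p@ssw0rd" -> "password").
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e", "$": "s", "5": "s", "1": "l"})

def meets_basic_rule(pw):
    """The post's 'basic rule': longer than 8, a digit, mixed case, a symbol."""
    classes = (r"\d", r"[a-z]", r"[A-Z]", r"[^A-Za-z0-9]")
    return len(pw) > 8 and all(re.search(c, pw) for c in classes)

def dictionary_hit(pw):
    """Return the common word this password reduces to, or None."""
    lowered = pw.lower()
    core = lowered.strip(string.digits + "!?.")  # drop digits/punctuation tacked on the ends
    for cand in (lowered, core, lowered.translate(LEET), core.translate(LEET)):
        if cand in COMMON:
            return cand
    return None

def brute_force_bits(pw):
    """Upper bound on blind brute-force cost: length * log2(character pool)."""
    pools = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33))
    pool = sum(size for pattern, size in pools if re.search(pattern, pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def assess(pw):
    """Combine all three checks for one password."""
    return {"basic_rule": meets_basic_rule(pw),
            "dictionary_word": dictionary_hit(pw),
            "brute_force_bits": round(brute_force_bits(pw), 1)}

if __name__ == "__main__":
    for sample in ("P@ssw0rd1", "1234qwerty", "sexyprincess1",
                   "I like to eat tropical fish every 2nd Thursday!"):
        print(repr(sample), assess(sample))
```

"P@ssw0rd1" passes the basic rule and still reduces to a list word, so its brute-force number never matters; the long passphrase has no list hit and a far larger search space.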
4. Don't run as the administrator/superuser.
Make a second account on your new Windows machine. Make it a standard account. Give it a password. Go to your administrator account. Give it a better password.
Log in as your standard account. IF you need to do something administratorish, it will either prompt for the Admin password with User Account Control, or you can log in with the Admin account, do what you need to do, then get out. Don't browse the web as Admin unless you need to.
Advanced users: use batch/PowerShell scripts and the "savecred"/"runas" features, or better still, make use of your Task Scheduler, to allow you to make shortcuts to running things as Admin with no UAC prompt, no password, etc. You can use your Task Scheduler to make a shortcut to open the Device Manager, for instance, as the admin, without you actually logging in as that account - just like sudo on Linux/BSD. It's super awesome. Look this stuff up. Great for shared computers.
Why? Because if your Admin account is compromised, your computer is three hundred times as fucked as if a standard account is. The typical Windows user runs as the system's administrator, which has FAR more power than your protracted porn-and-gaming sessions need, up-to-and-including the ability to fuck your own bootsector, breaking your computer almost completely, which is the kind of thing malware creators love. This is how you get rootkits.
I know UAC is a pain in the tail, but just do it. It's not as annoying as it used to be in Vista.
5. Your mobile devices. Protect them!
Get avast! Mobile. Get the anti-theft module installed. Your device now cannot be infected, cannot be stolen and resold even if wiped and new SIM cards installed, and can be tracked using its GPS.
There are other alternatives, so look for them. The point is: this level of security and theft prevention exists. It's free and unobtrusive. Why don't you have it? What, are you dumb? HUH?! >:C
No, I know you're not dumb. But sometimes people don't really know what they should be doing, or they don't bother. Many of my online accounts have godawful passwords I ain't changed in years. Nobody's perfect, blah-blah. But if you just consistently follow SOME of the advice here, you'll make yourself a tougher target for random malware infections and directed, deliberate attacks too.
I'm not a security expert. You don't have to be a security expert. This stuff is actually really easy, and that's the point: this isn't expert-level. This is basic level. If you're not doing these things... you're not even up to par. You're taking unnecessary risks. You're leaving the house empty with the doors open, documents and money lying around instead of in safes.