Jesper,
Thanks for the reply. I agree with several of your points - use AV
software - keep everything updated/patched - I've used FF for a long time,
not too happy w/2.0 - I've had no issue with IE7 in XP - I've used OE for
email/news groups forever, no complaints - I will use Vista's mail reader
when installed (had experience with it in Beta - works fine for me).
I plan to dual boot to current XP Home SP2 and Vista Ultimate Full Edition -
separate drives. I currently use Acronis True Image 10 to back up my
complete XP disk, and will do likewise w/Vista. This gives me a very nice
safety net.
Thank you again for your reply. I'll just keep on doing what I've been
doing - no problems yet.
BChat
I'm not at all convinced I buy all the suggestions of Safe-Hex wholesale.
1. Use AV software - Yep, for most computers, that is generally a good idea.
I see no reason to put it on most servers, but that is fairly obvious.
2. Patch your stuff - Absolutely essential. In Vista, click the "Keep my
computer up to date by automatically installing security updates" button and
you'll be fine on the OS side. Applications are FAR more troublesome. The
more you add, the harder it is to keep them patched. How many people here
have installed the patch for the extremely critical vuln in Adobe Acrobat
that was patched this week? How many people routinely ensure that iTunes is
reinstalled to protect it against the equally critical vulnerabilities it
has had?
3. Consider using alternative web browsers and e-mail software - On Vista
you would expose yourself far MORE today if you used an alternative web
browser. IE runs with extremely low privileges on Vista. Firefox, Opera, and
crew, do not; at least not yet. All of them have had their fair share of
vulns too. The brand new Firefox 2.x has had two so far, one of which is
pretty serious. Version 1.x has at least 39. IE 7, by contrast, has had
three, but they are all low impact issues. The alternative browsers are just
as targeted as IE is today. Keep in mind too that if you compare vuln counts
in browsers, the folks keeping track tend to skew the results against MS.
For instance, the recent VML vulnerability is tagged against IE 7, but has
nothing to do with IE 7, and it does not impact Vista at all. Mail readers
are a similar situation. There have been vulns in all the mail readers,
probably about the same number in recent years. Consider which one does what
you want, and how you are going to keep it updated. A mail reader that has a
few fewer vulns, but that is never updated is far more exposed than one with
more vulns but that keeps itself patched.
4. Be cautious with e-mail attachments and downloading files - If you follow
this advice the majority of the security problem actually goes away. I have
not had an AV program alarm for a virus on my computer since 1990 (and that
one was on a Macintosh). If you don't expose yourself to undue risk, you
will have far fewer problems, no matter what programs you use.
5. Stop using DOCs - This is just plain silly. First, there is no way anyone
can ensure that a document is in RTF versus DOC format, regardless of the
extension. Word ignores the extension on the document. It is used only by
the OS to decide which app opens the document, and even there it is ignored in
some circumstances. Second, DOC files have a number of features you cannot
get in RTF, such as versioning and revision tracking, and better control
over your documents. Third, macro security in Word is really not the problem
today that it once was. Yes, in Word 4.0, 95, and 97, macro security was an issue.
Those programs, designed in the early 1990s, were designed on the assumption
that nobody would ever want to harm you. If you still use those, and are
subject to their problems, you need to upgrade. The problem in Word today is
in file parsers, including the built-in one. Word, and Excel and PowerPoint,
are horribly complicated file formats and even Microsoft has had a very hard
time getting them right. I have seen people advocate using compatible
third-party programs instead. If Microsoft, which wrote the spec for the
file format, cannot get the parser right, what is the likelihood that a third
party, which does not have access to the spec, can do it? Finally, if you
simply practice a bit more caution before opening documents sent to you, a
lot of the security problems go away. If someone you know sends you an
unsolicited Word doc, or PowerPoint presentation, ask if they meant to send
it to you. If they sent you a PPS PowerPoint Show because "this is just so
hilarious, you gotta see it", delete the entire e-mail message without
opening it. If you don't invite the attackers, they'll have a much harder time
getting in.
6. Configure your operating system properly - Personally, I want to see
extensions, but configuring the OS to show extensions does not actually mean
you will see all of them, nor that they are actually meaningful. Large
portions of the OS, including IE, and add-on applications, such as Word,
will infer file types based on content, not file extensions.
The remaining instructions in this section are quite reasonable, although if
you simply let the built-in firewall do its job, you have pretty much
blocked network traffic anyway.
7. Preserving your privacy - The first advice, about never using the
"unsubscribe" feature is sage.
The second advice, about not using the stored usernames and passwords, is
not. If this is your computer, and you practice safe computing, it is
generally quite safe to store your username and password for web sites. The
biggest problem with passwords is not the passwords, it is the people that
use them, and the fact that human beings suck at remembering passwords. If
we used technologies such as the one the Chinese invented about 3000 years ago:
paper, to store our passwords we would have a much better chance of
remembering them. That means we could use different passwords for different
things, which is all general goodness.
The rest of the advice in 7 is quite wise.
8. Misc. - This is a bit odd. Backing up is good. Using the Windows Firewall
in Vista is good. Changing the boot sequence makes very little sense and I
fail to see what it actually does. Multiple extensions have been used, but I
haven't seen any for a while.
9. If you get hit - It is quite true that users often do more damage than
the virus. In fact, many users do more damage trying to protect themselves
than the attack would. I've seen networks of tens of thousands of computers
turn into tens of thousands of piles of electronics, unusable for anything
other than boat anchors, because some "security expert" advised that they
make a particular configuration change to protect themselves against a
threat that said "security expert" was not able to articulate. Do not try to
block nebulous threats that you cannot justify. Risk should be considered as
the probability of a threat, multiplied by the damage caused by that threat
*minus* the cost of the mitigation *minus* the probability of side-effects
of the mitigation multiplied by the cost of those side-effects. Do not
disregard what the mitigation costs you.
One thing worth keeping in mind, though, is that if your computer does
actually get infected, you may be able to successfully clean that infection.
However, you can never guarantee that all traces of the attack are gone. One
attack often invites another. This is particularly true of spyware. The only
clean system is one that has not been attacked.
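
Points 5 and 6 above note that Word and other applications decide a file's type from its content, not its extension. As an added example (not part of the original posts), a mail or download filter can apply the same check defensively by comparing a file's leading bytes with its claimed extension; the function names, extension table and sample attachments below are constructed for illustration.

```python
import os

# Leading-byte signatures for the formats discussed in points 5 and 6.
OLE2 = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy DOC/XLS/PPT/PPS container
SIGNATURES = [
    (OLE2, "ole2"),
    (b"{\\rtf", "rtf"),
    (b"PK\x03\x04", "zip"),   # OOXML (.docx etc.) and plain ZIP archives
    (b"MZ", "pe"),            # Windows executable
]

# Content family each extension is expected to carry (illustrative table).
EXPECTED = {
    ".rtf": {"rtf"},
    ".doc": {"ole2"}, ".xls": {"ole2"}, ".ppt": {"ole2"}, ".pps": {"ole2"},
    ".docx": {"zip"},
    ".txt": {"unknown"},      # plain text has no signature
}

def sniff(data):
    """Classify content by its leading bytes, ignoring the file name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"

def check_attachment(filename, data):
    """Return (extension, sniffed_kind, verdict) for one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    if ext not in EXPECTED:
        verdict = "unlisted"
    elif kind in EXPECTED[ext]:
        verdict = "match"
    else:
        verdict = "mismatch"  # extension does not describe the content
    return ext, kind, verdict

# Constructed sample attachments (not real documents).
SAMPLES = [
    ("notes.rtf", b"{\\rtf1\\ansi Hello}"),
    ("notes2.rtf", OLE2 + b"\x00" * 16),    # DOC content renamed to .rtf
    ("memo.doc", b"{\\rtf1\\ansi Hi}"),     # RTF content saved as .doc
    ("readme.txt", b"MZ\x90\x00\x03"),      # executable renamed to .txt
]

if __name__ == "__main__":
    for name, blob in SAMPLES:
        print(name, check_attachment(name, blob))
```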