Build a free, multilayered security setup
Pile on the protection with a DIY security suite
By Matt Egan , PC Advisor UK , 09/03/2009

http://www.networkworld.com/news/2009/090309-build-a-free-multilayered-security.html

Build a free, multilayered security setup
Pile on the protection with a DIY security suite

I just have to wonder after how many layers does it become worth it to simply switch to Linux or MacOS X?

I just have to wonder after how many layers does it become worth it to simply switch to Linux or MacOS X?Most of this is overkill in a big way for anybody who's careful online. I use ONE firewall and ONE antivirus program and ONE halfway functioning brain. The last being the most important element.

Most of this is overkill in a big way for anybody who's careful online. I use ONE firewall and ONE antivirus program and ONE halfway functioning brain. The last being the most important element.Is your intent to insult people or give helpful advice? If the latter, I assume that you have some evidence you can cite other than your own opinion.

Normally , choosing what level of security to use should involve some sort of minimal cost benefit analysis. Certain types of malware infection may turn out to be as serious as or worse than hard disk failure, depending on the value and time value of the data to be protected. It one has a reliable and efficient system for automatic backup and fast, no-brainer, full system restore, then your assertion may or may not pass a cost-benefit analysis.

If you use Firefox or other Mozilla browser with NoScript extension (which apparently is NOT mentioned in the article), the fact of using NoScript, presumable as it is normally intended, would indicate that your reply concerning your "bare bones" security setup perhaps was not accurate. Using NoScript may be one of the most effective tools available to provide extra "layers of security". The fact of someone "going the extra mile" to use NoScript properly would seem to be inconsistent with an implied criticism of others who use different means, such as those mentioned in the article, to add layers of security.

If you were representing a plaintiff suing a company whose lax security had caused a loss to the plaintiff, perhaps your attitude would be different.

I just have to wonder after how many layers does it become worth it to simply switch to Linux or MacOS X?I am sure that you are aware that merely switching to another OS does not automatically protect one against problems of cookie privacy and phishing, for example. One still might well want to use measures (additonal layers) such as some Firefox extensions that mitigate these issues.

I am sure that you are aware that merely switching to another OS does not automatically protect one against problems of cookie privacy and phishing, for example.

I agree. And the measures that I go through to ensure security probably take about as much thought and effort as all those layers of security described in the article. And I'm aware that there is software that is only available on Windows that some people have to use. But every time I read about all the extras that people have to tack on to their system just to be able to have a chance at running Windows safely, and compare that to what I have to do running MacOS X and Linux and a few Windows programs once in a while in a virtual box, it reinforces the choices that I have made for myself. I would not claim that other choices don't make sense for other people who have a different set of tradeoffs. I'm just glad that my circumstances no longer require me to deal with Windows very much.

a few Windows programs once in a while in a virtual box, Just curious. I wonder how well a virtual box works for such apps as voice/video chat? Or do most of the popular voice chat apps also run natively on Linux: e.g. AIM, Yahoo, Paltalk, Inspeak, Skype, etc?

I'm guessing too that many of the cheaper web cams might not have drivers for Linux.

I wonder how well a virtual box works for such apps as voice/video chat?

I use my Macbook for chat so I haven't had to investigate the options under Linux and so far haven't found a Windows-only voice/video chat that I needed. Skype on the Mac works fine. iChat handles video and voice chat with people on GoogleTalk. I've done voice to folks on Yahoo using iChat and using the Mac version of Yahoo Messenger. I haven't had reason to try any others. The Macbook has a built in camera, so drivers are not a problem.

Not exactly the same thing, but perhaps a relevant data point, before the more recent versions of VLC were able to handle capturing certain streaming audio and video I was using Orbit Downloader and Orbit Grab++ running in Windows XP under VirtualBox on my Macbook. Since that worked, I wouldn't be totally surprised if voice and video chat would work too, with the big unknown being whether the camera would work.

Not exactly the same thing, but perhaps a relevant data point, before the more recent versions of VLC Incidentally, one nice feature of VLC is that it will play ISO files, i.e. disk images of DVD's. For those with big HD's or drive stations, this is handy, since terabyte drives and such can hold hundreds of DVD's without much of a "sweat".

Is your intent to insult people or give helpful advice? If the latter, I assume that you have some evidence you can cite other than your own opinion.David, web security just isn't all that big a deal IF (and this is a BIG if) you are reasonably careful online (and no, actually, I don't use NoScript). I have been extremely active online for more than 20 years and have never, not once, had a virus or malware affect my machine except one time when I hooked up to a network that was supposed to have a firewall and didn't. My virus program caught it and quarantined the Windows program it affected; sum total down time none, time to fix, a minute to download and reinstall the unaffected program.

Security is critical for some people and some institutions. My bank bloody well better have excellent security. But most individual users aren't nearly the targets this sort of "get 8462 layers of web protection" stuff suggests.

I have to agree with Judy. If someone is aware of the threats and is careful, s/she likely will be ok. Someone who doesn't understand the risks and threats probably will need the extra protection, but may not understand how to set it up.

I have to agree with Judy. If someone is aware of the threats and is careful, s/she likely will be ok. Someone who doesn't understand the risks and threats probably will need the extra protection, but may not understand how to set it up.If somebody doesn't want to "roll their own", then why not buy a pay-for full blown security suite that provides for more than minimal protection? Some of the latest security suites offer significant cloud based, heuristics based, and behavior based malware detection.

Furthermore, I challenge you to explain how someone who is researching a topic in a field unfamiliar to them is supposed to decide whether to click on a search engine results link to a web site. Some of the better security suites and even some of the freeware security programs have search engine results "filters" that attempt to evaluate the risk of clicking on links based either on web crawling and testing or on live real time intrusion detection, rating them with colored icons to signal estimated risk. When there are hundreds of thousands of web sites infected with malicious scripts and sequel injection attacks, etc., how can eyeballing a couple lines of text accompanying a link in a search result reliably decide whether it's worth the risk to click on a link?

Furthermore I think it's unrealistic to assume that just because a web site is "famous" that all the 3rd party ads (e.g. Flash or other plug-ins that might attempt to "play" automatically) on it won't cause damage, even without clicking on the ads.

To me, it sounds like assuming that just because one's blood alcohol is within the legal limit of a particular state, that one's defensive driving ability is not impaired. I'd rather have a designated driver. And if the designated driver abandons me and decides to go home with somebody more better looking that me, THEN I'll drive myself or trust one of my imbibing buddies. It's called "defense in depth" or "multiple layers".

I don't believe that the article asserted that anyone who does not use ALL POSSIBLE layers of defense is a fool. Therefore I think you are setting up a "straw man".

Or , on the other hand, perhaps this is a religious/political argument and should be treated with that level of partisanship? :mad:

Security is critical for some people and some institutions. My bank bloody well better have excellent security. But most individual users aren't nearly the targets this sort of "get 8462 layers of web protection" stuff suggests. "8462". Wouldn't only one or two orders of magnitude of exaggeration have been enough. Why do you need three? Rhetorical questions.

If somebody doesn't want to "roll their own", then why not buy a pay-for full blown security suite that provides for more than minimal protection?
I think that's exactly what someone who hasn't learned the dangers, and/or doesn't want to roll his/her own should do. That person likely will be satisfied with the "out of the box" settings.

Furthermore, I challenge you to explain how someone who is researching a topic in a field unfamiliar to them is supposed to decide whether to click on a search engine results link to a web site.
Or a link in an email, or a link from a blogger's post, or....

By not just assuming every link is legitimate, and by using a bit of common sense.

I run NoScript and AdBlock, and I still use some healthy skepticism when deciding whether to click on a link, unless I have faith in the source. Links posted here by people I know, I tend to assume are safe. If a new member posted a link here, I would remain skeptical. I don't click on a tinyurl link unless I would click on any other unknown link provided by that source.

If I'm looking at a list of links provided by a search engine, I try to use common sense. If a search for "flux capacitors" yields fluxcapacitors.com, I'm not going to assume the site is benign, and I'll skip to the sites that I believe I can trust, at least with my AdBlocked and NoScripted browser.

Is your intent to insult people or give helpful advice? If the latter, I assume that you have some evidence you can cite other than your own opinion.

Normally , choosing what level of security to use should involve some sort of minimal cost benefit analysis. Certain types of malware infection may turn out to be as serious as or worse than hard disk failure, depending on the value and time value of the data to be protected. It one has a reliable and efficient system for automatic backup and fast, no-brainer, full system restore, then your assertion may or may not pass a cost-benefit analysis.

If you use Firefox or other Mozilla browser with NoScript extension (which apparently is NOT mentioned in the article), the fact of using NoScript, presumable as it is normally intended, would indicate that your reply concerning your "bare bones" security setup perhaps was not accurate. Using NoScript may be one of the most effective tools available to provide extra "layers of security". The fact of someone "going the extra mile" to use NoScript properly would seem to be inconsistent with an implied criticism of others who use different means, such as those mentioned in the article, to add layers of security.

If you were representing a plaintiff suing a company whose lax security had caused a loss to the plaintiff, perhaps your attitude would be different.

David,

IE security zones, NoScript, AdBlock are the main ones, but right now I'm using a different one called Policy Manager (Japan) in K-Meleon. A good way to run (or not run) Javascript mainly.


http://piro.sakura.ne.jp/xul/_policymanager.html.en

https://addons.mozilla.org/en-US/firefox/addons/versions/7066

David,

IE security zones, NoScript, AdBlock are the main ones, but right now I'm using a different one called Policy Manager (Japan) in K-Meleon. A good way to run (or not run) Javascript mainly.


http://piro.sakura.ne.jp/xul/_policymanager.html.en

https://addons.mozilla.org/en-US/firefox/addons/versions/7066I have used IE security zones a little bit in the past, but found it rather inconvenient in having to type in the domain names by hand. I have not used it in MS IE 8, so I don't know if the user interface is much different for zones in IE 8 or not.

The first link you gave seemed to be saying that there was an older version of policy manager for IE 7. But the most recent version of policy manager thre seemed to be only for Mozilla Firefox. I was thinking that it might be a useful addon for IE users, but maybe not if the IE version is "end of life"?

I would think that the current efforts by Microsoft to develop free anti-malware for Windows and the efforts by Google to develop Google Chrome as a secure browser both show how seriously these two heavy weights take the existing and probable future threats to legitimate online activity. I think their developments can make a lot of sense because it's as unrealistic to expect everyone to keep their computers in safe operating condition as it is to expect them to keep their houses, cars, or bodies in safe operating condition.

In the "old days" at least fidonet required account authentication for message sending because long distance calls were not free, etc.

Big brother is watching :rolleyes:

and by using a bit of common sense.

I try to use common sense.
I trust my "common sense" less.

I've been known to do some of the following:

1. click on a link while a page is loading and hit an adjacent link instead.

2. click the wrong link by accident when my glasses are dirty, I'm sleepy, or I've had more than one beer

3. go to a risky site because of impatience

I visited the web site of someone whom I trust and it had been infected with some kind of malware (according to a warning from Firefox itself apparently and not one of the extensions I have loaded). I wanted to download and view a short free video (WMV or MPG). I emailed him that the site was infected. When it wasn't cleaned up after a week or two, I went ahead and viewed the video anyway, hoping that Finjan Secure Browsing, Firekeeper IDS, and NoScript extensions of Firefox would CMA. (Possibly the web hosting company cleaned up the site later because the owner/webmaster was likely NOT a sys admin, or possibly the site had already had been cleaned up and the warning from Firefox was because of an earlier detection "left overs" in Google database somewhere.)

At second glance Policy Manager looks a little more complicated than NoScript.

About all that I do with NoScript is temporarily allow a doman or when there are too many domains doing scripting on a page I temporarily allow all out of impatience when I can't figure out which domains carry the essential scripting :(

Often times I turn off all plugins even on trusted sites with NoScript but enable them once in a while when I want to see a news video or clip on youtube.

"8462". Wouldn't only one or two orders of magnitude of exaggeration have been enough. Why do you need three? Rhetorical questions.I think you're reacting a bit defensively here. The simple fact is, most individuals who are careful online simply don't require layer upon layer of protection.

I think you're reacting a bit defensively here.
Exactly. And intentionally so.
I resent your attitude of sitting on your high horse and looking down your nose at people who don't have 20 years of experience online or may not be as intelligent and sophisticated as you.

Do you have a problem with poor people and stupid people and octogenarians using the internet? Personally, I would hope that the internet would level the playing field a little bit to make it harder for crooks to cheat some poor people, but I'm not sure the exact opposite may not be happening with all the new scams.

People who act as their own attorney may have client who is a fool. But it might also be true that they are in a tough legal situation and are too poor so that they try to roll their own case anyway. That might be comparable to a DIY security roll your own.

Furthermore there are millions of Internet users in poor countries. I would think that it would be morally preferable for them to learn how to roll their own free security than to pirate McAfee or Symantec or TrendMicro security suites. And maybe their English is not good enough to detect grammar and spelling errors or other English faux pas that might be a give-away to college educated native speakers of American or UK English. There are some learned professors and PhD's and other scholars in the world who don't speak, read, or write English well, but nevertheless might wish to tackle some web article in English.

Furthermore, even the free AV programs (e.g. AVG , Avast, etc.) are not plain vanilla signature based AV anymore. They have added additional layers of protection.

I predict that any commercial security vendor who does not offer multiple layers of protection will not stay in business long.

Welcome to Roundtable Law College
one of the world's leading non-academic law colleges

About the college

Roundtable Law College was established by a prolife suicide prevention Christian prayer ministry in Cairns on the 23rd March 2002 at a public meeting at the RSL Club Function Room in Cairns attended by about 50 people. This included a 2hr address by the founding non-academic Principal, and a short address by a leading practicing Cairns Barrister.
What does non-academic mean?

Non-academic law college means non-lawyers do their best to explain to other non-lawyers how the legal system works using plain non - lawyer language and explanations. There are no form of certificates of competency issued, nor is there anyone qualified to issue them.

In a nutshell – Roundtable Law College attempts to make it as quick and easy as possible to access the most authoritative, practical and affordable information possible ASAP. Eg. our library (we believe) is Australia's #1 non-academic law library for non-lawyers & those representing themselves. (under construction)
http://golaw.com.au/

Why was the college established?

The ministry has been a stakeholder in Australia's justice system since 1993. It is within the scope of the ministry's activities to assist distressed clients to deal with the causal factors of whatever stress is affecting them.

Unfortunately in the past, when the direct causal factor in client stress has been of a legal nature, the ministry has had nowhere to refer clients to if they cannot afford the services of a solicitor and have been denied or are ineligible for legal aid. (The sad truth is most people always have been and always be ineligible for legal aid when having to deal with very stressful and important legal matters. Eg. WA Legal Aid; - the situation in WA is very similar in every state, territory and jurisdiction in Australia.)

Whenever this situation occurs now, it has Roundtable Law College to use instead of simply having nowhere to refer distressed (and often suicidal) clients to, and simply turning them away, as happens with other stakeholders in the legal system including solicitors, barristers and unresourced and under-resourced legal aid services.

The ministry passionately believes... it is simply unacceptable for a system to call itself a justice system, if 100% of those who want to know how the justice system can work for them, or who need to use and rely on the justice system, have no affordable and timely access to the information needed, and have no practical means of relying on the justice system to achieve a timely, just, equitable, and low-cost outcome.

I suppose that one might claim that I should be sued for causing mental stress to innocent computer users by referring them to an article that recommends them making a DIY free security suite, because undoubtedly it would cause some mental stress. That's one of the resultant purposes of computers :( For anyone who does sue me, I hope they later are a victim of identity theft and also have to reformat their HD to clean some stubborn malware :mad:

Or maybe everybody in this forum is so sophisticated and rich that the idea of a DIY free security suite is a faux pas :o

I don't click on a tinyurl link unless I would click on any other unknown link provided by that source.

Interesting point. I think I remember that tiny offers a way for a recipient to preview the link. What does that do?

- Jeff

I think I remember that tiny offers a way for a recipient to preview the link. What does that do?

The preview feature causes the tinyurl link to take you to a page on tinyurl.com that shows you the URL that it will take you to so you can decide based on the URL whether to click on it. It doesn't give you any more than if the link had not been obscured by tinyurl in the first place, i.e., it doesn't prefetch the page to show you a thumbnail preview or anything like that.

You can set a cookie to make that behavior the default by going to http://tinyurl.com/preview.php or you can convert any tinyurl URL into the preview form by changing it into http://preview.tinyurl.com/...

Unfortunately that doesn't help when people use one of the many alternative URL shortening services.

At second glance Policy Manager looks a little more complicated than NoScript.

About all that I do with NoScript is temporarily allow a doman or when there are too many domains doing scripting on a page I temporarily allow all out of impatience when I can't figure out which domains carry the essential scripting :(

Often times I turn off all plugins even on trusted sites with NoScript but enable them once in a while when I want to see a news video or clip on youtube.

David,

From my perspective, as a user of K-Meleon (KM), the official version is of use only with IE or FF... I use the macro version designed for KM with a hotkey (Ctrl Alt P) and have two types of sites defined: Dangerous Sites and Trusted Sites. Policy Manager for KM allows me to define as many sites as I want with either of the two default settings and if that is not precise enough, you can always add a new rule specifically for a difficult site that you have to go to even though you hate the site design.

Unfortunately that doesn't help when people use one of the many alternative URL shortening services.
Indeed. And some URLs that don't have the appearance of one of those services still can redirect to a rogue site. While I mentioned tinyurl by name, my comments apply to all of the services.

I don't have the time or energy to try to determine the ultimate destination of any link I click, so I use the same philosophy on all links: if I trust the person who posted it and I believe I'm interested in the content there, then I may click the link.

I resent your attitude of sitting on your high horse and looking down your nose at people who don't have 20 years of experience online or may not be as intelligent and sophisticated as you.For pete's sake, calm down. All I said was, internet security for individual users doesn't have to be such a big damned thing. And it doesn't. It does take a working brain, something I believe everyone here has. You included. So chill.

Often times I turn off all plugins even on trusted sites with NoScript but enable them once in a while when I want to see a news video or clip on youtube.

David,

In K-Meleon, if you use the Privacy Toolbar, there is a toggle icon for Javascript. Often I surf with it turned off and only turn it on if there is something that requires it. One of the advantages of having it turned off is the Mozilla Flash Plugin doesn't work in KM if javascript is turned off.

Security, it seems, is often better if you surf without JavaScript. FWIW, I almost never turn on Java. And in KM, you have a flashblock option, which allows you to load up a page and if there is a flash component, a little "F" icon shows up in place of the actual flash component. If you hover the mouse over the "F" you'll see what the text name of that particular element is and if you click on it, it will then run; otherwise it won't load and your page will then run much faster. That is my preferred way of browsing when I'm using K-Meleon as my browser. (It's different with FireFox 3.5.3.)

FWIW, I almost never turn on Java.
About the only time I use Java is on http://radar.weather.gov

To see how far away are the rain storms and which direction they're moving.

About the only time I use Java is on http://radar.weather.gov

To see how far away are the rain storms and which direction they're moving.

David,

I can't recall the last time I had to use Java for anything. I use Weatherunderground for my weather and radar and thank goodness, it doesn't require Java. In K-Meleon (KM), you have something called the Privacy Bar and you can toggle almost everything including Java, so I leave it toggled off and don't worry about it at all...

I have NoScript and AdBlock in KM, but do not use them, as to my mind, they conflict with each other and as ads change all the time, I don't wish to have to try and modify settings depending upon shifting tides.