I'm back to blogging! I meant to write this post yesterday, but opted for Rock Band instead (sorry). I should be posting at least weekly, but I'll shoot for bi-weekly. I'm still getting adjusted to living in Seattle, and I am a bit homesick, but I am enjoying the scenery out here.
X-Files: I Want to Believe
Full disclosure: I can't remember the last episode of this show that I saw, but it was probably the only one I've seen. This show was on when I was pretty easily scared of stuff in general so I never got into it. I'm sure it was a good show, it just wasn't my cup of tea and now I'm on to bigger and better shows (Burn Notice is currently rocking my socks).
The movie revolves around one big missing persons mystery (an FBI agent) and a psychic, so given the psychic's involvement the FBI have called on Dana Scully to call in Fox Mulder, who requires her to help if he's going to help. They've basically been going on with their own lives (Mulder's being as a recluse) so this is kind of a major reunion for them. The more I think about the story though, the more I have problems with it. I walked out of the theater feeling no better or worse than when I walked in, and the movie seemed pretty good but not amazing.
Let me start out with my issues. They had a psychic helping them and they called in Mulder because they were stuck. Anyone see a problem with that? They have a psychic, which is hard for them to believe naturally, but why does this mean they need to call on Mulder? It seems like he's been estranged from the FBI, so I don't see why they require his help. Even if you're ok with that though, I just never believe the chemistry between Mulder and Scully. Their reunion in the movie seems to have been after a long time and yet they weren't very affected by it. Their love story progression seemed like an afterthought they clumsily wove into the movie, which is strange because I had heard in an interview that the movie was supposed to center on them. I also hate that we never connect with the antagonists at all, and the motive involved isn't all that compelling.
I don't know if fans really loved this movie. It seemed to drag on a bit. There wasn't a whole lot of thrill moments or action, and I never really got pulled in. Granted, I had no investment in this series and only went to see this movie in the first place because a friend wanted to, but I figured that it would be good. It could be that I'm dealing with a hangover from The Dark Knight and any movie I see will pale in comparison, but I watched Ratatouille the other night and still managed to enjoy it.
I definitely wouldn't say that the movie is bad though. I think it could've explained things better and tightened itself up a bit on time, but it was still entertaining. I think you should rent it if you're at all intrigued by the series or murder mysteries. It's definitely nothing out of the ordinary though (if you really want a great murder mystery just go rent Mystic River), and there are certainly better movies out there right now (obviously The Dark Knight, but I loved Wall-E and I've seen good reviews for Mamma Mia and Step Brothers). I give this movie a C-, because I can tell that they were trying to reach out to fans rather than people's wallets, but I think that they've probably just run out of ideas. It probably would've benefited from not being released right in the middle of a competitive summer for films.
The Dark Knight's $300m Dash
I counted on Box Office Mojo that The Dark Knight had topped 23 of their charts including biggest opening weekend ever, biggest second weekend ever, and biggest opening day gross. The one everyone is focusing on now though is that it is the fastest movie to hit $300 million (it's already at $315 million domestically, but over $350 million worldwide) with a record of 10 days. The third Pirates of the Caribbean movie had the title before at 16 days, and now people are predicting that The Dark Knight may beat Titanic's $600 million record for biggest total gross. I think that it can probably pull it off since it is past halfway there in its 2nd weekend. By the way, how the Hell did that movie make so much money? It wasn't a bad movie, but I saw it once and never want to see it again because it was so heavy and depressing. Anyway, this movie deserves the massive amount of money they're making. It seriously is a good time to be a nerd when something this phenomenal comes out that literally must seem to many people, including myself, like it's straight out of their childhood fantasies. (I wasn't that dark as a child, but darkness always intrigued me)
Up-marketing Vista
In case you haven't noticed, Windows Vista has been taking a beating as far as publicity goes ever since its release because it didn't deliver on several of the promises that were made of it early in its development (always a fatal mistake). It took Microsoft far too long, but they're finally gearing up some positive marketing for Vista. They tested the waters by showing a "new OS" to people called Mojave and seeing how they liked it. In the end, it turned out that Mojave was Vista with the "Vista" name stripped from it and people were pretty shocked because most (or all) of them had the impression that Vista sucked. I'm personally glad about this because I'm freaking tired of having to defend my computer: it's a great machine and Vista works very well on it. It is no worse than XP and I admit that it sucks that you need a good computer to run it but if you do then the extra features (including the massively re-vamped search functionality) are pretty cool. The only problem I've had is that my downloading can sometimes impact my computer's overall performance, but I don't think that's necessarily Vista.
That's just one component for their response to Apple's smarmy Mac vs. PC ads. They're not going to do the same thing in reverse to attack Apple, but they're going to stop being such a sleepy giant and try a pro-Vista message. Some have seen the ads and are already excited about it, but they have not yet been made public. For the record: I don't hate Apple or Microsoft, but I do hate Apple taking advantage of its underdog status to continually take low-blows at Microsoft. Their ads are often unfair and prey on stereotypes, which bothers me. I'll admit that they're clever, but they've gone on far too long.
Open Xbox
One more quick piece of Microsoft news: they've decided to open up the 360 platform! That means that you don't have to be a big studio to write your own Xbox 360 game and put it out on Live. Not everyone will be allowed to put their game on Live, but the fact that they're encouraging this is just a massive step in the right direction. I wish that Sony would do the same. It's just going to breed more competition and produce higher quality games that rely on more than just flashy graphics and big budgets to attract attention.
Yahoo! Music Store Folds
In another giant stab to DRM, Yahoo has closed up shop in the digital music game. They are the second DRM music service to go down this year (MSN was first), but the difference is that in a couple of months their key servers are going offline! What does that mean? The way DRM music often works is that the tracks are locked by a key (in the case of subscription based services, these keys usually need to be renewed monthly) and you need these keys to be able to open these tracks. If you transfer them to another computer, this computer asks the server for the appropriate keys using your login information and it obliges, but in Yahoo's case you can't move your songs to another computer so if your computer dies then so does your music. Lame, huh? That's why you should use Amazon MP3: I still personally think that it's the best digital music around and something like this would never happen to its customers. I wonder if enough people used the service for this to impact Yahoo's image? I kind of hope so, because it's a pretty raw deal (MSN's key servers will only be up until 2011, so they're not much better).
Comments and CS Concepts
I just wanted to briefly mention a couple of articles that I liked. The first one is concise and talks about why comments in code are appropriate. It's a great read, even if you do use comments in your code.
The other one is a list of the top 10 concepts that all software engineers should know. With the exception maybe of layering, I think that your success in the IT industry is doomed without an understanding of these ideas and a willingness to flesh them out throughout your career.
Streaming Torrents
EZTV, a huge group for trafficking torrents, has started putting up content that can be streamed using Swarmplayer, which streams content using bittorrent technology to distribute it. This is an excellent idea and I think could seriously revolutionize how we stream multimedia online, if it's harnessed in legal uses. This would really cut a lot of overhead out of putting things like TV shows online because a media company would no longer need to keep them on a centralized server and pay for the bandwidth to deliver it but rather could just seed a show well (i.e. have a few powerful machines dedicated to serving up the shows) and let everyone watching the show upload the show to others as they watch it. Couldn't someone compete with Hulu if they harnessed this technology? I imagine that you could put out HD-quality content with this sort of infrastructure. Only time will tell (assuming that this technology does get picked up by someone big).
One-Liners
I have a couple more articles that I want to talk about but they're just one-liners:
Legendary hacker Kevin Mitnick was part of a panel recently at a hacking convention and told some great stories (including a live prank). He's probably the father of social engineering attacks (tricking you into giving up sensitive information or making yourself vulnerable).
CNN has a pretty good article on how to prepare yourself for the transition to digital TV. If you're on cable or satellite, then you're ok. Otherwise, read that article.
Rock Band
I just wanted to conclude by proclaiming that Rock Band is an incredible video game. As expensive as my 80 GB PS3 was, I'm really glad I got it. I'm excited to start buying Blu-ray movies (especially Iron Man and The Dark Knight), Metal Gear Solid 4 is beautiful, the Playstation Network store is just how things should've been on the PS2, and Rock Band is by far one of the coolest games I've played.
I never thought I'd like it that much because I never got into Guitar Hero, but it's definitely worth checking out. The closest any game has come to replicating the kind of co-operative play you get from this game is probably Wii Sports, but this game tops that. You really do feel like you're part of a band because when you play a hard song it's rewarding and you start patting each other on the back and stuff. Also impressive are the nuances: the presentation is flawless. They had my band name (Elton and the Fun King Band) on a tour bus, on CD album covers, and in neon in the World Tour mode! Plus, the load screens are customized with your band! Any musicians will really be impressed with this game (or non-musicians), because I think that it handles guitar a lot better, as well.
*deep breath* Ok, enough of that. I'm going to go read Salem's Lot for a bit. Have a great week, everyone!
Sunday, July 27, 2008
Saturday, July 19, 2008
The Dark Knight
Hiatus is Ending
I've been on hiatus for quite a while now, but it's almost over! I've spent the last week getting moved into my apartment and I'm quite pleased with how it has turned out. The furniture is classy but not really expensive, I love having my new HD TV, this DVR thing is ridiculous (especially with HBO + Showtime), and I'm having a lot of fun with my PS3 + Rock Band (especially while my brother and sister-in-law are here). I start work on Monday (finally) so I'll be back into a routine by Wednesday. By then I'll be much more homesick though with all my family gone (even my cousin who lives here and her family are out of the country). By the end of next week you should start to get back your regular dose of tech news with probably a dribble of some other stuff (we'll see).
The Dark Knight
I'm going to be keeping this spoiler-free, so don't be afraid to keep reading. I hate it when reviewers give away key plot details, it really hurts the movie experience. Speaking of which: you need to see this movie in IMAX if at all possible. It's worth the extra few bucks, trust me. Christopher Nolan shot 6 scenes in the movie using IMAX cameras, and it shows.
In case you've been living under a rock: this movie is a direct sequel to Batman Begins and is not at all related to the prior Batman films. The main premise is that the organized crime in Gotham, under siege from Batman, turn to The Joker for help and, naturally, chaos ensues. This movie is hands-down the best comic book movie ever made. It took my high expectations and just shattered them. This movie doesn't just blow away Iron Man, it really outshines Batman Begins in its dialogue, pacing, and action scenes. This is Batman the way it was meant to be experienced and really combines the elements that make Batman my favorite comic book/animated series.
There's so much to love about this movie that I'm not sure where I should start. I think I'll go with the acting: Heath Ledger steals the show as Joker among an already incredible cast. He doesn't just portray the Joker, but for 2 and a half hours he is the Joker. I can't think of the last time I saw an actor nail a role so well that I couldn't even believe it was them in the role. I'm not saying I thought he was a bad actor before, but just the voice and makeup and everything transforms him into a completely different person. He's so good that I'm sure Jack Nicholson will see it and say, "Damn, he was good!" If you go to this movie for no other reason it should be to see Ledger in his best role ever. It's so sad to know that he can't come back in a future Batman film or any film at all. If you ever doubted his abilities as an actor, this movie will embarrass you.
The rest of the cast doesn't disappoint either. Christian Bale is an even better Bruce Wayne than before and really takes on a darker, grittier Batman. This movie is really dark, and Bale doesn't shy away from this. Michael Caine is, well, Alfred. He was in the first movie and he is here also. If you've seen the first one (which you really should before walking into this one) then you know what to expect here. Maggie Gyllenhaal really steals Rachel Dawes from Katie Holmes because it will amaze you that Katie Holmes ever could have been Rachel Dawes. I always felt that Gyllenhaal was underrated and it shows in this film. Aaron Eckhart was the perfect man to play Harvey Dent. The concept of a DA with a passion for justice is not lost on Eckhart. He starts off as being not bad and then progressively just gets deeper and deeper into the role. Morgan Freeman's character is given more screen time in this one and while I would've loved to have seen his character fleshed out a little more I appreciate their time restrictions also.
Speaking of which: the worst thing you can dredge up about this movie is how dense it is. It's 2 and a half hours long and a lot happens, but I feel like it's paced well enough so that you'll always want to know what happens next and you can't possibly be bored. You probably will laugh, cry, and jump in your seat (or squirm) during this movie, it's just that powerful. I love the dark humor because I love dark humor in general, and the delivery is always impeccable. The dialogue in this movie is decidedly more mature when compared to its predecessor, which I think is saying a lot (probably because David Goyer was not a part of writing this one). Getting back to my point though: there are several plots throughout this movie that do all tie together but can get confusing if you don't pay attention. Of course, I just look at this as giving more re-watch value to the film. There's so many little details to appreciate and the cinematography is so spot-on that you can't help but want to watch certain scenes again and again. The special effects are never too heavy and are always just welcome inclusions.
This movie should not be seen by small children. Seriously, if you're under 14 then you have no business seeing this movie. It's not curse words or violence (though there's not much cursing and there's absolutely no nudity), but rather the themes that this movie revolves around. They're dark, complicated, and involve a lot of moral gray area. Besides, the Joker would probably seriously creep out anyone that young (I'd be surprised if he didn't give some adults bad dreams). The haunting imagery in this movie will likely stick with you, but you have to appreciate the fact that these characters are likely to stick with you. You really care about them and feel involved in their lives.
I give this movie an A+ with my highest recommendation for you to run out and see it right now. Please, go see it in IMAX if you can. If you are above the age of 16 and you do not see this movie then something is wrong with you. Yes, it's that good. Even my dad really enjoyed it.
Saturday, July 12, 2008
Get Smart and Wall-E
Sorry it's been a while, but my life has just been so extremely busy lately. After my vacation in Austin I had to pack up everything for Seattle and now I'm here trying to get my apartment together. I love the apartment and, of course, the city, but I do miss home. I'll get back to my normal mix of tech news in another week or so. Until then, enjoy a couple of movie reviews!
Get Smart
I don't know how I should feel about Get Smart. When I saw it, I actually really did like it, but then the reviews I read kind of made me think twice.
I had no familiarity with the TV series that the movie was based off of before walking into the theater, but the Alamo Drafthouse ran a few clips from the show before the movie started (which I thought was pretty neat) and the movie did seem to keep in theme with the show. However, some fans of the show have said otherwise. In any case, the movie was not what I expected: I thought it'd be a dumb spy movie like Naked Guy where the protagonist is just dumb but it's really one where the protagonist is smart but really clumsy. The basic premise is that Control, this spy agency, has had some leaks so Steve Carell has to become a special agent and works alongside Anne Hathaway on a case.
I personally thought that the movie was hilarious. The jokes weren't always fresh, but I thought that the delivery on them was great. Steve Carell is great at being dorky but lovable and Anne Hathaway at times is good at being graceful and sexy. Of course, Alan Arkin was awesome because he's Alan Arkin, but I really wasn't impressed with the Rock (I've actually seen movies where I've liked his acting). My friends and I were laughing the entire time, but the criticisms that I've heard but didn't personally have are good ones: the technical shooting quality was subpar, the jokes have mostly been done before, and it did try really hard to be a serious action movie. I think it wanted to be a funnier True Lies but it missed the mark on that count.
The bottom line is that this movie is not for everyone. That's kind of a disclaimer with all comedies though, they appeal to certain people more than others. I went and saw it because some of the people I was following on Twitter enjoyed it and my friend really wanted to see it. In the end, I was definitely entertained, so I give it a B-. If you're not sure about seeing it, then just wait for it to come out on video and try it then. If you want a comedy though, try Wall-E first.
Wall-E
Has Pixar ever made a bad movie? Granted, I haven't seen all of them but I haven't heard of Cars being bad either. To continue the pattern, Wall-E is probably the cutest movie that I've ever seen. There's so much to love about it for all ages. From the short that precedes it to the end credits, it's truly a visual feast.
The premise is that Wall-E is the last robot in his line to be left on Earth cleaning it up while all the humans are away. He becomes very curious and self-aware over time, and then one day a foreign robot comes to Earth and launches us into the rest of the movie.
What's really interesting about this movie is how little dialogue it incorporates. So much of the movie tells the story by the actions of these robots and, while there is dialogue, there's so little talking (other than what's computer-generated) that you forget that there was any at all! It's just a testament to how great the animation is. There are no words for the visual quality of the movie: it's technically brilliant and they utilize it so well to tell a haunting, yet endearing story. The movie actually kind of reminds me of Idiocracy and I, Robot, but it definitely paints robots in a better light than most movies tend to. It's by no means strictly a children's movie: I can't imagine anyone walking in and not having a good time. It's cute, funny, and just interesting overall.
The only criticism I have for this movie is hard for me to explain, but it does have to deal with the movie crossing the boundary between the cartoon world and the real world. Other than that, I really enjoyed the voice acting and the story overall. I give it an A and will definitely be buying it when it comes out.
Thursday, July 03, 2008
How to Secure Your Machine (for free!)
I've had this in my head for over a month now, but I wanted to wait until after the trip to write it all out (and there was a lot to write!). A lot of people don't take security on their home machine under much consideration because, frankly, they were never educated much about it. Why would we be? To be honest, even I didn't really understand what was necessary and why until I took a class on network security last year. I'm going to try to hit all the basics of the minimum you need to use your machine with little chance of bricking it, losing all your stuff, or, even worse, losing your sensitive information. If anything is unclear, feel free to comment. If you catch me saying something incorrect, please also comment so I can correct it; there's a lot here for me to keep up with.
I've never tried a full-on original essay like this before so I hope it goes well...
Introduction
There's a tradeoff between security and convenience. The reason that malicious hackers are able to have so much fun is usually just laziness. Most victims simply just don't do enough to protect themselves because it's human nature to try and enjoy conveniences. That's why 1-click shopping is popular on Amazon and iPods are still selling like hotcakes even though there are competing mp3 players that do more. It's amazing how often a simple password list will work (consisting of password, password123, the user's name, etc.) because it's inconvenient to come up with one of random letters, numbers, and symbols. People ignore security patch updates and that's the way a lot of attacks succeed long after the vulnerability has been discovered. Programmers are sometimes sloppy and allow for buffer overflow attacks, which is probably the most commonly exploited vulnerability class. In essence, if you want a machine built like a tank then you're going to have to sacrifice some conveniences, so that will be a recurring theme in this article.
The reason for this tradeoff in convenience is this arms race we have in computer security. When we came out with anti-virus software, they came out with polymorphic viruses that change themselves constantly (like real-life viruses can, I believe?) to make detection harder. So, scanning just isn't enough; we also have to be responsible about how we use the computer. Also, there are intrusion detection systems (IDS) (something I did research in last semester), but they rely on looking for anomalous behavior. The question is, how does it know what anomalous behavior is? They still need our help to keep out intruders.
What you have to realize though, nonetheless, is that each one of the following recommendations is an important pillar in your machine's safety as well as that of the information that passes through. Hence, I highly recommend doing all of the following things. Fortunately, you can do these things without buying any fancy software. The only place you'll need to spend money is in my first tip.
Back it up!
Any successful large company understands the merits of mastering disaster recovery. Average people, however, aren't quite so reliable. It's almost as if we think we're invincible, believing that the stories on the news about some widespread virus or worm only happen to idiots. In reality though, the most important tool in your security arsenal is keeping at least one backup of all the programs and files that are most important to you. After all, iTunes won't send you your library again if your hard drive dies. As careful as any of us can be, shit happens. Just accept it and move on with your life. They say you should live your life as if each day is your last. I say the same about your computer: use it as if when you wake up in the morning it won't be there anymore. The attacks and hardware problems that can occur are too numerous to be listed.
Ok, so enough of my soapbox, what do you need to do? First things first: you need a backup medium. There are some online services that promise to sync your hard drive while you're asleep and keep your data somewhere in the clouds (i.e. on a server somewhere far away). I've blogged about some lists of free ones here and here. I've started using Dropbox lately and I really dig it for its simplicity. The premium services are a bit pricey, but usually worthwhile. The reason you'd want to backup online is that if you have a hard backup somewhere in your apartment and your computer is in your apartment then what if your neighbor has a bad day and burns down the building while you're at work?
Barring the natural disaster or physical theft scenarios, keeping a hard backup is a great option and a necessity at an absolute minimum. The advantages are that hard drives and optical media are quite inexpensive, you have complete control over it, it offers you a way to take your files with you without having to lug your computer with you, it protects you from malicious attacks since you can always just format your computer and start fresh from the backup, and it protects you from hardware failures in your computer (i.e. dead hard drive, worn out power supply, etc.) for the same reason. They have some pretty physically small external hard drives out there now for $100 or less, or some bigger ones for the same price but double the capacity. Look for a name brand, read the reviews to make sure people have good experiences overall, and just order one. You need one at least as big as your hard drive, even if you don't backup all your data on it.
Most hard drives will come with free software for back-up right out of the box, but if you decide to use a USB flash drive or optical media (i.e. CDs or DVDs) then you'll need to take to the Internet. I had to do this because Retrospect on my Western Digital doesn't work on Vista. After using several different ones, I liked Karen's Replicator the best. You just set up jobs to copy folders to wherever you want and then set them to run automatically while you're asleep at whatever frequency you want. It does progressive backups, so after the first backup it'll only handle changes rather than re-copying all your data every night and wearing out your backup hard drive faster than necessary. It's not as convenient to do automatic backups on optical media, but they can still be used. A competitor to Karen's Replicator that may be better for optical media is WinBackup. Both of these programs are kind of quick and dirty and don't give you all the features you may want, like taking an image of your entire hard drive. You can always shop around for the paid software that does everything you want, like maybe Genie, which makes it really easy to back up your registry and e-mails and all that.
Oh, and most companies already secretly backup your work machines so consult your IT department on that or ask them for the means to backup your work computer(s). If they don't oblige then you should definitely raise Hell about it.
Spyware: The Silent Killer
If you don't know what the word 'spyware' means, then you probably do but just don't realize it. It's used as an umbrella to refer to software that either intercepts what you do on your computer (i.e. sites you go to so that an advertiser knows what your interests are) or partially takes over your computer without you knowing. It's often just annoying, but there is a security risk in that it could steal sensitive information, as well. It can also install 3rd party software on your computer to the point that your computer is near unusable due to having its resources bogged down. Some tell-tale symptoms are that your computer runs slower than usual, you see windows pop up out of nowhere, browsing the Internet takes much longer than usual, when you go to the task manager you see processes that probably shouldn't be there, and changes are made to your registry that you didn't make.
Side note: You know how Vista always asks you if you want to allow a program to be opened after you just double-clicked it and you think the OS must be retarded? Well, I think it does that because spyware could open software it installs without your telling it to, but if Vista forces the decision to go to you then it's less likely to work. Anyway, you can disable this if it becomes too prohibitive; I don't think you necessarily need it at its default setting.
There are two programs that I think are absolutely necessary in fighting the war on spyware, and both of them are 100% free. The first is Spybot Search & Destroy (they must love that name). Spybot is really three tools in one. My favorite is called TeaTimer, which asks you to approve any changes made to the system registry (which is just a repository for Windows settings and data). This is important because a lot of times spyware manages to install junk on your computer by modifying your registry to tell Windows to do stuff when it restarts (a lot of software you install will make changes to the registry for routine tasks like clean-up or making some changes that it can only make before Windows boots and such). It will also warn you when processes that look suspicious try to run. It isn't as annoying as it sounds, and will give you peace of mind. The second piece of Spybot that's great is immunization, which is basically a preventive measure (much like getting inoculation shots in real life) to keep things like tracing cookies at bay. This will protect your privacy and help keep out nasty spyware. The final piece is its scanning, which I recommend you run regularly (at least weekly). Unfortunately, there's no way to set up a schedule for it to update itself or scan your computer, so be sure to do both regularly. If you don't update it, then you're probably vulnerable to the latest, hottest spyware out there (which is the stuff you're most likely to get).
The other free, great tool is Ad-Aware. It's a great second-tier defense, it doubles as an anti-virus program (paid version), and it's highly respected. If you pay for it, you get some great benefits: scanning on a schedule, real-time protection, a process monitor, and more. It's worth the money if you have it to spare and like the software. Otherwise, just run a scan in Ad-Aware after you run your regular SpyBot scan; it's worthwhile even in its free version.
Fighting Viruses (without buying Norton)
Viruses come in all shapes and sizes. The term 'computer virus' generally refers to malicious code that hides in legitimate applications but can only propagate by being physically run by a person (i.e. cannot spread on their own, they need your help). Some viruses are infected documents or files that exploit vulnerabilities in the programs that process them (e.g. bad .doc files that exploit a problem in Word) but infect the entire program once opened, whereas some infect the operating system so that the infected files look normal (like the Sony rootkit fiasco where Sony CDs restricted your ripping the CD or putting the music on certain mp3 players) and others still spread themselves over P2P networks (some media companies put these out on purpose to discourage piracy over P2P). The really bad part about viruses is the rise in polymorphic viruses, which scramble their own code to make them harder for anti-virus software to detect as they spread (technobabble: via encryption with different keys) or self-destruct when you try to run them in an emulator (you would run it in a safe environment to see if the program is infected or not) or debugger (which would help discover how it works). You might even consider Skype a benign polymorphic virus because of its heavy obfuscation and anti-debugging techniques to hide how it works (for security reasons).
Fortunately, there are a few free applications to help protect you from viruses. You don't need to install them all (just your favorite one), but you can if you want. They each use different definition files, but I'm sure there's a lot of overlap. I personally use ClamWin Free, which is only for Windows (unless you count the ClamAV engine on which it's based) but it's completely free and it's lite. It has a scheduler and everything. The other popular alternative is Avast, which also has a paid version. Unfortunately, it's also only for Windows (or Mac, if you pay) but AVG has a free version and also works on Linux. Lastly, going back to the ClamAV engine, there is ClamXav for Macs.
The problem is that the way that all the programs I just mentioned work is to look for the signature of a virus: like the fingerprints that a criminal may leave behind at the scene of a crime. If we haven't taken that criminal's prints before then how do we catch him when we see his prints? Similarly, these scanners can only look for what they know about, making it hard for them to catch polymorphic viruses and impossible to catch viruses that haven't been discovered yet. In order to catch those you need an intrusion detection system (IDS) that looks for anomalous behavior, which begs the question of what normal behavior looks like. This is a field that is still being researched because we can get 0 false positives (technobabble: using static analysis of the source code in question all alarms are correct) but not 0 false negatives (i.e. some viruses can get away). The reason that you don't see an anti-worm detector is that worms are standalone programs that self-propagate and usually are known as 0-day attacks because they spread so rapidly before they can be discovered and defended against properly (research Slammer, Nimda, Code Red, Storm Worm, or Blaster for more).
What is the point of creating a virus or a worm? Usually, it's for profit. Sending out large amounts of spam is costly, but if you are forced into a botnet (a network of zombie machines that can be surreptitiously issued commands, sometimes encrypted commands, remotely from a master) then you're part of the source of spam. Another purpose of a botnet could be a distributed denial of service attack (DDoS) where lots of machines try to open connections to a website simultaneously in order to bring it down by overloading its servers, which can be used for extortion. Sometimes it's not for money though. Sometimes it's just for glory and popularity. Make no mistake about it, worms and viruses are on the rise and you need to stay safe. What can you do about worms though without a reliable IDS? Try following the rest of my tips.
Setup a Firewall
I'm sure you've heard this term bounced around a lot and you may think of it as some sort of virtual, impenetrable shield. Well, it's more like a virtual moat: it tries to separate your computer and local network from the big bad Internet. The idea is to restrict not only access from the outside but outbound connections, as well. It should be obvious that you don't want bad guys to get into your machine, but why would you want to restrict connections coming from your machine? For the same reason you don't cough on people when you're sick: if you become a zombie in a botnet then you'll be phoning home to your master for commands (to do bad things to others) and if you have a worm then it'll try to spread itself so we want to keep things like this from happening.
There are several types of firewalls: packet filtering (dumb and stateless, it just examines each data packet you receive individually and follows some set rules without considering other packets), session filtering (packet filtering but in the context of the connection the packets belong to, so some state is involved), and application-level gateways (filtering rules set up by specific applications) are some examples of the more common ones. Some of the reasons why firewalls aren't as powerful as the name may suggest are that they don't prevent insider attacks (I know, that's a low blow), they don't fix the problem I mentioned above of buggy software (which causes big vulnerabilities for attackers to exploit), they don't prevent denial of service attacks (hitting a machine or server hard with requests to overwhelm them into breaking down), and they suffer from misconfiguration woes (more on this in the next paragraph). Also, realize that software that you may install on your computer from a CD that's bad and stuff that doesn't involve connections to/from the Internet are completely unprotected by a firewall.
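To make the difference between packet filtering and session filtering concrete, here is an added example (not from the original post) that runs the same four packets through both. The addresses, the port policy and the names `packet_filter` and `SessionFilter` are constructed for illustration, and TCP flags and session expiry are left out.

```python
from dataclasses import dataclass

HOME = "192.168.1.10"          # constructed address for the home PC
ALLOWED_OUT_PORTS = {80, 443}  # assumption: only web browsing is allowed out


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving the PC, "in" = arriving from the Internet
    src: str
    sport: int
    dst: str
    dport: int


def packet_filter(pkt):
    """Stateless: judge each packet alone, using fixed rules only."""
    if pkt.direction == "out":
        return pkt.dport in ALLOWED_OUT_PORTS
    # Inbound rule: "looks like a web reply" because of its source port.
    # Nothing checks that we ever talked to this sender.
    return pkt.sport in ALLOWED_OUT_PORTS


class SessionFilter:
    """Stateful: inbound packets must belong to a connection we opened."""

    def __init__(self):
        self.sessions = set()

    def allow(self, pkt):
        if pkt.direction == "out":
            if pkt.dport not in ALLOWED_OUT_PORTS:
                return False
            # Remember who we contacted and from which local port.
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # An inbound packet is a reply only if it mirrors a stored session.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


# Constructed traffic, in arrival order.
TRAFFIC = [
    Packet("out", HOME, 50000, "203.0.113.5", 443),    # browser opens a connection
    Packet("in", "203.0.113.5", 443, HOME, 50000),     # that server's reply
    Packet("in", "198.51.100.7", 443, HOME, 50000),    # unsolicited, only *claims* port 443
    Packet("out", HOME, 50001, "198.51.100.7", 6667),  # program calling out on a non-web port
]


def compare(traffic):
    """Return (stateless verdict, stateful verdict) for every packet."""
    stateful = SessionFilter()
    return [(packet_filter(p), stateful.allow(p)) for p in traffic]


if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{pkt.direction:3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  stateless={'allow' if stateless else 'drop'}"
              f"  stateful={'allow' if stateful else 'drop'}")
```

The third packet is the interesting one: the stateless filter lets it through because of its source port, while the session filter drops it because no outbound connection to that host exists. Both filters block the last packet, which is the outbound restriction described in the previous paragraph.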
Still, you should use a firewall because it does help keep your Internet connection tighter so that it's much harder for bad guys to get to you to cause harm and also hard for them to do more damage even if they do get nasty code onto your machine. The most popular solution out there is ZoneAlarm. Aside from keeping out connections that clearly don't make sense, it's famous for its impressive program control functionality: whenever any of your software tries to access the Internet or act as a server, it asks you to approve it. Don't fret, you can set to always approve a certain application that you trust without a shadow of a doubt, but it's such a great idea for you to make sure that a virus isn't hiding out and trying to receive or send data (or receive remote commands). I know it seems annoying, but you'll get used to it and it's definitely a necessary addition to your arsenal.
Use the Right Browser
This is pretty much a no-brainer: Firefox is consistently hailed as the safest browser around and Internet Explorer has historically been the worst, but Microsoft has been making changes to help rectify this. Because it's so popular, Internet Explorer's vulnerabilities are constantly being tracked down and exploited, so it's not entirely their fault. Still, Firefox's vulnerabilities are typically fixed faster and discovered less often, whether or not it has as many as Internet Explorer.
Also, Firefox 3.0 has some great security additions. It provides you with identity information right in the address bar to prevent phishing (where a bad guy designs a site identical to a site like a bank and gets you to input sensitive information that gets sent to the bad guy, but this feature allows you to verify that it's the site you think it is), it actively warns you of forged sites (again, phishing), and it blocks pop-ups (which is an easy route to force malicious code onto you). But wait, there's more! The NoScript add-on is invaluable and a must-have for anyone who browses the web: it blocks all scripts (Java, JavaScript, Flash) by default and punts to you for approval of each domain's scripts permanently or temporarily. This helps pages load faster but, more importantly, scripts that would otherwise load automatically and could do serious damage now don't and so if you click a link by accident or something like that then you're safe! Think of it like a condom for your web browsing: it just works. It keeps the main culprits of web browsing woes, even for sensible Internet users, safely at bay. Plus, you don't get the irritating ads that appear over the article you're reading (though you can get AdBlock Plus for this). I know approving scripts can get tiresome, but after a few weeks you'll be browsing your favorite sites with ease. Oh, and Tools->Clear Private Data is also excellent for maintaining your privacy.
E-mail
Here's a biggie: safe e-mail usage. You don't need software for this, you just need to use your head. You could use Gmail though, which has 2 great features: you can read the start of your e-mails before opening them to see if it's gibberish or important and it won't load images until you tell it to (yes, images can carry malicious code).
When you download attachments, I'd say you should always scan them (ClamWin adds an option to your shell menu for when you right-click on files) before you open them. Even if it comes from a trusted source, you never know (maybe they've been compromised, like in a vampire movie).
Whenever you click a link, always always always mouseover the link and look into your status bar to check that the URL matches the text you're clicking on or where it should be going (e.g. www.paepal.com is not the same as www.paypal.com). If you know that a site uses https (this means it has a Secure Sockets Layer (SSL) to prevent eavesdropping), then the URL the e-mail takes you to should also start with https and not http. However, https does not mean you can trust a given site! Anyone can set up SSL for their site, if they pay for it, to secure your transmissions, but if you're using SSL to talk to a bad guy then it just means that no one can see what you're sending to the bad guy except for them. If someone wants you to go to a fake site that involves you spending or managing your money, they're going to do a great job of replicating it and pick a URL that looks just like it should except for a couple of letters. They may even write a URL in the e-mail that you can click on that ends up going somewhere else altogether! Even when you're browsing the Web normally, check the URLs you click with a simple mouseover.
Watch out for spam! Mark spam as you see it in your favorite e-mail client and don't bother reading it. If, for whatever reason, it happens to be an ad that's tempting and you think may be from a trusted source, then research the URL it suggests before you click on it. Just do a simple Google search, or do a simple DNS lookup/whois (i.e. check that the URL domain belongs to someone legitimate). It's honestly just that simple. People are lazy and don't do this so many fall for scams and phishing attacks.
In general, don't read e-mails that you don't expect. That's a pretty good policy to follow.
Don't Forget Security Patches!
Keep your system patched! Don't you have to get your kids the proper shots before they go to school? And don't your pets have to get their shots, too, before you take them home? So why not give your computer the same treatment? You must install any security updates that your OS pushes out as well as your browser, anti-virus software, anti-spyware software, or your firewall, or else they're useless. That's just at a minimum: you should really be patching anything you use. Some pretty big outbreaks have come out of unpatched software, like Code Red I, which hit unpatched copies of Microsoft's IIS Server software. From sifting through hundreds of vulnerability descriptions in my research in the NVD I can safely say that not keeping some of your simplest software updated can completely compromise your entire computer. Don't avoid updates because they require restarts or something like that, just take the 5 minutes to do it! You'd be surprised how severe the consequences can be if someone takes advantage of your procrastination.
Passwords
This is more of a general tip that doesn't require much explanation: you need to have good passwords for anything that matters to you. What's a good password? It can't be a dictionary word and should be hard to guess based on any information about you that's publicly available. So if my password was "eltoneptiger" then I'd be kind of dense. The best password crackers in the world rely first on creating passwords from what they know about you, then try common passwords (like "password") and default passwords, and then they try dictionary words. The best way to thwart them is with random combinations of letters (upper and lower case), numbers, and symbols. Of course, if it's random how do you remember it? Just try to come up with a story that is abbreviated by the characters in your password or similar mnemonic devices. You can start here.
Please do me a favor: when given a default password, always change it. Kevin Mitnick likes to tell a story of how a bank was robbed because of a router using its default password. There's an attack called drive-by pharming where if you don't change the default password on your router an attacker could use an invisible JavaScript script to reconfigure your router so that putting in things like "www.wamu.com" will take you to their fake WAMU site so that you can hand over your password. The scary part of that attack is that you wouldn't know you had been victimized because the URL would probably look alright (your router is supposed to look up the URL domain using a Domain Name System (DNS) server, but if it's corrupted then it may not do this properly). (Note: if you used NoScript then I think you'd be safe from this attack)
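To check a password against the same three tiers before someone else does, here is an added example (not from the original post). It tests a candidate for personal facts, common passwords and dictionary words, then reports which character classes are missing. The word lists are tiny constructed samples and the personal facts passed in are assumptions for illustration.

```python
import re
import string

# Constructed, deliberately tiny lists; a real check would use much larger ones.
COMMON = {"password", "password123", "123456", "qwerty", "letmein", "admin"}
DICTIONARY = {"tiger", "dragon", "monkey", "sunshine", "football"}

# Undo the usual look-alike swaps (p@ssw0rd -> password).
LEET = str.maketrans("0134@$5", "oleaass")

CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def _strip(s):
    """Drop the digits and symbols people put before or after a word."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def variants(password):
    """Forms of the password that a guessing tool would treat as the same word."""
    low = password.lower()
    unleet = low.translate(LEET)
    return {low, _strip(low), unleet, _strip(unleet)}


def audit_password(password, personal_facts):
    """Return the reasons this password is guessable, in the order crackers try."""
    findings = []
    forms = variants(password)

    # Tier 1: anything publicly known about you (names, pets, teams, dates).
    for fact in personal_facts:
        fact = fact.lower()
        if len(fact) >= 3 and any(fact in form for form in forms):
            findings.append("personal-info:" + fact)

    # Tier 2: common and default passwords.
    if forms & COMMON:
        findings.append("common-password")

    # Tier 3: plain dictionary words, with or without decoration.
    for word in sorted(forms & DICTIONARY):
        findings.append("dictionary-word:" + word)

    # Finally, which of the four character classes are absent.
    missing = [name for name, chars in CLASSES.items()
               if not any(c in chars for c in password)]
    if missing:
        findings.append("missing:" + ",".join(missing))
    return findings


if __name__ == "__main__":
    facts = ["Elton", "tiger"]  # constructed "publicly known" facts
    for candidate in ["eltoneptiger", "P@ssw0rd!", "Tiger2008", "Mf2cwb@7,R&L!"]:
        print(candidate, "->", audit_password(candidate, facts) or "no findings")
```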
If you want to protect your CPU, you can change your computer's password in its BIOS so that if your computer gets stolen the CPU is useless. I personally don't do this, but it's not a bad idea. You should also have a password to run your OS and make the screensaver ask for a password when you resume usage. Always lock your computer when you walk away from it when around other people so that it asks for this password, and make it a good one so that it can't be cracked.
Quick tangent from passwords: be sure to encrypt your important data so that it's useless even if stolen. Software like Microsoft OneNote and Excel have this functionality built-in, but there's plenty of other software (like Notepad++) that can do this.
Conclusion
I know I've given you a lot to swallow and following all of them still doesn't guarantee that you're 100% safe, but it means that you're better protected than 90% of people out there so it'd be pretty hard for you to run into issues. Since I've started following them over the past several years I haven't had a single security breach. The key is not necessarily to be scared, but to be vigilant and use common sense.
Have a great 4th of July weekend everyone! I head to Seattle early Monday morning to arrive on Wednesday night, but I'll do my best to squeeze out another post before then including reviews of Wall-E (A+) and Get Smart (B+/A-).
I've never tried a full-on original essay like this before so I hope it goes well...
Introduction
There's a tradeoff between security and convenience. The reason that malicious hackers are able to have so much fun is usually just laziness. Most victims simply just don't do enough to protect themselves because it's human nature to try and enjoy conveniences. That's why 1-click shopping is popular on Amazon and iPods are still selling like hotcakes even though there are competing mp3 players that do more. It's amazing how often a simple password list will work (consists of password, password123, the user's name, etc.) because it's inconvenient to come up with one of random letters, numbers, and symbols. People ignore security patch updates and that's the way a lot of attacks succeed way past the vulnerability has been discovered. Programmers are sometimes sloppy and allow for buffer overflow attacks, which is probably the most commonly exploited vulnerability class. In essence, if you want a machine built like a tank then you're going to have to sacrifice some conveniences, so that will be a recurring theme in this article.
The reason for this tradeoff in convenience is this arms race we have in computer security. When we came out with anti-virus software, they came out with polymorphic viruses that change themselves constantly (like real-life viruses can, I believe?) to make detection harder. So, scanning just isn't enough we also have to be responsible about how we use the computer. Also, there's intrusion detection systems (IDS) (something I did research in last semester), but they rely on looking for anomalous behavior. The question is, how does it know what anomalous behavior is? They still need our help to keep out intruders.
What you have to realize though, nonetheless, is that each one of the following recommendations is an important pillar in your machine's safety as well as that of the information that passes through. Hence, I highly recommend doing all of the following things. Fortunately, you can do these things without buying any fancy software. The only place you'll need to spend money is in my first tip.
Back it up!
Any successful large company understands the merits of mastering disaster recovery. Average people, however, aren't quite so reliable. It's almost as if we think we're invincible, believing that the stories on the news about some widespread virus or worm only happen to idiots. In reality though, the most important tool in your security arsenal is keeping at least one backup of all the programs and files that are most important to you. After all, iTunes won't send you your library again if your hard drive dies. As careful as any of us can be, shit happens. Just accept it and move on with your life. They say you should live your life as if each day is your last. I say the same about your computer: use it as if when you wake up in the morning it won't be there anymore. The attacks and hardware problems that can occur are too numerous to be listed.
Ok, so enough of my soapbox, what do you need to do? First thing is first: you need a backup medium. There are some online services that promise sync your hard drive while your asleep and keep your data somewhere in the clouds (i.e. on a server somewhere far away). I've blogged about some lists of free ones here and here. I've started using Dropbox lately and I really dig it for its simplicity. The premium services are a bit pricey, but usually worthwhile. The reason you'd want to backup online is that if you have a hard backup somewhere in your apartment and your computer is in your apartment then what if your neighbor has a bad day and burns down the building while you're at work?
Barring the natural disaster or physical theft scenarios, keeping a hard backup is a great option and a necessity at an absolute minimum. The advantages are that hard drives and optical media are quite inexpensive, you have complete control over it, it offers you a way to take your files with you without having to lug your computer with you, it protects you from malicious attacks since you can always just format your computer and start fresh from the backup, and it protects you from hardware failures in your computer (i.e. dead hard drive, worn out power supply, etc.) for the same reason. They have some pretty physically small external hard drives out there now for $100 or less, or some bigger ones for the same price but double the capacity. Look for a name brand, read the reviews to make sure people have good experiences overall, and just order one. You need one at least as big as your hard drive, even if you don't backup all your data on it.
Most hard drives will come with free software for back-up right out of the box, but if you decide to use a USB flash drive or optical media (i.e. CDs or DVDs) then you'll need to take to the Internet. I had to do this because Retrospect on my Western Digital doesn't work on Vista. After using several different ones, I liked Karen's Replicator the best. You just setup jobs to copy folders to where ever you want and then set them to run automatically while you're asleep at whatever frequency you want. It does progressive backups, so after the first backup it'll only handle changes rather than re-copying all your data every night and wearing out your backup hard drive faster than necessary. It's not as convenient to do automatic backups on optical media, but they can still be used. A competitor to Karen's Replicator that may be better for optical media is WinBackup. Both of these programs are kind of quick and dirty and don't give you all the features you may want, like taking an image of your entire hard drive. You can always shop around for the paid software that does everything you want, like maybe Genie, which makes it really easy to back up your registry and e-mails and all that.
Oh, and most companies already secretly backup your work machines so consult your IT department on that or ask them for the means to backup your work computer(s). If they don't oblige then you should definitely raise Hell about it.
Spyware: The Silent Killer
If you don't know what the word 'spyware' means, then you probably do but just don't realize it. It's used as an umbrella to refer to software that either intercepts what you do on your computer (i.e. sites you go to so that an advertiser knows what your interests are) or partially takes over your computer without you knowing. It's often just annoying, but there is a security risk in that it could steal sensitive information, as well. It can also install 3rd party software on your computer to the point that your computer is near unusable due to having its resources bogged down. Some tell-tale symptoms are that your computer runs slower than usual, you see windows pop up out of nowhere, browsing the Internet takes much longer than usual, when you go to the task manager you see processes that probably shouldn't be there, and changes are made to your registry that you didn't make.
Side note: You know how Vista always asks you if you want to allow a program to be opened after you just double-clicked it and you think the OS must be retarded? Well, I think it does that because spyware could open software it installs without your telling it to, but if Vista forces the decision to go to you then it's less likely to work. Anyway, you can disable this if it becomes too prohibitive; I don't think you necessarily need it at its default setting.
There are two programs that I think are absolutely necessary in fighting the war on spyware, and both of them are 100% free. The first is Spybot Search & Destroy (they must love that name). Spybot is really three tools in one. My favorite is called TeaTimer, which asks you to approve any changes made to the system registry (which is just a repository for Windows settings and data). This is important because a lot of times spyware manages to install junk on your computer by modifying your registry to tell Windows to do stuff when it restarts (a lot of software you install will make changes to the registry for routine tasks like clean-up or making some changes that it can only make before Windows boots and such). It will also warn you when processes that look suspicious try to run. It isn't as annoying as it sounds, and will give you peace of mind. The second piece of Spybot that's great is immunization, which is basically a preventive measure (much like getting inoculation shots in real life) to keep things like tracing cookies at bay. This will protect your privacy and help keep out nasty spyware. The final piece is its scanning, which I recommend you run regularly (at least weekly). Unfortunately, there's no way to set up a schedule for it to update itself or scan your computer, so be sure to do both regularly. If you don't update it, then you're probably vulnerable to the latest, hottest spyware out there (which is the stuff you're most likely to get).
The other free, great tool is Ad-Aware. It's a great second-tier defense, it doubles as an anti-virus program (paid version), and it's highly respected. If you pay for it, you get some great benefits: scanning on a schedule, real-time protection, a process monitor, and more. It's worth the money if you have it to spare and like the software. Otherwise, just run a scan in Ad-Aware after you run your regular SpyBot scan; it's worthwhile even in its free version.
Fighting Viruses (without buying Norton)
Viruses come in all shapes and sizes. The term 'computer virus' generally refers to malicious code that hides in legitimate applications but can only propagate by being physically run by a person (i.e. cannot spread on their own, they need your help). Some viruses are infected documents or files that exploit vulnerabilities in the programs that process them (e.g. bad .doc files that exploit a problem in Word) but infect the entire program once opened, whereas some infect the operating system so that the infected files look normal (like the Sony rootkit fiasco where Sony CDs restricted your ripping the CD or putting the music on certain mp3 players) and others still spread themselves over P2P networks (some media companies put these out on purpose to discourage piracy over P2P). The really bad part about viruses is the rise in polymorphic viruses, which scramble their own code to make them harder for anti-virus software to detect as they spread (technobabble: via encryption with different keys) or self-destruct when you try to run them in an emulator (you would run it in a safe environment to see if the program is infected or not) or debugger (which would help discover how it works). You might even consider Skype a benign polymorphic virus because of its heavy obfuscation and anti-debugging techniques to hide how it works (for security reasons).
Fortunately, there are a few free applications to help protect you from viruses. You don't need to install them all (just your favorite one), but you can if you want. They each use different definition files, but I'm sure there's a lot of overlap. I personally use ClamWin Free, which is only for Windows (unless you count the ClamAV engine on which it's based) but it's completely free and it's lite. It has a scheduler and everything. The other popular alternative is Avast, which also has a paid version. Unfortunately, it's also only for Windows (or Mac, if you pay) but AVG has a free version and also works on Linux. Lastly, going back to the ClamAV engine, there is ClamXav for Macs.
The problem is that the way that all the programs I just mentioned work is to look for the signature of a virus: like the fingerprints that a criminal may leave behind at the scene of a crime. If we haven't taken that criminal's prints before then how do we catch him when we see his prints? Similarly, these scanners can only look for what they know about, making it hard for them to catch polymorphic viruses and impossible to catch viruses that haven't been discovered yet. In order to catch those you need an intrusion detection system (IDS) that looks for anomalous behavior, which begs the question of what normal behavior looks like. This is a field that is still being researched because we can get 0 false positives (technobabble: using static analysis of the source code in question all alarms are correct) but not 0 false negatives (i.e. some viruses can get away). The reason that you don't see an anti-worm detector is that worms are standalone programs that self-propagate and usually are known as 0-day attacks because they spread so rapidly before they can be discovered and defended against properly (research Slammer, Nimda, Code Red, Storm Worm, or Blaster for more).
What is the point of creating a virus or a worm? Usually, it's for profit. Sending out large amounts of spam is costly, but if you are forced into a botnet (a network of zombie machines that can be surreptitiously issued commands, sometimes encrypted commands, remotely from a master) then you're part of the source of spam. Another purpose of a botnet could be a distributed denial of service attack (DDoS) where lots of machines try to open connections to a website simultaneously in order to bring it down by overloading its servers, which can be used for extortion. Sometimes it's not for money though. Sometimes it's just for glory and popularity. Make no mistake about it, worms and viruses are on the rise and you need to stay safe. What can you do about worms though without a reliable IDS? Try following the rest of my tips.
Set Up a Firewall
I'm sure you've heard this term bounced around a lot and you may think of it as some sort of virtual, impenetrable shield. Well, it's more like a virtual moat: it tries to separate your computer and local network from the big bad Internet. The idea is to restrict not only access from the outside but outbound connections, as well. It should be obvious that you don't want bad guys to get into your machine, but why would you want to restrict connections coming from your machine? For the same reason you don't cough on people when you're sick: if you become a zombie in a botnet then you'll be phoning home to your master for commands (to do bad things to others) and if you have a worm then it'll try to spread itself so we want to keep things like this from happening.
There are several types of firewalls: packet filtering (dumb and stateless, it just examines each data packet you receive individually and follows some set rules without considering other packets), session filtering (packet filtering but in the context of the connection the packets belong to, so some state is involved), and application-level gateways (filtering rules set up by specific applications) are some examples of the more common ones. Some of the reasons why firewalls aren't as powerful as the name may suggest are that they don't prevent insider attacks (I know, that's a low blow), they don't fix the problem I mentioned above of buggy software (which causes big vulnerabilities for attackers to exploit), they don't prevent denial of service attacks (hitting a machine or server hard with requests to overwhelm them into breaking down), and they suffer from misconfiguration woes (more on this in the next paragraph). Also, realize that software that you may install on your computer from a CD that's bad and stuff that doesn't involve connections to/from the Internet are completely unprotected by a firewall.
Still, you should use a firewall because it does help keep your Internet connection tighter so that it's much harder for bad guys to get to you to cause harm and also hard for them to do more damage even if they do get nasty code onto your machine. The most popular solution out there is ZoneAlarm. Aside from keeping out connections that clearly don't make sense, it's famous for its impressive program control functionality: whenever any of your software tries to access the Internet or act as a server, it asks you to approve it. Don't fret, you can set it to always approve a certain application that you trust without a shadow of a doubt, but it's such a great idea for you to make sure that a virus isn't hiding out and trying to receive or send data (or receive remote commands). I know it seems annoying, but you'll get used to it and it's definitely a necessary addition to your arsenal.
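To make the difference between packet filtering and session filtering concrete, here is an added example (not from the original post and not how any particular firewall product is written). The addresses, ports and the "web browsing only" policy are constructed for illustration.

```python
from dataclasses import dataclass

LOCAL = "192.168.1.10"   # constructed address of the home PC
WEB_PORTS = (80, 443)    # assumed policy: only web browsing is allowed out

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset     # TCP flags, e.g. frozenset({"SYN", "ACK"})

def stateless_allow(p):
    """Packet filtering: each packet is judged alone, with no memory."""
    if p.src == LOCAL:                    # outbound
        return p.dport in WEB_PORTS
    # Inbound: the only hint that this is a reply is "web source port + ACK set".
    return p.sport in WEB_PORTS and "ACK" in p.flags

class SessionFilter:
    """Session filtering: inbound packets must belong to a connection we opened."""
    def __init__(self):
        self.sessions = set()             # (local ip, local port, remote ip, remote port)

    def allow(self, p):
        if p.src == LOCAL:                # outbound
            if p.dport not in WEB_PORTS:
                return False
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return True
        # Inbound: look up the reversed 4-tuple in the session table.
        return (p.dst, p.dport, p.src, p.sport) in self.sessions

def flags(*names):
    return frozenset(names)

# Constructed traffic, in order of arrival.
TRAFFIC = [
    Packet(LOCAL, 50000, "203.0.113.5", 443, flags("SYN")),         # browser opens a site
    Packet("203.0.113.5", 443, LOCAL, 50000, flags("SYN", "ACK")),  # genuine reply
    Packet("198.51.100.7", 80, LOCAL, 3389, flags("ACK")),          # unsolicited, only looks like a reply
    Packet(LOCAL, 50001, "198.51.100.7", 6667, flags("SYN")),       # program calling out on a non-web port
]

def compare(packets):
    """Return (stateless verdict, session verdict) for each packet."""
    stateful = SessionFilter()
    return [(stateless_allow(p), stateful.allow(p)) for p in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(TRAFFIC, compare(TRAFFIC)):
        print(pkt.src, pkt.sport, "->", pkt.dst, pkt.dport, verdict)
```

The third packet is the interesting one: it passes the packet filter because it looks like a web reply in isolation, while the session filter drops it because nothing on the inside ever opened that connection. The fourth is the outbound restriction at work.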
Use the Right Browser
This is pretty much a no-brainer: Firefox is consistently hailed as the safest browser around and Internet Explorer has historically been the worst, but Microsoft has been making changes to help rectify this. Because it's so popular, Internet Explorer's vulnerabilities are constantly being tracked down and exploited, so it's not entirely their fault. Still, Firefox's vulnerabilities are typically fixed faster and discovered less often, whether or not it has as many as Internet Explorer.
Also, Firefox 3.0 has some great security additions. It provides you with identity information right in the address bar to prevent phishing (where a bad guy designs a site identical to a site like a bank and gets you to input sensitive information that gets sent to the bad guy, but this feature allows you to verify that it's the site you think it is), it actively warns you of forged sites (again, phishing), and it blocks pop-ups (which is an easy route to force malicious code onto you). But wait, there's more! The NoScript add-on is invaluable and a must-have for anyone who browses the web: it blocks all scripts (Java, JavaScript, Flash) by default and punts to you for approval of each domain's scripts permanently or temporarily. This helps pages load faster but, more importantly, scripts that would otherwise load automatically and could do serious damage now don't and so if you click a link by accident or something like that then you're safe! Think of it like a condom for your web browsing: it just works. It keeps the main culprits of web browsing woes, even for sensible Internet users, safely at bay. Plus, you don't get the irritating ads that appear over the article you're reading (though you can get AdBlock Plus for this). I know approving scripts can get tiresome, but after a few weeks you'll be browsing your favorite sites with ease. Oh, and Tools->Clear Private Data is also excellent for maintaining your privacy.
Here's a biggie: safe e-mail usage. You don't need software for this, you just need to use your head. You could use Gmail though, which has 2 great features: you can read the start of your e-mails before opening them to see if it's gibberish or important and it won't load images until you tell it to (yes, images can carry malicious code).
When you download attachments, I'd say you should always scan them (ClamWin adds an option to your shell menu for when you right-click on files) before you open them. Even if it comes from a trusted source, you never know (maybe they've been compromised, like in a vampire movie).
Whenever you click a link, always always always mouseover the link and look into your status bar to check that the URL matches the text you're clicking on or where it should be going (e.g. www.paepal.com is not the same as www.paypal.com). If you know that a site uses https (this means it uses Secure Sockets Layer (SSL) to prevent eavesdropping), then the URL the e-mail takes you to should also start with https and not http. However, https does not mean you can trust a given site! Anyone can set up SSL for their site, if they pay for it, to secure your transmissions, but if you're using SSL to talk to a bad guy then it just means that no one can see what you're sending to the bad guy except for them. If someone wants you to go to a fake site that involves you spending or managing your money, they're going to do a great job of replicating it and pick a URL that looks just like it should except for a couple of letters. They may even write a URL in the e-mail that you can click on that ends up going somewhere else altogether! Check the URLs you click even when you're browsing the Web normally though with a simple mouseover.
Watch out for spam! Mark spam as you see it in your favorite e-mail client and don't bother reading it. If, for whatever reason, it happens to be an ad that's tempting and you think may be from a trusted source, then research the URL it suggests before you click on it. Just do a simple Google search, or do a simple DNS lookup/whois (i.e. check that the URL domain belongs to someone legitimate). It's honestly just that simple. People are lazy and don't do this so many fall for scams and phishing attacks.
In general, don't read e-mails that you don't expect. That's a pretty good policy to follow.
Don't Forget Security Patches!
Keep your system patched! Don't you have to get your kids the proper shots before they go to school? And don't your pets have to get their shots, too, before you take them home? So why not give your computer the same treatment? You must install any security updates that your OS pushes out as well as your browser, anti-virus software, anti-spyware software, or your firewall, or else they're useless. That's just at a minimum: you should really be patching anything you use. Some pretty big outbreaks have come out of unpatched software, like Code Red I, which hit unpatched copies of Microsoft's IIS Server software. From sifting through hundreds of vulnerability descriptions in my research in the NVD I can safely say that not keeping some of your simplest software updated can completely compromise your entire computer. Don't avoid updates because they require restarts or something like that, just take the 5 minutes to do it! You'd be surprised how severe the consequences can be if someone takes advantage of your procrastination.
Passwords
This is more of a general tip that doesn't require much explanation: you need to have good passwords for anything that matters to you. What's a good password? It can't be a dictionary word and should be hard to guess based on any information about you that's publicly available. So if my password was "eltoneptiger" then I'd be kind of dense. The best password crackers in the world rely first on creating passwords from what they know about you, then try common passwords (like "password") and default passwords, and then they try dictionary words. The best way to thwart them is to use random combinations of letters (upper and lower case), numbers, and symbols. Of course, if it's random how do you remember it? Just try to come up with a story that is abbreviated by the characters in your password or similar mnemonic devices. You can start here.
Please do me a favor: when given a default password, always change it. Kevin Mitnick likes to tell a story of how a bank was robbed because of a router using its default password. There's an attack called drive-by pharming where if you don't change the default password on your router an attacker could use an invisible JavaScript script to reconfigure your router so that putting in things like "www.wamu.com" will take you to their fake WAMU site so that you can hand over your password. The scary part of that attack is that you wouldn't know you had been victimized because the URL would probably look alright (your router is supposed to look up the URL domain using a Domain Name System (DNS) server, but if it's corrupted then it may not do this properly). (Note: if you used NoScript then I think you'd be safe from this attack)
If you want to protect your CPU, you can change your computer's password in its BIOS so that if your computer gets stolen the CPU is useless. I personally don't do this, but it's not a bad idea. You should also have a password to run your OS and make the screensaver ask for a password when you resume usage. Always lock your computer when you walk away from it when around other people so that it asks for this password, and make it a good one so that it can't be cracked.
Quick tangent from passwords: be sure to encrypt your important data so that it's useless even if stolen. Software like Microsoft OneNote and Excel have this functionality built-in, but there's plenty of other software (like Notepad++) that can do this.
Conclusion
I know I've given you a lot to swallow and following all of them still doesn't guarantee that you're 100% safe, but it means that you're better protected than 90% of people out there so it'd be pretty hard for you to run into issues. Since I've started following them over the past several years I haven't had a single security breach. The key is not necessarily to be scared, but to be vigilant and use common sense.
Have a great 4th of July weekend everyone! I head to Seattle early Monday morning to arrive on Wednesday night, but I'll do my best to squeeze out another post before then including reviews of Wall-E (A+) and Get Smart (B+/A-).