9 Facts About Computer Security That Experts Wish You Knew

  • To unlock all of features of Rams On Demand please take a brief moment to register. Registering is not only quick and easy, it also allows you access to additional features such as live chat, private messaging, and a host of other apps exclusive to Rams On Demand.

Prime Time

PT
Moderator
Joined
Feb 9, 2014
Messages
20,922
Name
Peter
http://gizmodo.com/9-facts-about-computer-security-that-experts-wish-you-k-1686817774

9 Facts About Computer Security That Experts Wish You Knew
Annalee Newitz

Every day, you hear about security flaws, viruses, and evil hacker gangs that could leave you destitute — or, worse, bring your country to its knees. But what's the truth about these digital dangers? We asked computer security experts to separate the myths from the facts. Here's what they said.

1. Having a strong password actually can prevent most attacks

Yahoo's Chief Information Security Officer Alex Stamos has spent most of his career finding security vulnerabilities and figuring out how attackers might try to exploit software flaws. He's seen everything from the most devious hacks to the simplest social engineering scams. And in all that time, he's found that there are two simple solutions for the vast majority of users: strong passwords and two-factor authentication.

Stamos says that the biggest problem is that the media focuses on stories about the deepest and most complicated hacks, leaving users feeling like there's nothing they can do to defend themselves. But that's just not true. He told me via email:

I've noticed a lot of nihilism in the media, security industry and general public since the Snowden docs came out. This generally expresses itself as people throwing up their hands and saying "there is nothing we can do to be safe". While it's true that there is little most people can do when facing a top-tier intelligence apparatus with the ability to rewrite hard drive firmware, this should not dissuade users from doing what they can to protect themselves from more likely threats and security professionals from building usable protections for realistic adversaries.

Users can protect themselves against the most likely and pernicious threat actors by taking two simple steps:

1) Installing a password manager and using it to create unique passwords for every service they use.

2) Activating second-factor authentication options (usually via text messages) on their email and social networking accounts.

The latter is especially important since attackers love to take over the email and social accounts of millions of people and then automatically use them to pivot to other accounts or to gather data on which accounts belong to high-value targets.

So I would really like the media to stop spreading the idea that just because incredible feats are possible on the high-end of the threat spectrum that it isn't possible to keep yourself safe in the vast majority of scenarios.


Adam J. O'Donnell, a Principal Engineer with Cisco's Advanced Malware Protection group, amplified Stamos' basic advice:

Oh, and my advice for the average person: Make good backups and test them. Use a password vault and a different password on every website.

Yep, having a good password is easy — and it's still the best thing you can do.

2. Just because a device is new does not mean it's safe

When you unwrap the box on your new phone, tablet or laptop, it smells like fresh plastic and the batteries work like a dream. But that doesn't mean your computer isn't already infected with malware and riddled with security vulnerabilities.

I heard this from many of the security experts I interviewed. Eleanor Saitta is the technical director for the International Modern Media Institute, and has worked for over a decade advising governments and corporations about computer security issues. She believes that one of the most pernicious myths about security is that devices begin their lives completely safe, but become less secure as time goes on. That's simply not true, especially when so many devices come with vulnerable adware like Superfish pre-installed on them (if you recall, Superfish came pre-installed on many Lenovo laptop models):

That's why the Superfish thing was such a big deal. They built a backdoor in, and they built a really bad, incompetent one, and now it turns out that anybody can walk through.

When you're relying on code delivered by somebody else, a service online or box that you don't control, chances are good that it's not acting in your interest, because it's trying to sell you. There's a good chance that it's already owned or compromised by other people. We don't have a good way of dealing with trust and managing it right now. And all sorts of people will be using that code.


The other issue, which erupted in the media over the past day with the FREAK attack, is that many machines come pre-installed with backdoors. These are baked in by government request, to make it easier for law enforcement and intelligence agencies to track adversaries. But unfortunately, backdoors are also security vulnerabilities that anyone can take advantage of. Says Saitta:

I think one thing that is really important to understand is that if you built a monitoring system into a network like a cell network, or into a crypto system, anybody can get in there. You've built a vulnerability into the system, and sure, you can control access a little. But at the end of the day, a backdoor is a backdoor, and anybody can walk through it.

3. Even the very best software has security vulnerabilities

Many of us imagine that sufficiently good software and networks can be completely safe. Because of this attitude, many users get angry when the machines or services they use turn out to be vulnerable to attack. After all, if we can design a safe car, why not a safe phone? Isn't it just a matter of getting the tech and science right?

But Parisa Tabriz told me via email that you can't look at information security that way. Tabriz is the engineer who heads Google's Chrome security team, and she believes that information security is more like medicine — a bit of art and science — rather than pure science. That's because our technology was built by humans, and is being exploited by humans with very unscientific motivations. She writes:

I think information security is a lot like medicine — it's both an art and science. Maybe this is because humans have explicitly built technology and the internet. We assume we should be able to built them perfectly, but the complexity of what we've built and now hope to secure almost seems impossible. Securing it would require us to have zero bugs, and that means that the economics are not on the side of the defenders. The defenders have to make sure there are zero bugs in all software they use or write (typically many millions of lines of code if you consider the operating system too), whereas the attacker only has to find one bug.

There will always be bugs in software. Some subset of those bugs will have security impact. The challenge is figuring out which ones to spend resources on fixing, and a lot of that is based on presumed threat models that probably would benefit from more insight into people's motivations, like crime, monitoring, etc.


RAND Corporation computer security researcher Lillian Ablon emailed me to say that there is simply no such thing as a completely secure system. The goal for defenders is to make attacks expensive, rather than impossible:

With enough resources, there is always a way for an attacker to get in. You may be familiar with the phrase "it's a matter of when, not if," in relation to a company getting hacked/breached. Instead, the goal of computer security is to make it expensive for the attackers (in money, time, resources, research, etc.).

4. Every website and app should use HTTPS

You've heard every rumor there is to hear about HTTPS. It's slow. It's only for websites that need to be ultra-secure. It doesn't really work. All wrong. The Electronic Frontier Foundation's Peter Eckersley is a technologist who has been researching the use of HTTPS for several years, and working on the EFF's HTTPS Everywhere project. He says that there's a dangerous misconception that many websites and apps don't need HTTPS. He emailed to expand on that:

Another serious misconception is website operators, such as newspapers or advertising networks, thinking "because we don't process credit card payments, our site doesn't need to be HTTPS, or our app doesn't need to use HTTPS". All sites on the Web need to be HTTPS, because without HTTPS it's easy for hackers, eavesdroppers, or government surveillance programs to see exactly what people are reading on your site; what data your app is processing; or even to modify or alter that data in malicious ways.

Eckersley has no corporate affiliations (EFF is a nonprofit), and thus no potential conflict of interest when it comes to promoting HTTPS. He's just interested in user safety.

5. The cloud is not safe — it just creates new security problems

Everything is cloud these days. You keep your email there, along with your photos, your IMs, your medical records, your bank documents, and even your sex life. And it's actually safer there than you might think. But it creates new security problems you might not have thought about. Security engineer Leigh Honeywell works for a large cloud computing company, and emailed me to explain how the cloud really works. She suggests that you begin thinking about it using a familiar physical metaphor:

Your house is your house, and you know exactly what the security precautions you've taken against intruders are - and what the tradeoffs are. Do you have a deadbolt? An alarm system? Are there bars on the windows, or did you decide against those because they would interfere with your decor?

Or do you live in an apartment building where some of those things are managed for you? Maybe there's a front desk security person, or a key-card access per floor. I once lived in a building where you had to use your card to access individual floors on the elevator! It was pretty annoying, but it was definitely more secure. The security guard will get to know the movement patterns of the residents, will potentially (though not always, of course!) recognize intruders. They have more data than any individual homeowner.


Putting your data in the cloud is sort of like living in that secure apartment building. Except weirder. Honeywell continued:

Cloud services are able to correlate data across their customers, not just look at the ways an individual is being targeted. You may not [control access to the place where] your data is being stored, but there's someone at the front desk of that building 24/7, and they're watching the logs and usage patterns as well. It's a bit like herd immunity. A lot of stuff jumps out at [a defender] immediately: here's a single IP address logging into a bunch of different accounts, in a completely different country than any of those accounts have been logged into from ever before. Oh, and each of those accounts received a particular file yesterday — maybe that file was malicious, and all of those accounts just got broken into?

But if it's a more targeted attack, the signs will be more subtle. When you're trying to defend a cloud system, you're looking for needles in haystacks, because you just have so much data to handle. There's lots of hype about "big data" and machine learning right now, but we're just starting to scratch the surface of finding attackers' subtle footprints. A skilled attacker will know how to move quietly and not set off the pattern detection systems you put in place.


In other words, some automated attack methods become blatantly obvious in a cloud system. But it also becomes easier to hide. Honeywell says that users need to consider the threats they're seriously worried about when choosing between a cloud service and a home server:

Cloud services are much more complex systems than, say, a hard drive plugged into your computer, or an email server running in your closet. There are more places that things can go wrong, more moving parts. But there are more people maintaining them too. The question folks should ask themselves is: would I be doing a better job running this myself, or letting someone with more time, money, and expertise do it? Who do you think of when you think about being hacked — is it the NSA, random gamer assholes, an abusive ex-partner? I ran my own email server for many years, and eventually switched to a hosted service. I know folks who work on Gmail and Outlook.com and they do a vastly better job at running email servers than I ever did. There's also the time tradeoff — running an email server is miserable work! But for some people it's worth it, though, because NSA surveillance really is something they have worry about.

6. Software updates are crucial for your protection

There are few things more annoying in life than the little pop-up that reminds you that updates are required. Often you have to plug your device in, and the updates can take a really long time. But they are often the only thing that stands between you and being owned up by a bad guy. Cisco's O'Donnell said:

Those software update messages are [not] there just to annoy you: The frequency of software updates is driven less by new software features and more because of some very obscure software flaw that an attacker can exploit to gain control of your system. These software patches fix issues that were publicly identified and likely used in attacks in the wild. You wouldn't go for days without cleaning and bandaging a festering wound on your arm, would you? Don't do that to your computer.

7. Hackers are not criminals

Despite decades of evidence to the contrary, most people think of hackers as the evil adversaries who want nothing more than to steal their digital goods. But hackers can wear white hats as well as black ones — and the white hats break into systems in order to get there before the bad guys do. Once the vulnerabilities have been identified by hackers, they can be patched. Google Chrome's Tabriz says simply:

Also, hackers are not criminals. Just because someone knows how to break something, doesn't mean they will use that knowledge to hurt people. A lot of hackers make things more secure.

O'Donnell emphasizes that we need hackers because software alone can't protect you. Yes, antivirus programs are a good start. But in the end you need security experts like hackers to defend against adversaries who are, after all, human beings:

Security is less about building walls and more about enabling security guards. Defensive tools alone can't stop a dedicated, well resourced attacker. If someone wants in bad enough, they will buy every security tool the target may have and test their attacks against their simulated version of the target's network. Combatting this requires not just good tools but good people who know how to use the tools.

RAND's Ablon adds that malicious hackers are rarely the threat they are cracked up to be. Instead, the threat may come from people you don't suspect — and their motivations may be far more complicated than mere theft:

A lot of the time an internal employee or insider is just as big of a threat, and could bring a business to its knees – intentionally or inadvertently. Furthermore, there are distinct types of external cyber threat actors (cybercriminals, state-sponsored, hacktivists) with different motivations and capabilities. For example, the cybercriminals who hacked into Target and Anthem had very different motivations, capabilities, etc. than those of the state-sponsored actors who hacked into Sony Pictures Entertainment.

8. Cyberattacks and cyberterrorism are exceedingly rare
As many of the experts I talked to said, your biggest threat is somebody breaking into your accounts because you have a crappy password. But that doesn't stop people from freaking out with fear over "cyberattacks" that are deadly. Ablon says that these kinds of attacks are incredibly unlikely:

Yes, there are ways to hack into a vehicle from anywhere in the world; yes, life-critical medical devices like pacemakers and insulin pumps often have IP addresses or are enabled with Bluetooth – but often these types of attacks require close access, and exploits that are fairly sophisticated requiring time to develop and implement. That said, we shouldn't be ignoring the millions of connected devices (Internet of Things) that increase our attack surface.

Basically, many people fear cyberattacks for the same reason they fear serial killers. They are the scariest possible threat. But they are also the least likely.

As for cyberterrorism, Ablon writes simply, "Cyberterrorism (to date) does not exist ... what is attributed to cyberterrorism today, is more akin to hacktivism, e.g., gaining access to CENTCOM's Twitter feed and posting ISIS propaganda."

9. Darknet and Deepweb are not the same thing

Ablon writes that one of the main problems she has with media coverage of cybercrime is the misuse of the terms "Darknet" and "Deepweb."

She explains what the terms really mean:

The Deepweb refers to part of the Internet, specifically the world wide web (so anything that starts www) that isn't indexed by search engines (so can't be accessed by Google). The Darknet refers to non-"www" networks, where users may need separate software to access them. For example, Silk Road and many illicit markets are hosted on [Deepweb] networks like I2P and Tor.

So get a password vault, use two-factor auth, visit only sites that use HTTPS, and stop worrying about super intricate cyber attacks from the Darknet. And remember, hackers are here to protect you — most of the time, anyway.​
 

Stranger

How big is infinity?
Joined
Aug 15, 2010
Messages
7,182
Name
Hugh
Facts About Computer Security That Experts Are Glad You Do Not Know

  • Silicon Valley companies regularly hire incompetent computer programmers who make rookie mistakes that leave their customer's data exposed to attack.
  • Silicon Valley entrepreneurs are generally arrogant, and believe that they won't be hacked, or simply care more about growth than they do about data breaches.
 

Prime Time

PT
Moderator
Joined
Feb 9, 2014
Messages
20,922
Name
Peter
  • Thread Starter Thread Starter
  • #3
Facts About Computer Security That Experts Are Glad You Do Not Know

  • Silicon Valley companies regularly hire incompetent computer programmers who make rookie mistakes that leave their customer's data exposed to attack.
  • Silicon Valley entrepreneurs are generally arrogant, and believe that they won't be hacked, or simply care more about growth than they do about data breaches.

I'm typing this from a Linux operating system and am glad I left Microsoft behind. But this pc is so damn slow that I'm getting ready to buy a new one and all the ones I've looked at are loaded with Windows 8, yikes! It's mindboggling that Microsoft would build an OS that needs constant updates and is bloated with so much crap.
 

Stranger

How big is infinity?
Joined
Aug 15, 2010
Messages
7,182
Name
Hugh
I'm typing this from a Linux operating system and am glad I left Microsoft behind. But this pc is so damn slow that I'm getting ready to buy a new one and all the ones I've looked at are loaded with Windows 8, yikes! It's mindboggling that Microsoft would build an OS that needs constant updates and is bloated with so much crap.
I only buy old Lenovo workhorses. I swap out the drives for 10K RPM ones, upgrade the RAM, and load Ubuntu. I instantly have an awesome & fast workhorse. And the old Lenovo's are never more than $500, and they're are plenty of great ones coming off of 4-to-5yr biz leases.
 

iced

Well-Known Member
Joined
Jan 12, 2013
Messages
6,620
I'm typing this from a Linux operating system and am glad I left Microsoft behind. But this pc is so damn slow that I'm getting ready to buy a new one and all the ones I've looked at are loaded with Windows 8, yikes! It's mindboggling that Microsoft would build an OS that needs constant updates and is bloated with so much crap.

you need constant updates because hackers constantly evolve

windows 7 is favorite OS,and i refuse to go to 8.

BTW I really agree with #5 from the original list - security nightmare.

I run Kali Linux off VMware on my desktop - but she's built for it. I-5, 32 gigs of ddr3.
 

Prime Time

PT
Moderator
Joined
Feb 9, 2014
Messages
20,922
Name
Peter
  • Thread Starter Thread Starter
  • #6
I only buy old Lenovo workhorses. I swap out the drives for 10K RPM ones, upgrade the RAM, and load Ubuntu. I instantly have an awesome & fast workhorse. And the old Lenovo's are never more than $500, and they're are plenty of great ones coming off of 4-to-5yr biz leases.

I was at a local computer place the other day where they build them for you. There was a Lenovo on display with a white keyboard. I've heard good things about them. There are lots of refurbished pc's on sale but I would prefer something new.

While I was able to follow the simple instructions and swap Windows XP for Linux, the thought of swapping out drives and updating RAM is over my head.
 

Stranger

How big is infinity?
Joined
Aug 15, 2010
Messages
7,182
Name
Hugh
I was at a local computer place the other day where they build them for you. There was a Lenovo on display with a white keyboard. I've heard good things about them. There are lots of refurbished pc's on sale but I would prefer something new.

While I was able to follow the simple instructions and swap Windows XP for Linux, the thought of swapping out drives and updating RAM is over my head.
It's unbelievably easy. Lenovo has step-by-step instructions online, and their are usually videos available. If you can use a screwdriver, then you can do this :)

My X61 is as small as tiny business laptops that typically cost upwards of $1500, but I paid $195 for it. I think my new drive was $90 and RAM was another $65. I also bought a docking station for it - another $40. And now I have a great tiny travel machine that I don't think it's possible to break. Perhaps the only downside is that the screen res isn't as good as the new stuff.

6163-IMG0502s.jpg


My T410 cost $500 after it came-off a 1yr lease. It was like new. I just upgraded the RAM on it, as the drive was fine. It's my daily driver, and I wouldn't trade it for any of the new junk out there.

1283152357_345097651_o.jpg


Just fantastic robust machines. Drop a cup of coffee on the keyboard and watch it pour out the bottom and keep on running. Friends of mine took an old one and put it under the faucet to see if they could kill it while it was on, and the water just went thru the drain holes and the insides stayed dry. I'm telling ya, the older ones, pre circa 2012, are the best machines ever built. I wouldn't get any of the newer ones with the Chicklet keyboards, as I think that's when they started to go down hill, say post T420 series.
 

Stranger

How big is infinity?
Joined
Aug 15, 2010
Messages
7,182
Name
Hugh
Oh, and I bought new batteries for each machine after a couple of years - they were approx $75 each. The extra long life batteries were a bit more expensive, and I didn't want to carry the extra weight.

Here's a link to the Lenovo Outlet store
http://outlet.lenovo.com/outlet_us/

I bought my stuff off of ebay & craigslist, but if you're not comfortable with that, then I recommend the Outlet store
 

Stranger

How big is infinity?
Joined
Aug 15, 2010
Messages
7,182
Name
Hugh
Wow, an X230 New for $504. I'm tempted.
http://outlet.lenovo.com/outlet_us/itemdetails/2325X05/445

I guess the X-series started introducing the Chicklet keyboard after the 230-series, as it looks like this one has the conventional keyboard.

Here's a video of a guy explaining the diffs in the classic v modern lenovo laptop design

 
Last edited:

Prime Time

PT
Moderator
Joined
Feb 9, 2014
Messages
20,922
Name
Peter
  • Thread Starter Thread Starter
  • #10
If you can use a screwdriver, then you can do this

And there's my problem. :snicker:

I'm currently shopping for a pc that can handle all the plugins I use for recording music with my DAW(Digital Audio Workstation). My old Acer, on which I record music, causes too many latency and stuttering problems and the RAM is maxed out.

I need a minimum of 3.5 Ghz, 8 Gb of RAM and lots of free disc space. Thanks for the link I will research that today.
 

Stranger

How big is infinity?
Joined
Aug 15, 2010
Messages
7,182
Name
Hugh
Nope, I was wrong, the X230 does have the Chicklet keyboard. If that doesn't bother you, than this is an amazing price. I just prefer the older style keyboard and don't like the chassis design changes they made when they introduced the new keyboard style in the 30 series.

65145.jpg
 

Stranger

How big is infinity?
Joined
Aug 15, 2010
Messages
7,182
Name
Hugh
And there's my problem. :snicker:

I'm currently shopping for a pc that can handle all the plugins I use for recording music with my DAW(Digital Audio Workstation). My old Acer, on which I record music, causes too many latency and stuttering problems and the RAM is maxed out.

I need a minimum of 3.5 Ghz, 8 Gb of RAM and lots of free disc space. Thanks for the link I will research that today.
Then I'd either go desktop or the Lenovo T500 series, which is their multimedia laptop with the super hi-res 15" screen.
http://outlet.lenovo.com/outlet_us/itemdetails/20BEX004US/445
 

iced

Well-Known Member
Joined
Jan 12, 2013
Messages
6,620
And there's my problem. :snicker:

I'm currently shopping for a pc that can handle all the plugins I use for recording music with my DAW(Digital Audio Workstation). My old Acer, on which I record music, causes too many latency and stuttering problems and the RAM is maxed out.

I need a minimum of 3.5 Ghz, 8 Gb of RAM and lots of free disc space. Thanks for the link I will research that today.

Are we talking desktop, laptop,or all in one?

Why the assumption of 3.5 ghz?Audio editing isn't quite as lucrative as video editing i think

8 gigs of ram is the bare minimum you should buy for desktops today, imo. I actually saw over the weekend 16 gigs for $60 on newegg.

Replacing Ram is literally as simple as swapping out chips.

Hard drive isn't hard either. There's only thing 2 things that connect to it - a power cable from the power supply, and a cable from the motherboard
 

Stranger

How big is infinity?
Joined
Aug 15, 2010
Messages
7,182
Name
Hugh
Here's a quick overview of the T520, which is the last in the T5xx series to have the classic design.

 

Angry Ram

Captain RAmerica Original Rammer
Joined
Jul 1, 2010
Messages
18,000
If you go to shady sites or download illegally, expect to get malware and viruses.

You have to blame people too who don't know what they are doing, instead of automatically blaming the machine or Microsoft. And you'd be shocked at how many people don't know how to operate a computer.
 

VegasRam

Give your dog a hug.
Rams On Demand Sponsor
Joined
Sep 7, 2011
Messages
3,930
Name
Doug
Wow, an X230 New for $504. I'm tempted.
http://outlet.lenovo.com/outlet_us/itemdetails/2325X05/445

I guess the X-series started introducing the Chicklet keyboard after the 230-series, as it looks like this one has the conventional keyboard.

Here's a video of a guy explaining the diffs in the classic v modern lenovo laptop design



Stranger - I need a laptop, and have always heard good things about Lenovo/Thinkpads, and trust your opinion.
Went to their outlet store from your link, and now am lost, i.e., there's L,X,S T,E designations plus all the various different numbers.
Would you be so kind as to make a short list of the specific Letter/Number units you would buy?
Cost is always important, but not a huge issue. Thanks.
 

iced

Well-Known Member
Joined
Jan 12, 2013
Messages
6,620
If you go to shady sites or download illegally, expect to get malware and viruses.

You have to blame people too who don't know what they are doing, instead of automatically blaming the machine or Microsoft. And you'd be shocked at how many people don't know how to operate a computer.

no offense but there is a lot of irony in this statement

you can avoid malware and viruses, as well as letters from your ISP
 

iced

Well-Known Member
Joined
Jan 12, 2013
Messages
6,620
Stranger - I need a laptop, and have always heard good things about Lenovo/Thinkpads, and trust your opinion.
Went to their outlet store from your link, and now am lost, i.e., there's L,X,S T,E designations plus all the various different numbers.
Would you be so kind as to make a short list of the specific Letter/Number units you would buy?
Cost is always important, but not a huge issue. Thanks.

what are you using your laptop for?
 

Stranger

How big is infinity?
Joined
Aug 15, 2010
Messages
7,182
Name
Hugh
Stranger - I need a laptop, and have always heard good things about Lenovo/Thinkpads, and trust your opinion.
Went to their outlet store from your link, and now am lost, i.e., there's L,X,S T,E designations plus all the various different numbers.
Would you be so kind as to make a short list of the specific Letter/Number units you would buy?
Cost is always important, but not a huge issue. Thanks.
Give me a brief overview of what's important to you, and then I'll do my best ;)

For example, do you want a super hi res screen and great graphics card so you can watch HD movies? Do you want a big screen, or do you want small lightweight that you can easily travel with? Other considerations?