10 Exceptional Reader Questions

February 20, 2013

This site is no longer being maintained so anything below could still be accurate, or very outdated.

A few weeks ago I celebrated tSc’s one year anniversary (on the couch, alone...with a bag of Ghirardelli squares) and I thought it a good idea to hunt down the best questions I’ve been asked by readers over the past year. After some further procrastination, here they are. Hey, it’s the thought that counts.

Q: Should I really be using an antivirus?

I stand mainly in the no-AV corner but of course with a few exceptions (this person was using Windows 7 at home). There are enough options available these days that negate the need and surpass the capabilities of a real-time antivirus program with link scanners, mail scanners, cloud integration, threat level modulators and other such bloat. Not to mention leasing prices and nearly unrestricted system access.

Windows is capable of more security heavy lifting than many are privy to and I place more value in the hardcoded kernel-level policies than most 3rd party applications, plus this is one area where a little common sense goes a long way. FYI, Windows 8 and up do repackage Microsoft Security Essentials as Windows Defender so in that case, you do get a decent realtime AV out of the box.

Here’s an outline for success you should start with:

Whenever possible, go for a 64-bit install of Windows to take advantage of hardware-level data execution prevention, digitally signed device drivers and more memory space available for ASLR. The account you create when you install Windows will be your administrator account and rarely used so go ahead and harden but don’t bother with personalization. Next make a standard user account for your everyday activities. Because a standard account needs administrative privileges to do anything outside your restricted area (meaning, you enter the admin password), it’s more difficult to run malicious software and damage system files.

Install EMET (which requires .NET framework, your call). Use EMET's all.xml profile and keep up with the "important" Windows updates. At minimum, disable AutoPlay/AutoRun for USB devices. Google Chrome with an ad blocker is the easiest starting place for browser security. If you want Firefox with NoScript, that's more powerful but less convenient and even Internet Explorer can be reasonably hardened with some extra steps.

Google Safe Browsing (in Chrome, Firefox & Opera) and IE’s SmartScreen Filter are enabled by default if you want constant URL scanning. If you choose to use Internet Explorer, go to Control Panel > Internet Options and click the Security tab. Bump up the security level slider to Medium-High for the Trusted sites and Local intranet zones unless you have a specific reason not to (this affects Windows Media Player too). Then switch on Protected Mode for each zone and Enhanced Protected Mode in the Advanced tab. That's important, and so is NOT installing Java plugins.

Commence further system hardening by disabling unneeded Windows services, setting all networks to Public and only sharing the specific devices and folders needed. The result is Windows security which is effective, free, light on resources and easy to deal with. Again, not acting a fool helps too.

If you want to spice things up a bit, you can use an application firewall with intrusion protection. Check out Comodo Firewall or Online Armor for that. You could also consider running your browser and other internet-facing programs in Sandboxie. Does all this mean you can't ever get hacked or infected? Of course not but you'll never remove that possibility entirely.
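The outline above is a checklist, so here is a way to audit a machine against it. This is an added example, not code from the original post: a read-only PowerShell script that reports whether the install is 64-bit, whether the account in use is a standard user, whether AutoRun is off, the IE zone levels and Protected Mode state, the Windows Update setting and the network profile categories. The registry paths and values are the standard Windows and IE ones; the JavaSoft key is my assumption about where a Java runtime registers itself. Run it from the everyday (standard) account.

```powershell
# Added example, not from the original post: read-only audit of the hardening outline.
# Registry paths/values are the standard Windows and IE ones; the JavaSoft key check
# is an assumption about where a Java runtime registers itself.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null instead of throwing when the key or value is absent
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    New-Object PSObject -Property @{
        Check  = $Check
        Status = $(if ($Ok) { 'OK' } else { 'FIX' })
        Detail = $Detail
    }
}

function Test-HardeningOutline {
    $f  = @()
    $os = Get-WmiObject Win32_OperatingSystem
    $f += New-Finding '64-bit Windows' ($os.OSArchitecture -like '64*') $os.OSArchitecture

    # DEP policy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut
    $dep = [int]$os.DataExecutionPrevention_SupportPolicy
    $f += New-Finding 'DEP not switched off' ($dep -ne 0) "DataExecutionPrevention_SupportPolicy = $dep"

    # whoami still lists Administrators (S-1-5-32-544) when UAC has filtered the token,
    # which is the question here: is an admin account being used for everyday work?
    $isAdmin = [bool](whoami /groups | Select-String -SimpleMatch 'S-1-5-32-544' -Quiet)
    $f += New-Finding 'Everyday account is a standard user' (-not $isAdmin) "running as $env:USERNAME"

    # NoDriveTypeAutoRun = 0xFF (255) disables AutoRun for every drive type
    $pol   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $autoM = Get-RegValue "HKLM:\$pol" NoDriveTypeAutoRun
    $autoU = Get-RegValue "HKCU:\$pol" NoDriveTypeAutoRun
    $f += New-Finding 'AutoRun disabled for all drive types' (($autoM -eq 255) -or ($autoU -eq 255)) "NoDriveTypeAutoRun HKLM=$autoM HKCU=$autoU"

    # IE zones: 1 = Local intranet, 2 = Trusted sites, 3 = Internet.
    # CurrentLevel 0x11500 = Medium-High, 0x12000 = High; value "2500" = Protected Mode (0 on, 3 off)
    $zones = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet' }
    foreach ($z in 1, 2, 3) {
        $key   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$z"
        $level = [int](Get-RegValue $key CurrentLevel)
        $pm    = Get-RegValue $key '2500'
        $f += New-Finding "IE $($zones[$z]) zone at Medium-High or above" ($level -ge 0x11500) ('CurrentLevel = 0x{0:X}' -f $level)
        $f += New-Finding "IE $($zones[$z]) zone Protected Mode on" ($pm -eq 0) $(if ($pm -eq $null) { '2500 unset (IE default applies)' } else { "2500 = $pm" })
    }
    # Enhanced Protected Mode (IE10+): Isolation = PMEM when on, PMIL when off
    $iso = Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' Isolation
    $f += New-Finding 'IE Enhanced Protected Mode on' ($iso -eq 'PMEM') "Isolation = $iso"

    # A JRE registers itself under JavaSoft (assumption); presence means a browser plugin is likely
    $jre = (Test-Path 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment') -or
           (Test-Path 'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment')
    $f += New-Finding 'No Java runtime (so no Java browser plugin)' (-not $jre) $(if ($jre) { 'JRE key present; check the browser plugin list' } else { 'none found' })

    # AUOptions 4 = download and install automatically; a policy value overrides the local one
    $au = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' AUOptions
    if ($au -eq $null) { $au = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' AUOptions }
    $f += New-Finding 'Windows Update installs automatically' ($au -eq 4) "AUOptions = $au"

    # Network profile Category: 0 = Public, 1 = Private, 2 = Domain (key is often readable only when elevated)
    try {
        foreach ($prof in Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles' -ErrorAction Stop) {
            $p = Get-ItemProperty $prof.PSPath
            $f += New-Finding "Network '$($p.ProfileName)' set to Public" ($p.Category -ne 1) "Category = $($p.Category)"
        }
    } catch {
        $f += New-Finding 'Network profiles' $false 'could not read NetworkList (rerun elevated to check)'
    }
    $f
}

Test-HardeningOutline | Format-Table Check, Status, Detail -AutoSize
```

The script changes nothing; every row marked FIX points at a setting from the outline that is still at a weaker value. Services, the ad blocker and EMET's per-application settings are judgment calls and are left to you.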

* * * * *

Now what about people who constantly exchange files over USB? Here you would want something scanning every storage device connected to the computer. But even if realtime scanning isn't needed, it's certainly not a bad idea to keep one or two basic on-demand antivirus and malware scanners of your choice. Their purpose would be to scan files you download and receive from other people and if you wanted to go all out, a Linux live CD/USB can do malware scanning, data recovery and other useful forensics.

Many on-demand malware scanners are free. They can still auto-update definitions and give you a right-click menu entry but some have nag popups and other reminders to buy the premium version. Avast, ClamWin, Hitman Pro, Malwarebytes and SuperAntiSpyware are some which won’t bother you often or try to install extra junk like toolbars and search engines. Another option is to use an upload service like VirusTotal to check your sketchy files.

While it’s not too far off topic, I must stress: backups, backups, backups. And just in case you missed that—BACKUPS. Yes, it’s that important. If you have a clean system image and your personal data duplicated safely on an external non-networked drive (even stashed on Dropbox is better than nothing), recovering your computer from a malware infection is but an inconvenience. To craft your system images, I suggest Clonezilla.

So to answer the question: If you think using an antivirus program or suite would be useful, whatever works for you.

Q: How do I spoof my ip address?

You don’t "spoof" an IP address like you can fake a MAC address or user agent string. Your internet service provider assigns your IP address, not you or anything on your computer. It is possible to force your computer to appear as a specific source IP but that’s a one way street. Responses sent to the faked IP won’t be received and that’s if those requests aren’t immediately dropped by whatever you’re attempting to connect to.

By redirecting your internet traffic through one kind of proxy server or another, you can change the IP address which is viewable to websites and services you use. This can be a simple VPN or can be a complicated chain of elite proxies and 'darknet' protocols like I2P or Tor. Using any of these safely requires learning a bit about how they work, although the Tor Browser Bundle is by far the easiest way to get up and running quickly.

Wilders Security Forums is one of the best resources available for VPN advice and recommendations. There are free VPN services but (giving them the benefit of the doubt that they're not honeypots) they’re intended as trials for a paid service, so they’re limited by speed and/or data caps. Watch out, though: some are downright suspicious. When selecting a VPN, things to be aware of are the country in which the company and their servers are located, available payment methods, traffic logging policies and most of all, experiences of other users.

When choosing a proxy server, always use what’s called an elite proxy, sometimes referred to as a high-anonymity proxy. Elite proxies don't include your originating IP address in the HTTP headers. Proxy servers blip into and out of existence quickly so you may need to spend a few minutes searching for one that works. Here are some aggregate sites to get you started: [1], [2], [3].
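To make the transparent/anonymous/elite distinction concrete, here is the server-side view: what a web server can learn from the request headers it receives. This is an added example, not code from the original post; the header names are the common de-facto ones and the three requests are constructed (RFC 5737 addresses), not captured traffic.

```powershell
# Added example, not from the original post: classify a proxied request from the
# headers a web server sees. Sample requests are constructed.

# Headers that can carry the originating client's address
$script:ClientIpHeaders = 'X-Forwarded-For', 'X-Real-IP', 'Client-IP', 'X-Client-IP', 'True-Client-IP', 'Forwarded'
# Headers whose mere presence says "a proxy handled this"
$script:ProxyTellHeaders = 'Via', 'Proxy-Connection', 'X-Proxy-ID', 'Forwarded', 'X-Forwarded-For'

function Get-ProxyAnonymity([hashtable]$Headers, [string]$PeerAddress) {
    $leaked = @()
    $tells  = @()
    foreach ($name in $Headers.Keys) {
        $value = [string]$Headers[$name]
        if ($ClientIpHeaders -contains $name) {
            # Pull every IPv4 literal out of the value ("a, b" chains, "for=a;proto=http" forms)
            foreach ($m in [regex]::Matches($value, '\d{1,3}(?:\.\d{1,3}){3}')) {
                if ($m.Value -ne $PeerAddress) { $leaked += $m.Value }
            }
        }
        if ($ProxyTellHeaders -contains $name) { $tells += $name }
    }
    if ($leaked.Count -gt 0) {
        return New-Object PSObject -Property @{ Level = 'transparent'; Detail = "originating address visible: $($leaked -join ', ')" }
    }
    if ($tells.Count -gt 0) {
        return New-Object PSObject -Property @{ Level = 'anonymous'; Detail = "proxy use disclosed by: $($tells -join ', ')" }
    }
    New-Object PSObject -Property @{ Level = 'elite'; Detail = 'no proxy headers; the server sees only the proxy address' }
}

# Constructed requests: the proxy at 203.0.113.10 is the TCP peer; the client is 198.51.100.7
$samples = @(
    @{ Name = 'transparent proxy'; Peer = '203.0.113.10'; Headers = @{ 'Host' = 'example.test'; 'Via' = '1.1 proxy1'; 'X-Forwarded-For' = '198.51.100.7, 203.0.113.10' } },
    @{ Name = 'anonymous proxy';   Peer = '203.0.113.10'; Headers = @{ 'Host' = 'example.test'; 'Via' = '1.1 proxy1'; 'X-Forwarded-For' = '203.0.113.10' } },
    @{ Name = 'elite proxy';       Peer = '203.0.113.10'; Headers = @{ 'Host' = 'example.test'; 'User-Agent' = 'Mozilla/5.0' } }
)
foreach ($s in $samples) {
    $r = Get-ProxyAnonymity -Headers $s.Headers -PeerAddress $s.Peer
    '{0,-18} -> {1,-11} {2}' -f $s.Name, $r.Level, $r.Detail
}
```

The first request leaks the client address outright, the second admits a proxy is in the path without naming the client, and the third is indistinguishable from a direct connection from the proxy's address. That last case is the only one that deserves the "elite" label, and it is also why a site that wants to know cannot tell from headers alone.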

Q: What browser is best for privacy and security?

Simply put: Chrome is currently the most secure and Firefox has the greatest potential for privacy.

The longer answer is much more tedious and debatable. No browser is invincible: all have fallen to in-the-wild exploits and to talented hackers at conferences, and all of them do and will continue to have 0-day attacks. For security, I always look first to built-in mitigation techniques because they literally are default settings which require no user input. Of the built-in features like support for DEP, ASLR and stack cookies, process isolation (sandboxing) is a big security benefit but not as evenly distributed among the current top browsers, so let’s focus on that. And yes, this is only scratching the surface.

Chromium based browsers sandbox just about everything—extensions, renderers, gpu acceleration, Flash and Chrome’s pdf viewer (but not all plugins), and then of course the tabs and broker process too. In Windows Vista and later, all Chrome processes run at the untrusted integrity level, except for the broker process and Native Client which are medium integrity. You can confirm the integrity level of any Windows process by using Process Explorer from Microsoft (free).

The tradeoff for this is that Chromium based browsers use huge amounts of RAM compared to others. In Linux, Chromium’s privilege levels are more complicated. The broker process has SUID privilege, which adheres to a policy of discretionary access control, while other browser processes run in user-owned chroot jails. From Apple OS X 10.5 and up, Chromium processes run restricted in Seatbelt sandboxes for mandatory access control.

Microsoft refers to sandboxing in Internet Explorer versions 7-9 as Protected Mode and then there’s Enhanced Protected Mode for IE 10+. Internet Explorer and Apple Safari (5.1 and up) separate tab processes from the main broker process. However, included in each tab process are all plugins, extensions, HTML & JavaScript renderers so IE and Safari aren’t as thorough in their isolation as Chromium browsers. Internet Explorer’s tab processes run at low integrity (or in AppContainer for Windows 8 IE Modern) and the broker process at medium.

From Firefox 3.6.4 and Opera 12, both browsers use what’s called Out of Process Plugins (OOPP), meaning they separate browser plugins from the browser itself, but that’s all. Tabs, extensions and everything else are contained in the one browser process, and OOPPs are more for ensuring stability than security. Except for Flash, Firefox’s processes run at medium integrity and Opera’s are all medium. Safari, Firefox & Opera all run at user level in OS X/Linux.
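If you would rather check the integrity levels described above yourself than take Process Explorer's word for it, here is a way to read them straight from each process token. This is an added example, not code from the original post; it uses documented Win32 calls through Add-Type and assumes Windows Vista or later and that you can open the target processes (your own browser processes qualify, so run it as the user the browser is running as).

```powershell
# Added example, not from the original post: print the integrity level of running
# browser processes by reading TokenIntegrityLevel from each process token.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr info, int length, out int needed);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr handle);
}
"@

function ConvertTo-IntegrityName([int]$Rid) {
    # The last sub-authority of the S-1-16-x label SID is the level
    switch ($Rid) {
        0x0000  { 'Untrusted' }
        0x1000  { 'Low' }
        0x2000  { 'Medium' }
        0x2100  { 'Medium Plus' }
        0x3000  { 'High' }
        0x4000  { 'System' }
        default { 'unknown (0x{0:X})' -f $Rid }
    }
}

function Get-ProcessIntegrityLevel([System.Diagnostics.Process]$Process) {
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $TOKEN_QUERY = 0x0008
    $TokenIntegrityLevel = 25   # TOKEN_INFORMATION_CLASS value
    $marshal = [System.Runtime.InteropServices.Marshal]

    $h = [TokenNative]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $Process.Id)
    if ($h -eq [IntPtr]::Zero) { return 'access denied' }
    [IntPtr]$tok = [IntPtr]::Zero
    try {
        if (-not [TokenNative]::OpenProcessToken($h, $TOKEN_QUERY, [ref]$tok)) { return 'access denied' }
        [int]$size = 0
        # First call only reports the buffer size needed for TOKEN_MANDATORY_LABEL
        [void][TokenNative]::GetTokenInformation($tok, $TokenIntegrityLevel, [IntPtr]::Zero, 0, [ref]$size)
        $buf = $marshal::AllocHGlobal($size)
        try {
            if (-not [TokenNative]::GetTokenInformation($tok, $TokenIntegrityLevel, $buf, $size, [ref]$size)) { return 'query failed' }
            $sid   = $marshal::ReadIntPtr($buf)                       # TOKEN_MANDATORY_LABEL.Label.Sid
            $count = $marshal::ReadByte([TokenNative]::GetSidSubAuthorityCount($sid))
            $rid   = $marshal::ReadInt32([TokenNative]::GetSidSubAuthority($sid, $count - 1))
            return ConvertTo-IntegrityName $rid
        } finally { $marshal::FreeHGlobal($buf) }
    } finally {
        if ($tok -ne [IntPtr]::Zero) { [void][TokenNative]::CloseHandle($tok) }
        [void][TokenNative]::CloseHandle($h)
    }
}

Get-Process 'chrome', 'iexplore', 'firefox', 'plugin-container' -ErrorAction SilentlyContinue |
    ForEach-Object {
        New-Object PSObject -Property @{ Name = $_.ProcessName; Pid = $_.Id; Integrity = (Get-ProcessIntegrityLevel $_) }
    } | Sort-Object Name, Pid | Format-Table Name, Pid, Integrity -AutoSize
```

On a Windows 7 box with Chrome open you should see one medium-integrity chrome.exe (the broker) and a set of Untrusted ones (renderers and other sandboxed children), while IE's tab processes show as Low and the Firefox main process as Medium, which is the picture the paragraphs above describe.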

Of course there are many other sides to browser security, but sandboxing for least-privileged processes currently throws up one of the largest obstacles to attacking the browser itself. If you want further reading, here’s a detailed report by Accuvant Labs (2011) on browser security implementations of Chrome, Internet Explorer and Firefox. (Note: It was funded by Google.) NSS Labs frequently conducts comparisons of browsers and other security products, worth spending some time reviewing. Last, here is a multi-year comparison of the top 5 browsers from the standpoint of public vulnerabilities and exploits.

* * * * *

Alright, so privacy. Believe it or not, these browsers are remarkably close when it comes to privacy but it would take an entire separate writeup to map out all the little differences. I can already hear you screaming, “But..but..Chrome’s installation ID!! Internet Explorer is...INTERNET EXPLORER!!”

Yeah but guess what, Mozilla Firefox has a unique update ID generated when it’s installed. This can be withheld from being sent to Mozilla by disabling automatic updates, but the ID still lives in your system. Not to be outdone, Internet Explorer has a unique product ID based on your Windows activation key. On top of that, Google Safe Browsing (used by Chromium and Firefox based browsers) and Internet Explorer’s SmartScreen Filter all generate unique identifiers of their own. Then there’s metrics data or customer experience opt-ins, which create a third.

Concerning Safari, I can find no documentation or mention on Apple’s website of identifiers in Safari for the desktop. Apple uses unique IDs in a lot of places (iOS, iTunes, Apple ID, etc.) so I’d be surprised if Safari does not have some kind of program ID, but I don’t know for sure. Opera seems to be without identifiers, too. Nothing is mentioned about would-be IDs in places you’d expect such as the community forum, privacy policy or knowledge base. Inquiries to Opera and Apple went unanswered.

I don’t want to harp too much on IDs, so moving on: you can disable malicious URL filtering, and all 5 browsers allow you to control the most effective way websites track you across the internet—cookies. This is far more severe a privacy issue than browser-generated identifiers. All 5 browsers also give you control over JavaScript, geolocation, plugins, popups, search engines and search suggestions. They have a private browsing mode and a Do Not Track setting. Internet Explorer doesn’t allow DNS prefetching to be disabled (Microsoft calls it pre-resolution) and both IE and Safari don’t natively allow any modification of browser referrers; you need an addon/extension for that.

Chromium based browsers can be fine-tuned with command-line switches for things like caching, user agent string and referrers. It’s Firefox which allows the finest control over the largest number of settings, and this is why I say it has the most potential for privacy. You have immense amounts of tweaking available in about:config, and opera:config is similar. Internet Explorer and Safari limit you to what’s available through the menus, but regardless of the browser, once you add some extensions or add-ons you open up many more options on both the privacy and security fronts. DuckDuckGo recently made a webpage of recommended extensions for each of the top browsers. It’s not at all complete, but a good starting point.

Q: Where are you from and what’s your background?

ERROR: Current version AI does not support ego.loopback.

Q: Should I use DD-WRT on my Linksys router or keep the normal firmware?

In a word: yes. Most people use a 3rd party firmware because they want features not offered in the native firmware, or want features that actually work. Whether this results in better stability or performance depends on the combination of router and firmware build. Here is a brief list of benefits DD-WRT can give you, most of which also apply to the other open source 3rd party firmwares like OpenWRT and Tomato. These firmwares would also exempt you from issues like Cisco’s Cloud Connect fiasco, the plethora of unpatched vulnerabilities in so many OEM router firmwares and other speculation about kill switches, backdoors & such things, so it is a security improvement.

If you’re set on using 3rd party firmware, then you must do your homework and buy a router for your firmware of choice; don't buy fancy cutting-edge equipment and then try to figure out what it works with. You will be disappointed. Besides, advancements in SOHO routers these days are minuscule, if not pure marketing, and 802.11ac still needs time to mature, let alone support from the surrounding infrastructure. DD-WRT, OpenWRT and Tomato mods all have lists or wikis of exactly which routers their builds work on.

For more info, check out DD-WRT’s forums (Hint: seek out the peacock thread), and sites like SmallNetBuilder and DSL Reports. If you want the super easy way, Buffalo and Netgear sell a few models with DD-WRT preinstalled, albeit a modified version, while FlashRouters sells a variety of models with DD-WRT and Tomato pre-installed and ready to use.

Q: Is there a Facebook page for your site?

No. I may make one, I may not. In the past I thought it almost hypocritical for a website half-centered on internet privacy to try reaching out to people through Facebook, a site notorious for all kinds of privacy and security risks, and generally encouraging the sheeple to continue sheeping.

But then I remembered that Facebook users willingly gave all their info to FB, señor Zuckerberg didn’t break into anyone’s house threatening to cover their pet chinchilla with peanut butter. So there is hope for a tSc page on Facebook, I just need to summon the will to do it.

Q: Do you have any tips to ease the process of migrating my small business to open source software?

This is an awesome question but not easy to answer knowing nothing about your business. As a general rule though, it would be wise to expect the unexpected. You likely will hit speedbumps along the way but the more thought put into planning, the smoother the migration will be. Have a clear vision of what you hope to accomplish by going open-source and where in your business you want to begin. Remember you’ve got to think about support; interacting with customers, outsourced services or other companies with your new software base, and maybe training employees.

By mixing a small amount of open source into your current software structure for a demo period, you’ll immediately experience the differences between the two sides and witness first-hand any points of friction. Realize that it may not be practical or even desirable for you to go full FOSS, so don’t be ashamed to keep one or two computers as dual boot or dedicated to Windows or OS X. Two out of 20 workstations is still both time and money saved. Take it slowly if you must, be sure to give employees plenty of heads up as to what’s going on, get A LOT of feedback and keep extra servings of patience around for their differences in speed of adaptation.

I know that’s a very general, one-size-fits-all answer, but so much hinges on your current software and how it’s used. If you do web searches like "LibreOffice vs MS Office" or "Active Directory on Linux", or whatever software you're looking for, you'll find many other people’s experiences on forums, personal blogs and other places.

Q: What logs do you keep?

Here’s how logging works for the_simple_computer. cPanel lets me look at the last 1000 site hits, which I have no control over—cPanel doesn’t allow this to be disabled. What’s a site hit, you ask? This means every GET request to a website: one for each image, each HTML & CSS file, any downloads I make available etc. cPanel’s recent 1000 hits associates each hit with an IP address, browser user agent string, timestamp (date & time) and referrer URL. This info is constantly being rotated out of the recent viewer queue as other people connect to the site.

Then there is server logging by the web host provider. This lists every IP, timestamp, user agent string and referrer in a text file for me to download (and technically, anyone with access to the server or connection) as a compressed archive. I delete these every month, or otherwise sooner when I’m logged in to the server. I have zero interest or reason to keep them but there’s no way to disable them with the limited access given by my shared hosting plan.

The next part of this is AWStats and Webalizer. They aggregate info such as the top countries visiting the site and from which network providers, most frequently viewed pages, most common user agent strings, top referring URLs, number of hits per day/hour/month and such things. Their websites have screenshots of what exactly the reports look like. They don't contain IP addresses or anything that can identify individual viewers, not even timestamps.

UPDATE Aug. 10: WordPress comments are now disabled for the entire site. 99% of it was spam so good riddance.
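To show what the raw host logs contain versus what an aggregate report keeps, here is a small AWStats-style roll-up of log lines in the common "combined" format that web hosts hand out. This is an added example, not code from the original post or from AWStats: it keeps only path, status, referrer host and user agent, and the IP address and timestamp are matched and then dropped, so the summary cannot point back at a visitor. The four log lines are constructed (RFC 5737 addresses and example.* names), not real visitor data.

```powershell
# Added example, not from the original post: AWStats-style summary of "combined"
# format log lines that discards the identifying fields. Sample lines are constructed.

$script:CombinedLogRegex = '^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+)[^"]*" (?<status>\d{3}) (?<bytes>\S+) "(?<referrer>[^"]*)" "(?<agent>[^"]*)"$'

function ConvertFrom-CombinedLog([string[]]$Lines) {
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $CombinedLogRegex)
        if (-not $m.Success) { continue }   # skip malformed lines rather than guess at them
        # ip and time are matched above but deliberately not copied out
        New-Object PSObject -Property @{
            Path     = $m.Groups['path'].Value
            Status   = [int]$m.Groups['status'].Value
            Referrer = $m.Groups['referrer'].Value
            Agent    = $m.Groups['agent'].Value
        }
    }
}

function Get-ReferrerHost([string]$Referrer) {
    if ($Referrer -eq '-' -or $Referrer -eq '') { return '(direct)' }
    try { ([uri]$Referrer).Host } catch { '(unparseable)' }
}

function Format-Counts($Items) {
    $Items | Group-Object | Sort-Object Count -Descending | ForEach-Object { '{0,4} x {1}' -f $_.Count, $_.Name }
}

function Get-LogSummary([string[]]$Lines) {
    $hits = @(ConvertFrom-CombinedLog $Lines)
    New-Object PSObject -Property @{
        Hits      = $hits.Count
        Errors    = @($hits | Where-Object { $_.Status -ge 400 }).Count
        Pages     = Format-Counts ($hits | ForEach-Object { $_.Path })
        Referrers = Format-Counts ($hits | ForEach-Object { Get-ReferrerHost $_.Referrer })
        Agents    = Format-Counts ($hits | ForEach-Object { $_.Agent })
    }
}

# Constructed sample log (RFC 5737 addresses, example.* hosts)
$SampleLog = @(
    '203.0.113.5 - - [20/Feb/2013:10:01:02 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"',
    '203.0.113.5 - - [20/Feb/2013:10:01:03 -0500] "GET /style.css HTTP/1.1" 200 812 "http://www.example.net/index.html" "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"',
    '198.51.100.23 - - [20/Feb/2013:10:04:17 -0500] "GET /index.html HTTP/1.1" 200 5120 "https://search.example.org/?q=antivirus" "Mozilla/5.0 (X11; Linux x86_64) Chrome/24.0.1312.70"',
    '198.51.100.23 - - [20/Feb/2013:10:04:18 -0500] "GET /missing.png HTTP/1.1" 404 209 "http://www.example.net/index.html" "Mozilla/5.0 (X11; Linux x86_64) Chrome/24.0.1312.70"'
)

$summary = Get-LogSummary $SampleLog
"Hits: $($summary.Hits)  (errors: $($summary.Errors))"
'Pages:';       $summary.Pages
'Referrers:';   $summary.Referrers
'User agents:'; $summary.Agents
```

Point the same functions at the archive the host gives you (`Get-Content access.log | Get-LogSummary`) and you get the counts without having to keep the per-visitor lines around afterwards.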

Q: Why don’t you ever write about Macs? You a hater?

Nah, not really. I recently manhandled a 2013 15″ MacBook Pro and there’s no escaping the immediate impression of the beautiful retina display and overall hardware quality. For me, that’s Apple’s primary appeal but high cost aside, Macs are a great ‘it just works’ solution for people who don’t care about computers.

I never do anything for Macs because I don’t own one, thus no access to the bare metal. The last Apple machines in my house actually said Macintosh on them.

Q: Will you start focusing on Windows 8 now that it’s available?

Nope, but at the moment I can’t think of anything I’ve done on this site in Windows 7 that wouldn’t work in Windows 8...maybe some plugin related things for browsers. Nonetheless, I won’t be changing from 7 because I don’t plan to spend the money on a Win 8 license or a new retail computer any time soon. I almost wish I'd jumped on the $30 offer in January but I'm not losing sleep over it.

For now I’ll continue doing the majority of my topics in Windows 7 and Ubuntu. If something needs distinguishing between Windows 7 and 8 or even XP, I’ll make that point. Who knows, maybe there will be occasional dabbling in Apple OS X. The possibilities are endless.
