My Take on Computer Security

[spainach_12]

I'm not surprised to read so much discussion on what's the best security setup for the computer. I've been interested on computer security for quite a considerable time especially if we take into account how fast technology evolves over the years. However, I never really did pursue it despite it being one of my passions. Hence, I humbly confess that I am no expert in computer security and I renounce all claims that reports such and likewise denounce all assumptions of such.

Nonetheless, I have had my fair share of experience and research on the subject and had devised a method -- if I may call it such -- of protecting myself and my data. Like many others here, I presume, I've been a victim of fraud and malware. Traumatized, I tried to develop the most efficient way of maintaining my privacy and ensuring the security of both my identity and personal data. In hopes of widening my views and improving my methods, I wish to share them with you and hopefully, gain from your insights.

Note: I'm only writing this down from the top of my head so there might be some things I'd fail to include. I'm doing this because I'm hoping to make a re-install and would like to draft my "methods" and more. I'll edit it from time to time.

1. No On-Access AV
The usefulness of an on-access AV in systems has been greatly debated upon for years especially with the arrival of Windows XP. However, as much as I could, I personally prefer not to use any AV, whether on-access or on-demand (although I still keep a bootable on-demand scanner on a separate drive and manually scan every month as maintenance). Of course, I have my reasons, but the primary reason for not using an AV is data protection. I have a strong distrust for any application that attempts to access my files and upload them. As such, I refuse the use of cloud AV's regardless of their promises. Also, on-access AV's have been occasionally reported to have caused file corruption and even complete system corruption. Hence, using only on-demand, non-automatic scanners minimizes the chances of such events all the while maximizing performance and usability.

2. Multiphrenia
I've set-up multiple accounts, each for a specific purpose or use. Disposable emails are often used for regular one-time transactions while several all-purpose accounts are set-up for long-time use. These can be easily deleted/ignored when compromised. Since what is Important to me is different from what is Private, (where Important may be Private but Private may not be Important) this set-up fits my needs well. Ten-minute email and self-destructing email services are of great help.

3. TOR avoidance
TOR, in my opinion, is a luxury and suitable only perhaps for criminals (but even if I was one, I still wouldn't use it). Although it claims to protect your "physical location" and your identity for as long as no traceable data is included to link to you, it does not ensure the credibility of your exit nodes. As such, abuse is never a far-fetched idea. Properly used, TOR may be deemed effective, but the user is prone to make mistakes. I'm not willing to take that chance.

4. Use of VPN
My general distrust for companies has made me very reluctant on the use of VPN. Nevertheless, VPN services, unlike TOR, guarantees credibility to a certain extent. Hence, the use of VPN is only entirely for research purposes (researching a service or site for example if it is legitimate or a phishing site).

5. Dedicated OS
I've set-up a dualboot, a separate physical drive with a barebones, installation without internet access, and carry two portable OS's. Important accounts such as those used for transactions and work are NEVER used on the main system, but on a dedicated system, the portable OS's to be precise. Data-persistence is not enabled and access to sites is greatly limited.

On the laptop, the dualboot includes one Linux and a Windows. The Linux system is used for general and leisure purposes. Virtualbox is installed with at least three Windows snapshots and no shared folders. Applications are tested in Virtualbox before being installed in Windows. After testing, it is reverted back to bare installation.

If it were just me, I would never use Windows online, but since the computer is shared, no private or important data is placed in either OS while special "precautions" are taken for Windows. Maximizing security without affecting performance is top priority. Doing away with browsing activities and extensions such as adblock and noscript. It relies only on Windows Firewall and file and registry changes are monitored. Process Monitor is also installed to check for any unwanted applications. IDM is used as a means to monitor downloaded files. The speed is just an added bonus.

A scan is run every month using a bootable scanner. The bootable scanner contains a barebones Windows with offline scanners (Dr.Web CureIt, Malwarebytes, and Emsisoft Emergency Kit) and few other tools such as Unlocker, ESET SysInspector, 7zip, etc. NTFS permissions are also enforced (which is the most painstaking thing I've ever done).

6. USB's
Sensitive files are kept in an encrypted USB with copies in an encrypted external drive. File transfers are made only through a dedicated OS. Other files are kept in a USB with NTFS file permissions. Inside is an invisible, undeletable autorun.inf folder as well as several folders that categorizes files. This is the first level which I call the Surface level. No write permissions are granted on this level and permissions can only be read but not changed. Within those folders, file access are granted but permissions cannot be changed. I call this the Prison level. Since the files are categorized, any files that are out of place can easily be spotted and deleted. No executables are transferred in the USB without changing their extensions and archiving them. Therefore, any .exes are deleted.

7. Paranoia
I keep a close watch on where I go and scout them beforehand.

So far, I've been relatively safe aside from the usual traffic scares. :blink:

Long post. If you managed to get here without going TLDR, I commend your patience and bow to you.
:notworthy: :snooty: I stopped at 7 because I went TLDR myself. :w00t: :yes: :rockon:

EDIT:
I forgot to include my contingency plan which goes as follows:
1. Disconnect.
2. Cut the power.
3. :pos:
4. :chug:

5. :sui:

[eurobyn]

• another one that thinks he is safe without av and infects his friends ? ?

[spainach_12]

• another one that thinks he is safe without av and infects his friends ? ?

How? :huh: I've never made any statement or claim that I am safe. I wouldn't take such measures if I thought I was now, would I? :ermm: Besides, I just said no on-access av. That doesn't mean I don't have one.

...(although I still keep a bootable on-demand scanner on a separate drive and manually scan every month as maintenance).

...using only on-demand, non-automatic scanners minimizes the chances of such events all the while maximizing performance and usability).

...

A scan is run every month using a bootable scanner. The bootable scanner contains a barebones Windows with offline scanners (Dr.Web CureIt, Malwarebytes, and Emsisoft Emergency Kit) ...

Though I did say I prefer not to use one whether on-access or on-demand, I did add that my preference is "only as much as I could". In other words, there are instances when I don't have much of a choice but to use one.

If you're perhaps implying the usual argument "damage has been done", that's not necessarily true. Even if Windows was compromised, no sensitive data is contained in it nor will it hamper productivity. Think of it as if it were a home. It's just the fence...of my vacation property. If it was attacked, my house will still be pretty much intact and untouched.

[DesiPirate]

You are paranoid. :P

Why do you dual boot when you are already using virtualbox ? You can add another OS with linux in virtual box.

[spainach_12]

You are paranoid. :P

Why do you dual boot when you are already using virtualbox ? You can add another OS with linux in virtual box.

It's in moderation :thumbsup:

Anyway, I still dualboot because (1) i'm not the only one using the laptop, (2) some things work better in an actual installation than in vbox, and (3) I just don't want it too near to one of my homes.

[eurobyn]

how safe are youre friends ? if you think you are safe ? what if youre friends are not safe and you think you are safe ?

[eurobyn]

do you really think if you multiboot that you are safe ? it is still the same harddrive.or if you use another user to log in ? it is still the same system and harddrive.

i'm safe and my friends are safe when i use a good protection. i use nod32 antivirus and winpatrol and admuncher and i think that i know what i'm doing.

so better be safe then infect the friends or be infected by friends who think they are safe.

[VileTouch]

sad...computers were invented to make your life easier, not to add another layer of chore to your life. buy a hardware firewall, you don't need a vpn or any of those rigmaroles. (dual boot, encrypted usb, manually setting permissions for everything,etc) if you don't feel safe with windows, just run a flavor of linux that suits your fancy...or mac! but don't think just because of that you're safe. there are malware and network attacks and phishing and hacking for linux and mac too. the most successful intrusions, usually don't come through the network cable. think about it, why bother to bomb down a 10 ton iron door if you can simply break a glass? also what makes you think the evil secret hacker organization, government, etc. would bother to break into your computer? to steal your family pics? your mp3s and porn? naah, there's plenty of all that for free all over the place! ...and if you did have something so unique and secret and valuable and dangerous and illegal that would justify all that.... whoever want it would just send an armed aquad to take it physically by force. so your efforts are really not as effective as you think in the end,

keep calm and carry on....and go get an AV!

[insanedown58]

First of all, that was a lot of big words in the beginning. Second, yes an AV can "track" you but it makes most of the stuff a lot easier so I would never stop using AVs.

[dcs18]

There're many perceptions on security in various combinations & permutations - each one weirder than the other. Security per se, is dynamic and evolves so swiftly that what is relevant today may not be so, tomorrow.

There've been many topics on security at this Board, mostly outdated - in fact one of them continues to figure as a sticky here, on the forums. :tehe:

[dMog]

may i add...you are not paranoid...people ARE out to get you :lol:

[spainach_12]

sad...computers were invented to make your life easier, not to add another layer of chore to your life. buy a hardware firewall, you don't need a vpn or any of those rigmaroles. (dual boot, encrypted usb, manually setting permissions for everything,etc) if you don't feel safe with windows, just run a flavor of linux that suits your fancy...or mac! but don't think just because of that you're safe. there are malware and network attacks and phishing and hacking for linux and mac too. the most successful intrusions, usually don't come through the network cable. think about it, why bother to bomb down a 10 ton iron door if you can simply break a glass? also what makes you think the evil secret hacker organization, government, etc. would bother to break into your computer? to steal your family pics? your mp3s and porn? naah, there's plenty of all that for free all over the place! ...and if you did have something so unique and secret and valuable and dangerous and illegal that would justify all that.... whoever want it would just send an armed aquad to take it physically by force. so your efforts are really not as effective as you think in the end,

keep calm and carry on....and go get an AV!

It's a lot easier than it sounds. Sort of like having a drawer with folders, each with a label. The only thing that was difficult was configuring the NTFS permissions but that was supposed to be for fun until it turned annoying. I didn't want to leave it unfinished or something might break so I went through the whole thing. But get that done and it's not going to bother you again.

Likewise, I never claimed that linux or mac were completely secure (as a matter of fact, I think mac is more susceptible to an attack). As for the "unique and secret and valuable and dangerous and illegal that would justify all that", well, there's no need to explain any of that. It wouldn't matter. I never said I'm an enemy of the government. :usama: :wtf:​ Why on earth would I be here telling everyone this if I was one. I keep wondering where in what I said people got the idea of me being the enemy of the government or that I was paranoid of the government? I can't see anywhere where I said "I think I'm being followed! It's a government conspiracy!" That's laughable. :lol: As if you can ever escape being tracked by the government. You have public records to begin with so if I was that paranoid, shouldn't I be destroying those first and go live in the mountains or something? :eekout: :rolleyes: Why is it even always the government? Can't it be a competitor or something? I don't know, maybe pictures or videos of an affair you don't want your wife who has a cracker for a friend to see? Or maybe your gambling habits and its a record of your losses and winnings? A sadistic stalking sociopath and potential serial killer who stalks and videos women as objects of fantasy then sends it to the victim's family to taunt them for fun? I don't know. :rofl: Why the government?

First of all, that was a lot of big words in the beginning. Second, yes an AV can "track" you but it makes most of the stuff a lot easier so I would never stop using AVs.

Sorry for that. Just a tad bit difficult switching mindset from work to my free time. I don't mind being tracked. Wouldn't use the internet if I was so afraid, now would I? It's just a general distrust on applications and av's got caught in it. Now that I noticed. Why does everybody think I'm not using one? I just said I don't use an on-access AV, doesn't mean I'm not using one. I just prefer to use offline AV's because it makes more sense that it isn't hampered by the internet connection especially in a place where DoS or a slow connection can easily mess it up. It even makes more sense that it doesn't complain if you're not online. We can do research and share files without going online (we even prefer that. Less distraction).

Most av's are not even preventive. It's either reactive or proactive both of which require the virus to be in the system with the slight difference that the latter does not necessarily need signatures. It stops infection, not prevent it. There are other ways for which you can stop infection that requires low maintenance plus a higher level of confidence and it's not on-access scanners. An example would be sandboxing or virtual environments. Though there have been reports of malware being able to detect if they are in a virtual environment, none of them have successfully jumped only going to as far as not working in the virtual environment. It even has a very strict limitation that the virtual environment and host both have to be Windows. :wut: That's uh...that's...mmm...yeah.

This laptop was shipped with McAfee at a time it caused thousands of computers to crash. I can't imagine what would have happened if I hadn't turned it off. Same with Avast!. There were dozens maybe even hundreds or thousands more that were affected despite it being immediately patched. Companies make lapses. That's nothing new. A false positive is easily one of the greatest dangers and it's not even malware. What's even more frightening is that it doesn't even have to have a symptom. It just happens. :pos:

There're many perceptions on security in various combinations & permutations - each one weirder than the other. Security per se, is dynamic and evolves so swiftly that what is relevant today may not be so, tomorrow.

There've been many topics on security at this Board, mostly outdated - in fact one of them continues to figure as a sticky here, on the forums. :tehe:

That is true. Most people argue that there is no such need for any other protection other than that provided by antimalware companies. I've encountered so many staunch advocates of antimalware products in other forums and few have even read papers on security nor took any time to examine the faults and differences between researches. Few also bothered with discrepancies found in the research and oftentimes it's just the companies fighting over each other, mudslinging like crazy (like in one paper a company claims that paid products are better than free antiviruses) and none of them even made any comment when it was discovered that antiviruses were also susceptible to attack. Not to mention that most infections come from cracks meant for their paid products, only to say that "that's why you should legitimately buy products instead of cracking them." What a capitalist answer. You entrust your safety to guys like this? It's like having a bully protect you in exchange for your lunch. Hey I understand people gotta eat, but come on. At least educate people, not scare our a$$es off. At least bodyguards are kind of enough to tell us what to do so we don't rely on them all the time.

At the moment, they're questioning the methodologies used in testing AV's and a few have dropped their membership in AMTSO. Sometimes I wonder if it's because a lot of products are failing in tests (because I don't see those who did well complaining) or because they realize they're always behind. But meh. It doesn't matter.

Hmm...I said more than I should, didn't I? Sorry 'bout that. Didn't catch myself. :P

[spainach_12]

may i add...you are not paranoid...people ARE out to get you :lol:

:fear: :lmao:

[nekomata]

get him

[LazyPotato]

I'm not surprised to read so much discussion on what's the best security setup for the computer. I've been interested on computer security for quite a considerable time especially if we take into account how fast technology evolves over the years. However, I never really did pursue it despite it being one of my passions. Hence, I humbly confess that I am no expert in computer security and I renounce all claims that reports such and likewise denounce all assumptions of such.

Nonetheless, I have had my fair share of experience and research on the subject and had devised a method -- if I may call it such -- of protecting myself and my data. Like many others here, I presume, I've been a victim of fraud and malware. Traumatized, I tried to develop the most efficient way of maintaining my privacy and ensuring the security of both my identity and personal data. In hopes of widening my views and improving my methods, I wish to share them with you and hopefully, gain from your insights.

Note: I'm only writing this down from the top of my head so there might be some things I'd fail to include. I'm doing this because I'm hoping to make a re-install and would like to draft my "methods" and more. I'll edit it from time to time.

1. No On-Access AV

The usefulness of an on-access AV in systems has been greatly debated upon for years especially with the arrival of Windows XP. However, as much as I could, I personally prefer not to use any AV, whether on-access or on-demand (although I still keep a bootable on-demand scanner on a separate drive and manually scan every month as maintenance). Of course, I have my reasons, but the primary reason for not using an AV is data protection. I have a strong distrust for any application that attempts to access my files and upload them. As such, I refuse the use of cloud AV's regardless of their promises. Also, on-access AV's have been occasionally reported to have caused file corruption and even complete system corruption. Hence, using only on-demand, non-automatic scanners minimizes the chances of such events all the while maximizing performance and usability.

2. Multiphrenia

I've set-up multiple accounts, each for a specific purpose or use. Disposable emails are often used for regular one-time transactions while several all-purpose accounts are set-up for long-time use. These can be easily deleted/ignored when compromised. Since what is Important to me is different from what is Private, (where Important may be Private but Private may not be Important) this set-up fits my needs well. Ten-minute email and self-destructing email services are of great help.

3. TOR avoidance

TOR, in my opinion, is a luxury and suitable only perhaps for criminals (but even if I was one, I still wouldn't use it). Although it claims to protect your "physical location" and your identity for as long as no traceable data is included to link to you, it does not ensure the credibility of your exit nodes. As such, abuse is never a far-fetched idea. Properly used, TOR may be deemed effective, but the user is prone to make mistakes. I'm not willing to take that chance.

4. Use of VPN

My general distrust for companies has made me very reluctant on the use of VPN. Nevertheless, VPN services, unlike TOR, guarantees credibility to a certain extent. Hence, the use of VPN is only entirely for research purposes (researching a service or site for example if it is legitimate or a phishing site).

5. Dedicated OS

I've set-up a dualboot, a separate physical drive with a barebones, installation without internet access, and carry two portable OS's. Important accounts such as those used for transactions and work are NEVER used on the main system, but on a dedicated system, the portable OS's to be precise. Data-persistence is not enabled and access to sites is greatly limited.

On the laptop, the dualboot includes one Linux and a Windows. The Linux system is used for general and leisure purposes. Virtualbox is installed with at least three Windows snapshots and no shared folders. Applications are tested in Virtualbox before being installed in Windows. After testing, it is reverted back to bare installation.

If it were just me, I would never use Windows online, but since the computer is shared, no private or important data is placed in either OS while special "precautions" are taken for Windows. Maximizing security without affecting performance is top priority. Doing away with browsing activities and extensions such as adblock and noscript. It relies only on Windows Firewall and file and registry changes are monitored. Process Monitor is also installed to check for any unwanted applications. IDM is used as a means to monitor downloaded files. The speed is just an added bonus.

A scan is run every month using a bootable scanner. The bootable scanner contains a barebones Windows with offline scanners (Dr.Web CureIt, Malwarebytes, and Emsisoft Emergency Kit) and few other tools such as Unlocker, ESET SysInspector, 7zip, etc. NTFS permissions are also enforced (which is the most painstaking thing I've ever done).

6. USB's

Sensitive files are kept in an encrypted USB with copies in an encrypted external drive. File transfers are made only through a dedicated OS. Other files are kept in a USB with NTFS file permissions. Inside is an invisible, undeletable autorun.inf folder as well as several folders that categorizes files. This is the first level which I call the Surface level. No write permissions are granted on this level and permissions can only be read but not changed. Within those folders, file access are granted but permissions cannot be changed. I call this the Prison level. Since the files are categorized, any files that are out of place can easily be spotted and deleted. No executables are transferred in the USB without changing their extensions and archiving them. Therefore, any .exes are deleted.

7. Paranoia

I keep a close watch on where I go and scout them beforehand.

So far, I've been relatively safe aside from the usual traffic scares. :blink:

Long post. If you managed to get here without going TLDR, I commend your patience and bow to you.

:notworthy: :snooty: I stopped at 7 because I went TLDR myself. :w00t: :yes: :rockon:

EDIT:

I forgot to include my contingency plan which goes as follows:

1. Disconnect.

2. Cut the power.

3. :pos:

4. :chug:

5. :sui:

VPN ain't that neccessary,in my honest opinion,having VPN only helps you from being traced down. I doubt somebody will walk into my house & hit me on face for no reason,it'll only slow down my Internet and nothing else.