BBO Discussion Forums: Technology, especially security - BBO Discussion Forums

Jump to content

  • 3 Pages +
  • 1
  • 2
  • 3
  • You cannot start a new topic
  • You cannot reply to this topic

Technology, especially security inspired by Y66

#21 User is offline   Winstonm 

  • PipPipPipPipPipPipPipPipPipPipPip
  • Group: Advanced Members
  • Posts: 17,284
  • Joined: 2005-January-08
  • Gender:Male
  • Location:Tulsa, Oklahoma
  • Interests:Art, music

Posted 2017-January-03, 13:16

 hrothgar, on 2017-January-02, 06:51, said:

FWIW, my best advice is the following:

1. Assume that your system is going to get compromised
2. Make sure that you are in a good position to restore everything as quickly and easily as possible.

I have a windows box that I use for gaming and the like.

Everything that I care about on that box is backed up on a piece of Network Attached Storage that only connects to that device once every couple weeks or so.
If I am worried that something has gone wrong, I just wipe the Windows box down to bare metal, re-install the OS, and then move my games files back over.

In addition, I don't care what kind of system that you use to generate your passwords.
It's not good enough.

Invest in something like 1Password.


Do you consider this advice to be concerning a business computer or also a personal computer or both?
"Injustice anywhere is a threat to justice everywhere."
0

#22 User is offline   hrothgar 

  • PipPipPipPipPipPipPipPipPipPipPip
  • Group: Advanced Members
  • Posts: 15,488
  • Joined: 2003-February-13
  • Gender:Male
  • Location:Natick, MA
  • Interests:Travel
    Cooking
    Brewing
    Hiking

Posted 2017-January-03, 13:41

 Winstonm, on 2017-January-03, 13:16, said:

Do you consider this advice to be concerning a business computer or also a personal computer or both?


Personal computer.
Alderaan delenda est
0

#23 User is offline   kenberg 

  • PipPipPipPipPipPipPipPipPipPip
  • Group: Advanced Members
  • Posts: 11,225
  • Joined: 2004-September-22
  • Location:Northern Maryland

Posted 2017-January-03, 13:44

 Winstonm, on 2017-January-03, 13:16, said:

Do you consider this advice to be concerning a business computer or also a personal computer or both?


Preempting hrothgar, I would say personal. As a prof, or if I were some other employee, I follow whatever security precautions are set up I don't ask questions. If I were the cyber-security guy for a business, I would not be going to the wc for technical advice, meaning absolutely no disparagement of my buddy hroth. It's at the personal level we need advice. I suppose if I had a small business I might be seeking out advice for my computer stuff, but mostly I think I would hire a pro.

Oops, I was slow in my preempting, I should have put out the stop card.
Ken
0

#24 User is offline   barmar 

  • PipPipPipPipPipPipPipPipPipPipPipPip
  • Group: Admin
  • Posts: 21,594
  • Joined: 2004-August-21
  • Gender:Male

Posted 2017-January-03, 14:12

 kenberg, on 2017-January-03, 13:44, said:

I suppose if I had a small business I might be seeking out advice for my computer stuff, but mostly I think I would hire a pro.

FYI, hrothgar is such a pro. He works in the security department of a major provider of Internet services (it happens to be the same company I worked for before I started working for BBO).

#25 User is offline   kenberg 

  • PipPipPipPipPipPipPipPipPipPip
  • Group: Advanced Members
  • Posts: 11,225
  • Joined: 2004-September-22
  • Location:Northern Maryland

Posted 2017-January-03, 14:17

 barmar, on 2017-January-03, 14:12, said:

FYI, hrothgar is such a pro. He works in the security department of a major provider of Internet services (it happens to be the same company I worked for before I started working for BBO).


Ok, then I would hire hroth. :)
Ken
0

#26 User is offline   hrothgar 

  • PipPipPipPipPipPipPipPipPipPipPip
  • Group: Advanced Members
  • Posts: 15,488
  • Joined: 2003-February-13
  • Gender:Male
  • Location:Natick, MA
  • Interests:Travel
    Cooking
    Brewing
    Hiking

Posted 2017-January-03, 15:00

 barmar, on 2017-January-03, 14:12, said:

FYI, hrothgar is such a pro. He works in the security department of a major provider of Internet services (it happens to be the same company I worked for before I started working for BBO).


Just to clarify, Hrothgar got pawned by a really nasty virus three years back which necessitated his current set up.

Equally significant, while I do work for the InfoSec department, my expertise is more in the theoretical than the practical.
(I do lots of work around capacity planning models and DDOS attacks)

We have a whole different group that is responsible for locking down our own computers...

The one point that I have taken to heart is that being able to recover quickly and painlessly is more important than trying to be bulletproof.

[And if your financial services institution doesn't use two factor authentication, they don't deserve your business]
Alderaan delenda est
0

#27 User is offline   mycroft 

  • Secretary Bird
  • PipPipPipPipPipPipPipPip
  • Group: Advanced Members
  • Posts: 7,429
  • Joined: 2003-July-12
  • Gender:Male
  • Location:Calgary, D18; Chapala, D16

Posted 2017-January-03, 15:29

Yes, computer security is like motorcycle riding. The answers to the "have you had significant damage from an attack on your computer (note that the ravages of time is a computer attack)?" are the same as "have you been in an accident?" - there's "Yes", and there's "Not Yet".

I've been lucky, I (used to) know what I'm doing, and I Don't Do Windows. But that's still "Not Yet".
When I go to sea, don't fear for me, Fear For The Storm -- Birdie and the Swansong (tSCoSI)
0

#28 User is offline   y66 

  • PipPipPipPipPipPipPipPip
  • Group: Advanced Members
  • Posts: 6,496
  • Joined: 2006-February-24

Posted 2017-January-03, 15:53

re: having a dedicated Windows machine for running Windows apps that can easily be restored -- good idea. Ran into a problem yesterday when I tried to run my old copy of Partnership Defense which uses a CD copyright protection scheme that Windows 10 does not like. Goodbye Windows 10. Welcome back Windows XP Service Pack 2. There's probably a workaround for Windows 10 but I did not have the time or inclination to find it.
If you lose all hope, you can always find it again -- Richard Ford in The Sportswriter
0

#29 User is offline   fromageGB 

  • PipPipPipPipPipPipPip
  • Group: Advanced Members
  • Posts: 2,679
  • Joined: 2008-April-06

Posted 2017-January-04, 16:36

 mycroft, on 2017-January-03, 15:29, said:

- there's "Yes", and there's "Not Yet".

And there's also "I might be hacked, I might have all my passwords stolen, and I might be part of a botnet, but I'm not aware of it".

If you are lucky enough to have multiple computers, then I'd keep the fastest for windows running nothing but games (if that is your poison) and anything that you must have that is written for windows only, such as scorebridge. Reformat an older computer by installing a linux distro and use that for serious stuff like banking and spreadsheets etc. In the browser do not keep cookies except on bridgebase and banking sites, and make you do not have java or flash, and have ghostery. If you must use flash for BBO then have that in a separate browser used for that web site only, or better, use the windows box if you have one. Etc.

If you are lucky enough to have a 3rd computer spare to install as a dedicated firewall, then bully for you, but otherwise I'd have a software desktop firewall as better than nothing, and your own NATS internet router that you set up with MAC and IP addresses etc rather than accept an ISP offering.

Do not have any curtains/thermostats/fridge/cat etc controlled via wifi.

There are easy linux distros that can be used just like windows. Ubuntu is designed for the person who does not know anything about what's under the hood, and it works fine - you can even have a "windows look-alike" feel if you wish. Other varieties of linux give you more control if you wish to learn, but ubuntu's defaults are OK. Try it on a USB if thinking about it.
0

#30 User is offline   fromageGB 

  • PipPipPipPipPipPipPip
  • Group: Advanced Members
  • Posts: 2,679
  • Joined: 2008-April-06

Posted 2017-January-04, 16:56

 Antraxxx, on 2011-January-01, 02:24, said:

.. then you're communication is adequately secure, meaning that even if someone were to mediate between you and your bank as you're conducting your business, he'd still be unable to gain anything from it, neither information nor the ability to create, modify or replicate transactions. Generally speaking, if you see "https" and your browser doesn't draw broken locks in red all over the place, then you should be fine.
...
The reason I'm recommending a firewall along with an antivirus is the aforementioned keylogging spyware. If it can't phone home, then they can't steal your passwords. .. Firewalls control the net traffic - so they can stop data from getting out, as well as stop some attacks that try to get in not by some piece of code, but by remotely abusing some service on your computer.


Thoroughly agree with the comments, but a couple of technical issues :

1) "Man in the middle" can spoof the HTTPS security, I believe, and the only way you'd know is by checking the fingerprints of the certificates each time you use a site (I don't), but I'm sure this was just a feasibility proof and not something you'll come across.

2) Firewalls do not prevent outgoing data unless you have configured exactly which programs can do that (and I have not done so), and the only way you'd practically know is to rigourously check logs that are switched to verbose mode. (And I don't.) I think the only practical method to prevent trojans is use software that has integral high security, and be careful in what you do.
0

#31 User is offline   fromageGB 

  • PipPipPipPipPipPipPip
  • Group: Advanced Members
  • Posts: 2,679
  • Joined: 2008-April-06

Posted 2017-January-04, 17:03

Another thought on security is to have an email address which is not one you use for anything except access to those websites that need to access your bank/investment accounts. I can't help thinking that less used is more secure. My fromagegb account can be hacked with no consequence.
1

#32 User is offline   fromageGB 

  • PipPipPipPipPipPipPip
  • Group: Advanced Members
  • Posts: 2,679
  • Joined: 2008-April-06

Posted 2017-January-05, 04:59

 kenberg, on 2016-December-31, 18:31, said:

Blocking 3rd party cookies? I have been lazy about that.

It's just a simple setting to make once only - no excuses. Firefox menu - preferences - privacy, then "accept third-party cookies" = "Never".
While you are at it, "keep until" = "I close Firefox", and for any exceptions you must keep, put them in the "Exceptions".
0

#33 User is offline   fromageGB 

  • PipPipPipPipPipPipPip
  • Group: Advanced Members
  • Posts: 2,679
  • Joined: 2008-April-06

Posted 2017-January-05, 05:27

 Antraxxx, on 2011-January-02, 00:40, said:

Kenberg, if you have time to play around with it, there's a Linux distribution called Ubuntu (or Kubuntu, there's some difference there but it applies to both) that's supposedly very nice and friendly and cool for Windows users.

Actually I would not recommend Kubuntu as it uses the KDE desktop environment, and this is definitely not for beginners. (I'm using KDE in Manjaro right now, and I like it, but it needs experience.) Plain vanilla Ubuntu is brilliant, easy, automatic. If you don't like the look of the unity desktop and want something more like microsoft, try Xubuntu, and try ubuntu mate. Or Zorin OS, which is based on ubuntu, but while I can praise ubuntu's support and updates, I have no experience of Zorin.
0

#34 User is offline   fromageGB 

  • PipPipPipPipPipPipPip
  • Group: Advanced Members
  • Posts: 2,679
  • Joined: 2008-April-06

Posted 2017-January-05, 06:12

Other security ideas I adopt :

Never do banking from a mobile. Not only does google know everything (even if you run your phone on cyanogen and turn off everything you can, you can't stop google), a phone is insecure.

When a site has additional security questions such as "where were you born", never use the true answer, and use a different answer for each site. In fact, as there is no atlas verification (in this example), I can and do treat this as just another password of various random characters. Not only is this extra security, but it makes it impossible for anyone with access to your email account (should that be lost) to ring the bank and claim to be you who have forgotten your password. Your true partner's name, mother's name, date of birth and such stuff is semi-public domain and will be known to an impostor.

Do not access banking from any site other than your own house and own computer. If you do access your (non-bank) email from a holiday wifi, or with a mobile, change the password afterwards asap.

OK, I may be paranoid, but I do not use software password completion. With keypass, 1password, or any such aid all your eggs are in one basket. If that is hacked, you have lost everything. I think it better to use a collection of random characters for passwords, the longer the better (one of mine is in excess of 25), and to record these in encrypted form on paper and in a document on the computer (and in the safe). You can devise your own inversion, grouping, transposition, reversing etc method (unrecorded) that you mentally use for all passwords, such that the recorded characters bear no resemblance to the actual password, and is pretty unhackable even if someone broke in and stole my sheet of paper and the computer. When I lose the mental decryption capability, I will be handing my financial affairs to someone else!

But for less important passwords, I use a common one that I easily remember. I don't mind if someone breaks into a website to see my purchase history of USB memory sticks.
0

#35 User is offline   barmar 

  • PipPipPipPipPipPipPipPipPipPipPipPip
  • Group: Admin
  • Posts: 21,594
  • Joined: 2004-August-21
  • Gender:Male

Posted 2017-January-05, 10:16

 fromageGB, on 2017-January-05, 06:12, said:

When a site has additional security questions such as "where were you born", never use the true answer, and use a different answer for each site. In fact, as there is no atlas verification (in this example), I can and do treat this as just another password of various random characters.

While good advice, how practical is it? The main point of these questions is to help out if you've lost the password. If you've lost that, what's the chance you'll remember the fake answer you gave. Do any of the password managers fill these in?

I have enough trouble with them even when I give true answers. A common question is the street where you grew up -- did I just give the name or did I include "lane" at the end?

#36 User is offline   mycroft 

  • Secretary Bird
  • PipPipPipPipPipPipPipPip
  • Group: Advanced Members
  • Posts: 7,429
  • Joined: 2003-July-12
  • Gender:Male
  • Location:Calgary, D18; Chapala, D16

Posted 2017-January-05, 10:40

Just as a description. Note this is serious Blue Advanced territory (thanks Kaitlyn S), and can be skipped completely by anyone for whom computer == Microsoft (and, to a lesser extent, because they can play if they want, those for whom Mac = Jaguar or whatever it is now).

My main computer is running current desktop Ubuntu (mostly because it's what I had 5 years ago, and it still works) with i3wm as the desktop manager, and (mostly) Gnome tools. I used XFCE for a long while until they got on the "images is better" bandwagon. Treble monitor, and on one of them is pretty much always my virtualbox running one of two WinOS virtual machines (one that DOES NOT KNOW about the internet, because it's insecure as **** and I only use to run a game and an application that only work on 98, one that I use when I absolutely need Windows (because I can't RDP into ACBL TD tools from linux for some reason that eludes me to this day)). Games are on the console (yeah, okay, it works, and I'm not hardcore).

My laptop dualboots, but with a similar setup for "normal use". My biggest problem with it is that it takes hours to update every time I boot into Windows.

Everything on main computer is on mirrored drives except /home and /, which are on SSD and backed up weekly. Useful stuff is also backed up weekly, to RAIDed Synology NAS (Never, ever, EVER use D-Link NAS - it makes a good router. Could never get it to actually securely serve files - which is sort of what a NAS does, no? Synology Just Works (for Advanced values of Just Works).

Keypass2 with encrypted database cloudshared, so it synchs with all relevant tools.

NO Internet of S*** devices, and that will remain so unless the server is in my grubby little hands (never mind all the built-in insecurity of most systems, if they own the servers, they can turn you off. And have.)

For those running a Real OS (yeah, I'm biased), check out a tiling window manager (as I said, I like and use i3). If it works for you (and anyone who doesn't do "one window per screen" is likely to work well with it) it's insane. If it doesn't work for you, it's a nightmare, never to be returned to.
When I go to sea, don't fear for me, Fear For The Storm -- Birdie and the Swansong (tSCoSI)
0

#37 User is offline   fromageGB 

  • PipPipPipPipPipPipPip
  • Group: Advanced Members
  • Posts: 2,679
  • Joined: 2008-April-06

Posted 2017-January-05, 11:05

 barmar, on 2017-January-05, 10:16, said:

While good advice, how practical is it? The main point of these questions is to help out if you've lost the password. If you've lost that, what's the chance you'll remember the fake answer you gave. Do any of the password managers fill these in?

I find it practical. "To help you out when you lose the password" is the way your identity can be stolen, and your bank account with it.
It is even more important when the "password" per se is requested as three random characters of your password. While this circumvents keystroke loggers, it is just a 3 character password from a hacking point of view. The follow-up answer to a secret question is therefore your opportunity to use a real password.

Yes, if you lose it you will have to visit your bank manager with passport and proof of residence etc, but I dare say you'll get there in the end. Which is why I have my encrypted passwords at hand, in the safe, in the computer, and backups offsite.

I expect auto password handlers may cope, but I don't like that idea, especially if "synched" to the world. Are you 100% convinced that the CIA or whatever does not have a backdoor? Or the software provider?
0

#38 User is offline   StevenG 

  • PipPipPipPipPip
  • Group: Full Members
  • Posts: 629
  • Joined: 2009-July-10
  • Gender:Male
  • Location:Bedford, England

Posted 2017-January-05, 11:25

I do wonder what the point of all this is. I'm opening myself up for a lot of criticism here but...

I run Windows 7, which I converted fron Windows XP just under a year ago, only because some software upgrades weren't working any more. I will not go to Windows 10 until I have to buy a new machine.

I use Firefox with NoScript as my main defence. Yes, it's a pain trying to make some websites work properly, but I refuse to run scripts on any website without making a decision as to how trustworthy I think it is. I also FlashBlock and AdBlockPlus (I know it's no longer flavour of the month, but I've too many custom filters to give it up.)

I do not allow websites to keep my debit card details. Consequently I'm not that bothered if any hacker ever guesses a password; there's nothing much they can do. (And I never type in my card details on my Android tablet either.)

I back up to an external hard drive occasionally. I back up anything I'm working on to Dropbox, sometimes more than once a day. I'm far more worried about a hard drive failure than I am about viruses or hackers. I have never had a virus do any damage since I went on the Internet. (I was lucky the first few ignorant months - after that I installed an AV program and ZoneAlarm.) The only time anything got through, it was a known exploit for which Microsoft had not yet issued the patch. Flash was disabled, but the replacement malware to run Flash files never got into the system. None of the virus scans I've done over the years have ever found a problem.

My first proper home computer ran DOS 5. I wrote a lot of code in the excellent QBASIC program, which got converted to Visual Basic 5 and then VB6. I assumed I'd have to go to VB.NET eventually, but VB6 runs under Windows 10 and VB.NET free versions don't seem to be guaranteed for the future (paid is prohibitive for a hobbyist), so I think I'm safe with VB6 for the medium term. Anyway, I've now got so much VB code and there's no realistic prospect of porting any of that code onto any software for Linux-based systems, so I have no interest in changing OS.
0

#39 User is offline   fromageGB 

  • PipPipPipPipPipPipPip
  • Group: Advanced Members
  • Posts: 2,679
  • Joined: 2008-April-06

Posted 2017-January-13, 11:09

No criticism needed, it sounds like you are very security minded anyway. Certainly VB makes you hooked. Years ago I wrote VB excel macros for managing the interclub teams, then found of course I couldn't use it when I parted with microsoft.
0

#40 User is offline   Winstonm 

  • PipPipPipPipPipPipPipPipPipPipPip
  • Group: Advanced Members
  • Posts: 17,284
  • Joined: 2005-January-08
  • Gender:Male
  • Location:Tulsa, Oklahoma
  • Interests:Art, music

Posted 2017-January-18, 13:16

I downloaded 1Password for Windows but the app won't open. Any suggestions?
"Injustice anywhere is a threat to justice everywhere."
0

  • 3 Pages +
  • 1
  • 2
  • 3
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users