Schneier on Security
A blog covering security and security technology.
July 27, 2009
Tips for Staying Safe Online
This is funny:
Tips for Staying Safe Online
All citizens can follow a few simple guidelines to keep themselves safe in cyberspace. In doing so, they not only protect their personal information but also contribute to the security of cyberspace.
- Install anti-virus software, a firewall, and anti-spyware software to your computer, and update as necessary.
- Create strong passwords on your electronic devices and change them often. Never record your password or provide it to someone else.
- Back up important files.
- Ignore suspicious e-mail and never click on links asking for personal information.
- Only open attachments if you're expecting them and know what they contain.
- If shelter is not available, lie flat in a ditch or other low-lying area. Do not get under an overpass or bridge. You are safer in a low, flat location.
- Additional tips are available at www.staysafeonline.org.
Those must be some pretty nasty attachments.
Here's the current version of the page, with the misplaced bullet point removed. And here's where it was copied and pasted from.
Posted on July 27, 2009 at 4:16 PM
• 38 Comments
This is retarded - not because of the shelter suggestion - but the idea that you can possibly ever create and manage more than one or two strong passwords - result, people use weak passwords, or one strong password for every site.
People should use one strong password to a password safe, and keep the rest in there, which are generated randomly from a strong password character set.
All else is madness.
I suspect the last point is for the "family" tech person that's going to get the call from the person that didn't follow the points above it.
Aren't these the same people from Boston who went rabid when somebody put some blinkenlights around town?
Wow, I didn't know explosive decompression of a zip file was so dangerous.
Remote desktop from a nuclear bunker for me in future....
I've found a reasonably good way to create a semi-strong password is to use equipment that you deal with in your line of work. For instance, if you work with military aircraft you can use a C130 engine: "AllisonT56-A-15" as fitted on the C-130, i.e. "AllisonT56A15" or "T56AllisonA15onC130", or "T56a15".
Unless I'm missing something obvious, besides the humorous point at the end of the list the others are all pretty reasonable?
If you work on military aircraft you'd be better off making passwords like 3n+3rPr1s3 or U55Rr3ge@n.
When has a tornado hit Boston?
Hmm, City of Boston emergency measures? Doesn't the advice somehow seem appropriate after the 2007 kerfuffle about mooninites?
After all, is it that long a mental discontinuity from zip decompression, to explosive decompression?
The first tornado on record in the United States occurred in 1671 in Rehobeth, Massachusetts. Very little is known about the aftermath of that tornado. However, in the last 325 years the US has seen thousands of tornadoes tear across every part of the country, with every state experiencing at least one tornado.
I'm not sure seeking shelter would protect you from some of the things attached to posts on /b/.
Amazing the things MS Windows users have become accustomed to... My own Unix and Linux desktops have never needed such measures and never once had a virus or trojan or other malware over the past 20 years.
@Roger: Are you implying, that you are constantly clicking on Viagra Ads? Or do you mean that you have a weak login password on your box?
BTW: Backups protect not only against malware...
The mooninites were attached to bridges and overpasses. You can't see them if you hide in a ditch.
Well, no wonder, it came from a government agency.
I think the last wayward point wasn’t too wayward after all. The sentiment was right, they just got the semantics a bit wrong. What they meant to say was something like:
Keep a low profile. Avoid giving out personal information, especially at social networking sites, such as Twister...
The bullet has been removed from the visible portion of the page. However, they left it in as a comment. Which raises the question..... Why?
@Particular Random Guy
Backups can also backup the malware.....
"On June 9, 1953 one of the most powerful tornadoes yet recorded struck Worcester; the official recorded deaths by NOAA indicate 90 people died. News reports indicate 94 died. The State's small size and the large number that died from this single tornado cause Massachusetts to lead the list of States in deaths per sq. mile."
Looks exactly like the stuff produced by the department currently responsible for corporate information security where I work!
"My own Unix and Linux desktops have ... never once had a virus or trojan or other malware over the past 20 years."
That you know of.
How about some tips on how to stay safe when using public computers? (Apart from the guidance of "don't use public computers" which is just a bit more secure than it is useless).
I remember someone telling me a good way to make a safe password that was hard to guess was something like
Change "MSN" to whatever site you're creating the password for. Change "1234" periodically. Since the password is almost the same for all the websites, it's easier to remember and you can make it more complex if you want.
I hate the sites that limit you to 8 character passwords, those are really annoying and I don't bother trying to remember them, I just use the reset password feature then use a random password for the time being.
@zonky: Try expressing yourself without using the word "retarded".
I think this is great advice, but isn't my Wi-Fi going to be degraded, if I'm always lying in a ditch, when I want to go online?
@TS: worse yet, the sites that limit your password length but don't tell you about the limit until you try to log back in after changing your password (to one that's longer than the limit)
The Dutch government (Justice department) recently opened a similar site. It turned out to be easy to access via deep links provided by Google before it was officially presented, which caused a fair amount of embarrassment, but the real problem is that it doesn't include any advice on using Tor to avoid the government's spying programme (all URLs you visit to be stored for 18 months). I wonder why that is. It's an obvious privacy/security issue...
There is a fundamental flaw in password and Secret question security at many sites.
1) Many sites do not allow special characters such as !@#$%^&**() in the use of passwords and many only allow an 8 character limit (and only the _ character is allowed). That's weak.
2) Secret questions are even worse. At my bank for instance they only allow 7 or 8 characters and NO special symbols at all.
If the limit went up to 15 and at least all the number/special characters were allowed, less compromise would be certain in my view.
Secret question password: FooBar!77%@%@
You're not cracking it, sorry!
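As an added illustration (not from the post or any commenter) of the two policies this comment contrasts, the snippet below puts numbers on them: the entropy ceiling of an 8-character password drawn from letters, digits and "_" versus a 15-character one drawn from all printable ASCII, with passwords generated by the OS CSPRNG as a password safe would do. The character sets and the 80-bit threshold are constructed for the example.

```python
import math
import secrets
import string

# Constructed character sets for the two policies the comment contrasts:
# the restrictive one (letters, digits and only "_" allowed, 8 characters)
# and a permissive one (all printable ASCII except space, 15 characters).
RESTRICTED_CHARSET = string.ascii_letters + string.digits + "_"           # 63 symbols
FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(charset_size)


def policy_entropy(max_length: int, charset: str) -> float:
    """Best case a policy permits: the longest allowed password over its full alphabet."""
    return entropy_bits(len(charset), max_length)


def generate_password(length: int, charset: str = FULL_CHARSET) -> str:
    """Draw every symbol with the OS CSPRNG (secrets), never the random module."""
    return "".join(secrets.choice(charset) for _ in range(length))


def policy_is_adequate(max_length: int, charset: str, min_bits: float = 80.0) -> bool:
    """True when the policy lets a random password reach min_bits of entropy (assumed threshold)."""
    return policy_entropy(max_length, charset) >= min_bits


def compare_policies() -> dict:
    """Entropy ceilings of both policies, plus a sample random password under each."""
    return {
        "restricted_8_bits": round(policy_entropy(8, RESTRICTED_CHARSET), 1),
        "full_15_bits": round(policy_entropy(15, FULL_CHARSET), 1),
        "restricted_sample": generate_password(8, RESTRICTED_CHARSET),
        "full_sample": generate_password(15, FULL_CHARSET),
    }


if __name__ == "__main__":
    for key, value in compare_policies().items():
        print(f"{key}: {value}")
```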
Here's a fun one... I do have one really strong password for a safe, and keep all of my other passwords in there. But I have one password that I use most often - the one for systems at work, and I keep them all in sync. But you have to get into the system to use the safe, and if you've forgotten the "work password", you can't even get there.
So I write it down on a small slip of paper.
Then I put it in the change compartment of my wallet, along with last month's, and the one before that, etc. IMHO, this is quite safe.
My wallet has my money, my credit card, my driver's license, and other forms of ID. Therefore I keep pretty good track of it. Actually, if my wallet is stolen, my work password is one of the lesser exposures.
When synchronizing work passwords, sometimes you miss one, so it's handy to have the previous password handy. It's on the 2nd least rumpled piece of paper.
Older passwords are on older pieces of paper, even more rumpled. Get rumpled enough and they "expire" - they become illegible.
@Anonymous at July 28, 2009 9:26 AM: what I like to do when using "public" computers (libraries, hotel lobbies, etc) is slip in a CD and boot off a known good OS (linux, knoppix).
If you would like, you can download an .iso from here and burn your own boot CD/thumbdrive:
(disclosure: this is provided by the DoD, so if you don't trust the govt...)
This from the same Boston which blew up a traffic monitoring box they had placed to count traffic on a certain road because the police didn't recognize it.
@Nick: "# Keep you OS, Browser and Virus Scanner patched and up to date; Don’t ingnore the warning messages from Microsoft and others in the bottom left of your screen."
I'm assuming you meant bottom right, not bottom left. Also, you should probably use a spell checker :)
"Never click on a link you recieve in an email"
That's painful... And also requires a spell checker :)
"Also, you should probably use a spell checker"
Sadly, due to the likes of myself (possibly the worst speller of the lot), and other engineering types, spelling is something that is a little lacking on this blog (along with poor punctuation etc).
Also watch out for English not American spelling. Even Bruce has been pulled up on this (unfairly) on one of his Guardian IT articles.
However you need to remember that although some people don't mind being pulled up (me I've a skin like a rhino so am not overly fussed) some people can be touchy about it.
Partly because they may have an underlying cause and struggle hard to spell "by rules" not by rote.
Left handed and left brained individuals often end up as engineers etc because they have a mild form of ASD. And this tends to go hand in hand with "word blindness" or dyslexia.
Because of the relationship people can and have been misdiagnosed, which has led to the wrong "help" in the past which can make things worse for an individual. And because of this people can be very touchy (I was excessively so when younger and felt I was unfairly being picked on, which is why I have grown my rhino hide ;)
I'm of the opinion that if the content of what is written is understandable then I don't care about the spelling (it is after all just a means to an end which is to transfer knowledge or information). Other people are not of "my" opinion.
And occasionally a misspelled word can be very funny, all the more so for the unintended meaning it conveys 8)
Finally please remember that as in my case a spell checker may not be an option (the phone I type on does not have a spellchecker available for it).
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.