NSA recommends home users to upgrade to WIN 7 as part of their Best Practice for Securing a Home Network. May I add, with good cause.

It is something regular users might consider; the bad guys target any U.S. (or related) IP, especially if an initial peek looks slightly interesting (Corporate or Government).

http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf

Before running to upgrade research compatibility issues which may affect you (Hardware and Software), as there are some significant ones.

I'd just like to add that while OS security is drastically improved, when compared to Windows XP, it's still not a system I would consider secure by any stretch.

While the castle walls are solid, Every time you open a web browser or launch another application, it's one rope ladder thrown over that wall to the outside.

Very few Internet protocols were designed with *any* security in mind. And what *is* there was bolted on as an after-thought.

SSL and the public key crypto schemes we use have been known to have severe flaws for quite some time in security circles, but it's getting bad enough now that even the mainstream is learning of this (http://en.wikipedia.org/wiki/Comodo_Group#Iran_SSL_certificate_controversy , for example). I can go on more about this vulnerability, if anyone wants me to.

So what's the best thing you can do? Keep everything patched and always maintain a healthy dose of skepticism and cynicism.

Run a quality anti-virus setup, and get to know what it's windows look like. Download the harmless EICAR file (which is a harmless file which will trigger a simulate virus warning in any quality AV software). Remember what that alert looks like. You'll be browsing the web and encounter many fake AV warnings which in reality install bot and spyware software.

So what's the best thing you can do? Keep everything patched and always maintain a healthy dose of skepticism and cynicism.



Without hi-jacking,, but along these lines,,
Where does IOS and Android measure up, as far as internet security??

I'm thinking of moving the wife off her T61 Thinkpad, WIN XP Pro onto a tablet. Right now the candidate is the new ASUS Eee Pad Transformer TF101-A1.

It looks to be 1/2 smart-phone tablet and 1/2 laptop,, running Android 3.0, Honeycomb.

:munchin

Without hi-jacking,, but along these lines,,
Where does IOS and Android measure up, as far as internet security??

I'm thinking of moving the wife off her T61 Thinkpad, WIN XP Pro onto a tablet. Right now the candidate is the new ASUS Eee Pad Transformer TF101-A1.

It looks to be 1/2 smart-phone tablet and 1/2 laptop,, running Android 3.0, Honeycomb.

:munchin

If I may,
Ill answer that using some contrast. Windows is written with the PC platform in mind, the designers knew that the OS would be host to users running business and personal applications which could contain a lot of sensitive information. (Excel with tons of accounting information, Access systems for inventory, attorneys using documents with confidential information on them, computers connecting to data sources on networks etc).

With this in mind, they developed the permissions/account layer. To properly use this built in 'security' it is considered best practice to create an administrative account on your machine to use for installing applications, managing users etc, and creating a lower level account to use for browsing the internet and using applications. Most don't do this and don't apply the general mindset that perdurabo set forth. The way Microsoft evaded the browser monopoly issue was by hooking IE into their OS kernel. Which essentially opened up a HUGE hole that is exposed to everything the internet can throw at it. There are ways to keep yourself 'mostly' safe on the internet, but again, not everyone knows or cares. Ill save the long winded discussion on how malicious developers can play around with your data and move on to Android.

Android was written specifically for smart phones. Not business users. It did not include some lower level security that a business smart phone needs at a minimum. It was not until the Android Droid Pro came out that business enterprises would even consider the platform. In Android, the browser is not bundled with the kernel. It runs in its own little sandbox. Does this make an android based system safer than a windows system? That depends on your viewpoint.

I approach it this way (and I am a dedicated Droid user).
Never store credit card information in your computer or cell phone.
Ensure that a web site that you are entering credit card information into is both secure and well known.
Pay careful attention to the permissions required for applications you install on the android device and be aware of the reputation of the developer before you download them. The developers ranking and comments on the Android market provide valuable insight into their reliability.

To go from a PC to a tablet (in my mind) is a move to increased security. I say that because you are typically not going to be doing the same sort of work. Most people use a tablet to browse the internet and play games, maybe look at pictures and watch movies. They are not going to have tax returns, letters to attorneys, financial tracking, budget spreadsheets etc on the tablet. Therefore there is relatively little exposure even if the tablet gets a virus.
I would still recommend perdurabo's advice. You can never be 100% secure with a computer. Knowing this, act accordingly and I think your wife will really enjoy a tablet computer.

PS - If you want to offload that thinkpad, please PM me. I have a thing for IBM laptops.

Without hi-jacking,, but along these lines,,
Where does IOS and Android measure up, as far as internet security??

I'm thinking of moving the wife off her T61 Thinkpad, WIN XP Pro onto a tablet. Right now the candidate is the new ASUS Eee Pad Transformer TF101-A1.

It looks to be 1/2 smart-phone tablet and 1/2 laptop,, running Android 3.0, Honeycomb.

:munchin

I could go on for hours about Android and iOS, but to answer your question, I'd say the Transformer would be a far worse option than just sticking with Windows 7.

The problem with this device is that ASUS licenses the Android source code from Google. Their programmers then modify and add software to this as part of their product personalization. So what you end up with is something much different than the Android came out of Google (and Android security isn't great to begin with). So my next questions would be:

- What is the competency of these ASUS programmers? How many new security vulnerabilities did they inject into the code base?
- How are they vetted for trust? Are they cheap labor? Are they into ID theft, bots, etc?

The only thing the Transformer product has going for it is that it has less eyes on it. So while it may be far more insecure than Windows, less exploits will ultimately be found and reported in the press.

But the gist is, the security model of Android is a mess (code signing, mandatory access controls are laughably designed, etc). It's made even worse when third party product engineers get their hands in there and tinker with stuff.

iOS is a little better off, their code signing is adequate, their mandatory access controls are tight (it's alternately called "seatbelt" or "sandbox" internally), and the code quality and code security practices are generally quite superior to Android. This all goes out the window if you jailbreak your iOS device, though.

You hear about iOS vulnerabilities more than Android because of the numbers of devices sold, and because there's less fragmentation than Android.

A Windows 7 device with BitLocker drive encryption* enabled is a pretty secure device, depending on what ropeladders (aka third-party software) you install. The T61 specs look up to snuff for this, a good CPU and it appears to have a TPM chip, which is used by BitLocker.

* BitLocker is great protection against criminals, but likely zero protection against western governments, as there might be a backdoor, or said governments might own a set of private keys enabling them to decrypt the data.

PS: Sorry for the ramblingness of this post, I was trying to give an answer within this week :)

[QUOTE=perdurabo;389691 I'd say the Transformer would be a far worse option than just sticking with Windows 7.

The problem with this device is that ASUS licenses the Android source code from Google. Their programmers then modify and add software to this as part of their product personalization. So what you end up with is something much different than the Android came out of Google (and Android security isn't great to begin with). So my next questions would be:

- What is the competency of these ASUS programmers? How many new security vulnerabilities did they inject into the code base?
- How are they vetted for trust? Are they cheap labor? Are they into ID theft, bots, etc?[/QUOTE]

Perdurabo, you're obviously knowledgeable on dev...

I concur, Win 7. Most of the phone OS's have another decade before they reach the maturity where one would consider them stable and somewhat hardened. Us old guys normally consider this period to be 20yrs from inception. Blackberries appear to be the more secure of the bunch. Also, don't forget what you're told about your phone...

As Perdurabo stated, the more code, changes (possibly by a fn that isn't fond of freedom), and programs, the more points for failure or intrusion. Plus it's usually slower too :D

The guys whom put this document together work with vendors and reverse engineer the code to help protect obviously vital data. It's a good 'general' guide to go by and makes things harder for the pos's.

all - good thread/posts and very useful information. thx

The problem with this device is that ASUS licenses the Android source code from Google. Their programmers then modify and add software to this as part of their product personalization. So what you end up with is something much different than the Android came out of Google (and Android security isn't great to begin with). So my next questions would be:



I was aware of this, but didn't see the impact.

Isn't this much like what most of the PC makers do?? They lease a copy of WIN xx and them modify it to fit their machine. They do so much that you can't take a store-bought retail copy of WIN xx and install it.

This is one of my major bitches about IBM & Dell. In the case of IBM Thinkpads, you can generally re-install from the ghost partition. Dell sometimes gives you a copy of the serialized OS unique to your system,, sometimes not..

It goes way back, When we released the early versions of DOS, within a couple months there were four or five companies making their own DOS,, including MS & Gates..

I guess I just assumed business as usual.. :mad:

Isn't this much like what most of the PC makers do?? They lease a copy of WIN xx and them modify it to fit their machine. They do so much that you can't take a store-bought retail copy of WIN xx and install it.

You should be able to use a retail copy of WIN and then run Windows update to get most drivers. Anything more specialized is usually in the downloads/support section of the PC's maker.

That T61 is a laptop worth keeping. Tough, solid, reliable as you know. Fewer and fewer laptop models are being built like that. I'm still using a T42 as my pack around laptop in addition to various other PCs and some Macs. It was built in 2004 and is still using all it's original parts. I'm running Ubuntu Linux 10.04 LTS on it now which has really unchoked its meager Pentium M.

Win->Linux conversions have been a popular and ever growing part of my workload for the last few years as various distros have become more refined and more non-CLI inclined user friendly.

I was aware of this, but didn't see the impact.

This is one of my major bitches about IBM & Dell. In the case of IBM Thinkpads, you can generally re-install from the ghost partition. Dell sometimes gives you a copy of the serialized OS unique to your system,, sometimes not..

It goes way back, When we released the early versions of DOS, within a couple months there were four or five companies making their own DOS,, including MS & Gates..

I guess I just assumed business as usual.. :mad:



It was more consistent then (the actual OS, not command.com which is a command processor) and was licensed from MS whom purchased it from an accomplished assembly programmer. They would just stamp it with their company names, normally this was only done to command.com, the 'user interface'. I reversed engineered its core which was well built. It was a much smaller ethical community back then.

I tried to stay away from the Linux ;) It is a solid OS which I use daily. But I manually compile it from source (mostly Gentoo and CentOS) for server platforms without a pretty interface, like the DOS prompt. From my perspective it is the only one which should be used for mission critical high performance computing (SunOS used to be. HPux is close).

Linux adds issues in complexity and compatibility. The former less so with distributions that ES 96 mentioned, Ubuntu. It will though put the WIN platform to shame in performance, reliability, and flexibility. It also will not run most WIN software (WINE, a WIN emulator has gotten better but has issues).

If you're just going to use business apps on it (and up to some reading and bumps) Linux is not a bad choice and has some pretty interfaces. There's even a full blown business app (Like MS-OFFICE) that was developed by Sun Micro systems (now Oracle) that's pretty damn good. It is able to share and create documents that are compatible with MS-OFFICE. I use both. GIMP is another useful example, almost as good as Photoshop, and all free...(at least money wise)

As with most things computer and life, the cost and benefits must be weighed carefully for your situation.

PS. Mr. Furious, I know how these little machines can drive a person nuts and pos's just add to it. Glad you found it helpful.

Funny, Contractors for the most TS Gov Defense contracts use XP. This must be for the home user to block his IP physical address?

Funny, Contractors for the most TS Gov Defense contracts use XP. This must be for the home user to block his IP physical address?

Your first statement depends on several factors which I won't comment on here.

The IP question: The purpose of WIN 7 (or ugh vista) is it protects a little more what is coming and going to your IP; and more importantly what this traffic is able to do (or not) to your system. Like read files and execute programs. The other steps outlined encrypt as well as obfuscate any traffic even more. Making it even more difficult for your data to be compromised.

Your physical IP comes from the modem or router the ISP gave you and is generally determined by the devices or your PC's MAC address. The MAC address is kinda like an electronic serial number.

Hope that helps some.

Funny, Contractors for the most TS Gov Defense contracts use XP. This must be for the home user to block his IP physical address?

Win XP PRO is still the OS of choice. My kids work at Northrop-Grumman and they have been told they can not use any OS other than XP PRO and Blackberry phones

I was aware of this, but didn't see the impact.

Isn't this much like what most of the PC makers do?? They lease a copy of WIN xx and them modify it to fit their machine.


Yep, same thing. And Windows 7 may be a castle, but the vendor throws rope ladders all over everything with cheap labor programmers. Even worse, the vendor often adds stuff into an operating system's kernel space, which is an area exempt from most of an OS's security (as opposed to the more secure user space, which is subject to more security layers).



They do so much that you can't take a store-bought retail copy of WIN xx and install it.


It depends on how savvy you are. I always erase a new PC and put a clean install back on, but I have Microsoft developer licenses to do so. Often a vendor only provides you with a crapware Windows image to restore from. I avoid using vendor-provided drivers and try to get them all from Windows Update (Microsoft), if possible.

I don't install any software, drivers, or browser plugins unless I trust the provider.


This is one of my major bitches about IBM & Dell. In the case of IBM Thinkpads, you can generally re-install from the ghost partition. Dell sometimes gives you a copy of the serialized OS unique to your system,, sometimes not..



Lenovo (formerly IBM) Thinkpads generally have decent quality software loads. Their engineers seem better than the rest of the crowd. Dell is very hit and miss in terms of quality and trust.

My main computing platform is Mac OS X these days (though I use Windows 7 about equally). Mac OS X isn't really any more secure than Windows 7 and is arguably less secure (mach_inject, and the highly dynamic nature of Objective C, the language used to develop many Mac apps; neat but a liability). In reality though, there are fewer criminal eyes examining Mac OS X for vulnerabilities, so there are fewer attacks. And I prefer the Mac/UNIX base.

I can keep both platforms pretty secure, but it involves major tradeoffs. If Windows were UNIX, I'd probably jump ship to Windows 7 ;)

For those interested in Windows security, I highly recommend the Windows Internals book by Russinovich (http://goo.gl/qPL81, which is outdated, but a W7 version is about to be released), and the NSA guides (http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml)

There aren't really any good up-to-date sources for Mac OS X security or Linux, it's all just kind of scattered. Anything by Greg Kroah-Hartmann or James Morriss (of the NSA's SELinux fame) is gold, though.

Funny, Contractors for the most TS Gov Defense contracts use XP. This must be for the home user to block his IP physical address?

But Windows 7 is much more secure. I imagine they stick to XP, because it is known, tested, and they have an extensive set of existing procedures & computer policies (both physical and Group Policies). I don't think it's a wrong choice at all.

In computer security, it takes just one little slip up...

#