If you use a computing device that is not maintained by a corporate IT department, you need to know that your device is likely vulnerable to security issues. It doesn't matter whether it's a Mac, a Windows PC, a Nokia phone, an iPhone/iPad, an Android phone, a Windows Mobile device, a Linux laptop, an Xbox or a PlayStation: all computing devices have security issues from time to time. What does differ a little is how quickly they get fixed, how quickly you can find out about them and install the fix, and the type and scale of the problems. But really, the take-home message is that all computing devices have security issues.
If you own a device that connects to the Internet in any way (and pretty much everything does now), then you have a device that can potentially be hacked by any random other person on the Internet. If that happens, you are really stuffed. Your computer (or phone, or whatever) will be used to conduct all kinds of illegal activities (like hacking other people, sending spam, etc.), and all your personal data can be made public, leading to identity theft, online banking theft and worse,
Ultimately you, as the end user, need to be informed. If you don't even know that your computer/phone/games console/whatever might have a security problem, that means it is sitting there waiting to be hacked and controlled by someone else.
The first place you should be looking for timely information is a known security updates publisher. For normal people, I highly recommend the Australian Government's Stay Smart Online Alert Service (AusCERT funded by gov.au) and the US CERT: Non-technical users page.
US CERT and AusCERT also have much more detailed alerts, which are aimed more at professional systems administrators than at "normal" people. If you have the time and inclination, I recommend AusCERT.
- Stay Smart Online Alert Service (AusCERT funded by gov.au)
- US CERT: Non-technical users page
- Stay Smart Online (Australian Government)
- US CERT
- US CERT RSS Feeds and Mailing Lists
- AusCERT
- AusCERT RSS Feeds
- AusCERT National Alerts Mailing List
I know those security updates may look daunting and confusing for many people, especially ones not involved in the IT industry. Please, really, really, take the time to learn enough to understand what the security updates mean and how to take appropriate action, and get informed about the computing devices you use, at least enough to know how to update your Operating System and any Software you use. Use Wikipedia to look up any terms you don't understand, and ask any computer geeks you know for help. We want you to stay safe, I promise.
The main things you need to care about on any given security alert are:
- Does it apply to you (does the Operating System match one you use, and/or is it about Software you use)?
- Do you need to do anything (is there an "update your software here" link in the update, or other instructions)?
If the answer to both of those is yes on any given security alert, then please, go and update whatever needs updating. If you don't, your computer will remain vulnerable to a known security exploit - which means that at some point in time, your computer will eventually be hacked by some bad person, leading to all the issues above.
So please, for your own safety, Be Alert, not Alarmed. The world needs more lerts.
Edit: This post was originally written before the existence of the Stay Smart Online Alert Service, which was launched shortly afterwards. The post has been edited to recommend that non-IT experts go there first, rather than directly to US/AusCERT.
(no subject)
Date: 2010-02-16 03:27 (UTC)
Do you think every motorist should read the "Journal of the Australasian College of Road Safety" to work out which car they should be buying? Do you think RACV safety ratings are insufficiently detailed?
How is having people reading a fire hose of incomprehensible trade talk that if the IT industry wasn't so fail, they wouldn't *need* to care about, going to help?
All major device/OS vendors have automatic patch downloading these days.
The problem is, most people have learnt to have 'The Fear'.
"If I change anything on my computer (including applying the security patches that have been downloaded) then it will catch fire in a way I don't understand, and my computer will become a paperweight"
Which means they make the (to them) perfectly rational decision to live with the risk of an insecure computer, to avoid the risk that patching will break said computer. It doesn't take many reports of patching gone horribly wrong to reinforce this evaluation.
Yes this situation sucks. But contrast upgrading the firmware on your iPhone vs Microsoft Patch Wednesday.
(no subject)
Date: 2010-02-16 06:25 (UTC)
And whilst OS vendors generally do auto-patching, an awful lot of software vendors don't. And yes, the contrast between iPhone OS and App updating vs Microsoft Patch Wednesday is rather huge - that's part of the point.
My other point is that if you are using a computer that isn't professionally administered (by someone who is reading CERT, etc), you actually do need to know. CERT and AusCERT are the actual direct equivalent of RACV safety reports. You, as the consumer, need to know this sort of information, if you intend to stay safe.
Yes, it sucks that the average consumer needs to read CERT to get useful security information. Unfortunately, they actually do need to know this stuff, and it's not something they should just ignore. If you have a more useful site for ordinary people, then I'd like to hear about it. AFAIK, there isn't one.
(no subject)
Date: 2010-02-16 06:57 (UTC)
http://www.us-cert.gov/cas/alerts/SA10-013A.html
I still think CERT are much closer to the Trade Journal than the RACV Safety Reports.
IDEA: Choice Magazine (or similar) sell a subscription service where people who know how to write for Real People(tm) filter the stream of Security Updates
(no subject)
Date: 2010-02-16 07:11 (UTC)
And I note that that alert mentions a whole bunch of other things to do, most of which are more comprehensible to end users.
Regarding your idea - do Choice actually sell such a service? I can't see anything obvious on their website that is specifically relating to timely notification of computer security updates and how to apply them. I like the idea of it, but I'm not aware of any actual such service.
(no subject)
Date: 2010-02-16 09:34 (UTC)
Unfortunately, the market for Security Products continues to be a poster child for the "Market for Lemons"
http://en.wikipedia.org/wiki/The_Market_for_Lemons
(no subject)
Date: 2010-02-22 07:21 (UTC)
Announced today. :-)
(no subject)
Date: 2010-02-16 08:49 (UTC)
Today's sample at AusCERT is clearly a poor one for a Linux user, as the only two alerts affecting Linux are "AusCERT member only content".
The US CERT site looks generally informative, though.
Heh. Your whole post brings to mind the difference between LiveJournal and Dreamwidth:
On LJ, brightly coloured, flashing pop-ups tell you your computer has security risks and try to get you to buy a subscription to fake antivirus software which is malware.
On DW, sincere, if exasperated, IT gurus post entries telling people their computer has security risks and try to get you to subscribe to an RSS feed of genuine alerts.
(no subject)
Date: 2010-02-22 07:21 (UTC)
Announced today. :-)
(no subject)
Date: 2010-02-16 07:25 (UTC)
How much that's going to be worth in the real world I don't know, they're neither connected well internationally (not even FIRST members) nor do they have much useful information on their website.
(no subject)
Date: 2010-02-16 07:45 (UTC)
US CERT is probably the best go to location anyway.
(no subject)
Date: 2010-02-22 07:21 (UTC)
Announced today. :-)
Registering for email alerts
Date: 2010-02-23 04:13 (UTC)
The memorable phrase is not secret information that requires protection in the way that your password created above needs to be kept secret. The memorable phrase will be used by us and included in any Stay Smart Online Alert Service or Advisories that we send to you via email. The memorable phrase will be unique to you. It is a way of checking that the email Alert or Advisories you receive from us are authentic, ie were sent to you by us.
so that
If you receive an email that claims to be from us as part of the Stay Smart Online Alert Service and it does not include your memorable phrase, then it is not genuine and should not be trusted.
Their very first email, the confirmation email, did not include the memorable phrase. Some kinks to be worked out methinks.
Now who to report it to.
Loom