[personal profile] thorfinn

If you use a computing device that is not maintained by a corporate IT department, you need to know that your device is likely vulnerable to security issues. It doesn't matter whether it's a Mac, a Windows PC, a Nokia Phone, an iPhone/iPad, an Android phone, a Windows Mobile, a Linux laptop, an XBox or Playstation, all computing devices have security issues from time to time. What does differ a little is how quickly they get fixed, and how quickly you can find out about them and install the fix, and the type and scale of problems, but really, the take home message is that all computing devices have security issues.

If you own a device that connects to the Internet in any way (and pretty much everything does now), then you have a device that can potentially be hacked by any random other person on the Internet. If that happens, you are really stuffed. Your computer (or phone, or whatever) will be used to conduct all kinds of illegal activities (like hacking other people, sending spam, etc), and all your personal data can be made public, leading to identity theft, online banking theft and worse.

Ultimately you, as the end user, need to be informed. If you don't even know that your computer/phone/games console/whatever might have a security problem, that means it is sitting there waiting to be hacked and controlled by someone else.

The first place you should be looking for timely information is a known security updates publisher. For normal people, I highly recommend the Australian Government's Stay Smart Online Alert Service (AusCERT, funded by the Australian Government) and the US CERT Non-technical users page.

US CERT and AusCERT also have much more detailed alerts, which are more focused at professional systems administrators than for "normal" people. If you have the time and inclination, I recommend AusCERT.

I know those security updates may look daunting and confusing for many people, especially ones not involved in the IT industry. Please, really, really, take the time to learn enough to understand what the security updates mean and how to take appropriate action, and get informed about the computing devices you use, at least enough to know how to update your Operating System and any Software you use. Use Wikipedia to search out any terms you don't understand, ask around any computer geeks you know for help. We want you to stay safe, I promise.

The main things you need to care about on any given security alert are:

  1. Does it apply to you (does the Operating System match one you use, and/or is it about Software you use)?
  2. Do you need to do anything (is there an "update your software here" link in the update, or other instructions)?

If the answer to both of those is yes on any given security alert, then please, go and update whatever needs updating. If you don't, your computer will remain vulnerable to a known security exploit - which means that at some point in time, your computer will eventually be hacked by some bad person, leading to all the issues above.

So please, for your own safety, Be Alert, not Alarmed. The world needs more lerts.

Edit: This post was originally written before the existence of the Stay Smart Online Alert Service, which was launched shortly afterwards. The post has been edited to recommend that non-IT experts go there first, rather than directly to US/AusCERT.

(no subject)

Date: 2010-02-16 03:27 (UTC)
From: [personal profile] subtle_eye
I'm genuinely curious as to how you think sending consumers to a resource aimed at IT security professionals is going to help.

Do you think every motorist should read the "Journal of the Australasian College of Road Safety" to work out which car they should be buying? Do you think RACV safety ratings are insufficiently detailed?

How is having people reading a fire hose of incomprehensible trade talk that if the IT industry wasn't so fail, they wouldn't *need* to care about, going to help?

All major device/OS vendors have automatic patch downloading these days.
The problem is, most people have learnt to have 'The Fear'.

"If I change anything on my computer (including applying the security patches that have been downloaded) then it will catch fire in a way I don't understand, and my computer will become a paperweight"

Which means they make the (to them) perfectly rational decision to live with the risk of an insecure computer, to avoid the risk that patching will break said computer. It doesn't take many reports of patching gone horribly wrong to reinforce this evaluation.

Yes this situation sucks. But contrast upgrading the firmware on your iPhone vs Microsoft Patch Wednesday.

(no subject)

Date: 2010-02-16 06:57 (UTC)
From: [personal profile] subtle_eye
If you're providing instructions on how to edit the Windows Registry, you have ceased to target consumers.

I still think CERT are much closer to the Trade Journal than the RACV Safety Reports.

IDEA: Choice Magazine (or similar) sell a subscription service where people who know how to write for Real People(tm) filter the stream of Security Updates

(no subject)

Date: 2010-02-16 09:34 (UTC)
From: [personal profile] subtle_eye
Choice idea was hopeful wishing, unforch.

Unfortunately, the market for Security Products continues to be a poster child for the "Market for Lemons"

(no subject)

Date: 2010-02-16 05:26 (UTC)
From: [personal profile] anthologie
I think you mean, "...not managed by a corporate IT department... OR DEVIN." :)

(no subject)

Date: 2010-02-16 06:01 (UTC)
From: [personal profile] tangent_woman
On the AusCERT site, it seems that the information pertinent to me is behind a pay-wall. Oh well.

(no subject)

Date: 2010-02-16 08:49 (UTC)
From: [personal profile] tangent_woman
Well. I will be your nuffy home-computer user feedback provider for today.

Today's sample at AusCERT is clearly a poor one for a Linux user, as the only two alerts affecting Linux are "AusCERT member only content".

The US CERT site looks generally informative, though.

Heh. Your whole post brings to mind the difference between LiveJournal and Dreamwidth:

On LJ, brightly coloured, flashing pop-ups tell you your computer has security risks and try to get you to buy a subscription to fake antivirus software which is malware.

On DW, sincere, if exasperated, IT gurus post entries telling people their computer has security risks and try to get you to subscribe to an RSS feed of genuine alerts.

(no subject)

Date: 2010-02-16 07:25 (UTC)
From: [personal profile] rbarclay
claims to have superseded AusCERT ("thank you for the work, now begone, evil unpolitical spawn of shaitan" is what I read between the lines) for national CERT matters.

How much that's going to be worth in the real world I don't know, they're neither connected well internationally (not even FIRST members) nor do they have much useful information on their website.

Registering for email alerts

Date: 2010-02-23 04:13 (UTC)
From: (Anonymous)
Thought I'd give the Stay Smart Online email alerts a spin. The registration page asks for a "Memorable Phrase" to be included in all emails that they send to me, so that I know that

The memorable phrase is not secret information that requires protection in the way that your password created above needs to be kept secret. The memorable phrase will be used by us and included in any Stay Smart Online Alert Service or Advisories that we send to you via email. The memorable phrase will be unique to you. It is a way of checking that the email Alert or Advisories you receive from us are authentic, ie were sent to you by us.

so that

If you receive an email that claims to be from us as part of the Stay Smart Online Alert Service and it does not include your memorable phrase, then it is not genuine and should not be trusted.

Their very first email, the confirmation email, did not include the memorable phrase. Some kinks to be worked out methinks.

Now who to report it to.
