Archive for the 'Best Practices' Category

Published by Jon Copas on 09 Feb 2008

Why I don’t Use Anti-Virus

In order to explain fully why I do not use any kind of anti-virus on my personal computer, I must explain a bit about the way things used to be and the way they are now. This story is roughly chopped into three pieces: ‘The way things were’, ‘The way things are’ and ‘OK, so anti-virus is almost useless, what do I do?’

‘The way things were’

Most of us are our family technicians; we are the people that set up Mom’s surround sound. When spyware/adware started to get bad we would get the call to come and take care of a friend’s computer. Often the computer would be spontaneously popping up ads and slowly chugging along, hogging what little bandwidth the dial-up had. Along comes the tech friend with a few minor tools like HijackThis and a boot disk and hunts down the offending executable.

The old method for malware writers was a game of hide and seek. Without getting into too much technical detail, there are a large handful of places to hide something to make it run at boot on a Windows system. Hiding a request to make some code start up and obfuscating the where and the how is all malicious software could manage. In those days anti-virus software was very handy most of the time because it was trivial to remove most problematic programs when they were found. The scanning software did not need to be too fanatical about things since most badware really wasn’t that bad.

In the old days of bad software the payload was often something trivial, funny, or annoying but rarely if ever truly malicious. The Whale Virus filled your hard drive up by replicating itself zillions of times. The Yankee Doodle Virus made your internal speaker play the song for which it was named relentlessly. Most virus writers were not bad people, and the few that were bad people knew that when a virus obliterates the system it is on, it no longer has that system under its control and can no longer replicate itself.

At this time I recommended and sometimes even used anti-virus software.

And then things changed…


Published by Jon Copas on 30 Jan 2008

My E-Mail Solution

E-Mail addresses are today’s de facto communication method. It’s how we keep in touch with friends and co-workers, so it is important that your e-mail address says what you want it to say about you. Reading something more into an e-mail address is something we all do; if you see an @yahoo.com address on a business card it better be from someone who works at Yahoo.

Below is how I handle e-mail. It may not be the best way but it has worked well for me for several years. This is how you can have a nearly unlimited number of e-mail addresses and only ever have to check one.

  1. Get a domain name. I use 1and1 for all the hosting I need and don’t have the means to do at home. You can get your domain name and e-mail forwarding, and that is all you need for this, starting at $1 a month (50% off for the first 3 months). I even host this site and many others at 1and1. I have a “my first and last name.com” and a nice domain name with my family name in it specifically for e-mail reasons.
  2. Set up a master account. The address is unimportant since you won’t be giving it out to anyone, but what is important is the interface. I prefer a Gmail account; it is free, has a wonderful interface and uses its massive member database to detect spam e-mail amazingly well. With a nearly limitless number of e-mail addresses pointed at your master address, a powerful spam filter is important. I hardly hear a whisper of spam on my master account.
  3. Set up your forwards. In the 1and1 control panel (as with most other providers) you can set up a *@DomainName.com e-mail address to forward to your master e-mail address. This will send all mail to that domain to the master account.
  4. Set up your FROM address. Gmail will allow you to set up multiple “Send As” addresses. Go to Settings > Accounts > Send Mail As. I set up an Admin@, Webmaster@, me@ and so on for the various domains, so I can send mail as any prefix on a domain I own that I want to at that time.

This entire process should take no more than an hour and should be very easy to do.

What’s the upside?

  • Being able to tell anyone your e-mail address is TheirName@YourName.com is cool and gets fun looks. People tend to remember that kind of thing.
  • Giving a specific address to a site you register for allows you to keep track of who sold you out to a spam list. If a forum asks you to register you can give it the address ForumName@YourName.com and be able to back that up with an authorization response.
  • If a specific address starts getting an abundance of unblocked spam you can always set up a filter to block that address.
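The leak-tracking idea in the list above, as an added example that is not part of the original post: it reads saved spam messages, recovers which per-site address each one was sent to, and lists the aliases that have attracted enough spam to be worth filtering. The domain `yourname.example`, the choice of headers, the threshold and the sample messages are assumptions constructed for illustration.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

MY_DOMAIN = "yourname.example"  # assumption: stands in for YourName.com

# Headers that may carry the address the mail was originally sent to.
# Which of these survive a catch-all forward depends on the provider (assumption).
RECIPIENT_HEADERS = ("Delivered-To", "X-Original-To", "To", "Cc")


def alias_for(raw_message):
    """Return the local part at MY_DOMAIN the message was addressed to, or None."""
    msg = message_from_string(raw_message)
    for header in RECIPIENT_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            local, _, domain = addr.rpartition("@")
            if local and domain.lower() == MY_DOMAIN:
                return local.lower()  # aliases are matched case-insensitively
    return None  # e.g. Bcc'd mail with no usable recipient header


def leaked_aliases(spam_messages, threshold=2):
    """Count spam per alias; aliases at or above threshold are filter candidates."""
    counts = Counter(a for a in map(alias_for, spam_messages) if a)
    return {alias: n for alias, n in counts.items() if n >= threshold}


# Constructed sample messages (not real mail).
SAMPLE_SPAM = [
    "From: deals@bulk.example\nTo: ForumName@YourName.example\n"
    "Subject: Cheap pills\n\nhi",
    "From: win@lotto.example\nTo: undisclosed-recipients:;\n"
    "Delivered-To: forumname@yourname.example\nSubject: You won\n\nhi",
    "From: x@y.example\nTo: shop@yourname.example\nSubject: Offer\n\nhi",
    "From: z@y.example\nTo: someone@elsewhere.example\nSubject: Misc\n\nhi",
]

if __name__ == "__main__":
    for alias, n in leaked_aliases(SAMPLE_SPAM).items():
        print(f"{alias}@{MY_DOMAIN}: {n} spam messages")
```

The second sample shows why `To` alone is not enough: bulk mail often hides the recipient list, so the alias has to come from a delivery header when one is present.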

If you don’t have the desire to go through the above, services like 10 Minute Mail and BugMeNot offer a quick, easy and perfectly acceptable solution to the spam address problem. But I like my way a lot better.

Published by Jon Copas on 26 Jan 2008

Passwords - [Best Practices] [Vol. 1]


To keep our things secure we need to understand how someone might circumvent our security; knowing how a lock works or how a lock might be defeated is step one in securing our things. Digital security is no different: we must understand how the “lock” works and how someone might “break” it to make it secure.

I have found over recent years that very intelligent, rather technically minded people often have no idea how passwords work. Much of what we know about passwords is wrong and the math behind what makes a good password is a total mystery to us. A few years ago this didn’t matter at all to people and unfortunately it often still does not. As a result our passwords are awful, for the most part, easily guessed and instantly brute forced.

So, why aren’t all corporate networks cracked open instantly by the millions of attackers across the globe constantly beating on our Linksys networks? What I call the ‘eggshell effect’: the hardening of the outside of the network has softened the inside. Network Address Translating routers have become the standard. I won’t go into how they work in depth, but they cut a lot of the noise out of our home and office networks and kept a lot of attacks out. This is great; unfortunately it allows us to become complacent. Since NAT routers protect us from all sorts of “outside” attacks, zero day exploits don’t send the technical department scrambling anymore. Network administrators take care of the security holes whenever they get around to it. This means that when someone does get in (and they will) the chance of a major incident is very high.

This situation has allowed the network administrators to go lax on security, not keeping up to date in their education or practice. The first security best practice I will be going over is the weakening of passwords. The ‘eggshell effect’ has made us less interested in internal network security and therefore our passwords have gotten worse. Computing power is doubling around every two years; with multiple cores and distributed computing networks, the power available to your attacker, the yield of number crunching, is far outpacing Moore’s Law.