windows xp
Posted by: ken c on 19 September 2004
my daughter bought an hp zt3000 notebook some time ago. nice pc, but a bit frustrating with the problems we have been having with XP Home.
the pc came with a security update which we were advised to install before logging on to the net, for obvious reasons. we were also advised to install windows updates, which we did -- this was the beginning of a long headache. you see, the windows updater kept telling us that there are some updates available, but it turns out there were the same updates being installed over and over again (could see this from control panel add/remove programs). we also tried to install Norton AV, but this introduced its own problems --- basically every time i opened it to set it to do live updates automatically, the Norton window would simply close down.
OK, i thought, better wait for SP2 on CD and try again. when this came, couldn't install it --- whenever i tried, the installation would simply abort at various places without any explanation.
anyone had any of these or similar problems with XP home? how did you get around them?
many thanks...
enjoy
ken
Posted on: 25 September 2004 by John Sheridan
quote:
Originally posted by long-time-dead:
................ I'm off to buy shares in Apple.....
why? Do you think macs incorporate some sort of magic o/s that (a) can't be hacked and (b) doesn't require secure passwords (not that it would surprise me if you did)?
Posted on: 26 September 2004 by matthewr
Cliff,
It's not a personal attack but rather a responsible statement I believe is supported by the facts. To wit, you have claimed expertise on an important subject and offered advice and I have questioned your competence on the basis of the numerous errors you have made and suggested that your advice be viewed accordingly. I haven't, for example, called you names, cast aspersions on your character, or made stuff up about you.
"for anyone else reading this, Matthew's point about password security being 99.9% of the security in a user and password set up is complete bollocks"
It's not "complete bollocks" at all, although the details of this specific point (which I'll address shortly) are not nearly as important as the general point about the quality of your statements. Specifically, that once again you made a bald, over-simplistic statement which, despite being based on a grain of truth, demonstrates how you only half understand basic concepts of computer security and is potentially misleading to anyone reading this thread and wishing to learn about security (Now that was a decision they came to regret).
"A good cryptic user ID plus a strong password is n times as good as a strong password on its own"
The user ID is the public (in the technical not literal sense) means of identifying the user. It is not treated as secret information by design (they are in plain text on the screen, they appear on print outs, mail addresses, etc) or by the user. As such no well designed security system would rely on it for any part of its security and you should design your security as if a potential attacker already knows this information.
The password is, of course, the aspect of user identity that carries the security. And being so fundamental to security, good practice requires it adhere to certain standards. One of these standards is length where we typically require enough characters so that the password is not vulnerable to brute force attack.
Hence, in any well designed security system, user ids effectively provide no component of the security which instead resides almost completely in the password. This is why most computer systems have user ids based on people's names -- if it's not part of security you might as well make it easy to remember and use for all sorts of reasons.
Or, to put it another way, if you need cryptic user ids to ensure security then the real issue is that you need longer passwords.
Matthew
Posted on: 26 September 2004 by ken c
just a quick update on my daughter's pc's health.
i reformatted hard disk -- took a while as it is a whole 60gigs. then re-installed XP base from the CD supplied by HP, then installed drivers. then i checked <winver> and found out that what i thought was XP base was actually XP SP1.0a.
then i went straight to SP2. this installed smoothly. no funny error messages like "scmc.exe has encountered a problem, please click here to report this problem to microsoft".
then i installed CA eTrust antivirus -- this also installed without problems. the pc came with norton av 2004, but i wasn't comfortable to install this, although i suspect would have been OK. then i installed WebRoot spy detector.
then went on the net -- and live-updated the antivirus and spysweep.
when i went to the windows update web site, i was happy to see that there were no critical updates, just one to do with GDI+ detection tool. i recall having problems with that last time -- probably because the pc was in a poor state anyway. the advice i obtained from microsoft help was to disable antivirus and firewall for a while while downloading and installing this GDI+ tool. i am not too comfortable doing that -- given how quickly this pc apparently got infected last time.
i am using the XP firewall right now, but given what i have heard about h/w firewalls, i might get one.
i find the virus/spy and the general computer security scene quite depressing. paying for things like antivirus and spy detectors smacks of paying "protection money", with all its criminal connotations -- feels like around 1920 all over again.
thanks a lot for all the help guys.
the ongoing debate on strong vs weak p/w has made me review my p/w -- so this was useful. the rest is over my head...
enjoy
ken
Posted on: 26 September 2004 by Mike Hughes
Cliff,
I think it's you and I who should be out for a drink sir. Mine's a 1664 too. Not only have you stolen even more words from my mouth re: Matthew and F&PS, you have done so in exemplary fashion.
Still, we both know that Matthew is right... because he says he is and that's that eh!!!
Mike
PS: I really don't recommend a pissing contest after 1664. Now after Slim Fast Cafe Classe or Mocha - that's a whole different ball (ahem!) game. Omigod, I've turned into Berlin Fritz!!!
Posted on: 26 September 2004 by matthewr
Cliff,
Every single time you post you just confirm more and more the impression that you do not know what you are talking about with regard to security. You are, on evidence of this thread, absolutely incapable of posting on this subject without making major errors. Your most recent post was, once again, full of half truths, misinformation and lots of spectacular missing of the point.
I posted detailed and specific objections to your last statement (and, indeed, others) and you replied with yet more inaccurate and misleading information that completely failed to address the problems I identified in your previous post.
Mike,
Almost everything Cliff has posted on this subject has been flat wrong. I strongly suggest you pick your allies more carefully in the future as your endorsement of Cliff's catastrophic misunderstandings further undermines your already dubious position on the subject.
Anyway, I have had enough of this.
In summation:
Cliff has consistently demonstrated in this thread his lack of understanding of basic issues of computer security. I have provided extensive, detailed arguments justifying this view and Cliff has completely failed to address them.
In short, I think I can say without fear of credible contradiction, that Cliff is not someone who should be relied upon for advice relating to computer security.
I think my views are easily confirmed from reading this thread.
Matthew
Posted on: 26 September 2004 by matthewr
"Matthew what a fucking arse you truly are!"
<Rests case>
Posted on: 26 September 2004 by matthewr
I expect them to supply cogent and believable reasons as to why my charge is unfounded. Rather than just spouting foul mouthed abuse.
Matthew
Posted on: 26 September 2004 by Berlin Fritz
Mick'll sort it aat for yer Matt me old Son.
G.G.v: XpProchinesecarcrashes
Posted on: 26 September 2004 by matthewr
Cliff said "Who on earth do you think you are Matthew
"I expect them to ..."
Who are you? the forum god?
My comment was an obvious direct response to your question about "what do you expect". To quote it out of context like this is, quite frankly, pathetic.
"Clearly it's you that know nothing about security, because"
No clearly it's you because you have consistently said things that are wrong. I have never claimed to be an expert, but clearly know more than you because I am able to point in excruciating detail why you are wrong. Critiques for which you apparently have no answers.
"Passwords account for 99.9% of the security"
You again selectively quote me out of context in a manner that would likely make anyone reading this think you are either disingenuous or else a complete idiot. I'm sorry if this upsets you but it's an unavoidable conclusion of your consistent and repeated idiotic responses to my perfectly reasonable points.
"Nobody secures a system against penetration from the internet (or for that matter via a phone line) using just passwords. That's plain not true."
It's also not remotely what I said and you know it. However, by contrast, you have consistently demonstrated that you do not understand something as basic and fundamental as password security. Read over the thread. Your repeated errors, my dismantling thereof and your failure to effectively answer my critiques are all readily apparent.
"You have not given one compelling reason to believe that I am not right about security"
Correct. I have given many more than one compelling reason to be very sure that you are not right about security.
"For example. XP SP2 allows you to flag messenger as an exception or not to communicate with the internet"
I've no idea why you suddenly brought this up again, but suffice it to say that once more you are displaying your ignorance.
"Do you really believe that a program wanders around the internet randomly hacking open ports to see if messenger is running and then asking it to log on"
Yes. Programs absolutely do randomly wander around the internet by scanning large numbers of IP addresses looking for certain open UDP and TCP ports on which Messenger runs. And if such programs do find Messenger running they can (in unpatched systems) exploit buffer overrun vulnerabilities in Messenger to install various trojans and completely compromise your system.
"Messenger logs on to the Messenger server and is PREVENTED FROM DOING THIS IF YOU UNCHECK THE EXCEPTION ALLOWED TAB."
Almost right. It's not "Messenger" that you are worried about logging on -- it's malicious code that is looking to compromise your machine.
Matthew
Posted on: 26 September 2004 by matthewr
"1. You can't get a virus by connecting an XP machine to the internet within 10 minutes - in his word bollocks"
I apologised for saying bollocks. I noted that this was not my recent experience with Windows. I gave advice that to be sure you need to patch things appropriately before connecting to the net.
"2. Passwords form 99.9% of the security in a user/password set up
-> Assuming they're the same length and use the same sort of cryptic form, I make that 50:50"
Which is wrong for the detailed reasons given before. Like I say you are incapable of making a post without making your ignorance more obvious.
3. XP performs no Egress checking
-> SP2 adds to what was already there (user configurable port filters) with an option to allow certain programs to contact and receive response back from the internet (eg Messenger, F&PS, Remote Desktop etc)
XP2 provides no egress filtering -- see the previous quotes and links (including Cliff's own) for comprehensive evidence of this.
"4. Patterson is incompetent on all aspects of security
-> See above posts on recommended security techniques and real world examples and judge for yourself"
I agree.
"5. Hackers can't read clear text passwords in netbios datastreams"
I didn't say that -- I said that in a situation where your LAN is compromised by a packet sniffing attack network shares are likely the least of your worries.
6. Norton antivirus is utterly useless
I simply said that I had stopped using Norton after numerous problems. And that other people have had similar experiences.
7. Posting your own password methodology on the internet is a means to validate it
-> Well I would agree if nobody uses the information to hack back into your PC. But to me it's like Ford publishing the spec for how it makes the security on its ignitions and waiting for the first car thief to nick one before changing it.
Again you demonstrate your complete lack of understanding of this issue. Refer to previous posts for details.
8. Matthews password methodology is what "everyone" on the best sites on the internet recommends.
-> Cryptic passwords are good, but only in an encrypted datastream, otherwise you can find them next to the datastream/packet header with a big arrow marked PASSWORD
Again you are talking nonsense. People not on my network do not have access to plain text datastreams from my LAN. If they do it's not problems with passwords causing this situation.
9. Matthew says "I am not a security expert by any means"
Well Matt, that's one thing I agree on.
I make no claim to deep expertise. I am more than willing to concede mistakes and errors I might make and to acknowledge that many, many people know much more about this than me.
"10. The website http://www.grcsucks.com/ is full of helpful advice on "hysteria" about security
-> As far as I can see it's just a nigh on libellous attack on Steve Gibson, but if it helps Matt secure his PC, good luck to him."
It's an extensive, detailed and well documented critique of Steve Gibson's output over a number of years. If it's libellous presumably he might sue.
"11. Scope ID makes netbios really secure by making the pcs and shares invisible (a "fact" he gets from the following website incidentally http://cable-dsl.home.att.net/netbios.htm#ScopeID"
> This assumes that all other PCs hacking into the network are MS PCs with compliance to the use of scope ID. Since netbios and Wins are broadcast based, the data "MYPC" with share "MyCdrive" is sent out regularly on the lan, and anyone with a PC, C++ (for example) and an ethernet card can hack it. There's also a bit of software on my Ipaq that can see scope ID secured shares without having the scope ID entered on it.
Again you are using the fact that the LAN has been severely compromised to the extent that a third party can read the datastream to make your point. It's just not true to say "anyone with an ethernet card" can hack it -- they require physical access to your network or a major flaw in other aspects of your security.
Can you use your iPAQ to read the names of my shares on my LAN? I bet you a million pounds you can't despite your repeated assertions that my use of F&PS is insecure because attackers can read my plain text datastream.
"So you now agree that XP does more egress checking under SP2 than before"
NO! It doesn't do any. At least according to all the quotes and links on this thread.
"At no point have I said XP SP2 does full egress"
I said it does no egress blocking. You said this was "simply not true". I still maintain it does no egress filtering based on the third party evidence quoted in this thread.
"XP does however allow you to block the ports that these Trojans use on the way out to "phone home", so even XP V1 had some kind of egress protection."
Windows Firewall does not allow you to close those ports unless it's being very, very coy about it.
Matthew
Posted on: 26 September 2004 by ErikL
A few questions on security:
Should I worry if, for example, my investing account login and password is the same as my web-based email account login and password?
Are there "special" things I, as a security novice, can/should do with my firewall settings to block evil bastards of the Internet? Beyond what the firewall already does with basic settings, I guess.
I remember reading how to turn off something in "Services" (?) to better protect from MSN Messenger intrusions, is that right?
I run Win2k. Thanks.
Posted on: 27 September 2004 by matthewr
Ludwig,
"Should I worry if, for example, my investing account login and password is the same as my web-based email account login and password?"
Absolutely. You should use different passwords for all your accounts. If you accidentally tell that freshman design student your hotmail password in a bit of loose pillow talk you don't want her grabbing your carefully constructed off-shore portfolio the minute you tell her "It's not you, it's me".
"Are there "special" things I, as a security novice, can/should do with my firewall settings to block evil bastards of the Internet? Beyond what the firewall already does with basic settings, I guess."
Just follow the instructions that come with your software. Most of them start very tightly screwed down and you add exceptions as things don't work.
"I remember reading how to turn off something in "Services" (?) to better protect from MSN Messenger intrusions, is that right?"
There is a service called Messenger which, by default, used to open various network ports. This was then used both by spammers to create certain types of popup spam message and hackers who used it to exploit a particular vulnerability in Messenger to compromise your machine.
This vulnerability was patched a long time ago and messenger (at least in this sense) is no longer at risk from this as long as you are up-to-date with your windows update patches.
Also, as you have a firewall then, as long as this is blocking the appropriate ports (which it almost certainly is) then messenger is safe from all conceivable forms of attack. To be 100% sure you can still disable it in Services since it's unlikely you need it at all.
"I run Win2k"
Lots of the security improvements in XP SP2 are not available in W2K. This is an excellent reason to upgrade to XP2 at some point, especially if you have concerns about security.
Matthew
Posted on: 27 September 2004 by Mekon
Matthew - is this article claiming we should switch to passphrases hysteria?
Posted on: 27 September 2004 by Martin D
Patrick
That's exactly the problem I have at work, and why I end up writing them down as I just can remember them.
Martin
Posted on: 27 September 2004 by pingu
Hi chaps
its my first post
It's been very interesting reading through this thread, and knowing a bit about security I thought I might say:
I agree with Matthew that Scope ID plus a long cryptic password is better on netbios & File and Printer sharing than having no password at all, but I also agree with Cliff that it's old technology largely superseded by other methods of securing systems and data, and netbios is easily hacked.
Clearly (Martin and Mekon) long passwords are hard to remember, and although I disagree with Cliff a bit (he is right that a cryptic user/password is stronger than plain text user and cryptic password) - however if you sign on to multiple computers too many cryptic user IDs given to you by the administrators is even harder to remember. My internet trading password is of a 10 alphanumeric cryptic form and very hard to remember so I secure it in my Ipaq with fingerprint recognition.
Lastly Cliff's point about XP SP2 being better on securing outgoing connections, is probably not very clear from his wording, but I too have seen the message (program XXX is trying to access the internet, do you want to keep blocking it?) So think Cliff needs to explain his wording a bit better and the testers site Matthew has referred us to need to do more testing IMHO.
[This message was edited by pingu on Mon 27 September 2004 at 10:43.]
Posted on: 27 September 2004 by sideshowbob
Everyone should use strong passwords, and preferably should use software to generate them, something like:
http://www.webattack.com/get/wmpwgen.shtml
For internet security and home use, it doesn't really matter if you write down all your passwords on a Post-It note and stick it to your monitor, since the point for most people is to prevent remote access by script-kiddies, rather than physical access by somebody actually sitting down in front of your monitor and keyboard.
Doing this one thing alone makes you much less vulnerable to brute-force dictionary attacks.
On the question of turning off unused services, and using a decent firewall to block all unused ports, I'm all for it. Even code that hasn't yet exhibited vulnerabilities may, in fact, be vulnerable, so the less that's running on an internet-connected machine the better.
-- Ian
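As an added illustration of the generated-password advice in the post above (example code, not from the thread and not the linked tool): the Python sketch below draws passwords from the operating system's CSPRNG, computes their entropy (about 59.5 bits for a uniformly random 10-character alphanumeric password like the one mentioned earlier in the thread), and checks whether a human-chosen password is just a dictionary word with the usual tweaks. The function names and the word list are constructed for this example.

```python
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols

# Constructed sample word list; a real audit would load a large dictionary file.
SAMPLE_WORDLIST = {"password", "dragon", "monkey", "letmein", "sunshine"}

# Common "leet" substitutions that password choosers apply to dictionary words.
LEET = str.maketrans("0134578@$!", "oleastbasi")
STRIP_CHARS = string.digits + string.punctuation


def generate_password(length=16, alphabet=ALPHANUMERIC):
    """Draw each character independently and uniformly from the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a password whose characters are chosen uniformly at random.

    This figure only applies to generated passwords; a human-chosen password
    of the same length is far more predictable.
    """
    return length * math.log2(alphabet_size)


def is_dictionary_derived(password, wordlist=SAMPLE_WORDLIST):
    """True if the password reduces to a dictionary word once common tweaks
    are undone: case changes, digits or punctuation stuck on either end,
    and leet substitutions."""
    lowered = password.lower()
    stripped = lowered.strip(STRIP_CHARS)
    candidates = {
        stripped,
        stripped.translate(LEET),
        lowered.translate(LEET).strip(STRIP_CHARS),
    }
    return any(candidate in wordlist for candidate in candidates)


if __name__ == "__main__":
    for candidate in ("Dr4g0n2004!", "$unshine", generate_password(16)):
        verdict = "dictionary-derived" if is_dictionary_derived(candidate) else "not in dictionary"
        print(f"{candidate!r}: {verdict}")
    print(f"10 random alphanumerics: {entropy_bits(10, 62):.1f} bits")
    print(f"16 random alphanumerics: {entropy_bits(16, 62):.1f} bits")
```
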
Posted on: 27 September 2004 by ken c
can one upgrade a win2000 m/c to XP?? i have a dell inspiron 7500 running windows 2000 pro, upgraded from windows 98 last year. the sticker on the m/c says "designed for win200, win NT w/s 4.0 and win 98 -- which sort of answers my question -- unless there is more to it than this...
enjoy
ken
Posted on: 27 September 2004 by matthewr
Mekon -- That's quite an in-depth article and on a brief reading I'd disagree with a lot of what he says. However, I recommend you consult a security expert about what it all means.
Cliff -- I see little point in continuing as basically I have described what I believe to be errors on your part in detail several times and you respond either by changing the subject or by claiming I didn't provide detailed reasoning even though I very obviously did. Despite all this you continue to repeat what I believe to be false or misleading statements (e.g. "I say that in a user/password login the security provided is 50% by each component"). It's all there should you choose to read it.
"You state that again I know noting about security"
I think you have made a number of statements containing basic errors on fundamental issues of security and have given detailed reasons why.
I am sorry you don't like my posting style. I like to think that I argue my case robustly and passionately without resorting to personal attacks.
In contrast, you have littered this thread with personal attacks and digs at me ("Or perhaps you don't know how to find that tab" in your latest post) culminating in you calling me a "fucking arse". Although, to be honest, I am less bothered by this than by your habit of, AFAICT, deliberately and maliciously misrepresenting what I say to create frankly pathetic straw man counter arguments (e.g. "You advocate reading a website as a source of security information when all it does is rubbish someone elses opinions about security", "you claim XP does not support packet filtering", etc.)
Patrick -- The more secure an application the more you should care about password security. I use highly secure passwords for things like my online banking, my root level administrator accounts, etc. For one time signups to websites, temp mail accounts, etc. where I don't really care if it gets hacked, I use a small number of moderately secure passwords. And so on. Any good security consultant will take into account the level of security appropriate to your particular case and advise accordingly.
Martin -- It's obviously better to not write them down, but if you must then at least secure the password somewhere. There is a world of difference between a password in a firesafe and one on a post-it note on your monitor. I also agree with Ian that a strong password even written down is better than a weak password as the main threat is not from people who can read your post-it notes. Obviously you should never write down passwords for things like online banks.
You can also try writing hint phrases that allow you to recover your password without actually writing it down, IYSWIM.
Ken -- "can one upgrade a win2000 m/c to XP??", Yes. Upgrading from Win2k to XP is generally straightforward. It's certainly easier than going from 95/98/ME to Win2k.
Matthew
Posted on: 27 September 2004 by Tarquin Maynard - Portly
quote:
Originally posted by Matthew Robinson:
I expect them to supply cogent and believable reasons as to why my charge is unfounded. Rather than just spouting foul mouthed abuse.
Matthew
And Matthews first post on the issue.....
Spending money I don't have on things I don't need.
Posted on: 27 September 2004 by Tarquin Maynard - Portly
quote:
Originally posted by Matthew Robinson:
"Sounds like you have a virus"
Does it? Which virus causes the symptoms Ken is experiencing?
"The average time to infection on a WinXP system is about 5-10 mins when connected to the Internet"
Bollocks.
"Matthew
Pot, kettle, black...
OK Bollocks is not TOO rude...
Regards
Mike
Spending money I don't have on things I don't need.
Posted on: 27 September 2004 by matthewr
I am not sure why you chose to stick your oar in at this point, Mike, but for completeness sake you should probably have included my subsequent apology:
"Maybe bollocks was a bit strong and I was in a bad mood, so for that I apologise"
Also, to be pedantic, it was a foul mouthed, arbitrary and unfair dismissal of someone's point and not foul mouthed abuse.
To compare this to calling someone a "fucking arse" *after* agreeing to stop the previously extensive name calling is unwarranted in my view.
Matthew
Posted on: 27 September 2004 by Mike Hughes
Cliff,
Sadly (?) I am not based in London but, if you're ever "oop north" let me know. Always nice to meet a Naimie. I had planned a trip down South to see Tom Waits but a lack of tickets scuppered that one!!!
quote:
I make no claim to deep expertise. I am more than willing to concede mistakes and errors I might make and to acknowledge that many, many people know much more about this than me.
Now then, just for a laugh, I also offer another pint to someone who can find a thread where Mathew has actually done the above - ever!!!
Friends, family and employees of the said Mr. Robinson are excluded from this competition for fear they may endlessly argue that they are right and have been quoted out of context.
Now then, I think I have this figured out.
Someone makes a point.
Mathew disagrees with some element.
Someone points out that Mathew is wrong or has misinterpreted what was originally said.
Mathew disagrees and claims that, au contraire, tis he who has been misinterpreted.
Mathew then goes on to make several new points that totally ignore the main point of the thread.
Someone is stupid enough to point this out by reference to explicit detail.
Mathew claims he has been quoted out of context.
Mathew then claims someone said something that they patently did not.
Someone gets understandably very angry and unbelievably frustrated.
Mathew apologises for some small element and tries to be conciliatory whilst effortlessly inserting some small comment that might politely be described as either "intentionally provocative" or "willfully stupid".
Mathew takes us back a minimum of two pages whenever anyone asks him to be specific. Mathew believes that "this is true because I believe it and here is someone else who does too" is specific.
Rest of forum guffaw and silently mouth the words "Are you Stallion in disguise?" whilst trawling through pages of this guff.
I love this thread!!!
Mike
Posted on: 27 September 2004 by matthewr
Mike,
If you are going to take the trouble to post a lengthy diatribe on the subject of my behaviour you might at least do me the courtesy of spelling my name correctly.
Matthew
Posted on: 27 September 2004 by pingu
Hi Matthew
this is getting entertaining. What exactly are your objections to Cliff's post of "Mon 27 September 04 09:45"
I think he might just have you banged to rights.
cj
Posted on: 27 September 2004 by pingu
quote:
Originally posted by ken c:
can one upgrade a win2000 m/c to XP??
ken
Hi Ken
I upgraded 5 dell PCs at my wife's office recently with no problems. I recommend you take some kind of backup (preferably Norton (sorry Matthew) disk copy if you have a spare hard drive) before you start, just in case