Is your computer security up-to-date?

Fril Estelin

So Serious...

Join Date: Jan 2007

London

Nerfs Are [WHAK]

E/

Note to everyone: sorry for the long "tirades" of my replies, I don't want to hijack this thread by imposing my point of view, feel free to disagree. This thread is all about discussion, not about setting the perfect security rules in stone. Everyone can contribute!

(edit: maybe I shall define what "contribute" means, rather than having to see lots of +1 coming?)

I'll try my best to make it live so that people can benefit from it, but it's ultimately a community effort. Security FTW!

Esan

Jungle Guide

Join Date: Jul 2007

Wars

Are you using enough boldface text to scare yourself silly?

No, thanks, I play GW on wine and don't care what the Windows sploit of the day is.

Darkobra

Forge Runner

Join Date: Aug 2006

Scotland

Type like an idiot, I'll treat you like an idiot

E/Me

Crap Cleaner is a brilliant tool. Glad you added it up there.

For those that don't know, it's a brilliant cache cleaner and registry tool cleaner. Anything you've ever uninstalled in the past tends to have registry keys left behind. Crap Cleaner can find those and delete them for you.

enxa

Krytan Explorer

Join Date: Sep 2006

Novi Sad, Serbia

Rt/

Quote:
Originally Posted by Fril Estelin
Added as new question 7:

7) Do you regularly clean your browser and application data (such as caches, saved passwords)? (weekly)
Look at the very useful tool CCleaner for this job.


More: does every one know the command "Clean Private Data..." in the Help menu of Firefox? You can use it every time you close Firefox by going into the Options, then Privacy and at the bottom in the "Private Data" category you'll find the "Always clear my private data when I close Firefox" (which can be tweaked with the button next to the option).
No, I don't use external programs for cleaning data.

Firefox is set to always clear private data when it closes though, don't want my brother starting it up and finding out that I'm a regular visitor of gay-serbia.com ... lol

Tyla

Emo Goth Italics

Join Date: Sep 2006

No to all of them.
My computer won't let me do anything without it crashing all the time anyway, I had to get a laptop for usage on the internet.

Chthon

Grotto Attendant

Join Date: Apr 2007

Quote:
Originally Posted by Fril Estelin
1) Do you have an antivirus and a firewall running at all times (even when playing games)?
I might add a "1.5) and a hardware firewall/router serving as a hardware firewall?" (And, if it happens to be a wireless router, have you disabled the wireless capabilities or done X, Y, and Z to secure it?)

Quote:
3) Do you run regularly anti-spyware software, such as Lavasoft AD-Aware and Spybot Search&Destroy (S&D)? (weekly or monthly)
I recall reading an article that compared various anti-spyware programs and discovered that none of them catch much more than 60% of what all of them together are able to catch, and most caught much less. The ultimate conclusion was that you need at least 2 anti-spyware programs to get decent coverage, and even then you'll have gaps.

I also have to admit that I only have one and I rarely run it. In my arrogance that "oh no, I am NOT a dumbass user who gets spyware" I'm not as careful as I perhaps should be.

Quote:
4) Do you regularly update your Operating System and all applications? (possibly using the automated features such as Windows Automatic Updates)
Windows update on manual. One experience with "Windows Genuine Advantage" deciding that your copy of windows isn't legit can provide more than a life-time's worth of aggravation. I'm also not a huge fan of the .NET framework updates that break each other if installed in the wrong order.

Quote:
7) Do you regularly back-up your sensible data?
"Sensitive data" perhaps? None of my self-generated data is "sensible."
Good advice though.
I might also add that the very best way to protect extremely sensitive data is not to put it on the computer in the first place.


Some other odds and ends:
  • A few folks have mentioned Firefox. I have to agree. I suppose Opera's fine too. IE just has waaay too many unpatched vulnerabilities.
  • Quote:
    Originally Posted by Etta
    Would "Stop going to the porn sites" help as well?
    I know you meant that as a joke, but it is a serious point, though it would perhaps be better rephrased as "don't visit sites that have a high likelihood of being malicious" or "don't be a dumbass user."

    It would be interesting to try to compile a resource on how to know which sites to stay away from. Not a simple list, mind you, but something that captures the method to determine if a site is untrustworthy.
  • Some sort of anti-phishing advice probably belongs here too.
  • It's maybe too much to ask of some users, but, "Are you keeping track of your start-up group?" I would strongly recommend:
    • First, find out which processes your computer is running on startup and what they do.
    • Second, eliminate the unnecessary ones.
    • Third, keep a list of the start-up processes that you've OK'ed.
    • Fourth, each time you install something new, check to see if it added itself to the start-up group, and either remove it or add it to your list.
    • Fifth, periodically check the start-up group for new entries that aren't on your list. Alarm bells should ring if you find one.
    Not only does this give you a heads up when anything short of a rootkit installs itself, but it also tends to greatly improve your PC's performance by removing a lot of crap that sucks resources without doing anything useful for you.

Lastly, GOOD THREAD!
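
The start-up checklist in the post above (keep a list of approved entries, then periodically look for anything that is not on it) written as a small script. This is an added example, not code from any poster in the thread: the function names and the sample entries are constructed, the registry reader works only on Windows, and only the two Run keys are covered.

```python
"""Compare the current start-up entries against an approved baseline."""
import sys

# Per-user and machine-wide Run keys. Other autostart locations (Startup
# folder, services, scheduled tasks) are outside the scope of this example.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def read_run_keys():
    """Return {"HIVE\\name": command} from the Run keys (Windows only)."""
    import winreg  # standard library, available only on Windows
    entries = {}
    hives = (("HKCU", winreg.HKEY_CURRENT_USER),
             ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    for label, hive in hives:
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue  # key absent or not readable by this user
        with key:
            value_count = winreg.QueryInfoKey(key)[1]
            for i in range(value_count):
                name, command, _type = winreg.EnumValue(key, i)
                entries[f"{label}\\{name}"] = str(command)
    return entries


def normalise(command):
    """Drop quotes, collapse whitespace and fold case, so that purely
    cosmetic rewrites of a command line do not raise an alert."""
    return " ".join(command.replace('"', "").split()).lower()


def diff_startup(approved, current):
    """Return (new, changed, missing) relative to the approved list.

    new     - entries that were never approved (step five: alarm bells)
    changed - approved name, but it now launches a different command
    missing - approved entries that are gone (e.g. a disabled AV tray)
    Registry value names are case-insensitive, so names are folded.
    """
    approved = {k.lower(): normalise(v) for k, v in approved.items()}
    current = {k.lower(): normalise(v) for k, v in current.items()}
    new = sorted(set(current) - set(approved))
    missing = sorted(set(approved) - set(current))
    changed = sorted(k for k in set(current) & set(approved)
                     if current[k] != approved[k])
    return new, changed, missing


# Constructed sample data: the list the user approved earlier ...
APPROVED = {
    r"HKLM\AntiVirus": r'"C:\Program Files\ExampleAV\avtray.exe" /startup',
    r"HKLM\Firewall": r"C:\Program Files\ExampleFW\fw.exe",
    r"HKCU\ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
# ... and a constructed snapshot taken during a later periodic check.
CURRENT = {
    # Same command, different quoting and case: not reported.
    r"HKLM\AntiVirus": r"C:\Program Files\ExampleAV\avtray.exe  /STARTUP",
    # Approved name, but it now points somewhere else: reported as changed.
    r"HKCU\ctfmon.exe": r"C:\Temp\ctfmon.exe",
    # Never approved: reported as new.
    r"HKCU\Updater": r"C:\Documents and Settings\user\upd.exe",
}

if __name__ == "__main__":
    snapshot = read_run_keys() if sys.platform == "win32" else CURRENT
    new, changed, missing = diff_startup(APPROVED, snapshot)
    for label, names in (("NEW", new), ("CHANGED", changed),
                         ("MISSING", missing)):
        for name in names:
            print(f"{label:8} {name}")
```

Comparing the command as well as the name matters because an entry can keep a familiar name while pointing at a different executable.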

Fril Estelin

So Serious...

Join Date: Jan 2007

London

Nerfs Are [WHAK]

E/

The NCsoft security FAQ is fairly good and has some basic security advice:
http://www.plaync.com/us/support/doc...ml?p_faqid=993

Quote:
How do I protect myself from viruses?

Unfortunately, there is no way to get 100% protection from all past, present and future viruses. Security companies are constantly playing catch up, as computer criminals change their code in old viruses to make them undetectable, and invent new ways and code structures to get into your system. All you can do is your very best to protect your computer and your private information. Some ways to protect yourself include:
  • Always have updated anti-virus software actively running on your computer.
  • Before installing or running executable files (i.e.: joke.exe files or mini games) sent to you -- even by your friends -- ask yourself, "How badly do I want to see this? Is it worth it?"
  • Run virus scanning software on any files you are about to install.
  • Update your operating system often with the latest updates concerning security or vulnerability issues.
  • Acquire back door scanning software that can detect and remove spyware and/or Trojans. Spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties, including hackers.

What else should I be aware of?

One of the features in Windows 95, 98, NT, 2000, and XP is the ability to share your files with other computers. Whether these computers are on a local area network or on the Internet, you should always make sure you are very careful about file sharing. If you have enabled file sharing, you should always make sure to password protect your hard drives.

You should NEVER go away from your computers (also known as "afk," for "away from keyboard") while your character is in the game world. People that play in game rooms should be especially careful of this. Even turning your back for a minute or dashing away while a "trusted friend" watches your game can have disastrous effects in some cases.

Additionally, if you play in game rooms, you should be especially careful of people that watch over your shoulder when you log into the game. It is possible that someone could watch you type your login name and password and then guess what it is. This could happen even if they don't see the actual characters you type.

SUMMARY

How do I protect my computer system from being hacked or accessed by others without my permission?
  • Install a firewall on your system.
  • Install a port monitor.
  • Never accept files from people you do not know and trust.
  • Avoid downloading programs from unfamiliar sources.
  • Avoid downloading programs from sources that do not provide some way of reaching them should something with the download go wrong.
  • Install a virus scanner; keep it active on your system and ensure you always have the most up-to-date virus scanning files.
  • Run the virus scanner on files received prior to installing or executing them.
  • Never give your account password (or any other passwords, for that matter) to anyone.
  • Change your account password at least once every three months.
  • Use a complicated password structure (number, extended characters and mixed case) at least seven characters long.
  • Use caution when giving out your instant message ID(s).
  • Use caution when accessing instant message and chat programs.
  • Do not name your characters the same as your user name or login ID.

The Meth

Desert Nomad

Join Date: Jan 2007

R/

1-4. No, I just do a full update of everything and a scan once every week or so. Do have a firewall, of course (who seriously wouldn't?)
5. Yes, that's the best protection: not doing stupid things.
6. On things that actually matter to me, yes. I will tell you though, my password for half the sites I have registered for is 12345, and I honestly don't care if you got into them.
7. Yes
8. I don't see how that's related to computer security, that's closer to redundancy in case of computer failure, but yes I do.


Something to add: if you are using Firefox, download the NoScript addon. It will block all scripts on a site (which malicious sites could be using to potentially harm your computer just by visiting it) and can easily be temporarily or permanently toggled on and off for specific sites in case you need to access something. It's very quick, easy to use, and non-intrusive, which are very important qualities to me.

Edit: Also do most of the things Chthon listed, along with the "In my arrogance that "oh no, I am NOT a dumbass user who gets spyware" I'm not as careful as I perhaps should be.". I am obsessive-compulsive over things that like to load at startup.
Quote:
Originally Posted by Fril Estelin
Apparently not on this website
Nice of you to check

Fril Estelin

So Serious...

Join Date: Jan 2007

London

Nerfs Are [WHAK]

E/

Quote:
Originally Posted by The Meth
6. On things that actually matter to me, yes. I will tell you though, my password for half the sites I have registered for is 12345, and I honestly don't care if you got into them.
Apparently not on this website

Quote:
8. I don't see how that's related to computer security, that's closer to redundancy in case of computer failure, but yes I do.
It's not if you think in "classical" terms. Nowadays "availability" is seen as an important property, if your data is "unavailable" due to a hard disk crash or a server DDoSed, you can't do much.

Quote:
Something to add: if you are using Firefox, download the NoScript addon. It will block all scripts on a site (which malicious sites could be using to potentially harm your computer just by visiting it) and can easily be temporarily or permanently toggled on and off for specific sites in case you need to access something. It's very quick, easy to use, and non-intrusive, which are very important qualities to me.
Agree, but it requires to check the scripts disabled because from time to time some sites don't work anymore.

@Chthon: thanks for the excellent advice, I'll try to factor it into information (I'll mention phishing and in-game scams). (P.S.: I haven't forgotten our discussion, just put it on hold)

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

Great post, honestly. Though in my opinion you omitted one of the top notch security/preventative measures. The best preventative/security is knowledge/education. If you don't know about something you're downloading or how it works, you most likely should not download/run it.

I hope you don't mind if I share some knowledge and experience.

The absolute best form of keeping your computer safe in two easy steps is:
  1. Never give out any information of any kind out online.
  2. Only download files from trusted websites (the manufacturer) and use SSL whenever possible for registrations.

1. Sure, to some this may sound like overkill, but you don't know who it is you're talking to. Any e-mail address can be spoofed with ease. No company is going to ask you for your password(s) or other personal information. If you have to log in to access support, then they already have access to all of the information they need. Another good saying is, "If it's too good to be true, it usually is." It's common with scams or even offers for freebies.

The same goes for online friends. Even if you know that person in reality, you should never disclose any information online. Not even IM network protocols are secure. However, there are exceptions. Pidgin uses encryption such as OffTheRecord which helps to keep people from spying on you. But that won't stop a keylogger.

For example, your password reminder question is about your favorite movie. Someone in your guild chat or IM list strikes up a chat with you about movies, then talks about favorites. You may not notice how easy it is to slip and disclose the answer to your email's secret question.

I have seen people on these very forums who claim to be "white hats" in terms of security. Claiming they know how to hack your MSN/WLM with your email address. (Yet when challenged they can't do it or provide any information that proves their claims!)

2. As far as downloading from trusted sources such as the manufacturer, I can present a perfect example as of this post, just see my starred item below*.

There are also downloading websites such as FileHippo, Download.com and several others that are very trustworthy for downloading programs. McAfee SiteAdvisor is also a good way to check and see if the website is safe, but beware of false positives, like how they said that WinAntiVirusPro.net is a safe website.

Many manufacturers/developers and download websites are offering MD5 hashes to help you verify that you are getting an unaltered download. This is extremely beneficial and I honestly hope to see it catch on.

----------

Above all else, you should do your best to keep your computer secure and up to date. This can be done by checking for updates manually every Patch Tuesday (the second Tuesday of each month when Microsoft releases Windows Updates) or by using Automatic Updates. Be sure you have installed all of the hotfixes and that you keep all the software on your computer up to date.

There are alternative browsers that can also help to prevent malware. Firefox and Opera, because they do not use ActiveX. Maxthon and several others are just IE Shells which change the appearance but use Internet Explorer's core for browsing.

Updating to Internet Explorer 7 is a great idea. Even though this version has broken several programs that rely on the IECore (McAfee for example) when IE7 was first released, it really was a good thing. Sure, that might sound like a wild thing to say, but think about it. This forces these companies to update their programs which in turn enhances your security.

Internet Explorer 7 fixed a multitude of vulnerabilities and issues. Because Internet Explorer is integrated into Windows itself, by updating from Internet Explorer 6 to version 7, you're updating the IECore and many other components that your computer heavily relies upon. Internet Explorer 7 has a very useful addon called IE7Pro which enhances the IE7 browser by adding more functionality and security.

From the IE7Pro website:
IE7Pro includes Tabbed Browsing Management, Spell Check, Inline Search, Super Drag Drop, Crash Recovery, Proxy Switcher, Mouse Gesture, Tab History Browser, Web Accelerator, User Agent Switcher, Webpage Capturer, Flash Block, Greasemonkey like User Scripts platform, User Plug-ins and many more power packed features. You can customize not just Internet Explorer, but even your favorite website according to your need and taste using IE7Pro.

When it comes to Internet Explorer, I highly recommend using SpywareBlaster (also for Firefox) and IESpyAds. Completely avoid using any toolbars in Internet Explorer because they attach to your Internet Explorer, and your Windows Explorer which also uses the IECore. So if you have problems that make your computer crash or behave oddly, it can often be a toolbar.

The first post in this topic mentions using CCleaner and using it weekly. There is an option to "Run CCleaner when the computer starts" (Found at Options > Settings) and you may want to check "Close program after cleaning" (Found at Options > Advanced).

As mentioned in the first post, use a secure password. I have heard that having no password on your computer can actually be better than having one. This is because most people simply use "password" or a very easy to guess/crack password. Even using the password hint to plainly state the password. Yeah, that's real secure.

I'm pretty much rehashing much of what I have already stated in my wiki about PC Security.

If you'd like to read my wiki article, you can do so by visiting:
http://wiki.lunarsoft.net/wiki/PC_Security


----------

*Microsoft has released Service Pack 3 for Windows XP to OEMs on April 21st, 2008. This was leaked onto several torrent sites. Many people are scrambling and downloading these torrents and using them on their computers. THIS IS ILLEGAL! If anyone remembers AutoPatcher and how they received a takedown notice, this is a similar issue. Redistributing hotfixes and service packs released from Microsoft violates the EULA.

Microsoft has released SP3 to TechNet/MSDN Subscribers on April 22nd, 2008. A lot of people think they received the official final version, but they have not. The Softpedia link does NOT have the final English package. Softpedia has labeled it as final, but it is Build 3311. They aren't the actual/official RTM released package.

If you have to get a "free" service pack from Microsoft from a torrent/torrent website and not download.microsoft.com, then common sense tells you that it's NOT AVAILABLE YET.

When Service Pack 3 has been officially (and legally) released, you will be able to get it directly from Microsoft's website!

----------

@Inde - try Firefox Safe mode. If you still encounter issues try a clean install of Firefox. Delete your profiles after backing up your bookmarks.
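
Checking a download against a published hash, as mentioned in the post above, written out as an added example (not code from any poster). It accepts either a bare hex digest or an md5sum-style line and picks the algorithm from the digest length; the function names and file names are constructed for illustration.

```python
"""Verify a downloaded file against the digest its publisher lists."""
import hashlib
import hmac
import string

# Length of the hex digest -> hashlib algorithm name.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_checksum_line(line):
    """Parse 'digest', 'digest  name' or 'digest *name' (md5sum style).

    Returns (lowercase_digest, name_or_None); raises ValueError if the
    first field is not hexadecimal.
    """
    digest, _, name = line.strip().partition(" ")
    name = name.lstrip(" *") or None
    if not digest or any(c not in string.hexdigits for c in digest):
        raise ValueError(f"not a hex digest: {digest!r}")
    return digest.lower(), name


def file_digest(path, algorithm, chunk_size=1 << 20):
    """Hash the file in chunks so large installers do not fill memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published):
    """Return (matches, algorithm) for the file at `path`.

    `published` is the text copied from the publisher's page. Raises
    ValueError if it is malformed or its length fits no known algorithm.
    """
    digest, _name = parse_checksum_line(published)
    algorithm = ALGO_BY_HEX_LEN.get(len(digest))
    if algorithm is None:
        raise ValueError(f"unrecognised digest length: {len(digest)}")
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual, digest), algorithm


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: verify.py FILE 'PUBLISHED_DIGEST_LINE'")
    ok, algo = verify_download(sys.argv[1], sys.argv[2])
    print(f"{algo}: {'OK' if ok else 'MISMATCH - do not run this file'}")
    sys.exit(0 if ok else 1)
```

A digest published next to the download catches a corrupted or altered copy from a mirror, not a compromise of the site that publishes both. MD5 is no longer collision-resistant, so use the SHA-256 value when one is offered.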

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

Quote:
Originally Posted by Fril Estelin
This is an urban myth, most AV companies know how to deal with other "serious" AVs (I hate the magazines with "free security suites" based on free AVs which add nothing to what other AVs can do). It's not necessary at all, unless you have very sensible stuff on your comp, but it works.

As Ctb said, Firefox is a good first step (I'd also advise plugins like NoScript) but you need to be very careful all the time, but not paranoid. And be careful about email addresses, they sometimes look very similar.

(today in the BBC news, they announced that UK Internet Fraud amounted in 2007 to 500 millions pounds)
Actually, fenix is correct. Having more than one anti virus is very well known to cause a multitude of issues. The two (or more) tend to conflict with each other, especially when a virus is found that both know of. It's not a pretty sight and it does cause more problems than it's worth.

Fril Estelin

So Serious...

Join Date: Jan 2007

London

Nerfs Are [WHAK]

E/

Quote:
Originally Posted by Tarun
I hope you don't mind if I share some knowledge and experience.
You wrote a brilliant post, really nice! But I wonder whether it'll be understandable to the security "layman". As for Ctb, I'll try to factor out the best into the OP. I can already see disagreements with the host file. It was bound to happen, as the technics of security is an obscure domain spawning so many situations.

(Re 2 A/V, I'm not convinced in general, in particular as I run 2 A/Vs myself, but that does not seem like an important topic.)

Saraphim

Jungle Guide

Join Date: Mar 2006

The Hand of Omega [WHO]

E/

1) Yup

2) Yup, and boy does it annoy me when I get lag in the middle of a big fight.

3) Both, haven't really come across anything better than those two.

4) I don't use Auto updates as it can be pretty annoying to have Microsoft reboot my machine if I'm running long renders overnight. So I have it set to inform me of updates and download, then I'll run them.

5) Pretty much. Certainly can't think of any that are potentially dodgy. I rarely download free apps unless they're well known and useful.

6) I favour the 'headbutt the keyboard' approach. I'd throw the cat at it, but I don't have one.

7) Yup


8) Hmm.. I haven't had great success with optical media over the years, so I tend to back up to an external drive.


9) Not that much I suppose. There's only the two of us and our machines are networked and protected. I have been known to lecture the odd friend about it, usually after the event.

Sir Pandra Pierva

Forge Runner

Join Date: Apr 2007

Sardelec yelling at Tenshi

Angels Of Strife

E/

Has anyone tried the ghost hard drive anti virus software?


I don't remember the name but that is the newest thing and as of right now you can't mess up your computer as long as you clean out the hard drive every once in a while.
If something goes wrong clean the ghost drive and laugh

Chthon

Grotto Attendant

Join Date: Apr 2007

Quote:
Originally Posted by Fril Estelin
As for Chthon.... I can already see disagreements with the host file. It was bound to happen, as the technics of security is an obscure domain spawning so many situations.
Don't think I mentioned anything about the hosts file, did I?

----

@Inde: It seems that you don't like giraffes. Oh the poor giraffes!

Fril Estelin

So Serious...

Join Date: Jan 2007

London

Nerfs Are [WHAK]

E/

Quote:
Originally Posted by Chthon
Don't think I mentioned anything about the hosts file, did I?

----

@Inde: It seems that you don't like giraffes. Oh the poor giraffes!
Sorry, it was Ctb!

~ Dan ~

Forge Runner

Join Date: Dec 2006

D/

Quote:
Originally Posted by Fril Estelin
1) Do you have an antivirus and a firewall running at all times (even when playing games)?
Indeed I do.

2) If so, are they automatically and regularly updated? (daily to hourly)
Automatically which is generally daily.

3) Do you run regularly anti-spyware software, such as Lavasoft AD-Aware and Spybot Search&Destroy (S&D)? (weekly or monthly)
Yes (been meaning to check out that Spybot, too..)

4) Do you regularly update your Operating System and all applications? (possibly using the automated features such as Windows Automatic Updates)
Windows Automatic Updates here.

5) Do you make sure that applications you install can be "trusted" (whatever this exactly means, e.g. you read reviews in a professional magazine or a reliable website, a knowledgeable friend recommended it to you, it's a paying app with customer support, etc.)?
See for example the list of 3rd party app that Anet lists:
http://wiki.guildwars.com/wiki/Guide...-game_graphics
Yes, I make sure they can be trusted. However, on the rare occasion I need to download something that can't be found on a trusted website, I take the risk. I have faith that the Trojan (if any) will be found.

6) Most importantly, do you have strong passwords and do you make sure not to use the same passwords for different site/applications?
To test your password strength, try these sites:
I don't use very strong passwords (such as () instead of O and the like) - keep them simple so I can easily remember them, but always with letters/numbers. However, I do have different passwords for different things.

7) Do you regularly clean your browser and application data (such as caches, saved passwords)? (weekly)
Look at the very useful tool CCleaner for this job.
Used to clean cookies and things every day, but have been getting lazy.. still run every scan possible on a weekly basis. TuneUp Utilities > CCleaner.

8) Do you regularly back-up your sensible data? (monthly)
Never have done.
Answers bolded.

DarkFlame

Desert Nomad

Join Date: Feb 2005

Ascalon

E/

1. Yes
2. Yes
3. Yes
4. Yes
5. Yes
6. Yes
7. Yes
8. I regularly delete my "sensible data"
9. I kick them off and install/upgrade whatever they lack for them.

Alleji

Forge Runner

Join Date: Jan 2006

I have an antivirus and a firewall that update themselves. No need for a spyware checker or the "trusted software" crap if you know what you're doing and don't crawl around warez sites.

Snow Bunny

Alcoholic From Yale

Join Date: Jul 2007

Strong Foreign Policy [sFp]

Quote:
Originally Posted by fenix
NOD32 covers me for everything virus/firewall wise (although, haven't needed a firewall...), updates itself all the time etc etc.
I agree.

NOD32 is probably safer than the security used for nuclear weapons.

garethporlest18

Forge Runner

Join Date: Jan 2006

[HiDe]

W/

Quote:
Originally Posted by Snow Bunny
I agree.

NOD32 is probably safer than the security used for nuclear weapons.
Well then I'm gonna assume we're all doomed.

fenix

Major-General Awesome

Join Date: Aug 2005

Aussie Trolling Crew HQ - Event Organiser and IRC Tiger

Ex Talionis [Law], Trinity of the Ascended [ToA]

W/

Quote:
Actually, fenix is correct. Having more than one anti virus is very well known to cause a multitude of issues. The two (or more) tend to conflict with each other, especially when a virus is found that both know of. It's not a pretty sight and it does cause more problems than it's worth.
Yeah, I wasn't just saying it for the sake of saying it. I had that exact thing happen to me.

NOD32 and Avira both detected the same virus.
NOD32 quarantined the file.
Avira removed it from NOD32's quarantine to put it in its own quarantine.
NOD32 removed it from Avira's quarantine to put it in its own quarantine.

Rinse and repeat LITERALLY 30+ times. It was doing it so fast that I didn't have time to do anything, so I had to click like a ninja while mashing ctrl-alt-del to bring up the Task Manager to close Avira. Computer went booom for about 2-3 mins while it was happening haha.


Snow Bunny knows the score. NOD32 is pretty awesome. 49 (at least) awards for virus detection to date? Winsauce.

http://www.eset.com/company/awards.php

Maximumraver

Krytan Explorer

Join Date: Sep 2006

The Netherlands

Twisted Revenge [TR]

E/

1) Avira Antivirus, works great.

2) Yes.

3) Don't need it, deleting cookies once a month is enough (tracking cookies). Last time I checked I only had tracking cookies, last time I scanned before that was over 300 days before that.

4) Yes.

5) Yes.

6) My password is different for everything, passwords ranging from 13 to 27 characters.

7) Xcleaner once a year.

8) The most important thing on my pc is my music which is about 380 gb, no space to back that up.

9) Nothing, won't help. They will still download The Sims or whatever, even though it's a 70kb exe file, if you catch my drift.

MoriaOrc

Lion's Arch Merchant

Join Date: Feb 2007

I'll add answers to the new questions & clarify some other stuff I said earlier

7) Most of this is cleared by Firefox with the "Clear Private Data on exit" setting. My passwords are stored behind a master password, which must be entered to access them in any way.

8) I don't store sensitive stuff on my computer (partly because I don't have much sensitive information to store :P). What little there is, I store in one spot and back up occasionally (usually only if I plan on formatting a drive).

9) I do give good information when people ask for it. Many of my friends refer to me for "computer stuff" and I try to give them good advice, including security, in those cases.

Also, while I said I don't run AV/Anti-Mal stuff, I do have other security measures. I keep my network behind a router (which is a nice first step) which I make sure has sane security settings (Wireless encryption, disable UPnP because I'd rather set server ports myself, a few other roadblocks that should keep the neighbors off). I update my OS regularly. I have most "attack vectors" closed off by things like script white-listing (No-Script plug-in for FF is nice), sane use of email, and an inherent distrust for any link to a domain I don't know (or an obfuscated link like tinyurl).

I don't think this solution works for many people, so I recommend AV/Malware stuff for others who ask about it.

Kamatsu

Moderator

Join Date: May 2005

Australia

A note to all - if your post gets deleted, don't repost it. If you feel it was deleted in error or deserves to be undeleted, please PM a mod and/or supermod and it will get reviewed. Re-posting deleted posts will only end in the repost being deleted and you facing possible posting suspension.

Once more I will point you all to the Forum Rules ->

http://www.guildwarsguru.com/content...nes-id2030.php

Fril Estelin

So Serious...

Join Date: Jan 2007

London

Nerfs Are [WHAK]

E/

Discovered today that a new version of AVG will be out shortly, with a nice little inline verification of google links:
http://www.pcpro.co.uk/news/191172/a...s-scanner.html

Also a short security check offered by F-Secure (only works in IE):
http://www.f-secure.co.uk/healthcheck

If anyone knows a free nice "application and driver version tracking" program, let us know. Something like this one:
http://www.download.com/VersionTrack...-10223175.html

Lord Sojar

The Fallen One

Join Date: Dec 2005

Oblivion

Irrelevant

Mo/Me

1) Do you have an antivirus and a firewall running at all times (even when playing games)?

Behind a router and I am on a T3 which is auto firewalled via my ISP. So yes.

2) If so, are they automatically and regularly updated?

Router is static firewall, ISP takes care of other stuff.

3) Do you run regularly anti-spyware software, such as Lavasoft AD-Aware and Spybot Search&Destroy (S&D)?

Don't need to, I use Firefox.

4) Do you regularly update your Operating System and all applications?

I use Microsoft Update via their website. Auto updates is annoying.

5) Do you make sure that applications you install can be "trusted"?

I don't install anything that I don't know about, and considering my professional opinion trumps that of most people I know, I need not worry if things are trusted.

6) Most importantly, do you have strong passwords and do you make sure not to use the same passwords for different site/applications?

I use 64bit randomly generated passwords using a powerful algorithm. Good luck breaking them.

7) Do you regularly clean your browser and application data (such as caches, saved passwords)?

I use Firefox.

8) Do you regularly back-up your sensible data?

No, my computer's hard drives are kept under a very heavy maintenance schedule. I actually open up my HDDs and tune them up myself. Also, I have 6 different HDDs, 5 of which do not have an operating system installed, therefore, there is a very small likelihood of data corruption. They are also kept in Raid 10.

9) What do you do to raise awareness about security and trust around you?
No one touches my computer, period. As far as passwords go, I don't even know my own passwords. The only person that knows my passwords is the encryption software stored on my jump drive that has each password saved. And that is kept safe.


EDIT: Ah, and I downloaded a lovely cracked version of NOD32 to take a looksy. I am impressed, much less bloated than other Antivirals out there. I very well may purchase NOD32, just because I support companies that actually make good products. (aka, not Norton, McAfree, AVG, or any of the other "Popular" antivirus programs that are so bloated and manipulative and invasive that it makes you want to slit your wrists)

Dark Kal

Krytan Explorer

Join Date: Dec 2006

This reminds me of a Simpson episode:

Quote:
Homer Simpson: Not a bear in sight. The Bear Patrol must be working like a charm.
Lisa Simpson: That’s specious reasoning, Dad.
Homer: Thank you, dear.
Lisa: By your logic I could claim that this rock keeps tigers away.
Homer: Oh, how does it work?
Lisa: It doesn’t work.
Homer: Uh-huh.
Lisa: It’s just a stupid rock.
Homer: Uh-huh.
Lisa: But I don’t see any tigers around, do you?
[Homer thinks of this, then pulls out some money]
Homer: Lisa, I want to buy your rock.
Having a decent anti-malware and a half decent firewall and some common sense is all you really need, there's no need to be over paranoid either. I've never even encountered a computer virus in my entire life, you shouldn't underestimate malware/viruses but you shouldn't overestimate them either.

Ctb

Desert Nomad

Join Date: Apr 2006

W/

Rahja... much of your post doesn't seem to make any sense at all...

64-bit encryption? Are you joking? That's a trivial key size, and there's no compelling reason, short of some sort of software or hardware limitation on older systems, to use at LEAST a 128 bit key size these days.

Hell, AESCrypt won't even let you use a key size smaller than 128-bit, and it has no trouble with 192-bit and 256-bit key sizes as well.

And I'd be interested to hear what a "very heavy maintenance schedule" is for a hard drive, or what you mean by opening them up. If you mean you actually open the drives physically, I call BS. There's nothing you could conceivably gain by doing so, and even if you could the time and risk certainly isn't worth it when magnetic mass storage is going for 0.20 USD a gig. Furthermore, if you're actually utilizing your RAID 1+0 capabilities, you have a de facto backup of sorts, even if that's not the primary intent.

Finally, eschewing additional protections because you "use firefox" is beyond silly. Do you also never load images, flash, audio plugins, video plugins, or load anything but plaintext and HTML plaintext? Because practically everything except plain ASCII text has the capacity to harm your machine and load viruses. Even an image file has to be loaded into memory and manipulated by a program, so even that has the capability to trigger bugs in the controlling code and cause overflows, disk-writing, etc.

I'd be interested in hearing a little more about what all this actually means...

cataphract

cataphract

Forge Runner

Join Date: Aug 2005

Ashford Abbey

Hey Mallyx [icU]

Mo/Me

1) Of course.
2) Daily.
3) No, since there is no need. My AV software scans for malware, grayware and other culprits.
4) Of course. Windows are patched with all Critical and Security patches.
5) Yes. There aren't many apps installed on my PC.
6) Of course.
7) Weekly.
8) There isn't any sensitive or valuable data on my PC.
9) The only one that uses my PC is my girlfriend and she logs on under a separate, limited user account.

SnipiousMax

SnipiousMax

Perfectly Elocuted

Join Date: Sep 2005

For an antivirus App, I've always preferred Nod32 as it's light and lean and catches everything. I used Kaspersky AV for a while, but it got to where I felt like I was hunting squirrels with an elephant gun. I use mostly the free stuff now. Avira is what I use on my laptop and recommend to all my non techie friends/family. Again, it's light and lean and is the best scanner of the big three AVs.

For my firewalls, I have a firewall in my Router at home, and I've agonized over the security settings, so I don't have a third party app on my desktop. Windows Firewall is more than enough when it's sitting behind a router. On my laptop (and Mom and Dad's computer) is Comodo Firewall Pro which is an excellent completely free third party firewall. I usually disable the +defense as I don't see much added security that comes with the enormous amount of annoyance, but the basic firewall is excellent.

Anti-Spyware/adware programs I rotate every so often. I always have at least two, and run them one right after another once a week or so. I usually browse sites like Download.com to see what's new or what's been rated highly by the editors/community. I like to change them every couple of months because they have a pretty weak detection rate by themselves and using fresh ones so often increases your chances of catching something. I keep Windows Defender active all the time though. It comes with Windows Vista and is a free download for XP. It has real time scanning (spyware apps don't clash with antivirus apps), is integrated into the OS, updates automatically with Windows, and is actually pretty good. I've tried any number of other apps: a-squared, Spybot S&D, Ad-Aware (there's a new version out in beta!), superantispyware, the free version of AVG's antispyware, etc. Just be sure that you download from a reliable site, and that you pay attention to reviews and articles about whatever you want to try. The last thing I keep all the time is HijackThis. It requires a great deal of time and effort to go through every item on the log it prints out, but it catches just about everything. There is now a Firefox add-on that assists in using HijackThis.

Finally I'd suggest two more apps to complete your arsenal. Revo Uninstaller and CCleaner. When you uninstall a program lots and lots of stuff is left on your hard drive or in your registry. Revo Uninstaller assures that every trace of the program is wiped off your computer. CCleaner's been mentioned already, but it's fantastic.

Ctb

Desert Nomad

Join Date: Apr 2006

W/

Quote:
For my firewalls, I have a firewall in my Router at home, and I've agonized over the security settings, so I don't have a third party app on my desktop
If you're interested in having a limitless level of control over your router and firewall, get an old machine (or an Eee PC or something similarly small) and drop FreeBSD on it. Back when I was poor and couldn't afford a router, I used an old machine and two old NICs to make my own router, firewall, and DNS cache (with djbdns at http://cr.yp.to/). I dropped SSHD on it too and used PuTTY to connect so I didn't even need a monitor or keyboard hooked up.

With a little more ingenuity, you could do a lot of other things too: honeypots, an email relay with an appropriate retry setting so that you can send e-mails even when your ISP's email server is out or your connection is down, etc. Plus, the default firewall setting for SOHOs that comes with FreeBSD is a pretty darn solid starting point.

The only real downside is that you'll have to also get a switch and put it somewhere since, obviously, two NICs isn't enough for a real "network".

Fril Estelin

Fril Estelin

So Serious...

Join Date: Jan 2007

London

Nerfs Are [WHAK]

E/

Quote:
Originally Posted by Ctb
64-bit encryption?
He said "64bits passwords", not encryption key (and it'd rather be 2048 for asymmetric ...). But that does not make sense either, nor does the opening HDDs or the "I downloaded a cracked version of NOD32". And forget about creating your own router or honeypots, it's ridiculously complex for the majority of people, and a lot of time lost, unless you're protecting very sensitive data.

I feel the wind of derailment on this thread, as I can already see people not reading it. Just in case, I'll try to refocus the debate on the most important question of the 9 of the OP:

9) What do you do to raise awareness about security and trust around you (e.g., other people using your PC, members of your family, friends, guildies, Alliance members, colleagues)?

Ctb

Desert Nomad

Join Date: Apr 2006

W/

Quote:
But that does not make sense either
That's what I don't get. "64 bit key" makes sense. A 64-byte password would also make sense, though it would be an odd way of saying "my password is 64 characters long". That's why I'm itching for some clarification.

Quote:
And forget about creating your own router or honeypots, it's ridiculously complex for the majority of people, and a lot of time lost, unless you're protecting very sensitive data.
Actually, making your own router with a UNIX system is surprisingly simple and is a very viable step for people interested in going a little beyond the typical setup. Granted, for a normal user, it's out of the question and an unnecessarily tangled mess.

I'll just reiterate what I do for "normal" users with other people's suggestions incorporated into my future endeavours:

1. HOSTS file
2. Privoxy
3. AVG or NOD32
4. Windows Firewall turned on
5. If relevant, disable LANMAN hashes
6. Auto download and install updates turned on
7. Install Firefox and "hide" access to IE
8. Spybot S&D, HijackThis, and Ad-aware sweep and necessary cleanup

I also try to encourage people to set up two accounts: the administrator and a regular user, and to not use the administrator. Depending on the level of activity on the computer, the success of this strategy varies. Some people get tired of their kids complaining about games not working and skip it, others have a great deal of success.

Also, with passwords, I like to encourage people to either use fake words (supergone, littlejive, etc.), or to use entire phrases. I try to steer people away from the "1337-like" password method and create things like "I was born on the ninth of july to John and Marie". Windows passwords can now be very long, and it's much easier to remember a simple, meaningful phrase than it is to try and use a one-word 1337ified password. Plus, you'll never find phrases like that in the dictionary, so dictionary attacks become virtually useless. Plus, I think - THINK - that a password over 16 bytes is not LANMAN hashed even if LANMAN is not disabled.

DarkWasp

DarkWasp

Desert Nomad

Join Date: Mar 2005

Paradise

Agency Of Forbidden Fruits [Oot]

R/A

Personally I run pretty bare-bones myself, just because I don't get viruses. When I do, they are a pain, but sometimes I have a lil fun with em.

Avoiding viruses just takes street-smarts.. I mean web-smarts.

-No Warez
-No downloading music or videos illegally
-Porn is a HUGE risk, some sites are trusted though
-Sites with more than one pop-up at a time that bypass your pop-up blocker, pull the plug then reboot and scan immediately
-Only open EXEs from well trusted site, or scan them first
-Don't open emails that seem out of context
-Don't open viagra ads... go see a doctor or something, it'll be a lot less trouble
-Use Peer2Peers ONLY when necessary

...Stuff like that

(Oh and don't use myspace if you're gonna pick fights with smart kids)


So my computer security is up to date as long as I keep everyone else off it.
(I do run Windows Firewall though, it's the least bothersome firewall I've ever seen)

Fril Estelin

Fril Estelin

So Serious...

Join Date: Jan 2007

London

Nerfs Are [WHAK]

E/

Quote:
Originally Posted by Ctb
Actually, making your own router with a UNIX system is surprisingly simple and is a very viable step for people interested in going a little beyond the typical setup. Granted, for a normal user, it's out of the question and an unnecessarily tangled mess.
I know perfectly well, and even for a knowledgeable user it's not something you'd like to spend time on unless there's a good reason. I'd rather spend some time researching what's the most secure router out there.

Quote:
I also try to encourage people to set up two accounts: the administrator and a regular user, and to not use the administrator. Depending on the level of activity on the computer, the success of this strategy varies. Some people get tired of their kids complaining about games not working and skip it, others have a great deal of success.
On Vista it's already done for you with UAC, which means you don't get Admin privileges. Nice advice on other systems, but I'm not sure it's worth the effort (you'd have to log in again to install some programs).

Quote:
Also, with passwords, I like to encourage people to either use fake words (supergone, littlejive, etc.), or to use entire phrases. I try to steer people away from the "1337-like" password method and create things like "I was born on the ninth of july to John and Marie". Windows passwords can now be very long, and it's much easier to remember a simple, meaningful phrase than it is to try and use a one-word 1337ified password. Plus, you'll never find phrases like that in the dictionary, so dictionary attacks become virtually useless. Plus, I think - THINK - that a password over 16 bytes is not LANMAN hashed even if LANMAN is not disabled.
Long password is bad, because it increases the chance of typing it wrong (and then getting locked out because of too many wrong attempts, not on Windows by default) and of forgetting it. Complexity is the most important element, with l33t transformation being very simple: e or E replaced with 3, a or A with 4, etc.

I personally only use three (strong) passwords, one of which is the master password of PasswordSafe.

Don't forget, Ctb, that to be useful, security advice has to be understandable. Bear in mind LANMAN, host and stuff like that is as if I was going to start a discussion on cryptography on this board, it'd be pointless.

Ctb

Desert Nomad

Join Date: Apr 2006

W/

Quote:
Bear in mind LANMAN, host and stuff like that is as if I was going to start a discussion on cryptography on this board, it'd be pointless.
LANMAN doesn't store a hash for any password longer than 15 characters which is why encouraging a longer password is so useful in Windows. You can completely defeat the entire LANMAN weakness with a sufficiently long (16 or more characters) password and never even bring up LANMAN to the user.

Furthermore, longer passwords are better than complicated passwords. By virtue of the fact that it's a contextual phrase that has some meaning to the user, a sentence long password offers several benefits:

1. It has meaning to the user and is thus more easily remembered
2. It is not a dictionary word and is immune to 1-1 dictionary attack
3. It is exceptionally long compared to a typical password and, therefore, is unjustifiably difficult to crack timewise.

Something as simple as "I was born on 10/21/1976 in Dearborn Michigan" incorporates whitespace, non-alphanumerics, and different cases, it is long enough to bypass the LANMAN exploit, and it is neither a dictionary word, nor a password short enough to be reasonably cracked by a brute force attack. It is also a password for which a meaningful reminder can be created.

Quote:
Complexity is the most important element, with l33t transformation being very simple: e or E replaced with 3, a or A with 4, etc.
This is trivially defeated by all modern password crackers. They already index tens of thousands of words, adding a few letter mutations to the already extensive list is not a significant deterrent. The difference between cracking "joseph" and "j053ph" may be a matter of seconds depending on how the cracker handles mutations. Unfortunately, simply mutating real words is not a significant measure anymore.
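An added example, not part of Ctb's post or anyone else's in the thread: a Python estimate of the search space for a l33t-mutated dictionary word versus the sentence-length password quoted above, plus whether LANMAN (LM) would see the password at all. It assumes the commonly documented LM rules (at most 14 characters, case folded, two independent 7-character halves); the substitution table and the 50,000-word dictionary size are constructed assumptions.

```python
import math

LM_MAX_LEN = 14           # LM covers at most 14 characters; longer ones get no LM hash
LM_CHARSET = 69           # case is folded: 26 letters + 10 digits + 33 symbols
DICTIONARY_SIZE = 50_000  # hypothetical word list ("tens of thousands of words")
# Constructed substitution table: "e -> 3, a -> 4" plus a few common extras.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
UNLEET = {digit: letter for letter, digit in LEET.items()}
PHRASE = "I was born on 10/21/1976 in Dearborn Michigan"   # phrase from the post


def lm_view(password):
    """Return the two 7-character halves LM would hash, or None if LM is skipped."""
    if len(password) > LM_MAX_LEN:
        return None
    upper = password.upper()        # LM discards case before hashing
    return upper[:7], upper[7:14]   # each half is hashed on its own


def lm_bits(password):
    """Worst-case bits to brute-force both LM halves; None when no LM hash exists."""
    if lm_view(password) is None:
        return None
    return math.log2(2 * LM_CHARSET ** 7)


def mutated_word_bits(word, dictionary_size=DICTIONARY_SIZE):
    """Bits to cover every l33t spelling, assuming the base word is in the list."""
    base = "".join(UNLEET.get(c, c) for c in word.lower())   # j053ph -> joseph
    swappable = sum(1 for c in base if c in LEET)            # plain or swapped
    return math.log2(dictionary_size * 2 ** swappable)


def brute_force_bits(password):
    """Ceiling for character-by-character search over the classes in use (ASCII).

    It says nothing about guessing whole words, so read it as an upper bound.
    """
    if not password:
        return 0.0
    size = 26 * any(c.islower() for c in password)
    size += 26 * any(c.isupper() for c in password)
    size += 10 * any(c.isdigit() for c in password)
    size += 33 * any(not c.isalnum() for c in password)
    return len(password) * math.log2(max(size, 2))


def assess(password):
    """Collect the estimates; 'cheapest_bits' is the smallest of them."""
    estimates = {
        "lm_bits": lm_bits(password),
        # Only single tokens are treated as candidate dictionary words.
        "word_bits": mutated_word_bits(password) if " " not in password else None,
        "brute_bits": brute_force_bits(password),
    }
    estimates["cheapest_bits"] = min(v for v in estimates.values() if v is not None)
    estimates["lm_halves"] = lm_view(password)
    return estimates


if __name__ == "__main__":
    for pw in ("joseph", "j053ph", PHRASE):
        print(pw, {k: round(v, 1) if isinstance(v, float) else v
                   for k, v in assess(pw).items()})
```

Under these assumptions the three substitutions in "j053ph" add exactly 3 bits over the plain word list, while the 45-character phrase is never LM-hashed and leaves only the per-character search.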

Tarun

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

The Hosts file is not meant to be used to block malware. It is solely to act as a DNS redirect. I have written a detailed article about this in my wiki, which you can see by going to http://wiki.lunarsoft.net and viewing the Blocking Malware article which details why you should not use a Hosts file.

A big problem with the Hosts file is it slows down browsing because every line has to be parsed into the DNS. The DNS can only hold a set number of entries. So if you have a Hosts file with 10,000 lines and the DNS only holds the last 30 used, it has to chug along and process a lot of unnecessary work to try and block malware. To try and get around this, many sites that offer Hosts files foolishly tell users to disable the DNS Client service. You should never disable any of your services. Ever. Your programs have a higher chance of breaking because they rely on services. It has also been debunked that there is no performance gain by disabling services. Even from the very minute amount of memory that you may free, it's not enough to make a noticeable difference. If you believe that it has dramatically helped, I shall refer you to the placebo effect.

Even Microsoft has a segment about why you should not disable the DNS Client service.

Quote:
Originally Posted by MSKB 318803
Note: The overall performance of the client computer decreases and the network traffic for DNS queries increases if the DNS resolver cache is deactivated.

The DNS Client service optimizes the performance of DNS name resolution by storing previously resolved names in memory. If the DNS Client service is turned off, the computer can still resolve DNS names by using the network's DNS servers.

When the Windows resolver receives a positive or negative response to a query, it adds that positive or negative response to its cache, and as a result, creates a DNS resource record. The resolver always checks the cache before querying any DNS server. If a DNS resource record is in the cache, the resolver uses the record from the cache instead of querying a server. This behavior expedites queries and decreases network traffic for DNS queries.

You can use the Ipconfig tool to view and to flush the DNS resolver cache. To view the DNS resolver cache, type ipconfig /displaydns at a command prompt. Ipconfig displays the contents of the DNS resolver cache, including the DNS resource records that are preloaded from the Hosts file and any recently queried names that were resolved by the system. After a certain time period, the resolver discards the record from the cache. The time period is specified in the Time to Live (TTL) associated with the DNS resource record. You can also flush the cache manually. After you flush the cache, the computer must query DNS servers again for any DNS resource records previously resolved by the computer. To delete the entries in the DNS resolver cache, type ipconfig /flushdns at a command prompt.

This segment from the MSKB is why users should not alter their services unless under direct instruction from a technician.
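An added example, not from any poster in this thread: a small Python audit of a HOSTS file that separates sinkhole entries (names pointed at loopback or 0.0.0.0 for blocking) from entries that redirect a name to a routable address, and reports duplicates and malformed lines that only inflate the list. The sample file, its hostnames and its addresses are constructed.

```python
import ipaddress

# Constructed sample in HOSTS format; names use the reserved .example TLD and
# 203.0.113.7 is a documentation-range address.
SAMPLE_HOSTS = """\
# blocklist section
127.0.0.1   localhost
0.0.0.0     ads.tracker.example
127.0.0.1   banner.example   popup.example   # two names on one line
0.0.0.0     ADS.tracker.example
203.0.113.7 login.bank.example
not-an-ip   broken.example
::1         localhost
"""


def parse_hosts(text):
    """Yield (line_no, ip_or_None, hostname) for every name mapped in the file."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None                           # first field is not an address
        for name in fields[1:]:
            yield line_no, ip, name.lower()     # hostnames are case-insensitive


def audit_hosts(text):
    """Classify every mapping so that unexpected redirects stand out for review."""
    report = {"sinkholed": set(), "redirected": {}, "duplicates": set(), "malformed": []}
    seen = set()
    for line_no, ip, name in parse_hosts(text):
        if ip is None:
            if line_no not in report["malformed"]:
                report["malformed"].append(line_no)
            continue
        if name == "localhost":
            continue                            # standard loopback entries
        if name in seen:
            report["duplicates"].add(name)
        seen.add(name)
        if ip.is_loopback or ip.is_unspecified:
            report["sinkholed"].add(name)       # blocking entry
        else:
            report["redirected"][name] = str(ip)   # real redirect: review it
    return report


if __name__ == "__main__":
    for key, value in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{key}: {value}")
```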

pumpkin pie

pumpkin pie

Furnace Stoker

Join Date: Jul 2006

behind you

bumble bee

E/

I have one question:

Is it dangerous to tell people what your security routines are?

Ctb

Desert Nomad

Join Date: Apr 2006

W/

Quote:
A big problem with the Hosts file is it slows down browsing because every line has to be parsed into the DNS.
We've been over this before. The resolver cache issue is only significant for attempts to resolve a non-existent domain. Unless you repeatedly try to resolve those non-existent domains, the tiny increased delay while the loaded HOSTS data is queried is an inconsequential part of the entire transaction. Modern computers have more than enough memory and computing cycles to handle very large HOSTS files in-memory with ease.

Furthermore, the HOSTS file is meant to resolve whatever you want to wherever you want. That is its entire purpose in existing to this day. You can resolve any domain name to any IP, at will, and you are neither violating standards nor causing any significant problems outside of any problems you cause yourself.

I've used large HOSTS files on numerous home PCs and never once did anybody notice any additional slowdown, even on dial up.

Quote:
You should never disable any of your services. Ever.
THIS is entirely false, flat out. Any service you understand and know you don't need can be disabled. Arguing that it "might break something" is no different than arguing that deleting random things under /system32 "might break something". If you don't know what it is, don't mess with it, if you do, go nuts.

I also find it somewhat amusing that your main website is categorized in Websense as "malicious"....

Quote:
Is it dangerous to tell people what your security routines are?
Depends. If you expose a weakness it is, so you shouldn't discuss detailed information about your security system with people you don't trust. Obscurity can offer some level of protection, even if it's nothing more than to slow down the attacker or keep out complete scrubs.

However, you should not rely on obscurity to be a level of security.