A question for the computer geniuses

[AngelicAssassin]

... before you download and install XP Service Pack II ...

Make sure you've backed up your system ... worse case, anything you don't want to lose.

Download every driver for any peripheral you have installed in and/or attached to the machine to include DVD/CD-ROM drives (read only and writes), printers, video cards, modems, tape readers ... et al. Bill, in his infinite wisdom, forces a driver on each piece of the pie requiring one, and picked one ceritified by MS. They had to freeze the code for production, so guess what ... you get an older, in some cases, outdated driver and sometimes that driver ain't the best of the bunch.

 

[cellis]

Make sure you've backed up your system ... worse case, anything you don't want to lose.

Download every driver for any peripheral you have installed in and/or attached to the machine to include DVD/CD-ROM drives (read only and writes), printers, video cards, modems, tape readers ... et al. Bill, in his infinite wisdom, forces a driver on each piece of the pie requiring one, and picked one ceritified by MS. They had to freeze the code for production, so guess what ... you get an older, in some cases, outdated driver and sometimes that driver ain't the best of the bunch.

Great point!

I try to back up my system every 3 months... a little often I am sure... but just one of those things I am terribly anal about...

Ever had to install windows from dos... a nightmare I tell you!

 

[DVS]

Great point!

I try to back up my system every 3 months... a little often I am sure... but just one of those things I am terribly anal about...

Ever had to install windows from dos... a nightmare I tell you!

Actually, I enjoy those kinds of nightmares. But then, I also enjoy other anal things, too.

 

[Shadowsdream]

Thank Y/you all for the incredible info to help Me sort through this computer bull I am dealing with.

It is likely I have a high dose of paranoia going on due to a (insert your own idea) woman posing as a Mistress contacting Me with bizarre conversations that border on the totally unintellectual jargon of one who cannot remember what she types from one sentence to another.

The mode of contact was My first hint...ICQ contact gave Me a second hint..and there were other hints that took My friends to her IP location.

Even though I have nothing to hide on My computer I do hold pictures of those I have trained from time to time and email contacts that I prefer to keep private for all of the right reasons.

My concern is about back door programs that could cause embarrasment to friends and collegues of Mine.

When I discovered there was a malicious program running and have not been able to determine what it was even though it was isolated I came looking for info.

I suppose I still wonder if she did infact infiltrate through My email or ICQ. I don't even know if this is possible if I don't accept files..which I have not done.

So thank you one and all for the info!

 

[DVS]

Thank Y/you all for the incredible info to help Me sort through this computer bull I am dealing with.

It is likely I have a high dose of paranoia going on due to a (insert your own idea) woman posing as a Mistress contacting Me with bizarre conversations that border on the totally unintellectual jargon of one who cannot remember what she types from one sentence to another.

The mode of contact was My first hint...ICQ contact gave Me a second hint..and there were other hints that took My friends to her IP location.

Even though I have nothing to hide on My computer I do hold pictures of those I have trained from time to time and email contacts that I prefer to keep private for all of the right reasons.

My concern is about back door programs that could cause embarrasment to friends and collegues of Mine.

When I discovered there was a malicious program running and have not been able to determine what it was even though it was isolated I came looking for info.

I suppose I still wonder if she did infact infiltrate through My email or ICQ. I don't even know if this is possible if I don't accept files..which I have not done.

So thank you one and all for the info!

I've heard that with XP, programs like ICQ can allow backdoor transfers. These would happen without your even knowing it. But, you also said you have a firewall, if I remember correctly. Is it possible you find it necessary to disable the firewall during ICQ chats? Some chat programs do need this to be done, because they are not compatible. I know Yahoo is that way, but only when sending files. But, that would be enough to allow some malicious program entry.

Nobody else has said this, but I am sometimes skeptical when told there is malware on my computer. There are so many different ones out there, and I'm sure it is possible to have a legit program be seen as malware by some.

Just something to think about, especially since you can't tell the actual name. If you had a name, you could find out the symptoms, then see if your computer had those.

But, with XP it is very necessary to have the latest update. Actually, the latest update is just for what we're talking about. The back door issues and other security measures that XP has are (hopefully) fixed in this update.

And, keep that firewall going. With this update, the firewall in XP is on by default. Before, it was necessary to turn it on, if I remember correctly.

Update everything anti-virus related, malware related and operating system related regularly. If not, you might be inviting unwanted guests that aren't related.

Personally, I have Spybot-Search and Destroy, the new Adaware SE Personal and CWshredder installed. CWshredder is specific to only one malware, but it saved my ass one day. I also have a watchdog that tells me when something has been changed, and allows me to OK that change. The programs others have mentioned are also good, as no malware program will remove everything. And, like viruses, there's always new malicious crap coming out. Thank God, malware removal programs are mostly free!

 

[James G 5]

Nobody else has said this, but I am sometimes skeptical when told there is malware on my computer. There are so many different ones out there, and I'm sure it is possible to have a legit program be seen as malware by some.

Very true
AdAware is CONVINCED the persistent cookie used by my bank for access to their website is malicious

 

[m wisdom]

Very true
AdAware is CONVINCED the persistent cookie used by my bank for access to their website is malicious

Looks like more people them me are having trouble with AdAware. It thinks that just because I have changed my startpage in internet explorer my browser is hijacked

Personally, I have Spybot-Search and Destroy, the new Adaware SE Personal and CWshredder installed. CWshredder is specific to only one malware, but it saved my ass one day.

CWshredder have saved my ass as well

 

[catalina_francisco]

I have used AdAware in the past and found it to be very lacking. Spybot picks up more spyware and is less intrusive to my system.

Being paranoid is good extremely good the more paranoid you are on the Internet the better.
A tip for all who have sensitive information on their Hard drive, that they really can not share with the outside world, buy a removable HHD, for about 200 Dollars you can buy a 250 GB USB drive. Put all of your information on that drive and when not using them just disconnect it. Even better is to use some good encryption software like for example PGP (http://www.pgp.com) and encrypt it.

More resources can also be found here....Windows XP SP 2 resource page: http://hhi.corecom.com/windowsxpsp2.htm

As mentioned before I would suggest installing Linux to anyone who dares (http://www.linuxiso.org/), try it and you will be amazed.

Francisco.

 

[Sir_Winston54]

A little late, but...

If you have HijackThis, run it and send the log to http://forums.thetechguys.com/index.php?
(If you don't have HijackThis, you can get it (free) at http://www.majorgeeks.com/download3155.html
Near the top center of the page, they show 5 download centers. Just pick the one closest to you.)

Thetechguys.com has a forum there specifically for posting HijackThis logs and some truly *excellent* tech people who review the logs and give precise instructions how to remove *all* the garbage the log reveals. I got some new garbage into my computer last week, and the tech guys had me fixed up and smiling again within about 48 hours. Clear, easy to follow directions, and links to things like how to turn System Restore on and off (a necessity during many cleaning operations), etc. I would recommend them to anyone, any time.

You can also run a good free web-based virus checker from http://housecall.trendmicro.com/housecall/start_corp.asp
Write down the "uncleanable" items it shows, and send that list to thetechguys along with your HijackThis log.

AVG is a pretty decent free anti-virus app. I also use Spybot and AdAware 6, ignoring the things (like the bank cookie mentioned above) that they don't like that I know are safe.

Best of luck with the problem(s). Hope you're cleaned up and smiling again soon!

 

[m wisdom]

A tip for all who have sensitive information on their Hard drive, that they really can not share with the outside world, buy a removable HHD, for about 200 Dollars you can buy a 250 GB USB drive. Put all of your information on that drive and when not using them just disconnect it. Even better is to use some good encryption software like for example PGP (http://www.pgp.com) and encrypt it.

Francisco.

I recommend Cipher Shield if you need to protect sensitive information, it's an external harddrive with encryption. Safer and easier to use then most software encryption programs.

 

[cellis]

I think that there are a lot of choices in utilities out there. I like to keep what works for me...

I am open to other utilities but while I have tried others what I have now works best for me...

 

[catalina_francisco]

I recommend Cipher Shield if you need to protect sensitive information, it's an external harddrive with encryption. Safer and easier to use then most software encryption programs.

What I can see out of the specs, it only supports synchronous encryption which means that everything depends on your key. Which is basically a password stored on a token.

PGP is a hybrid solution which makes it possible to use asynchronous and synchronous encryption, asynchronous encryption is a lot safer since it works with public and private keys and synchronous encryption is a lot faster. In fact PGP is the standard for mail and file encryption. If you combine PGP with an USB token or smartcard there is no safer solution.

Especially since PGP creates a sandbox in which data is being decrypted and decrypted which means unlike Cipher Shield it will not leave unencrypted data in the swap file. Even better with PGP you can store your data Encrypted wherever you want, be it on a HDD, floppy, USB token, email or Internet and decrypt it from wherever you want.

Francisco.

 

[DVS]

PGP is a hybrid solution which makes it possible to use asynchronous and synchronous encryption, asynchronous encryption is a lot safer since it works with public and private keys and synchronous encryption is a lot faster. In fact PGP is the standard for mail and file encryption. If you combine PGP with an USB token or smartcard there is no safer solution...
Francisco.

I used to work IT for a mortgage corporation. It was only regional, but the bank that owned it was country wide, other than California (what IS it with the California mortgage laws?).

We were required to encrypt any transaction that went from office to office, be it email or whatever. We were also required to do this when communicating with the famous three...Fannie Mae, Gennie Mae and Freddie Mac.

We used PGP. It can be a bitch to setup, but we might have had a more in-depth setup, that the home user wouldn't require. And it was also a bitch to train users, but my situation was unique.

It seems mortgage people aren't that computer savvy, as a rule, and have a difficult time understanding the procedures. They are stubborn, too, preferring to keep their blinders on. But, that's OK. That door swings both ways.

 

[m wisdom]

What I can see out of the specs, it only supports synchronous encryption which means that everything depends on your key. Which is basically a password stored on a token.

PGP is a hybrid solution which makes it possible to use asynchronous and synchronous encryption, asynchronous encryption is a lot safer since it works with public and private keys and synchronous encryption is a lot faster. In fact PGP is the standard for mail and file encryption. If you combine PGP with an USB token or smartcard there is no safer solution.
Especially since PGP creates a sandbox in which data is being decrypted and decrypted which means unlike Cipher Shield it will not leave unencrypted data in the swap file. Even better with PGP you can store your data Encrypted wherever you want, be it on a HDD, floppy, USB token, email or Internet and decrypt it from wherever you want.

Francisco.

I know you are a security expert so if I'm wrong please let me know. I always enjoy learning new things.

Asynchronous is safer but since the encryption key on the CipherKey can't be read in any way from the OS, I think it is safer then any software based solution. You always have the risk of someone reading your key or password when using a software based solution.

I know PGP is standard for mail and file encryption, I have used it myself. And if you need to send sensitive information over the net Chipher Shield is of course completely useless. But for complete harddrive encryption I still think it's better then PGP.

The swap files is a problem that I didn't think of. Could be solved by using software but then everthing gets more complicated.

The thing that I like most about Chipher Shield is it's ease of use. Put the key in, do your stuff, take the key out. PGP is more complicated, at least it was the last time I used it (about 4years ago). I also like the fact that you don't need to worry about forgetting your password, and it dosen't take any resources from your computer.

Now if someone could solve the swap file problem...

 

[catalina_francisco]

Hello m wisdom,

I agree that normally speaking for most users which are not as paranoid as I am Chipher Shield would be the best solution. The only real weakness I see with it is the key and the swapfile but that could be solved by creating a script that makes sure that the memory space gets filled with random number after decrypting.

I am not an expert on the particular product so I might be wrong, but it seems to me that the key is not protected and that is a weakness since the only thing you need to get to the data is the key. Steal the key and you can get to the data. Another weakness I see in the product is that the company keeps a copy of the encryption key so in case of a lost key they can help you recover the data. Not a bad practice but I am paranoid about those things and yes it is optional but if you value your data you really do not have a choice but to have them make a copy of the key.

I agree with you DVS that PGP can be a bitch to use, but it has improved dramatically over the years, especially in a corporate environment a lot can be preconfigured for the users so they really do not notice much of the PGP. However in a SOHO environment if you are not into security like m_wisdom or myself it can be a lot of work to maintain.

I love PGP, I think it is one of the coolest encryption products. Phil Zimmerman is the creator of PGP (by the way PGP stands for pretty good privacy), he believed so much in privacy that he went to jail for protecting his right to keep PGP open source.

http://www.philzimmermann.com/EN/background/index.html

You can download a freeware version of PGP here, but be warned it is not easy in use.

http://www.pgpi.org/

Francisco.

 

[m wisdom]

Hello Francisco.

It is true that if you want the highest degree if security a product like Chipher Shield might not be for you. The key is not protected and the company does keep a copy of the encryption key. I don't work for that company and I'm not an expert on this product so I'm not sure about this, but the say that the only way they can know what encryption key you have is if you tell them the ID on the key. So you could write down that ID and put it in a safe and not order a spare key util you actually need it. This should prevent the company from giving out the encryption key to anybody.

I really should download PGP again and try it, hopefully it's alot easier to use now. Most people I work with have little knowlege of how computers works so if they would want me to recomend a encryption product, I would go for the most easy to use stuff I can find, becuse I know that if they don't understand how to use it they will not use it or not use it correctly.

I like PGP but I have to agree with DVS that it's not to easy to use.

 

[catalina_francisco]

The Internet has slowly been taken over by the bad guys, at least if you believe the latest statistics. Attack upon attack is set loose on companies which are facing hordes of teenagers with an uncanny mindset on how to break into their system. But this is known, news stories about young hackers writing viruses are becoming commonplace.

The ultimate challenge for anyone who wants to promote information security is to find a balance between scare tactics, information security and workable environment. Securing data and electronic environment will mean putting restriction and it will decrease the ease of use of computers. Most users find computers difficult enough to use so they are almost never in favour of information security systems.

Information Security is about minimizing risk to an acceptable level while maintaining the Confidentiality, Integrity, and Availability of the systems and data. All systems have some level of risk. A completely secure, zero risk system is one that has no functionality. It is my task as security professional to implement a strategy that will manage the risk to my systems on an acceptable level.

I have heard often enough that it is better to use a system that offers at least some security which is easy to use then a secure system which is more difficult in usage. I would agree but important for this is that a good sense of reality is in place. Never should you think that you are protected. In fact it should be made clear that security has been sacrificed for user commodity. Security is about managing risk so, as long as everyone involved is aware of the risk it is a good decision.

In any case if anyone wants to know more about computer security or has a specific question do not hesitate to send me a PM. If I can not answer it, then I can point you at least in the right direction. I have bored enough people, if you have made it this far than you must be a real geek.

Francisco.

 

[m wisdom]

Well said Francisco.

I think that someone that even consider open a thread called "A question for the computer geniuses" is probably a geek

 

[DVS]

Well said Francisco.

I think that someone that even consider open a thread called "A question for the computer geniuses" is probably a geek

What I wonder is how many original subscribers to this thread have since scrolled down in their notify email and selected To unsubscribe from this thread, please visit this page:

 

[m wisdom]

What I wonder is how many original subscribers to this thread have since scrolled down in their notify email and selected To unsubscribe from this thread, please visit this page:

Checks statistics ... calculates information security popularity ... compensates for geekiness ... and the result is:

87.2%

 

[Shadowsdream]

This geek is still here and still reading every word avidly...then emailing all the info to My slave.

You are all very intellectual with your info and My geekiness is no match for his!

I am of the opinion that One can never have too much info and so I thank you all for continuing to share your knowledge with all who do or will need it at one time or another in Internet life!

 

[snowy ciara]

Please excuse the hijack everyone, but I have a computer question and I don't feel it's important enough for a new thread, so I'm going to ask it here.

After much wracking of brains and finally asking someone for help, I found the web page for using ascii code to make foreign language accent marks on an English/American keyboard. I have windows xp and I've been using word perfect to write all my papers and such for classes. It works there. But, when I try to use the accents on lit and another vBulletin style board, they don't work! I tried writing the response in word pad an c and p ing it into the response box here, and it didn't translate. I got "do {string of incomprehensible computer babble that had a tilde in there} na." I had noticed this once before, where if I used word pad rather than word perfect, I'd get the same result with quotation marks and apostrophes. For example, in the preceding instead of I'd get you would see I {string of incomprehensible computer babble that had an apostrophe in there} d get. Now, IE spell will catch and add a few French accents for me, but it doesn't work for Spanish and it doesn't work for Japanese. AAAAAAAARRGGGHHHHHH. Er, that's Japanese spelled phonetically. My keyboard doesn't do Japanese characters either variety.

So why is it doing this and more importantly, how do I fix it?

 

[TaintedB]

Please excuse the hijack everyone, but I have a computer question and I don't feel it's important enough for a new thread, so I'm going to ask it here.

After much wracking of brains and finally asking someone for help, I found the web page for using ascii code to make foreign language accent marks on an English/American keyboard. I have windows xp and I've been using word perfect to write all my papers and such for classes. It works there. But, when I try to use the accents on lit and another vBulletin style board, they don't work! I tried writing the response in word pad an c and p ing it into the response box here, and it didn't translate. I got "do {string of incomprehensible computer babble that had a tilde in there} na." I had noticed this once before, where if I used word pad rather than word perfect, I'd get the same result with quotation marks and apostrophes. For example, in the preceding instead of I'd get you would see I {string of incomprehensible computer babble that had an apostrophe in there} d get. Now, IE spell will catch and add a few French accents for me, but it doesn't work for Spanish and it doesn't work for Japanese. AAAAAAAARRGGGHHHHHH. Er, that's Japanese spelled phonetically. My keyboard doesn't do Japanese characters either variety.

So why is it doing this and more importantly, how do I fix it?

It's doing this because web pages use the character set that comes with html rather than the ones that come with advanced word processors like Word. To do special characters in html, you need to go to a website that gives you the commands for making them, and then insert these commands into your text. HTML probably should have all special characters and symbols covered by now. Here is a chart:

http://www.starr.net/is/type/htmlcodes.html


If, however, Lit has turned off html commands (I just saw a thread about that going around) then the codes you put into your text won't work.

I will do a test right now to see if this is so: I'll try a lower case u with an accent over it (uacute):

ú

edit: well my test didn't work, but there may be something to doing html tags in the Lit editor box that I don't know, as I never use them. However, if you were to use this code in a text story which was going to be uploaded to an html page, the coding would translate over into the right symbol or special character once the text was on a website.

You probably need a special keyboard to type in Japanese. But if all you want to do is view the original kanji characters in your Word document, there's a few small settings to change that will give you Japanese character support in all MS Office apps.

 

[snowy ciara]

I did try the starnet html charts, too, but it doesn't work. I did check the other site I use, and it too has html code turned off. The Japanese I'm not really worried about, yet. I'm not at the having to type stuff in that yet, really. Everything is hand written for now.

Thanks for giving it a shot though.

A lovely friendly lurker has suggested unicode... I did locate said item and am unable to insert the code into the posts here. I shot off an email to techno support on the other vBulletin sight that I use, since they tend to get back to people faster than Lit does. This is not intended as a slam to Lit or Manu and Laurel. It is simply an acknowlegment that my writing board is much smaller than Lit and that makes it easier to get them to answer these sort of questions. He says that unicode won't work for them either unless the html is functional. Has something to do with not being able to use the [ctrl] key as you would with the html code. They are trying to find a workaround that doesn't count as a liscensing violation with the software product.

Thanks again, lovely lurker, it was worth a shot. I'm doomed to live a tilde-less life I guess, unless I get a keyboard with the n plus tilde key... le sigh

 

[Aeroil]

You probably need a special keyboard to type in Japanese. But if all you want to do is view the original kanji characters in your Word document, there's a few small settings to change that will give you Japanese character support in all MS Office apps.

Actually, you can type Katakana and Hiragana easily enough using phoenetic translation with an english keyboard, but kanji is much trickier, since there are often five different kanji characters that all have the same pronunciation and two different meaning each.....
Kanji is better done with a special program, our school uses Kanji word (which actually also does Hiragana and Katakana)