Consumer Warning: Computer Security Product Scams



Real Security is more than Snake Oil

In the security business we call it "snake oil": products which are overhyped and claim to perform the impossible, which in actuality are pure bunkum. Security is not a product. Security is a process.

The first rule of security: Always keep your operating system patched and up to date! To my chagrin, I found that even my beloved Linux can be hacked if you fail to keep it up to date. I set up an automated job on my Linux box that downloads any security patches every night at 3am and installs them without human intervention. With Windows, you can get the same general effect by making a point of running the update wizard every night.

Next, you want to remove programs from your computer that are a security risk. Especially: DO NOT USE MICROSOFT OUTLOOK EXPRESS! This program spreads every virus except AIDS (and Microsoft is working on that!). Use Eudora or Netscape Communicator instead -- since most EMAIL viruses are aimed at Outlook Distress, they'll pretty much bounce off of Eudora or Mozilla (I have verified this myself -- I have read mail via Mozilla that would have spread a virus via Outlook Distress).

If you are running Windows, you should be running a virus scanner. BUY ONE. Do NOT rely on one that a friend gave you! You don't know how old it is, or whether it is virus-infected itself for that matter. Trusting second-hand software with your security is nuts.

UPDATE YOUR VIRUS DEFINITION FILES NIGHTLY! Just as running the Microsoft update wizard nightly is just part of running Windows, updating your virus definition files nightly is also just part of running Windows. If you don't want to do this nightly, don't run Windows. I'm serious.

You should get a popup-stopper. These help with stopping browser-takeover viruses such as the one that Evidence Eliminator affiliates have been spreading lately. Ad-Aware is the most widely used popup-stopper, but there are others equally good.

BUY A BACKUP DEVICE -- AND USE IT! I cannot BELIEVE how many Windows users treat their computers as if they're infallible, and never back up their files to a tape drive, CD-RW, or DVD-RAM! What happens to your files if your computer craps out or gets invaded by a hacker? You guessed it: KAPUT. So buy a tape drive, CD-RW, or DVD-RAM drive, and back up your files (or at least all files changed since the last backup) NIGHTLY using a sensible media rotation scheme (look up "media rotation" at Google for more info).
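A nightly backup job of the kind described above, as an added example (not the page's own code). It assumes GNU tar (for `--listed-incremental`) and a cron entry such as `0 3 * * * /usr/local/bin/backup.sh /home /mnt/backup` (constructed paths). Sunday gets a full dump; other nights only the files changed since the previous run are archived, and the media rotation is done by pointing the destination at whichever medium is in use that week.

```shell
#!/bin/sh
# Added example (not from the page): nightly backups with a weekly full dump and
# daily incrementals, using GNU tar's --listed-incremental snapshot file.
# Usage: backup.sh SOURCE_DIR DEST_DIR [DAY_OF_WEEK]   (run from cron each night)
# Point DEST_DIR at whichever medium (tape, CD-RW, DVD-RAM, second disk) is in
# rotation that week, so one failed medium never holds the only copy.
set -eu

backup() {
    src=$1; dest=$2; dow=${3:-$(date +%w)}   # 0 = Sunday
    snap="$dest/snapshot.snar"               # tar's record of what was dumped last
    mkdir -p "$dest"
    if [ "$dow" -eq 0 ]; then
        rm -f "$snap"                        # no snapshot => a fresh full dump
        level=full
    else
        level="incr$dow"                     # only files changed since last run
    fi
    archive="$dest/$(date +%Y%m%d)-$level.tar.gz"
    tar --listed-incremental="$snap" -czf "$archive" -C "$src" .
    echo "$archive"                          # caller gets the archive path
}

# Remove archives older than KEEP_DAYS (default four weeks) so the medium
# does not fill up; the current snapshot file is never touched.
prune_old() {
    dest=$1; keep_days=${2:-28}
    find "$dest" -name '*.tar.gz' -mtime +"$keep_days" -exec rm -f {} +
}

if [ $# -ge 2 ]; then
    backup "$1" "$2" "${3:-$(date +%w)}"
    prune_old "$2"
fi
```

Restore with `tar -xzf` of the last full archive followed by each incremental in date order, which is the one thing to rehearse before you ever need it.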

GET A COOKIE BUSTER. To keep web sites from tracking you, you want a "cookie buster" type program that intercepts requests to set cookies and asks you whether you want to accept each one. I use the Konqueror browser on Linux, which has a "cookie buster" built in. Note that it is not suggested to "reject all cookies" for all domains, since some applications (such as web shopping carts, like the one at ) do not work right without cookies... though there are some domains (such as ) that I have set to "reject all cookies" (for obvious reasons!). Note that some popup stoppers such as Ad-Aware also include cookie buster functionality.

The next thing you probably want to do is install a firewall. If you are connecting to the Internet via a dial-up modem, you have little choice: you are going to have to run one of those "personal firewall" type programs. I have no experience with these on Windows. Most Linux distributions, such as Red Hat Linux and Mandrake Linux, come with a built-in firewall that you can enable when you install Linux on the computer. If you have a DSL or cable modem connection, I recommend a hardware DSL/cable router, such as the Linksys Cable/DSL router. I have one. It's a workhorse. I've since moved to OpenBSD for my firewall router, but the Linksys worked, and worked well (it just wasn't flexible enough for some of the weird things I do, things that you probably don't do).

Now comes the fun part: Setting up encrypted filesystems. On Linux, you can set up an encrypted loopback device using the software that comes with most Linux distributions. Do a swift Google search for the terms "linux encrypted loopback" for more info on that, there is a "HOWTO" available that describes everything you need to do. For Windows, get Scramdisk (Free) or BestCrypt ($89.95) for on-the-fly encrypted disks. What you'll want to do is put any information you do not want compromised onto these encrypted "disks" -- and unencrypt them only when you are actually using the data.

Now, and only now, should you be thinking about "file shredding" products that claim to "clean your hard drive". What you want is a product that cleans out your history file and cache file, which in Windows cannot be put into the encrypted filesystem container. It would also be good if it would clean out your swap file upon shutdown. On Linux, of course, you can put your entire /home directory into the encrypted filesystem container, history file and all, as well as your swap file, so it's not as big a deal there. Note that most of the scam products are "file shredding" or "disk cleaning" products -- they won't do anything mentioned in previous paragraphs.

Consider your operating system, and whether an alternative will work for you. Windows is horribly insecure. EMAIL viruses etc. are ridiculously simple to write to target Windows. It's likely that various TLAs already have EMAIL viruses that they target their opponents with, EMAIL viruses which pose as common spam but which really install a keyboard/mouse/screen snooper so they can see everything that you do. OpenBSD is notoriously difficult to use but is widely regarded as the most secure operating system for consumer PC hardware.

If OpenBSD is not your bag of tea, you might try Linux and set up an encrypted loopback to put your home directories in (this works like Scramdisk, except that on Linux you can put everything except the OS kernel in there, including any record your web browser makes of your browsing habits). But be forewarned that while Linux can be hardened to be as secure as OpenBSD (unlike Windows, which will never be that secure), Linux by default is child's play for any TLA to break into via the network. You have to explicitly set up firewall rules to reject all incoming traffic to all ports < 1024 and to the "X" port (6664?) before Linux is secure (Linux has a built in firewall to log and reject attack attempts, but by default it is not enabled -- though I notice that Red Hat Software's latest version of Linux, Red Hat 7.1, does appear to have an option to enable that built-in firewall at install time, as does Mandrake 8.1 Linux).
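One way to put the rule set described above into practice, as an added example that is not from the page: it assumes a Linux host with iptables (the page's era would have used ipchains). An X server listens on TCP 6000 plus its display number, so the script covers displays :0 through :63 rather than one port, and it goes one step beyond the text by letting replies to connections the machine itself opened back in, since a plain drop-everything policy would otherwise break web browsing and the nightly update job. Run without arguments it only prints the rules for review; `--apply` loads them and needs root.

```shell
#!/bin/sh
# Added example (not from the page): a minimal host firewall for a single-user
# Linux box, written with iptables. Without --apply it only prints the rules it
# would load; with --apply it runs them (needs root).
set -eu

IPT="iptables"
X11_PORTS="6000:6063"        # X display :0 to :63 listen on TCP 6000 + display

# Print or run one iptables command, depending on mode.
run() { if [ "$MODE" = apply ]; then "$@"; else echo "$@"; fi; }

apply_rules() {
    MODE=${1:-dry-run}
    # Default policy: drop everything inbound that is not explicitly allowed.
    run $IPT -P INPUT DROP
    run $IPT -P FORWARD DROP
    run $IPT -P OUTPUT ACCEPT
    run $IPT -F INPUT
    # Local processes talking to each other over loopback are fine.
    run $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this machine opened (web, mail, updates).
    run $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Everything below is a NEW inbound connection attempt.
    # Privileged ports (< 1024: telnet, ftp, smtp, rpc, ...) and the X server:
    # log the attempt, then reject it.
    run $IPT -A INPUT -p tcp --dport 0:1023 -j LOG --log-prefix "FW-PRIV: "
    run $IPT -A INPUT -p tcp --dport 0:1023 -j REJECT --reject-with tcp-reset
    run $IPT -A INPUT -p udp --dport 0:1023 -j DROP
    run $IPT -A INPUT -p tcp --dport "$X11_PORTS" -j LOG --log-prefix "FW-X11: "
    run $IPT -A INPUT -p tcp --dport "$X11_PORTS" -j REJECT --reject-with tcp-reset
    # Anything else unsolicited: log a rate-limited sample, then the DROP policy applies.
    run $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

case "${1:-}" in
    --apply) apply_rules apply ;;
    *)       apply_rules dry-run ;;
esac
```

The LOG rules are what turn the firewall into the "log and reject attack attempts" facility the text mentions; the prefixes make the entries easy to pull out of the kernel log.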

Note that the only real way to keep a TLA from reading your hard disk is physical destruction: a thermite bomb on top of the disk drive (to melt it into a meaningless glob), removing the platters and sanding them on a belt sander, tossing them into a vat of molten steel like a scene right out of Terminator 2, etc. So either encrypt the whole thing (and keep the key on some easily-destroyed medium, like a floppy disk, where a couple of minutes in the oven will do the trick), or, if you have plenty of warning (or are getting rid of a used hard drive), destroy it. Note that simply encrypting, without some way of swiftly destroying the actual physical key, is not sufficient: in the Scarfo case, the FBI installed a key logger on Scarfo's computer to sniff out his encryption key.

Consider your paranoia level. For a Scarfo-proof level of paranoia, secure the physical premises of your computer. Scarfo's error was that he did not have someone guarding his computer at all times. That's extreme, but the point is that it doesn't matter if your computer's hard drive is encrypted if someone from the FBI or one of your competitors snuck in and stuck a bug in the keyboard and behind the screen so that they can see everything you type and do.

Finally: Note that security is a continuum. Generally, the more secure a computer, the harder it is to use. You must assess your security risk, and adopt a security posture which fits your circumstances. If you are a friend of Scarfo's, you may wish to go the total paranoia route, including having two beefy bodyguards guarding the computer room at all times. If you are a typical person, you can probably stop after the "Install personal firewall" step -- you'll still be asking Windows for updates every night, and you'll still be asking for virus file updates every night (unless you are geeky enough to go to Linux, at which point you have only the nightly updates to worry about!), but you have no need to, e.g., go to OpenBSD and hire two beefy bodyguards to make sure the FBI doesn't sneak in and bug your computer.

For "normal" people, the only time they'll need a file erasure program such as Tolvanen's Eraser is either a) to clean up before kids use the computer, or b) to clean up before sending the computer out for servicing. Assess your level of need, and download or purchase the right products to meet your need. Don't let scare tactics and hysterical fear-mongering scare you into buying inappropriate "snake oil" software that mostly only makes your wallet thinner.

John Bryant

Note that everything on this page is Copyright 1997-2018 John Bryant and represents my own opinions and nobody else's. Reproduction without permission strictly prohibited.