MY CONCLUSIONS: Microsoft has bumbled into an epic fail: The Windows environment is dangerous for on-line purchasing and banking, even when patched and with reasonable user attention. To reject malware, do not browse the Web in Windows; use some other operating system (OS). To prevent infection, boot your browsing OS from CD or DVD.
There is a Web war on, and we are losing. Distant criminals can and do subvert the computers in our homes for their own profit. When criminals get control, they can distribute advertising, expose our passwords and data, find our personal information, and do whatever they want on our computers. When a Web computer is infected, anything on it can be exposed, changed or deleted remotely, so even "removing" the malware may not put things right.
We do not have to give up the Web. We do have to give it some attention.
Wikipedia reports that about 93 percent of browsing occurs from a Windows operating system (OS). Even though Microsoft effectively owns the browsing environment, Panda Security has estimated that 58 percent of US PC's are infected with malware. If that is true, then Microsoft is responsible for an environment that has failed to protect most users. Panda also reports,"The huge amount of Trojans in circulation is due to the spectacular increase in the number of banker Trojans aimed at stealing user data." Malware makes on-line banking risky for most of us.
I tried to find easy ways to protect PC's, but instead found that the usual approaches were not nearly enough. To get real security, we have to make some fairly substantial changes in the way we do things. For those willing to put in a little thought and effort, using the Web can be made far more secure.
Since I came at this as a Windows guy, my first recommendation comes with some sorrow:
I suggest Puppy Linux, because:
I suggest Puppy Linux, because:
I suggest Firefox with security add-ons, because:
Important Firefox security add-on's include:
The user needs to be aware:
I suggest LastPass.com with the Firefox add-on, because:
I suggest Google Gmail, because:
I suggest:
This project started as a recipe of fixes (free, where possible) to prevent malware problems on a Windows PC. To really fix something we first have to understand it. We can see malware as a wide range of criminal softwares, each exploiting on-line computing weaknesses. No single response will solve all malware problems. Some issues require users to know more, and to operate with purpose. But even with the best user actions, the Windows operating system (OS) includes a range of weaknesses which must be addressed.
Many things can be done, and those are included here, but in my opinion, Windows really cannot be patched into security. Nor can we expect Windows 7 to be more than marginally better, since it is following the same failed strategy. Malware is much worse than commonly thought, both more powerful and more common, and this is happening in a Microsoft planned environment. Current tools are fundamentally unable to solve these problems.
At the risk of claiming "The sky is falling," things are much worse than we think:
There will always be a few dummies that get into trouble. But when most normal users are infected, something is fundamentally wrong in the product design. If cars were built like this, the government would require their recall.
Our best-known anti-malware tools, firewalls and malware scanners, each have serious practical limitations:
One of the worst Microsoft failings is the lack of a tool to tell us what we need to know. We should not be working in an infected system, but there is no tool to certify that our Windows system is uninfected. No single malware scanner, nor any set of scanners, can hope to find every possible malware. Yet malware must change files in order to infect, and surely Microsoft can tell when one of their OS files has been changed. Hopefully Microsoft can similarly examine or eliminate every possible place for malware in their registry. An "uninfected Windows" certification tool could deliver renewed trust just when that is needed.
When infection is found, the situation changes. After a botnet has been in place for even a few seconds, nobody can know what it has done, not even Microsoft. The bot could have downloaded all its friends. It could have made fundamental changes to Windows. The bot could have changed entries in the hosts file, or downloaded false security certificates, and we would not know. After infection, absent some sort of Microsoft deep cleansing which does not now exist, the only real responses are to recover a saved uninfected OS image, or to re-install Windows, which is not easy.
Even if the antivirus says the virus has been removed, a recovery or re-install is necessary anyway, because the virus could have installed something that would not be identified as a threat. The absolute requirement to recover or re-install Windows after infection has not been made clear, and has yet to become the conventional wisdom.
Currently, the best protection I know is to use a "live" Linux DVD (like Puppy Linux) for browsing.
We can accept that a few dummies among us get into trouble.
We should not accept that ordinary computer use causes infection more
often than not.
Something is fundamentally wrong in the product design when PC's
cannot stand up to their normal usage environment.
What We Can Do
As individuals, we are not going to be re-designing our computers. But we can use available things and behave in ways that improve our security.
For better or worse, currently the best security advice is to not use Windows on the Web. One alternative is Puppy Linux, because it is small and easy, and supports the Firefox browser. Naturally, Windows is still desirable for the many standardized, professional and even free programs available for it. But on the Web, we get into a browser, and then we pretty much do not care what operating system is being used.
Unfortunately, the majority of us may already have malware, so
now what?
Things Should Be Simple
Things would be simple if we could just "Restart" the
operating system (OS) to get rid of malware.
That does not work because malware changes files on the hard drive to
get itself re-installed each time.
Windows cannot prevent those changes when it has been subverted by
the malware.
In contrast, booting from a live CD or DVD does restart without
malware, every time.
("Boot" apparently is a simplification of "bootstrap loader," which
refers to disk-based computers starting with a tiny loading program,
which brings in a better loader, which then brings in the OS.
The systems thus bring themselves up "by their bootstraps.")
The Old Days Versus Now
In the old days one might find "the" malware file and then examine it to know what it did, and thus know what was needed to unwind the changes. Sadly, the old ways no longer work. Modern malware tends to set up "bot" or robot programs which are criminally remote-controlled from the net. Once the bot has phoned home, anything can be downloaded, including completely different kinds of bot on each computer. Examining the original malware provides no clue about what happened to OS files after malware contacted the mother ship. There can be no guaranteed way to unwind malware changes.
Modern malware can set up a bot and join a herd almost instantaneously on broadband. Malware can hide in a rootkit that Windows cannot see. The bot can pretend to be a valid process. The bot can download a range of low-tech malware so the owner has something to find and remove. Then the scanner says "nothing found," and the hidden bot remains.
Currently, most PC's have malware, and most of those have multiple
malware files and families.
Just because a scanner finds no malware does not mean there is no
malware.
Scanners are inherently imperfect, even though many forms of malware
can be detected and removed.
The problem is that malware which cannot be detected probably is the
most dangerous and we do not want to keep that either.
Using scanners to certify that a machine is "clean" is asking for
more than scanners can do.
Recover an Earlier System
The easiest way to deal with malware is to step back in time before the malware arrived. We can do that by installing an OS image we cleverly made preparing for the future. Before recovering an old image, first make an image of the infected system (if possible), so the latest data files might be recovered later. Next, install the most recent image and try that. We may need several tries to get back far enough, yet save as much of the recent environment as possible.
Without saved OS images, we have a problem.
Unfortunately, we cannot go back in time to make the images we need.
Weekly or monthly imaging to an external hard drive is a very good
idea.
For noncommercial Windows imaging, I recommend Macrium Reflect
Free from download.cnet.com.
Businesses might try free PING, or the commercial Macrium Reflect
or Acronis True Image.
Reinstall Windows
The ultimate way to deal with malware is to install some OS from scratch. This can take considerable time, in fact days of work to re-configure user programs and the environment. Periodically making OS images is a really good idea. Before reinstalling Windows, first make an image of the infected system (if possible), so we later can recover the latest versions of any data files we need.
A helpful strategy is just to not customize the Windows
installation very much.
Then Windows can be reinstalled in something like 4 hours.
As a partial alternative to installing and configuring programs in
Windows, one might use a free portable program suite (e.g.,
LiberKey).
When most of your programs are portable on a removable flash drive,
re-installing the OS becomes a whole lot easier.
The advantage of LiberKey over other portable packages is an extremely
effective upgrade process (much like Firefox) covering the hundreds
of LiberKey programs.
On the other hand, sometimes the programs in
Lupo PenSuite are better.
Quick Alternative Access
When a computer is infected, the OS files on the hard drive have been changed so they will start malware on each new boot. Normally, it is not the computer box, or the power supply, or the keyboard, or the display, or the CPU, or the RAM, or even BIOS flash memory that has been infected, but just the hard drive. In most cases we can safely use even an infected computer just by booting an uninfected and different OS from CD or DVD. A good example would be Puppy Linux.
Many people find it scary to think about actually using a different
operating system, because nobody wants to learn another OS.
But many of us live in the browser anyway, so using a new OS
is not the big deal it used to be.
Browsing is the on-line activity at risk, and for browsing the
experience is pretty much the same either under Windows or Linux.
"Remove" Malware?
The classic approach to a malware infection has been to scan for a virus and delete it. Removal may still be appropriate for files that have not been executed. However, execution of modern malware generally means the creation of a "bot" or robot program under external criminal control. Even if we find and remove the bot loader, that does nothing about whatever the bot downloaded after calling home.
Scanning a drive for malware may not even be worth doing much longer. Scanning is limited to finding what somebody else has already found, analyzed, and introduced into the signature files. Scanning thus has little hope of finding "zero day" attacks, directed and limited attacks, or modern polymorphic or self-encrypting malware. (See, for example, the SANS risks for September 2009: The Top Cyber Security Risks: "World-wide there has been a significant increase over the past three years in the number of people discovering zero-day vulnerabilities...." "Some vulnerabilities have remained unpatched for as long as two years.")
Let us be clear about this: We can spend whatever time we want scanning and removing, but nobody (and I mean nobody) can guarantee a virus-free result by scanning, because antivirus scanning is inherently imperfect. Scanning cannot certify that a machine is "clean." If we want a clean machine, there is no choice but to load the OS from a saved clean image, or an original CD or DVD. Malware removal is just no longer appropriate. Others say the same things:
"If you discover malware on your system, don't mess around. Back up your data, format your hard drive, and begin again."
"The only way to be absolutely positive that you've removed any and all viruses is:
- Backup
- Reformat
- Reinstall
- Update
- Restore
- Learn."
Modern "rootkit" technologies change an operating system (OS) to hide malware files so they are not even reported by the file system. (See, for example, comments from researcher Joanna Rutkowska in an article from March 19, 2009: Researchers Warn on Security Flaw in x86 Chips: "Today, we cannot effectively detect even the 'traditional' ring 0 (kernel) rootkits....") Rootkit technologies also hide the changed contents of files and report back the original contents so that scans see nothing wrong. Using Windows to scan for rootkit-protected malware probably is a waste of time. When an OS is infected, we can no longer trust the results it delivers, including the list of files it has, and their contents. To expose rootkit-protected files we generally need a "live" CD which always loads a clean OS to report files as they really are.
It is easy to blame Microsoft for poor security, but hacking competitions have shown that no operating system (OS) can withstand expert attack. Large, complex systems like operating systems will always have serious errors. The criminal goal is to exploit users, and since most users run Windows, most criminal attacks target Windows.
Microsoft has put substantial resources into improving security, including free monthly patches and updates, even for Windows XP products that a customer last paid for 8 years before. Windows users who do not apply free updates are welcome to use a system with known problems, but then surely have no room to blame Microsoft for negative consequences. For example, millions of Windows PC's were infected by the Conficker worm of Nov. 2008 through Mar. 2009. Conficker A apparently started to spread around Nov. 20, 2008, even though Microsoft had issued a free patch for that vulnerability a month before, on Oct. 23, 2008.
As the Windows OS strengthens, attackers have moved toward
applications like browsers, players (e.g., Flash), and also file
formats (e.g., PDF).
Nevertheless, the problems are getting worse, not better.
We Need a Different Philosophy
It is unreasonable to expect complex software to have no errors
at all.
However, Microsoft does seem to have a design philosophy of
putting execution ability in everything.
We have had issue after issue with ActiveX, Word document malware,
Office file format hacks, media format malware, font engine issues,
Publisher files issues, video ActiveX issues, and on and on and on.
Allowing unauthenticated code to execute on user computers is a
design, not a mistake, and it is wrong.
We Need Better Tools
Microsoft seems strangely remiss in not providing tools to check
the authenticity of their own OS installation after it has been in
place for a while.
Surely Microsoft can tell when one of their files has been
The smart part of this is a possibility of absolutely knowing whether or not the system has been infected, knowledge not available from scanning. The dumb part of this is to just re-install every important file, and it is possible that something very much like the current Recovery Console could do that. (See: Langa Letter: XP's No-Reformat, Nondestructive Total-Rebuild Option, Description of the Windows XP Recovery Console for advanced users, and How to install and use the Recovery Console in Windows XP.) Microsoft does not support the Recovery Console as a malware recovery tool for users. Instead, Microsoft prefers to offer users nothing easier than a full Windows re-install.
Providing an equivalent fix for malware in the registry may be more difficult, but Microsoft created that problem. The logic of building a fix may illuminate why the registry is so dangerous that it may have to be restricted (like Autorun).
Microsoft should issue an OS file-and-registry check-and-correct
live DVD to verify the existence and contents of each and every
Windows file, and correct those which are missing or invalid.
A "live" DVD which needs a reboot would prevent hidden rootkits from
correcting changed files when scanned.
Even with the huge number of files in Windows, validating specific
known files should be vastly more efficient than scanning all
those same files plus every other file in the computer for
every virus signature.
We Need Hardware Protection
Our PC's are vulnerable largely because they have a tasty hard-drive that is easily changed by malware. Windows cannot protect the drive when Windows has been subverted by malware, so only hardware protection counts, and there is none. There needs to be a way to provide a hardware lock for OS files. OS file changes should not be allowed without prior authentication. The motherboard BIOS, video card BIOSes, and all other flashable BIOSes also need hardware write-protection and periodic verification. (See, for example, the ZDNet Zero Day column for March 23, 2009: Researchers demo BIOS attack that survives hard-disk wipe.)
In practice, the owner would create a local boot lock key at install time. Part of the OS install would set up OS areas to be protected. After install, the drive would lock those areas. Updates would require the owner to enter the local key. The drive itself would have to control write-protect and write-access protection, since we cannot trust either the OS or the BIOS after malware attack. Note that drives currently may know about partitions, but not files.
The new requirement for OS files to not be written in operation
probably would require Windows changes.
Every other feature of Windows which allows malware to hide on the
drive and be started on reboot must be controlled similarly, which
also would require Windows changes.
Most applications would have a similar installation process and
would need similar protection and similar changes.
We Need "Trust" With Consequences
Microsoft has embraced "trust" as a basis for user security. Unfortunately, trust fails to support the user, because users cannot know:
A better approach is to first authenticate items to a particular
owner, and then hold that owner responsible.
In general, trust without consequences is delusion.
We Need a Better Web
The whole idea of downloading pages that execute code on our machines was fine when everybody could be trusted--which was never!
The time has come to design and implement a scheme to provide cryptographic authentication of each item or page downloaded, before any code in that item or on that page is executed. Not only should we know to whom we are connected using SSL everywhere and all the time, but also that each item we get from that page was approved by the page owner.
In computer security, the first issue to think about is data
protection.
Every hard drive eventually will fail, typically without warning.
We cannot stop failures, but we can duplicate our data so that any
single failure will not cause loss.
Ideally, we will have any important file saved in at least 3
separate and independent drives, devices, and/or services.
Backups
A backup is a copy saved where it cannot be damaged with the original. Users need to get personally involved in assuring their data are backed up. Users can copy their files to USB flash drives, or email-to-self, or perhaps save to a Web backup service. Since it is only necessary to back up new or changed files, backup programs "synchronize" the contents of disk directories. New files are copied, and unchanged files are ignored.
For backing up files to an external drive, I recommend
"SyncBack Free".
Operating System Images
An "image" backup is a copy of the installed operating system as it exists on the hard drive, with installed programs and custom configuration settings, and usually the "boot track" and startup code as well. The point of an image backup is to capture the system as it was when the copy was saved. That image can later be used to reproduce the earlier system exactly, thus eliminating any malware which arrived later.
The better imaging programs allow an image to be "mounted" as a drive, making individual files accessible from Windows Explorer. Individual files can be recovered from the image even though they had not been identified as being important enough to have been backed up as files.
For imaging, I recommend "Macrium Reflect Free".
Passwords
A password is a sequence of characters used to identify a particular user. Passwords work by making it unlikely that someone who does not know the password could present it correctly. But computers are able to try one password after another, tens of millions of times, in a "brute force" attack. The typical attack will try "more probable" characters and words before nonsense random values. Any word in a dictionary, or multiple such words, or a sentence of words, may be tried before scanning through random values of much shorter length.
Password protection fundamentally implies that short passwords of any kind can be hacked, as can much longer human language passwords. Having a password hacked by brute force is a user failure.
Password security requires the user to take responsibility for creating different long, random passwords for each site or account or piece of hardware. Good passwords should be machine-generated random sequences of at least 15 characters. Since few if any of us can make or remember long random passwords, we need a password manager to generate and keep them for us.
Our goal is to use passwords that an opponent cannot predict and
cannot afford to search.
Each password character should be an arbitrary selection from among
upper-case alphabetic, lower-case, and numeric characters.
With 62 possible choices, each character would represent somewhat
less than 6 bits of strength.
A good 15-character password would represent a random selection from
among
A 15-character random password is comparable to an 89-bit secret
key and perhaps a 1024-bit public key.
Much less strength is needed when the password is allowed only a
few tries, or when the time for each try gets increasingly lengthy.
Preventing brute-force attacks is something all password-receiving
devices (or sites) should do, but we probably cannot depend on it.
Password Managers
A password manager keeps all our various passwords in a little encrypted database file that we can keep on a flash drive or in cloud storage or send and save as an email attachment. A password manager allows us to keep any number of long, random passwords and user names and all the site information we want, which even reminds us which sites we have already joined. A password manager allows us access to a range of good passwords using a single memorized password.
Using the password manager in the browser is not a good idea. In 2009, researchers were able to hijack the Torpig botnet for analysis:
"It is also interesting to observe that 38% of the credentials stolen by Torpig were obtained from the password manager of browsers, rather than by intercepting an actual login session. (Sect. 6.1)
Some password managers advertise an ability to remove passwords from browsers without needing a master password. Malware could grab the passwords just as easily.
Since emergencies eventually happen to all of us, our partners or at least somebody should have access to our current password database and the master password to access our web accounts.
For a cross-platform Linux and Windows password manager, I
recommend "LastPass.com" on the Web, with the Firefox add-on.
Various plug-in and bookmarklet implementations are available for a
variety of platforms.
Even off-line, the browser plug-in should be able to use (but not
add to) the automatic local backup of the encrypted keys.
A separate portable version allows use completely outside any browser.
SSL is short for "Secure Sockets Layer," a security protocol
introduced by Netscape in 1995.
It has since been updated various times with the current version
actually known as TLS or "Transport Layer Security," but still
often called SSL.
The intent is to establish a secure connection between browser
and web page, so that nobody along the line can snoop.
SSL capitalizes on Public Key Cryptography to generate the same
transient encryption key on both ends of the conversation.
The trick is that the key is not exposed to anyone monitoring the
network.
Once a transient key has been established, full data encryption
starts that protects the communicated data from exposure.
The Internet Protocol (IP) is a store-and-forward network
moving information from node to node in little chunks called
"packets."
Each and every node between the two ends can be thought of as
being "in the middle" of the conversation.
If we accidentally establish a secure channel to somebody in the
middle, they can decrypt our data, read it, and re-encrypt it
properly to send to the far end.
With a "man-in-the-middle" attack neither end notices anything
wrong, but the man-in-the-middle is reading the conversation.
For SSL to work, we must know exactly who is on the other
end of the communication.
Authenticating the web site occurs by receiving a certificate
linking the web site address to an issuer whose certificate is
included in the browser or the OS.
Most SSL security problems involve an attacker trying to pass
off a different certificate, or hide a mismatch or claim it
does not matter.
SSL is particularly important for hiding passwords, especially
for banking sites.
But SSL only protects communications.
SSL does not make an insecure system suddenly secure.
If a botnet or key-logger is resident in the OS, it can easily
capture passwords and whole login sequences, making SSL security
irrelevant.
This sort of sneaky background attack is exactly what is
happening with "banking trojans" that install a bot whose
whole purpose is to hide and watch for logins.
The problem is not SSL, the problem is system security.
One class of attack tries to exploit the leading edge of SSL
protection, as an SSL connection is about to be established.
In an open subnet like a Wi-Fi hotspot, it is possible for one
of the users to innocuously put itself "in the middle" with an
"ARP Spoofing" attack.
The problem is that many site login pages are not secured by
SSL, but only have a button which is supposed to be secure, as in
"sign in securely."
In the original page the button probably includes an "https://"
link to open an SSL connection.
But someone in the middle can modify that page and remove the
"s" from the "https://" so that clicking the button sends the
password in the clear for the guy in the middle to collect.
(For a related but different class of attack, see:
Breaking Web Browsers' Trust.)
ARP Spoofing exposure is prevented by establishing a full SSL
connection before entering any login data.
Currently the user has to check this.
It is important to only enter passwords into pages which already
have an established SSL connection.
For every login, you want all SSL, all the time.
If that is not supported by a website, you need to complain.
You cannot trust the content on any page not delivered by SSL.
You cannot trust your entered data to be secret on any page not
delivered by SSL.
Even SSL cannot be trusted on an infected PC.
Since malware scanners cannot find every possible infection, we are
necessarily reduced to re-installing the OS from scratch and keeping
it pristine, just to depend on on SSL.
Since all security requires an uninfected OS, we should be using a
Linux live DVD for browsing, unless Microsoft comes out with an
improved response.
ARP Spoofing is yet another reason to secure your Wi-Fi.
Obviously, unsecured or open access would allow anyone nearby to
download and re-distribute child pornography, copyrighted programs
and music that could be traced to your broadband connection.
In addition, ARP Spoofing would allow someone to steal your passwords,
unless you and your family are just as careful at home as you need to
be in a coffee shop. (Also see:
YOUR Unsecured Wireless Internet is the Dangerous Weak Link.)
Criminals design attacks which encounter users at random.
The one product a random user is most likely to be using is Windows.
So attacks which focus on Windows are most likely to encounter their target.
Only attacks which encounter their target can succeed and profit the
criminal.
According to Wikipedia
(Usage share of desktop operating systems)
the different OS's are used to browse the Web approximately in the
proportions of: Windows 93pct., Mac 5pct., and Linux 1pct.
The Market Share results
(Operating System Market Share)
are the same.
If you were a malware designer who had to pay for your attacks, and
those attacks only could find computers at random, for which target
would you prepare?
The Mac benefits also from being a less-popular OS.
Roger Grimes says, in
Macs' low popularity keeps them safer from hacking and malware:
Basic SSL
Graze Away from the Herd
"If anything, Macs have more known vulnerabilities -- by far -- than
Windows and are often patched slower."
Similar comments occur in other articles, for example:
Researchers: Macs are less secure than Windows PCs, and
Risky Keyboards and Weaponized iPods: Is Apple Security an Oxymoron?
Currently, many attacks can be avoided simply by using a different operating system when on the Web. An attack which is designed to exploit OS faults, or simply use OS services, is unlikely to succeed on another OS. However, the CPU instruction set coding is largely the same on modern machines, so machine language should work on any OS, if it can be inserted somehow into running code. Interpreted systems like JavaScript and Flash also execute on any OS. The browser itself is an issue: A Browser's View of Your Computer.
Commentators and experts are recommending a Linux live CD for on-line use:
Unix also benefits from being a less-popular OS, but is in no way malware-immune. Those who claim that Unix and Linux are immune to serious security issues have not been paying attention. In fact, the very first worm, the Morris worm of 1988, attacked BSD Unix, not Microsoft Windows 2.0 running on DOS. A brief scan of the past few of years of security news finds:
Comments:
Staying away from the bad side of the Web is no longer enough to stay safe. Malware is no longer confined to porn sites, but instead commonly comes from legitimate business sites: Researchers Hijack a Drive-By Botnet, and Hijacked Web sites attack visitors.
We cannot know what we have in our own computers. Bots try to hide so they can stay in service. Bots that are found and removed are the failures, and those are all we know. Since we do not find successful bots, we cannot believe we have them.
Malware infections may be much more common than we know.
Antivirus scanners cannot certify a computer as uninfected
(let alone the router outside that computer).
The limitations of conventional tools make it far easier to
claim to be uninfected than to actually be uninfected.
The way to be uninfected is to frequently reboot the OS from
hardware write-protected storage (like a DVD), and allow only
controlled and authorized changes to that storage.
Travel with Your Own OS
Everybody wants to sit down at some random computer and sign on to handle personal business, but that is a very bad idea. Key-loggers, screen-loggers and password-stealers for Windows may be resident and waiting. Good security requires that you either have your own computer, or that you boot your own OS DVD on any computer which may have an infected boot drive. Do not use any public computer for email without booting your own OS DVD. That means:
Booting Linux from DVD automatically avoids most resident malware. Currently, the ideal choice seems to be Puppy Linux, which has the unique ability to save browser and add-on updates to a DVD in another session. The updated browser is then used on subsequent boots. Puppy Linux also supports Firefox, which provides cross-platform support for a wide array of add-on programs and important security features. Firefox provides automatic updates as needed for browser and add-ons.
Booting Linux from DVD does not defeat network snooping, so use SSL.
Switching from Windows to Linux is not a trivial change. Windows is a pricy product where we expect and get a certain level of polish and fit for our money. If we are disappointed by Windows, we have every right to complain, and perhaps even vent some outrage. In contrast, Linux generally is a free product and often somewhat rough. As a free product, when we are disappointed by Linux, our outrage may be sadly limited to mere questions and comments.
Taking your computer when you travel places your hard drive at risk, and you may not know what is on that drive. A surprisingly useful option is to simply remove the hard drive and use the laptop by booting into Puppy Linux from DVD. Put the hard drive in an external USB box, and leave that at home. It seems strange, but browsing without a hard drive is almost completely as usable as browsing with a hard drive. Without a hard drive, the laptop is a little lighter and the battery lasts longer. Also take a small router for use as a hardware firewall. Use wired connections wherever possible. Use only WPA2 AES-CCMP wireless security.
On-line accounts need long, random passwords for security. Since we cannot remember such passwords, we need a password manager, and we cannot trust the browser. The best cross-platform (Windows and Linux) alternative I know is an on-line account with LastPass.com. They have a Firefox add-on that automatically fills in the username and password fields for most login pages. There is a portable version for off-line use. Supposedly we can trust LastPass because our computer encrypts the passwords before they are sent to LastPass storage.
It is important to use SSL whenever possible to protect your data. When you do have an SSL connection, you are secure unless you have installed a bad certificate. If you go to a site which should allow SSL but does not, someone may be intercepting your traffic.
It is crucial to protect on-line account passwords with SSL before they are sent on line. Firefox has a relatively new add-on (SSLPasswdWarning) that warns when passwords are about to be sent in the clear.
Sometimes we need to save downloaded or created files, or just URL's, when browsing on a diskless machine. Modest size files are easily saved by attaching them to an email to self, using SSL-protected Gmail for secure access and filing. Of course, even huge files are easily stored to a modern USB flash drive, but then the security of a drive becomes an issue. Bookmarks can be saved to Google bookmarks.
Malware is deliberately malicious software installed without permission of the computer owner. Some (non-exclusive) categories include:
Although malware is often compared to biological viruses and worms, malware is not alive. Malware does not infect humans or animals. Malware is just a sequence of values stored electronically. When malware is executed, the sequence of values tells the processor to make a sequence of data changes that we may not like.
A malware is a computer program, and all programs consist of data, usually in a disk file, and execution. If we can prevent a malware file from being present, it cannot do anything. If a malware file is present, but cannot get executed, it also cannot do anything. Malware has no independent "life," and it does not "lurk" or "wait." Malware does not jump out and take over. Malware must be executed by something before it takes action. Unfortunately, it is easier for an attacker to get a malicious file in place and executed than one might think.
Modern web practices commonly download code (JavaScript, Flash,
etc.) and execute it in the browser.
Attackers can get their code executed by hacking a web page and
changing it to download and execute their code.
Attackers can change a web page to claim the user needs to download
and install a new player, which of course will be malware.
Attackers can send their code as an attachment in an email.
Malware Goals
Modern malware is built to make a profit. Expert development groups build very sophisticated programs specifically for criminal use. Some possibilities include:
It should be interesting to look at current malware, how it is acquired and what it will do. Unfortunately, what we mainly have is statistics about malware scanner detection classes. The August 2009 Threats Update summary from the ESET Threat Center lists the most-often-found ESET scanner detections. Some are apparently a particular code sequence used in a wide variety of malware, which is efficient for detection, but not particularly insightful.
Malware is thought to be detected by scanning files looking for a signature of each known malware, but that theory has serious problems:
Malware must add new files or change old files (or the BIOS or boot sector) to live beyond a reboot. Malware can be exposed by detecting the changes that occur from infection, provided we know or record the state as it was before infection.
Malware can operate without infecting, and a DVD boot will not prevent that. A DVD boot does provide an uninfected system next time.
Malware is not the only threat to computer operations. Many problems are just software issues, the result of faulty or arrogant programming. One serious threat is the loss of stored information due to disk crash or motherboard failure or software problems or human error. We probably cannot prevent system failure, but we can minimize information loss by using appropriate backup procedures.
It is easy to prevent malware: Just do not use the Internet. Just do not use Wi-Fi or connect to a LAN (local area network). Just do not share flash drives with computers that are on a LAN. This is not a joke, but instead a viable option, and, indeed, an actual requirement for serious security. Virtually any modern computer can be hacked from the Internet if the attacker is willing to put enough effort into the problem. If you have secrets of your own to keep, get off the Net, get off the LAN, get all the way off all automatic interconnections. Reinstall your OS from scratch, and be very careful with flash drives.
Using the Internet and avoiding malware can be tricky. Only a limited amount of protection can be bought with firewalls, antivirus scanners and anti-malware programs. Targeted malware probably will not be found by scanning. Probably the most important protection is to not use Windows for browsing. If using Windows, at least keep the system updated and patched. Use an external router that has a hardware firewall (most do). Learn to not click on a malware link. Unfortunately, links do not describe themselves as malware. Attackers deliberately lie to get your click.
Attackers use modern advertising techniques to tempt users to click a link, supposedly to install a program or open an email attachment. Seemingly trustable web pages may have been hacked to download malware, while calling it anything else. Perhaps 9 out of 10 malware infestations are traceable to users specifically allowing attack code to run, believing it is something they want or need. Users must learn to hover the cursor over a link and look at the Status Bar (typically at the bottom of the browser) to see where the click would take the browser. Before clicking, the user should think whether the actual target is the claimed target.
It is possible to operate as a user, as opposed to an administrator. The historical reason for having users and administrators seems to have been a need to protect the OS from user damage in a multi-user environment. That environment concedes that an attacked user will be fully compromised, but hopes that reduced privileges will prevent the OS and other users from being compromised as well. In contrast, many modern PC's are single-user systems where there are no other users to protect.
The advantage of operating as a user is to gain some amount of protection for OS files, not user files. Any important files a user can access, an attacker who exploits that user can also access, for exposure or damage. Protecting OS files is the extent of what limited user privileges can prevent on a single user system.
OS files reside on a drive which is completely exposed to the attacker when the OS is defeated or bypassed. Changing OS boot files is how malware survives a reboot.
OS files can be protected by a "live DVD" boot, where the critical OS files reside on DVD, and cannot easily be changed by attackers. For malware to survive a DVD reboot, it would have to write to the boot DVD, which is both difficult and obvious, easily avoided by removing the DVD, and the DVD is easily replaced in any case.
Live DVD security is fundamentally superior to the classic hard drive boot, and makes limited user privileges unnecessary. While Puppy Linux is designed for a live DVD boot, Windows is not. For Windows, various other issues would come into play, such as extended boot time and registry update and protection.
Anti-malware systems can detect old and widely-distributed malware when scanning downloads and attachments. New "zero day" viruses probably will not be detected, nor will viruses targeted at particular individuals, groups or offices. And once malware runs, not much can be done. In past years, later scans might find and remove the malware. Nowadays, malware files can still be removed, but modern malware has broadband access and often joins remote-controlled bot-herds. There is no way to reliably know what the malware did under remote control, or how to reverse it. One possibility is that more extensive and better hidden malware has been installed. On a system which sees any valuable data or passwords at all, an uncorrected malware infestation can have serious consequences.
The correct response to a malware infestation is a lengthy process of saving current data and then re-installing the operating system (OS) or an uninfected image. Then the system must be brought up to date, and configured for individual use. Then we have to check any other computers and USB drives that may have been attached to an infected system, and all the systems they may have attached to. All equipment with programmable on-board flash ROM (e.g., motherboards, video cards, possibly hard drives, CD drives, routers, printers, etc.) should be re-flashed, a process which is not only tedious, but also carries substantial risk of failure. The settings on programmable equipment (e.g., routers and network printers) should be set up again. All this can take days of effort, spread over weeks of computing interruption, and is so much work that nobody ever really does it.
The best approach is to not get malware in the first place. Malware is easily avoided by not using a computer, or by not connecting to the Internet. Unfortunately, the Internet usually seems too advantageous to avoid, which is why we have performance-sucking scanners and awkward hardened systems that irritate users. Nobody wants to deal with layer after layer of protection, but we really do not want to do what should be done after getting infected.
There seem to be some fundamental approaches to malware defense:
A related alternative would be for Microsoft to supply a live
boot DVD that checked every necessary Windows file and replaced any
that needed replacement.
A full and aggressive implementation of this approach holds perhaps
the best near-term promise of a malware fix for Windows.
Another live DVD might provide a secure environment for browsing, but
would have to not be Windows underneath.
While a simple Windows boot CD would help by preventing changes to boot files, Windows is large, thus slow to boot on an optical drive, and we would just end up with the Windows target again. Windows-oriented malware could still break through individual sessions, just not be able to save itself for next time. The Windows updates so important for hard drive systems actually mitigate against an unalterable boot DVD. The DVD boot disk advantage seems best when applied to a small (fast loading) and stable (no updates) OS.
A useful expansion from the CD boot is to actually have no hard drive at all (using, for example, Puppy Linux). When there is no hard drive, there is no hard drive for malware to infect. Computing without a hard drive really is very pleasant and practical. Beyond saving the occasional file to a USB flash drive, and the relatively slow DVD boot, the lack of a hard drive may not be noticed.
An extremely useful option is a writable multi-session DVD which is practically ideal for program updates. Browser and add-on updates are simply downloaded as usual and then automatically appear in subsequent boots, just like on a hard drive. At the end of a work session, the user can tell Puppy Linux to write changed files to a new DVD-R or DVD+RW multi-session, or not. Previous file versions remain on the DVD unchanged, and the Puppy Linux OS is responsible for loading the most recent copy into the memory file system for use. In Puppy Linux, after boot time, the DVD can be removed, or the DVD mounted to access archived older versions of files.
Multisession writes do carry some risk of malware infection, but the user need not save a session unless there are updates, and even then only if nothing seemed strange. Saved sessions can be viewed and inspected. Saved sessions can be voided if infected or even if some program configuration has gone wrong.
Booting from a flash drive is another possibility, potentially faster than a DVD, but unfortunately carrying a very real risk of malware infection. For an effect similar to a DVD load, it may be necessary to have a flash drive with a hardware write-enable/disable switch (such as an SD-card in a small USB card reader). Ideally, we could remove the flash drive to enable writes, then replace it for an end-of-session update, something not currently possible in Puppy Linux.
Yet another possibility is to boot inside a virtual machine (VM).
Unfortunately, if the base machine is infected, we no longer can
trust the VM, and even a CD boot cannot be trusted.
In contrast, when we boot the physical machine from a live DVD,
the only relevant infection is whether the DVD is infected.
A similar issue exists with respect to the motherboard BIOS, the video card BIOS, and every other flashable BIOS in the system. These all need hardware protection against unauthorized change and the ability to easily authenticate their contents. The OS cannot provide this protection.
Hardware storage authorization also might be useful for USB flash drives, and in general, all drives.
We can start with some basic Web protection:
Firefox add-ons like NoScript expose the difference between casual browsing and cautious use: If we consider security as a wall around our protected town, good security involves closing every possible access, opening only when we need to, and only for what we need. We thus enable access to specific pages, which is a "white-list" or "opt-in" policy, as opposed to the usual policy of leaving everything open unless we actually catch some bad things sneaking in. Sadly, NoScript will actively prevent many exciting user interactive things which are potentially dangerous and so cause some anguish. However, if desired, we can easily enable everything on a particular site. Finer control is available, and very useful, once we realize that the annoyance is in our own best interests.
Just using safer programs is not enough:
The top recommendations are:
The single most important defense against malware is to not be browsing from Windows.
Users should take a deep breath and at least consider using Puppy Linux on DVD (or some other Linux "live" DVD alternative) as their OS for the Web. When Puppy
is running Firefox, the browsing experience can be very similar to Windows, albeit with some occasional glitches. When Puppy Linux is booted from DVD, the resulting security should be better than a whole raft of Windows add-ons. Puppy browsing is just a boot away on almost any PC. Even better would be Puppy Linux on a machine with the hard drive removed, or simply disconnected.How can we keep our doors closed, when we have to open them to
deal with the outside world?
The Heart of Security
Sometimes security is described as "lock every gate," but the locking part may be the lesser problem. Gates imply a wall, and if a security wall does not make weakness obvious, there could be gates anywhere. The real problem lies in finding all the possible gates. Closing each newly-found gate is some help, but overall may not make much difference if other open gates remain undetected.
All good security works by preventing almost everything, then paying close attention to the few things allowed. Avoiding all but a few selected alternatives avoids the need to analyze each and every possibility as it occurs to see if it is a threat. Avoiding analysis is important for computing, because exposing an apparently innocuous file as a threat may require a deep understanding of content which computers do not yet have.
On the Internet almost every alternative is allowed, so the
potential for security problems is almost unlimited.
Since computers do not understand content, full analysis cannot
occur in real time, leaving the net inherently unprotected against
new deceptive attacks.
The current approach of trying to patch each bad alternative after
it has been found cannot provide security and will never be
complete.
The Walled-City Model
Many of the issues in general security can be modeled by analogy to a city surrounded by a defensive wall. The wall cannot be perfect, and large gates are necessary. On the Internet, each piece of "wall" might be the "ports" controlled by a particular application or service.
A real city has a continuous flow of people and goods in and out, and that flow is necessary for life. If we want a live city, we had better not permanently close all the gates, even if that would be secure. Similarly, using the Internet implies a flow of data in and out. We can cut off outside connections, but what we want is to have those connections and be safe anyway. With limited information, that may not be possible.
At the walled city, we can minimize the number of gates. Then we can put guards on the gates, and prevent the random wanderer from coming in. We can oppose an organized attack. But many of those entering will do so on invitation from someone inside, and there really is not much guards can do about that. Similarly, our Internet firewalls mostly prevent random external access, but pass anything requested from inside. All an attacker needs is for somebody inside to request an entry. The only way we could hope to prevent that is to know a lot more about the external petitioners than web lets us know. In a sense, we need a "photo ID" for every page that responds to us.
Once inside the city, anonymous plotters can infect previously
well-working organizations and systems.
In a real city, it is tough to find illegal infiltrators, so we
generally relax until they do something very illegal.
In a computer, it should be possible to know and check each and every
allowed file, and we can or do have their hash value "photo ID".
Ideally, all the critical files would be in the same general place,
and no other files would be allowed.
Unfortunately, that is not our current reality.
Computer Security
Modern personal computer (PC) operating systems (OS's) are large, detailed and immensely complex. Since complexity makes strong security impossible, our OS's are by design vulnerable to attack and control. These large complex systems require frequent patching, and so necessarily reside on easily writable hard drive storage, which is easily infected by malware. Ideally, the system would allow only authenticated changes, but when an OS has been subverted it cannot be trusted to perform authentication. An alternative would be some sort of live-CD patcher that makes and validates updates, but no such system is known. Ideally the OS and hardware would conspire to absolutely prevent unvalidated changes to OS code on the hard drive, but currently that does not happen.
For whatever reason, Windows is the OS of choice of most computer users, making it also the target of most malware attacks. General OS and Windows-specific complexity allows malware to hide among tens of thousands of legitimate files, registry entries and distributed BIOS code. Malware necessarily must add or change system code simply to come up again after reboot. System code changes should be very detectable from a booted live CD, yet no such system is in common use.
Although Windows OS updates and security patches are a valiant effort, they cannot even fix all implementation errors, let alone security faults in fundamental design or in application programs. Running an unprotected Windows system is demonstrably dangerous for many users. Recovering from infection often requires a full-image restore or a lengthy full OS re-install because malware has changed the system on the disk. A hardened Windows system is difficult to develop, can be unusably slow, and for all that still cannot guarantee security.
Our best strategy is to prevent problems, or prepare to handle
them.
We seek to protect passwords, on-line accounts, financial accounts,
private data, and the usability of our computers.
We need to identify as many distinct problems as possible, and then
innovate responses to handle those problems:
Trojan Horse programs are avoided by users knowing how
to not run programs coming from outside their system.
Attacks on operating system flaws are avoided by installing updates as soon as they are available.
Worm attacks are prevented by using an external router with NAT (Network Address Translation) and firewall. The only incoming packets allowed are specific responses to previous outgoing packets.
Attacks that reprogram the BIOS flash are prevented if a write-enable hardware jumper exists and is physically removed.
Absent some form of BIOS write protection, it may be necessary to re-flash the BIOS whenever it might possibly have been virus-flashed.Flash-drive viruses are opposed by disabling autorun, and by using an SD memory card USB reader (instead of a USB flash drive) and flipping the SD write-protect switch.
Incoming computer viruses are rejected by using an antivirus
program to scan every drive write operation.
Unfortunately, antivirus scanners cannot detect what has not yet been
found and analyzed, making perfect detection impossible.
Installed computer viruses might be detected by a general
scan of all files. Rootkit malware that has somehow gotten through the
defenses may not even be visible from inside the OS. Dangeous websites are hidden by using OpenDNS (and
possibly a hosts file) and are indicated by WOT (Web Of Trust). Attacks on web accounts are defeated by using long,
random password values stored in a password-manager (absolutely not
in the browser). Attacks on web account credentials are defeated by
using random password values for challenge question answers. Browser attacks are addressed by using
the strongest acceptable browser, security add-ons, and the
latest updates. Software problems, or at least their effect on the
computing platorm, are minimized by automatic daily backups of the
registry (ERUNT) and periodic registry cleaning (CCleaner). File loss is minimized by making backup copies of
important files. Hard drive failure (a) is completely fixed by getting
a new drive and loading it with a saved drive image. Hard drive failure (b) sometimes can be recovered in
place by SpinRite, which is a commercial, bootable, live CD.
A backup is a copy saved where it cannot be damaged with the original. Computer backups can be file copies or drive images.
Backups save data as it was at a particular time, with the intent being to recover that data if the original is damaged. But as time goes on, originals are edited, updated or changed to new and improved versions and the old backups become correspondingly less useful. When failure occurs, we want to recover the system we had just before the failure, not as it was a week or a month ago.
Backups have a surprisingly limited useful life, so only a couple
of backups need be retained.
Backups should be stored independently, since keeping backups on the
same physical drive as the originals risks a disk crash that takes
out everything.
File backups just save a particular file or set of
files, which saves the file data as it was at a particular time. Image backups generally copy each sector of
a logical drive, thus inherently including both data and file system
structure.
Some imaging programs allow an image to be mounted as a drive,
making individual files accessible for copying, even though they
had not previously been identified as important.
Because an image backup generally includes boot sectors which are
hidden from a file system, an image often can be recovered to a
different drive and then simply booted into operation.
Image backup recoveries thus avoid lengthy OS re-installs otherwise
needed to support files.
Image backups also retain the original OS configuration.
Multiple copies are important so that if one is
damaged, the others remain.
Cloud backup services are available with a modest amount of free storage.
Various distinguishing issues include the amount of storage, the number of computers on a single account, security, etc., along with details of how files are sent and later received. Some cloud services are:Frequent backups are crucial to minimizing loss. Backups going back years are rarely helpful.
When failure occurs, we are interested in recovering what we had yesterday, not last month or last year. On the other hand, we can have the computer make a copy every 5 minutes, but if we put those copies on the same drive as the original and the drive fails, we then lose the backups along with the original. It is important to have multiple independent copies, where damage to one will not also damage the others.Automated backups are risky because automatic things tend to fail unexpectedly in unexpected ways.
For example, automatically rotating through a limited number of backup copies fails us as soon as we need to go back farther than the earliest remaining copy. Similarly, putting multiple copies on the same drive fails us when that drive fails. In contrast, we can easily survive drive failure by making backups and saving them in multiple independent places. Manually copying a file to a flash drive and/or sending it to yourself as an email attachment surely could not take more than 5 minutes, yet could avoid massive recovery efforts and actual data loss.Image recovery is impossible (in general) when drives are actively in use.
Typically, image recovery requires a "live CD" that boots from CD and runs a replacement operating system in memory. That OS then can analyze and recover even the original boot drive.Image recovery is dangerous because it will overwrite the entire file system for a particular drive. Frequently some files have changed with that being unnoticed or forgotten until they are no longer available. It is important to save an image of the damaged system (when possible) before recovering an earlier image. It may be possible to examine that image later, and recover forgotten files that way.
Puppy Linux is a free alternate operating system that most ordinary Windows users can use quickly. Puppy Linux supports the Firefox browser and most Firefox add-ons, thus delivering a browsing experience similar to Windows. There are various advantages:
Puppy Linux is not Windows. Malware that infests Windows generally assumes the presence of Windows services, data structures and program code. When Windows is not present, the malware generally cannot operate successfully.
Puppy Linux can boot from DVD. If an infection is acquired during operation, even in Linux, a simple DVD re-boot solves the problem.
Puppy Linux updates the boot DVD. A modern browser is updated frequently to patch security flaws. With a DVD OS, updates would normally mean burning a new DVD and doing a new configuration. In contrast, Puppy Linux allows writing file changes and browser and add-on updates as another session on a multisession boot DVD. The next time we boot we have the updated browser just like we would with a hard drive OS. If a work session seemed strange, we do not have to save it. If Puppy starts acting funny, we can void the previous session and restart to a session before the problem.
Puppy Linux does not need a hard drive. When there is no hard drive, there is no hard drive to infect. Browsing without a hard drive is surprisingly normal. We have many options to save information beyond relying on a vulnerable hard drive:
Bookmarks are a self-made burden. For synchronizing bookmarks between Windows and Puppy I had been using Xmarks with great success. Eventually, though, my rapidly-expanding bookmark list made that intrusive by needing a ponderous download for every sync operation. Now, by exporting bookmarks as HTML then sending that file to myself as an email attachment, I can have all the old and obscure bookmarks available by viewing email. I save important new bookmarks to Google bookmarks "in the cloud," to avoid extending the DVD on every session. I do keep a few everyday bookmarks (tabs) locally.
Puppy Linux is not the whole security solution. Using a different OS can protect the computing environment from malware, including viruses, key-loggers and bot-nets. Browser, password, and connection security issues remain, although Firefox add-ons can be a big help. In addition to using Puppy Linux, users should:
Puppy Linux is free, voluntary software.
New versions have been coming out every few months, none of which
are oriented specifically toward secure use.
Apparently Puppy has had multi-session DVD operation for years, and
may be the only live-DVD Linux supporting browser updates.
The Linux Development Environment
The reality of free Linux can be a shock to Windows users. Microsoft has a few basic flavors of Windows, all of professional quality, which stay basically the same for years. Puppy Linux especially has any number of different versions, often going in different directions with a few part-time developers, which may last a few months to the next version, or just die out. The way to assess the new work is to download a likely .iso, burn it to DVD and see what it does.
Business users often point to the lesser quality in the free Linux distributions, but if Windows was really doing a quality job, we would not be here. Windows has simply failed to provide the on-line protection we need. Reasonable people can disagree about which OS is better and yet still prefer Linux to Windows for particular situations. In most cases, we can take an ordinary PC, boot Puppy Linux in a couple of minutes, do our online work in much greater safety, then reboot Windows. Those who do most of their work in the browser may not have as much need to reboot Windows as they first expect. However, when it comes to devices that are in any way unusual or specialized or new, Windows always has a driver, and Puppy generally does not.
In free systems, it is common for things to not work as well as in
a professional product.
In the case of Puppy Linux, usually there are work-arounds, since many
other people have to do the same things as you anyway.
Or there may be a new fixed version in a few weeks or a month.
On the whole, Puppy Linux is very usable.
Puppy Linux Resources
A surprising amount of information is available, although some of it is dated and some is hard to find. Here are some starting points:
For security use, Puppy should be booted from DVD and not installed to a USB flash drive or hard drive. Any boot medium that is immediately writable can be trivially infected. To freeze out malware, we need to not provide a easily infectable environment. The following instructions are for Puppy 4.3.1 and similar.
Although the documenation recommends DVD-R, I think the results depend upon particular equipment and especially discs, which seem to vary a lot. I have had better luck with DVD-RW, and I can erase those and start over.
We want Firefox, and it need not be recent because it is so easy to update. We also want the latest possible Flash Player, which is harder to update. Some Puppy versions (e.g., puppies-431.iso) include Firefox and an updated Flash Player, and so do not need .pet installs. The main Puppy version (e.g., pup-431.iso) usually does not have Firefox, and Flash Player quickly becomes outdated. Firefox and Flash can be installed (or re-installed) by finding and downloading .PET files. To install a .PET, copy it into Puppy memory (perhaps /tmp), click to install, then delete the file.
There is a Linux program called Wine which emulates Windows and
allows some Windows programs to run in Linux.
You may be tempted to install Wine, but do not do it!
Wine has gotten good enough to support a range of Windows malware,
which is precisely what we are trying to avoid.
If we need to run Windows programs, we probably should stop browsing
and re-boot into Windows.
Example Puppy Install
When used for improved security, Puppy Linux should not be installed to a hard drive but should instead boot from DVD on every session. As programs and configurations are added to Puppy, the changes should be saved to the Puppy DVD, provided nothing strange has happened. If any attack files actually do make it into the RAM file system and are backed up on the DVD, that session can be marked bad later. This example install is limited by my ancient monitor. This is a working example for my particular equipment--do not follow it blindly!
Files in the /tmp directory are not saved to DVD at the end of a
session.
Files in the /archive directory are saved to DVD, but not recovered
in the next boot.
Otherwise, changed files are saved to DVD without overwriting the
older versions, and only the most recent version recovered on boot.
This tends to archive the progress of a project over time in a way
that does not occur in normal computer file systems.
Each different session of files on the DVD can be read under Linux
or Windows.
DVD Issues
Optical storage simply is not as reliable as hard drive storage. Although DVD problems tend to be infrequent, in the Puppy application they can be quite costly. After every end-of-session save, Puppy announces: "Have saved session to live-DVD (unless it has not which is an error)." This amusing message unfortunately becomes much less funny when the session really has not been saved.
Because optical storage is less reliable than we want, verifying an optical burn is not optional, unless we are happy to lose the data, in which case why are we saving it? Puppy does not verify end-of-session DVD writes. In general, it would not be uncommon for an optical write to not verify, and then Puppy should allow the user to select re-trys, try new discs, use USB drive storage and other options to prevent loss of user data. Some user control is available in Puppy by using the "save" bulls-eye on the Puppy desktop before ending the session. The "save" icon writes the session changes to DVD without shutting down, but it also does not verify the result, and it is not clear whether a write error would be recognized. Currently, using "save" without a normal end-of-session save does produce a "unclean exit" error for "X" on the next boot, which is easily ignored.
Since all storage systems are somewhat unreliable, our Puppy response is just to be more rigorous than usual. For example, I manually back up important local work (like this article, during development) before the end of every session. I copy work files to a USB flash drive, I send the files to myself as email attachments, and save them to a Windows drive, if present. An email save generally takes under 2 minutes, total. A flash save generally takes under 1 minute. Only after everything has been saved do I shut down.
Sometimes upon restart Puppy comes up (the splash screen shows), but then fails upon reading the last saved session. We can void the last session by starting Puppy again and entering the command "puppy pfix=1" at the splash screen input.
Rarely, we can find that the last session save has made the disc completely unreadable, at least for boot purposes. Then we need to start over with a new disc. It is useful to have made copies of a fully-configured system, but it can be quite difficult to copy an unclosed multi-session DVD.
One way to "copy" configured Puppy DVD's is to first boot from a fully-configured DVD. Then load a blank DVD and burn a new .iso. There is a lot of drive door opening and closing going on, and I have found it important after any door closing to watch the burner LED and wait for it to settle down before issuing a burn or verify command. Then follow Menu / Shutdown to "Reboot computer", which triggers an update burn on the new disc. All this is more tedious than one might hope.
A better option might be to follow Menu / Setup to select "Remaster Puppy live-CD". The goal is to end up with a slightly-larger .iso including Firefox with add-ons and their configuration which can be saved as a file. Presumably we would update this from time to time. Unfortunately, I have been unable to make that include the Firefox add-ons and their configuration. Possibly the Firefox FEBE add-on could recover a saved configuration in a different way.
This list of "do's and dont's" started out much shorter. We should all be sorry that security is this hard:
This document started as an attempt to explain the curious fact that the efforts of a great many very smart people have not managed to make PC's secure. The attackers are, in fact, winning.
My original goal was to fix security holes in Windows. I expected to find a recipe of settings and added programs that would make most users secure, and much of this document is just that sort of information. Sadly, I ultimately was forced to accept that good Web security is just not available within the current Windows environment.
Absent an actual winning approach, our best bet is to move away from using Windows on the Net. The first step in malware protection is to use any OS but Windows for browsing. The second step in malware protection is to boot your browsing OS from DVD.
For some reason, everyone seems to have gotten stuck on the idea that the way to win against malware is to make perfect software with perfect security protocols. But that is only "winning," if you never want to end the race. Perfection is impossible in the real world, and if we are to win, we must must tolerate reality.
In my view, Microsoft and their legions of committees and doctoral experts have been working the wrong end of the problem for many years:
From the point of view of the operating system, attacks come
from the "outside," so there would seem to be an opportunity to
identify and repulse attacks before they succeed.
One of our problems is that we cannot specifically define what an
attack looks like.
We might define an attack as "an external interaction that changes
our OS in undesirable ways."
To understand the effect of data flowing from outside to inside the
OS, and then classify it as dangerous, we must understand what the
OS will do as a result of the data.
To understand OS actions, we must infer the entire inside context of
the OS (and the running applications it contains), which is
just what we try to avoid by thinking of "the OS" as a single
unit.
Knowing what the OS will do, without knowing the vast dynamic state
inside, is just impossible.
Externally identifying a new attack (i.e., an outside interaction
with the danger quality) by inspecting only outside data (seen, for
example, by a firewall or a malware scan) is necessarily difficult,
and absolute certainty is virtually impossible.
Improve Internet Design
The possibility exists that some design for outside surface
interactions could guarantee security based on outside data alone.
While it is unclear whether such a design is possible, our real world
has nothing like that.
In the real world, Internet protocol design has never had (as far as
I know) a goal of identifying dangerous interactions.
Indeed, bad interactions are not even defined in terms of outside
data.
Dangers are generally seen as "higher level" issues, and quite
independent of lower-level protocols and data.
Unfortunately, the low-level data are all we can see from the outside,
and the only information we have to infer danger.
The Internet re-design approach seems unlikely to be much real-world
help, at least in the near term.
Attack Success Means Detectable OS Damage
An attack which is unidentified and not repulsed may be successful
and essentially become part of the OS itself.
Attacks that are not stopped damage the OS, so the OS can no longer
be trusted with any form of protection.
Surely OS damage is undesirable, but far worse is an inability to
know with absolute certainty that damage has occurred, where it is,
and how it can be corrected.
An inability to identify and correct OS damage (which is, after all,
just wrong data in memory or on a hard drive), must be seen as a
fundamental failure of security design in the OS itself.
Hardware Boot Protection
One way to start winning is to prevent malware from modifying our saved critical OS files so as to get itself re-loaded on every boot. Probably the OS will need modification so critical files are not normally changed in operation. Then the critical files can be collected in a single directory or partition, and protected by serious hardware control.
Perhaps the hard drive would prevent changes to critical files, and must do so even if OS file system was subverted and file attribute read-only bits ignored. Perhaps the hard drive would accumulate new file versions but not perform replacement until each had full cryptographic authentication coupled with an overall owner authorization. The drive should hold multiple configuration steppings, to make it possible to revert to earlier configuration.
Sadly, our PC hardware design does not include selective hardware
file protection, nor is it likely that the current OS could use that
if it existed.
OS File Check and Repair
Absent selective file protection in hardware, it is at least
possible to imagine periodically checking and absolutely repairing
every single critical file.
Check and repair does not mean scanning for viruses or malware, it
instead means checking each critical file for existence and contents,
and correcting whatever needs correcting.
To avoid rootkit effects, such checking probably would require a
reboot into a "live" DVD, and may further require a deep analysis of
the registry so it could be similarly repaired.
Device drivers would be another issue, as would hardware BIOS flash
memory contents on various boards.
Boot from DVD
Another possibility is to boot our OS from some form of fixed or read-only storage, such as a DVD. Although much slower than a hard drive, the DVD boot automatically destroys previous memory contents including malware (excepting, of course, BIOS infections). Unfortunately, the large size of the Windows OS may make DVD reboots so undesirable as to be almost unusable. Even if we accept the inconvenience, we just end up with Windows again, which is the malware target.
Since software updates are our reality, it would make sense to use
the multi-session capabilities of DVD+R or DVD+RW storage.
Any such system can and should involve cryptographic authentication
that malware cannot provide.
Unfortunately, software control necessarily depends on the OS not
having been subverted, which may not be true.
Absent separate authentication hardware in the DVD reader, this whole
approach may have only temporary worth.
Of course our systems are themselves temporary, and when the next step
becomes obsolete, we may have better hardware to deal with it.
Boot from Hardware Protected Flash
Perhaps more ideal than DVD, and certainly faster, would be some sort of flash memory boot. Flash memory itself is hardware, but here we refer to hardware protection, the ability to prevent unauthorized changes to critical files. Common USB flash drives seem unlikely to be very helpful because the critical security aspect is not holding or reading data, but instead preventing malware from changing that data. Write-protection must occur in hardware (or firmware in a separate hardware system), because when malware is present the OS has been subverted. Ideally, we would have full cryptographic authentication and hardware selective file protection inside a USB flash boot device, all of which is perfectly reasonable. What we need is a modified OS and a USB flash boot device with selective file protection, update authentication and owner authorization for updates.