Internet Security Tips and Advice

Paranoid2000: Thoughts on Internet Security

March 28th, 2008 by Igor Pankov

This month a prominent UK network tester and Internet security specialist nicknamed Paranoid2000, an active figure in security-related forums including the Outpost Firewall Forum, has kindly agreed to answer our questions. What should you expect in terms of online safety, and what should you do to resist existing threats? Please find the revelations of an advanced user and computer specialist below.

Q.: Computer security appears to be your big interest, why is it so appealing to you?

A.: For purely selfish reasons - I want to keep control of my computer! Malware production has changed from being a (somewhat macabre) hobby to a fully fledged industry, and one which shows no respect for individual rights or general well-being.

To take a common case - consider a spammer or other online fraudster who sends out ten million emails a day for a year. Even if only 10% reach someone who then spends 5 seconds reviewing and deleting them (many will spend more time reporting them, adjusting spam filters or reconfiguring servers), that amounts to nearly 58 years of time taken that could be used for other things.

Now a serial killer who murders 10 people may have denied society 400 years of life (assuming the victims had an average age of 32 and would otherwise have lived till 72). So the consequences of a major career spammer (sending out billions of emails per day over 5 or more years) in terms of time lost could exceed this by a factor of 10 or more. Spamming cannot generally be equated with mass murder, but this sort of calculation should provide an indication of its consequences to online society and the inadequacy of existing deterrents.

And spamming is just one of many online crimes that take advantage of inadequate online security.

Furthermore, there is an increasing trend with commercial software to use measures to track or restrict users (e.g. CD checks, online activation and even rootkits) so it is important to keep an eye on how things develop there. Here users have more power to deal with unacceptable conduct (via product boycott in the worst cases) but appropriate security software is often necessary to detect anything untoward.

Q.: Could you tell us a bit about yourself - how did you get started in security? Do you have any special skills or experience? What’s your education in relation to IT?

A.: I’ve been into computers since early teens (started with an Apple II - still have it, still works) and did Computing Science at university, but I picked up the most useful skills while a network tester. This involved using protocol analysers to view network traffic and required in-depth knowledge of network protocols, including the now ubiquitous TCP/IP.

Q.: Don’t you think that tweaking protection to the maximum creates an equally unusable environment where you have to answer a barrage of security dialog windows, making your work less productive and all these distractions intruding upon your everyday experience? How do you feel about this situation?

A.: There are several aspects to achieving “maximum protection”, each with different overheads.

The first is disabling any unnecessary features which could be abused - for example in Windows, services like Universal Plug and Play or Windows Messenger. This is a once-off adjustment which should involve no further prompts.

The second is blacklisting/whitelisting, checking programs against known lists (antivirus scanners come in here). Prompts here should be minimal (in most cases, only when a problem is identified) but constant scanning can affect system performance.

The third (which is where firewalls like Outpost come in) is behaviour tracking, alerting on specific actions (e.g. network access, registry modification, driver installation). Here certainly there can be problems with the quantity and quality of prompts - most security utilities only provide very low-level information which does little to inform the expert (let alone the novice) as to what to allow or deny.

To take an example with Outpost Firewall 2008, whenever I switch on (or off) the wireless interface on the notebook I run it on, OPF 2008 prompts me that Svchost is trying to modify Explorer. There’s no indication of what or why this is happening (I would *guess* that Svchost is prompting Explorer to refresh its display to add or remove network drives) and Svchost itself is too easily hijacked to say “Allow” all the time. Here there is a need to provide more information about what is happening, either by looking at the circumstances triggering the event (a hardware addition/removal in this case) or by looking more closely at the interaction (identifying the hook used, API routine called, etc.) and then providing a readable explanation of what is happening.

Whitelisting could reduce some prompts, but would not help here due to the wide range of actions performed by Svchost and the possibility of malware causing them. Some examples already use Svchost to access the Background Intelligent Transfer service (normally used by Windows Update) to avoid being blocked by firewalls.

A large number of prompts will be a problem, but this is solvable by making it easy to create rules (either temporary or permanent) covering a wider range of behaviour. For example, program installers typically create and modify many registry keys - System Safety Monitor (a “process firewall”) provides an Install Mode option that allows most subsequent registry changes, only alerting on critical ones like driver installation.

ZoneAlarm Pro provides a very simplified “trust” system where applications can be assigned one of four trust levels, but this is taken too far in my view since it does not separate network access from process or registry modification. However this could be taken as a starting point for an “application profile” system (as offered by Tiny Firewall) which would allow users to set appropriate permissions with, at most, 2 or 3 dialogs.
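The prompt-reduction ideas in the answer above (whitelisting, an "Install Mode" that allows routine registry churn but still alerts on critical actions such as driver installation, and rules that remember a decision) can be sketched as a small policy engine. The following is an added illustration written for this page; it is not Outpost, System Safety Monitor or Tiny Firewall code, and the events, process names and rule structure are constructed. The two registry prefixes treated as "critical" (service/driver registration and the autostart Run key) are an assumption about what a sensible default list might contain.

```python
"""Toy behaviour-tracking policy engine (constructed illustration).

Shows why an Install Mode cuts prompt volume without going silent on
critical actions, and why a hijack-prone process such as svchost.exe
should not simply be whitelisted.
"""
from dataclasses import dataclass, field

# Assumed "critical" registry locations: changes here should always prompt,
# even for a process in Install Mode or on the whitelist.
CRITICAL_REGISTRY_PREFIXES = (
    r"HKLM\SYSTEM\CurrentControlSet\Services",              # driver/service registration
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",  # autostart entries
)


@dataclass(frozen=True)
class Event:
    process: str   # image name that performed the action
    action: str    # "network", "registry" or "driver"
    target: str    # remote host, registry key or driver path


@dataclass
class Policy:
    trusted: set = field(default_factory=set)        # whitelisted image names
    install_mode: set = field(default_factory=set)   # processes currently in Install Mode
    rules: dict = field(default_factory=dict)        # (process, action) -> "allow" | "block"


def is_critical_key(key: str) -> bool:
    """True if a registry key sits under one of the critical prefixes."""
    return any(key.upper().startswith(p.upper()) for p in CRITICAL_REGISTRY_PREFIXES)


def decide(policy: Policy, ev: Event) -> str:
    """Return 'allow', 'block' or 'prompt' for one behaviour event."""
    # 1. A remembered (temporary or permanent) rule wins outright.
    verdict = policy.rules.get((ev.process, ev.action))
    if verdict:
        return verdict
    # 2. Driver installation is always critical: never decided silently.
    if ev.action == "driver":
        return "prompt"
    # 3. Install Mode: routine registry changes pass, critical keys still prompt.
    if ev.action == "registry" and ev.process in policy.install_mode:
        return "prompt" if is_critical_key(ev.target) else "allow"
    # 4. Whitelisted process: allow, except for critical registry keys.
    if ev.process in policy.trusted:
        if ev.action == "registry" and is_critical_key(ev.target):
            return "prompt"
        return "allow"
    # 5. Everything else is a prompt (svchost.exe lands here on purpose:
    #    it performs too many different actions to trust blanket "Allow").
    return "prompt"


def remember(policy: Policy, ev: Event, verdict: str) -> None:
    """Record the user's answer so the same process/action no longer prompts."""
    policy.rules[(ev.process, ev.action)] = verdict


def prompt_count(policy: Policy, events) -> int:
    """Number of events the user would have to answer under this policy."""
    return sum(1 for ev in events if decide(policy, ev) == "prompt")


# Constructed sample events: an installer, svchost going online, a browser.
SAMPLE_EVENTS = [
    Event("setup.exe", "registry", r"HKCU\Software\ExampleVendor\Path"),
    Event("setup.exe", "registry", r"HKCU\Software\ExampleVendor\Version"),
    Event("setup.exe", "registry", r"HKLM\SOFTWARE\ExampleVendor\Install"),
    Event("setup.exe", "registry", r"HKLM\SYSTEM\CurrentControlSet\Services\exdrv"),
    Event("setup.exe", "driver", r"C:\Windows\System32\drivers\exdrv.sys"),
    Event("svchost.exe", "network", "update.example.net:80"),
    Event("firefox.exe", "network", "www.example.org:443"),
]


def plain_policy() -> Policy:
    """Only the browser is whitelisted; the installer is treated like any program."""
    return Policy(trusted={"firefox.exe"})


def install_mode_policy() -> Policy:
    """Same as plain_policy, but setup.exe has been put into Install Mode."""
    return Policy(trusted={"firefox.exe"}, install_mode={"setup.exe"})


if __name__ == "__main__":
    for name, pol in (("plain", plain_policy()), ("install mode", install_mode_policy())):
        print(f"{name}: {prompt_count(pol, SAMPLE_EVENTS)} prompts")
        for ev in SAMPLE_EVENTS:
            print(f"  {decide(pol, ev):6}  {ev.process:12} {ev.action:8} {ev.target}")
```

Running it shows the installer's three routine registry writes becoming silent under Install Mode while the Services key write and the driver load still prompt, so the user answers three prompts instead of six. Whitelisting svchost.exe would remove the remaining network prompt, but, as the answer notes, at the cost of covering whatever else has managed to run inside it.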

Q.: From the nature of your work, you deal with day-to-day PC gripes of your fellow forum members and other regular users. What are the common problems and how do you help resolve them?

A.: I’ve not been doing as much troubleshooting recently - but the biggest challenge is getting the right information to start with, especially with novice users who may not know what is significant (e.g. error messages, system setup). Without this, it is all too easy to draw the wrong conclusions and waste time as a result.

Q.: How would you rate the overall level of security knowledge and awareness of regular PC users, what do you think they need in that regard?

A.: For most people, security knowledge is sadly close to zero - often just a simple awareness that it is needed. Here computer vendors could do far more by including a copy of instructions like http://www.cert.org/tech_tips/before_you_plug_in.html or something similar.

Currently all that most offer are trial versions of AV software that they receive commissions for, which can often cause further problems.

Q.: What Microsoft OS do you use? What, in your opinion, Vista lacks security-wise and what are its security benefits?

A.: I’m using Windows 2000 on my main system, having boycotted XP due to its online activation requirement. I do now have a system with an activation-free XP (via a BIOS lock - I spent over a week trying to install Win2K on it initially) but I have now become very cautious with Microsoft products. All too often the pain (online activation, limited compatibility, planned obsolescence, software dependencies) outweighs the gain on their recent offerings.

As for Vista, the increased level of Digital Rights Management (DRM) rules it out completely for me. Even without that, it offers almost nothing over a Win2K/XP system with an appropriate choice of third party software (firewall, media player, disk backup, etc.) while seeming to have a disproportionate cost in memory, CPU utilisation and money.

The most successful Windows versions were those that fixed clear problems - Windows ‘95 fixed hardware setup with Plug and Play, ‘98 fixed cluster issues on large hard disks with FAT32, Win2K largely solved program stability and resource (user/GDI/stack) limits. That leaves security and system maintenance (notably “digital bitrot” where the remnants of uninstalled applications cause slower systems). Vista if anything complicates such maintenance due to features like file/registry redirection and while UAC may have security merits, it seems to cause enough frustration to remove any benefit for most. On the other hand, Microsoft’s kernel lockdown has hampered security software providers, resulting in less choice for Vista users wanting to secure their system further.

Q.: To conclude, what advice would you like to share with our readers to keep their computers in a healthy, security-sound state?

A.: There are many ways to proceed so take the time to read and experiment to find what’s best for you! There are many vendors offering a different approach and visiting security forums like Castlecops or Wilders Security can provide a great deal of help and information. The basics (firewall and anti-virus) should be set up as quickly as possible but with these in place, you have time to consider what, if any, further measures are appropriate (consider the worst case - how much could you lose if your online accounts were hijacked?).

It is, however, better to have 3-4 security programs that you know well and have set up properly than 8 or more that are poorly configured and possibly conflicting with each other.

Q.: Thank you for your answers! And best of luck in the world of security!


Posted in Security Experts

2 Responses

  1. Chris Letizia

    Great site Igor.
    It was a very nice interview with Paranoid2000 also.
    Keep up the good work,
    Chris

  2. Igor Pankov

    Thanks for your appreciation, we’ll definitely keep up doing what we like most - educating users and posting interesting info. For this particular case, we were obliged to edit your comment a bit - Paranoid2000 wouldn’t like to disclose his real name - hence his nick name :). Hope you both excuse us.

    Igor Pankov
