Internet won't hack you unless you provoke it

Updated: June 29, 2006

The Internet is a world. In this world, there are good guys and there are bad guys. In this world, most of the time, trouble does not come after people; people come after trouble.

Today, the Internet is an inseparable part of our lives (at least in some parts of the world). We use it to communicate with friends and strangely-blond strangers, we use it to send messages to friends in the form of electronic letters (called emails), we use it to browse for information, to conduct business, to check out news headlines and weather reports, to play games, to download music and movies, and much more. At each step of the way, we are faced with a choice that can land us in trouble.

Of course, we are not entirely on our own here. The bad guys are trying to help us step into their traps by luring us with gifts and sweet offers of empty air, by trickery and illusion, by trying to take advantage of our mental and physical disadvantages (our own intelligence and our AI intelligence - the PC). The good guys help us by providing us with programs that help us fight the bad guys. These are the firewall, anti-virii, anti-spam programs, and whatnot.

But there's a problem here. The dark side of the Internet is rapidly growing. And so, alarmed by the threat to our virtual existence, we pile on more and more security products to keep ourselves safe from harm. And this is the wrong way to handle the situation.

If you have a burglar in your neighborhood, it would be wise to buy a gun to defend yourself in case he barges in in the middle of the night, right? Now, if there were 2 burglars in the neighborhood, would you buy 3 guns?

Let me raise some more tricky points. Let's say you're a good shot. You can hopefully hit the burglar with one of the bullets in your clip. So if two burglars showed up, what is the best choice: 1) Buy a second gun. 2) Buy a second clip. 3) Learn how to shoot more accurately.

The correct answer is 3. It's called education. So here I am, about to dispel the myth of Internet security and make you breathe more easily. Of course, this article is meant for Windows users. Linux geeks have always been safe.

Fearmongering

Security experts will tell you horrid stories about identity theft - which only happens in the USA, for some reason. They will talk about things that begin with ph - phishing, pharming. They will tell you that cybercrime has gone up 1,000% since the last time they reported it. They will tell you that an average PC gets hacked within 10 microseconds from the moment you plug it into the wall. Most likely, the facts are true. But not the reason. The reason - they say the criminals are getting better and better and more aggressive. Not true. The reason is - you decided to let them fool you.

I'll come to the reasons soon. The experts will warn you that in order to survive the Internet today as a Windows user, you must have at least 9 firewalls, 12 anti-virii, 4 anti-trojans, 8 anti-spyware programs, 3 anti-scripting programs, 4 anti-worm programs, 5 registry monitors, 27 hardening tools, and 4,333 HIPS programs. Negative.

P.S. Trojan is pronounced tro-yan, not tro-jan. The legendary city where Brad Pitt gets owned by Legolas is called Troy, not Troje. The j here is like the Dutch j.

Now, another analogy. Bear with me. Try to follow the story. Private Dick has just finished boot camp, he's fresh and young. Rambo is a hardcore veteran of many battles with millions of hours of combat under his belt. We send them both to war. We equip Dick with the best of the best weapons that can be had, scoped rifles, laser RPGs, automatic mortars, BFG-9000. On the other hand, we give Rambo only a knife. Unsurprisingly, Dick gets pwned. Rambo survives to tell the story.

Why? And how?

Dick was not taught to handle the weapons. So in his hands, they are pretty much useless. Rambo knows how to utilize the situation to the best of his needs. And this is exactly what happens on the Internet today.

Your average user has the money to buy a nice PC. He does. He wants to try the Internet. He plugs the PC into the wall. He gets hacked. The second time, he listens to the advice and buys an expensive security suite that protects him from evildoers. After a few weeks he gets owned. He buys more and more and more software. But nothing seems to help. What's going on?

Patience is not the greatest human virtue. Furthermore, Fermat's theorem says that a body moving from A to B will try to minimize the action of its movement (not the actual distance but the energy state). This means that your average human will shortcut through logic and common sense to satisfy his primal urges. In other words, if there's something on the net that he wants, he'll get it, no matter the price or the consequence.

Our average guy is armed like hell with security software, and his PC takes 30 minutes just to boot. He decides to try out one of the Internet's greatest things - porn. After getting his inbox spammed for registering at dubious sites, the guy realizes he's still not getting the movies he wanted to see. So he falls for the promises of 500% increase in Internet speed, the download boosters, the search helpers, and similar concepts.

At first, his security programs are warning him that he's doing something wrong. But the multitude of alarming and conflicting messages (often popups) are only contributing to the growing frustration at things not getting done like he expected them. One by one, our average guy shuts his guardians down. And finally, gets cankered again.

To clarify the concept of a security warning, here's a screenshot:

[Screenshot: Warning]

Charming, isn't it? Unless you know what the above means, you might as well be prompted in another language. So, what our guy needed was not programs - it was the knowledge he lacked. So, if you do not have any, you might as well follow my advice on how to keep yourself safe, because no amount of programs will help you.

Here it is:

What do we do on the Internet?

We browse various sites - this includes downloading pictures and programs. We chat - this happens either through dedicated programs or through browsers at dedicated sites. We mail - this can happen through browsers or dedicated programs. We share files - most likely, people do this by using P2P programs. We game - using online game servers through client software on our machines. And this summarizes about 99% of average online activity.

Let me invent some statistics

Let's say a person spends 4 hours a day in front of his PC. During that time:

- He spends 5-10 minutes reading and writing mails.
- He spends 3 hours browsing, including 40 minutes chat somewhere and 2 hours 20 minutes of porn.
- He talks with his friends using Instant Messaging - 30 minutes while browsing boring porn sites.
- He downloads music and movies for exactly 4 hours.
- He plays a game online; only 15 minutes because his ping is bad due to all the downloads in the background.

What are the dangers he faces?

For the duration of 4 hours, he's visible on the Internet, with a sort of a long number ID called IP. His PC has lots of doors (65,000 and some). If he does not close these doors, someone might try coming in.

The mails that he reads might be fitted with malware that might try to execute locally on his PC. While chatting, some strangely-blond stranger might send him his (her) photo or links to a photo, and the user might be tempted to click and see. While browsing, he visits lots of sites, all of which are loaded with content, and some of this content might try to trigger things locally on his PC. While gaming and sharing files, his PC is communicating with remote servers and other users worldwide.

How to handle the potential dangers?

Everything we do is a conscious, deliberate choice. We make most of the choices while browsing. Every site we visit is a choice. We do that hundreds or thousands of times a day. Ultimately, this is the biggest avenue of danger we face. And if we cut down here, we increase our security instantly. So, to keep safe, we need to follow a number of simple rules:

Overall exposure

Just use a firewall. I would recommend ZoneAlarm or Sygate, as freebies. Once you install a firewall, make sure it stealths or closes all the ports. A popular site for testing firewalls is Steve Gibson's ShieldsUp!!. If you pass the test, you're most likely OK against routine port scans that happen all the time.

Email

Do not open email attachments (even from friends and known contacts) unless you are sure that the content is safe.

Instant Messaging

Do not click links or download photos from strangers. Keep the programs up to date.

P2P

Use clean, unbundled software and keep it up to date. Do not download programs (executables) and cracks to programs, because you cannot be sure they are not well-crafted malware. There is a general misconception that P2P is extremely dangerous. It's partially true. Some programs are bundled with malware. Just don't use them. Second, downloading malware through P2P is no different from downloading malware through a web browser. Often, the availability of programs (and dangers) is much greater through P2P than web sites.

Gaming

Make sure the software is up to date.

Finally, the web

The web browser is the machine that communicates with sites. Some browsers are more prone to vulnerabilities than others. It comes down to how the browsers handle active content and how deeply enmeshed they are into the operating system. Active content comes in a variety of guises, mainly ActiveX and JavaScript. If you cut down on the active content, you significantly reduce the exposure. And the simplest choice is the Firefox browser, by Mozilla Corporation.

First, inherently, the browser does not support ActiveX. It supports JavaScript, but it can be turned off. True, it can be turned off in most browsers. But Firefox gives the user the greatest flexibility in toggling it on and off between different sites. JavaScript is sometimes necessary for sites to work.

The Noscript extension for Firefox allows you to enable / disable JavaScript on a per-site basis with a simple right-click anywhere on the browsed page. It's very convenient and safe. For the sites you love and trust, enable it. For the ones you don't, don't.

And that's it. Head out there with impregnated Firefox, and you'll be safe no matter what site you go to. Of course, some sites will not work. But that's the whole idea. You don't want them to work.

If you're interested, download Firefox and the Noscript extension.

You can test if your browser has JavaScript enabled at the bottom of the page. If you click the little box, it will pop up a message saying "Javascript enabled." if you have JavaScript enabled, and it will not if you don't.

Theoretically, the code behind the little box can be configured to do lots of useful stuff. It could be configured to display heart-warming messages of greeting with different content at different hours of the day, or to calculate the entropy of a glass of blueberry juice. On the other hand, if my site were to be hacked, for instance, someone could replace benign code with malicious code. Therefore, if you do not absolutely 100% trust the site, do not click things on it.

Firefox has hundreds of useful extensions. It's probably the most customizable browser available. You can find out about all the possible extensions at Mozilla Firefox Add-Ons.

I recommend Adblock for ad-blocking, Cookie Button for cookie control/blocking and Tab Mix Plus for enhanced tabbed browsing. And that's it.

Careful use of programs, a firewall and Firefox with Noscript should keep you rather safe. However, nothing at all will protect you if you decide to run destructive programs on your computer. So ... do not run them. But how can you tell the difference?

Yes, it can be tricky. But it's simple really. Before you download or run a program of interest, head to a security forum and post a question there. People with vastly more experience will try to help you decide. A good general rule is to avoid too much shiny freeware, download from vendors' sites and do a bit of research before double-clicking. Search engines like Google will provide more than enough sources to read from. Just type something along the lines of "program's name, malware" and see what comes up.

Some great security forums are:

Wilders Security Forums

CastleCops

More than enough to get you started with. Of course, if you really really must, an anti-virus scanner can be useful. Firefox can be useful here, too, because it has an extension, called Dr.Web anti-virus link checker, which uses the Dr.Web online anti-virus engine and allows you to scan files before you download them.

Furthermore, Kaspersky has a Free Online Anti-Virus Scanner (ActiveX) for Internet Explorer. ClamWin anti-virus can be a nice on-demand addition, used only when needed, without hogging resources. And finally, you can always upload a suspect file to Jotti's Online malware scan, where the uploaded file will be scanned by some 15 different anti-virii.

All of the above can be had for precisely 0 money. It will give you a nice solid start, from which you can slowly and carefully build your knowledge and experience. Do not be tempted to cram your hard disks with unnecessary content. Invest in your education and you will benefit many times over, financially and security-wise.

Peace.

Test if JavaScript is currently enabled in your browser (click below):