While Google claims that they are doing this to make the web faster and safer, which I believe is true, one cannot deny that Google, the world’s largest advertising firm, is doing this to get more information about you. This is yet another in a series of ways that Google will have to track your every move on the Internet.

Is this a victory for the end-user? Perhaps. This service will make DNS more visible in the public eye, and using it will most likely enhance end-user’s DNS performance and security.

But it is surely yet another defeat in the Google vs. Privacy battle.

There are several options.

1. Use Windows Vista or later. (Gah! I can’t believe I just suggested that. If you know me, you know I really don’t like Vista. Hopefully Windows 7, which looks promising, will be better.) This is because Vista makes you not an administrator by default, which is the opposite of the way XP and previous Windows versions did things.
2. Make a standard, non-privileged account and use it every day. Make a separate, administrator account, and use it only when absolutely necessary to install software. As an example, you would do your normal web surfing, email-checking, and word processing stuff as a normal user. But when it came time to install the latest Firefox update, or software patch, you would log off, log on as the administrator account, install the patch, and log off, and log back on again as a regular user. At first, you may think this sounds like a lot of work, but if you consider that you almost always have to reboot after installing new software anyway, the additional time is negligible.
3. Use DropMyRights from Microsoft. This is a little program which MS distributes for free, that allows you to run programs as a non-privileged account. While it does require a little fiddling to make a batch file or a shortcut, it would only take a few minutes for someone with some IT experience to configure.
4. Use the RunAs command, which lets you issue a single command to be run as a different user. This is included in Windows XP and later versions, and as far as I can tell, makes DropMyRights irrelevant, as it can also be used by an admin user to lower the rights of a program, such as a web browser, to run as a non-privileged account.
5. As a self-proclaimed IT contractor and consultant, of course I have to suggest that you have “your IT department” do anything that requires administrative rights. While I realize this may be out of the budget of some small businessess, in reality, you most likely don’t require software to be installed all that often, and can probably get by with this option. As always, if any of these measures sound appealing but you don’t know how to do it yourself, or are just unsure, check with your IT staff for help.

My rationale for  not wanting admin rights is as follows:

• Administrative rights give you the ability to install programs.
• Viruses, spyware, and other malware are programs. Therefore,
• administrative rights give you the ability to install viruses, spyware, and other malware.

I usually start lose people here because they think I mean they would intentionally attempt to install viruses, spyware or other malware. No, that’s not what I’m saying. The problem is that viruses, spyware and their ilk either pose as legitimate software, like a browser plugin (“You need a new video player to watch this movie. Click here to install!”) or an email attachment which you think you want to run (“Click here to view this greeting card!”).

As an average user, you do not require administrative rights to run your own machine. If programs need installing, then this is something you (or your administrator) should do separately, under a special, administrative account. You do not need to be an admin all the time. This is the principle of Least Privilege: you have only the minimum power that you require to do your job. Extra rights means extra responsibility and the potential for extra damage.

Let’s take some non-IT examples. Consider your workplace.

• Does every employee have a master key, allowing them to get into any and all rooms, offices, closets, safes, on the premises?
• Does every employee have the ability to write checks from the company checkbook?
• Does every employee have the ability to sign contracts and enter into new business agreements or hire new employees?

(Note: If you answered “yes” to any of these and you have more than two employees, you can probably stop reading right now, as you have larger problems that I can’t begin to address in this forum.)

Now, I do realize that the three examples could be potentially more of a risk than administrative rights over a desktop PC, but consider the example where a user has admin rights over their PC, and, by one way or another, that PC is compromised by some form of malware. That malware in turn is used as a springboard to launch an attack against the company’s servers. Once compromised, all data on the server is available to the attacker, including emails, client/patient/student/employee/payroll records, financial data, etc.

No, You Don’t Need That Program Installed

We commonly get asked “but what if I need to install XYZ program?” I answer “then you should call us and we’ll do it for you.” At first blush, this may sound a bit excessive, but in reality, it is not. Installing software, while easy, is an avenue for security holes. You should not need to be installing software on any given day. Generally, after the first week or two, everything you need installed on your system should be installed, and you should be good to go without administrative rights. After that, it’s usually some sort of actually needed software package which, once installed, is all set and doesn’t need much care and feeding afterward, so again, I recommend to my clients that we do software installs for them.

Example 1: We regularly get requests to install WinZip, for example. My clients are amazed when I tell them they do not need WinZip anymore. Now, I know that WinZip has a lot of features that Windows “Compressed folders” do not share. I also know that, to date, almost none of my clients are aware of said features and wouldn’t use them if they were. They want to make zip files and open zip files, which Windows has been able to do since 2001. Additionally, WinZip by default installs an agent which sits on your system tray, taking up memory.

Example 2: The next most-requested program? iTunes. Yep, iTunes. My standard response, which I got from David Hoelzer, is “What is the business need for iTunes?” iTunes is another example of stuff you don’t need always running. When you install iTunes, you also get QuickTime, the Apple Mobile Device service, and Apple’s software updater, which all constantly run in the background, chewing up CPU time and memory.

Why Is My System Slow?

When people ask me “why is my system slow,” the answer is almost always because they have unnecessary software installed (malicious or otherwise).

• You have to have administrative rights to install software.
• When you install software, it frequently installs an “agent” or “service” which runs all the time, even if you don’t know you’re running it.
• Agents or services which run on  your system slow your system down.
• Ergo, your admin rights slowed down your system.

If I still haven’t impressed upon you that this is bad, (intentionally) installing unneeded software programs can also slow down your system. Before you install  anything on your system first ask yourself

• Do I need this program installed?
• Do I know all of the ramifications installing it?
• Is my system slow enough already?

If you’re interested in addressing this issue , please see the follow-up post.

• “Nobody is interested in our network.”
• “We don’t have anything that anyone would want.”
• “Our systems aren’t that important.”
• “No one would steal my account/password/login.”
• “Why would someone want to hack our computers?”

Recently, two things came to light that made me seriously question this attitude.

Tipped off by the Data Security Podcast, I read an interesting story about Ashton Lundeby, a sixteen year-old who is accused of making bomb threats via the Internet. He was subject to a raid by FBI agents, sanctioned by the USA PATRIOT Act, who stormed his house, seizing his computer and other personal property.

I am not going to go into the political issue of due process, and the constitutionality of the USA PATRIOT Act, because I am not a lawyer and frankly, I don’t know what can be done about this. However, there is another issue here which you can do something about. Lundeby’s mother claims that the boy was the victim of a “proxy attack.” In other words, he did not conduct any sort of attack, but someone else hijacked his network and did so. If this is the case, then it is quite likely that his home computer and/or network were hijacked by a malicious hacker, who then conducted his attack (in this case, bomb scares), from the boy’s network.

My guess would be that his computer either was infected with some sort of malware (virus, spyware, trojan, or similar) or that his family’s wireless network was open, allowing anyone to connect and use it for their own purposes.

To help make my point, here’s an extreme analogy: Imagine that a bunch of criminals set up shop in your basement, and used it as a base of operations for their illegal activities, but because you never noticed (hard to imagine, but just pretend you have a really big house and don’t go to the basement much), this was allowed to go on for a long time. Imagine that the only hint that anything was wrong was that your utility bill was a bit higher (or, for sake of comparison, your Internet usage was higher, or speeds were slower). Then suddenly the FBI knocks on your door one day and says “Hi. You’ve been harboring criminals in your basement. Please come with us.” This is essentially the same thing that Lundeby’s mother is claiming happened to him.

Also this week, I was at a client’s house, helping them set up their new satellite Internet connection. For years, they have had an open, unencrypted wireless system. Also for years, they have complained that their Internet connection is slow. This is no surprise, as satellite Internet is notoriously slow – the slowest of the “broadband” options that I’ve ever had to endure (and believe me, I endured it for years). However, this was really, really slow. Having had prior experience with their new provider, HughesNet, I had seen this before, when a brand new installation was super slow. I called HughesNet and they confirmed my suspicion – my client had “exceeded their fair access limit” by downloading too much stuff.

My client was bewildered, and claimed that this was impossible, as Hughes said that they had downloaded over 1GB of files between the hours of 3-6am, when no computers were even on!To give you an idea, 1GB of files is like downloading 20 different albums (not songs) from iTunes, several Windows service packs, or thousands of books in electronic format.

I immediately suspected that someone was leeching off their open wireless connection. Despite my client’s assurances that this was unlikely, as they have a very remote house, they agreed to let me lock their wireless network down with WPA2 encryption. The next day, my client called and, in a rarity in my line of work, expressed happiness with the fact that everything was working great! Coincidence? I think not. My conclusion is that someone was using her network, probably for a long time, and they never knew it.

While this is not exactly the same as Ashton Lundeby’s predicament, it very well could have been and both of these stories underscore why security should be everyone’s concern.

References:
WRAL News article on Ashton Lundeby’s case
Wikipedia article on Man in the Middle Attacks
USA PATRIOT Act highlights