You can read this because javascript is not enabled in your browser, which also means the style of the page is very basic. Menus will only function as intended with javascript enabled.


ingratebriton - Trust No-one

Who do you trust? Nobody, if you've any sense.


We have to draw a line somewhere I hear you say. Well I say, no you don't and I'll tell you why. It boils down to the difference between blacklisting and whitelisting or opting-in and opting-out. Let me explain; in the world of IT or online connectivity generally, the terms blacklisting and whitelisting are commonly used but rarely by ordinary home users of Internet connected equipment or software but in the real world you will at least understand blacklisting - a list used to prohibit or bar people in some way. On a PC email client you may have a list of email addresses on a blacklist you don't want to be downloaded onto your PC, which means that every other email address in world is acceptable. With a whitelist only email addresses on the list will be downloaded, every other address in the world will not be. Assuming that every email you receive can constitute a threat (and they can), which list is safer? A good email client or client add-on or plug-in that can provide whitelisting facilities will prompt when it sees an email address not on the list and ask if you want to add it to the list.

The point is with whitelisting you are completely in control of your own safety. It is analogous to organ donor cards and the debate over opting-in or out so that if you have to opt-in and you have an accident, the emergency services don't know if you wanted to donate your organs and have to ask somebody else if you are not carrying your card. If we have an opt-out system, it is assumed that you don't object to someone else benefiting from your organs if you don't need them any more. In order to be completely in control of what happens to your body when you die, you have to support an opt-out system, provided nobody is given a legal right to overrule your decision. Some would say that when you are dead, it is no longer your body or decision. They might be right but, for the purposes of this analogy, let's assume they are wrong.

If you want to be safe online why would you assume that the whole world is your friend before you expose yourself to danger. Why on earth would you trust all your relatives to treat your corpse as you wished? All the people you do trust might die in the same incident that you do. Opting-in to organ donating (without legal guarantees) and email blacklisting require that you trust everybody except those you have learned not to. In both scenarios that means, after the damage has been done. So, you may ask me, why have I never heard of whitelisting (or blacklisting for that matter). That is the point of this article.

I don't know if there are any reliable published figures but I personally don't know anybody using IT to access anything online who uses a trust-no-one approach despite endless reporting on the consequences of poor internet security. Most people I know have no idea how to go about conducting email communications safely never mind everything else that should happen before you ever set up an email client. What the hell's an email client, I hear you shout. Yep, you are not alone. I hear you demand that you be able to turn on your brand new PC/tablet/smartphone and do emailing, online shopping, banking and 'socialising' without having to worry about all that geeky/techy/anal detail. We are talking about your privacy, the protection of your ID, your bank details, your total finances, your livelihood and you think you should simply trust the PC manufacturer, your ISP, your other hardware manufacturers and software developers, each in turn and that they will have collaborated systematically to ensure your safety. They don't, they don't say they do and they never will. Read on.

You need a licence to drive a car, a much less complicated system than surfing the web securely. You need a passport/visa/security check to cross borders and expect to able to do that with your PC without taking precautions. You will call the police if somebody tries to force their way into your house but you have left many doors wide open on your PC/tablet/smartphone because that is how they are set up on delivery, even worse if your machine used to belong to somebody else. So, having got your attention, you can forget everything above now and we can start at the beginning.

Re-inventing the wheel

Everything you read from now on is as old as the hills and the useful half of the world wide web is filled with as much detail as you want to read about it. Despite a tendency towards verbosity, I will try to be as succinct as possible. The first question I have to ask is, have you taken any steps towards making your online life secure before finding this page? There's a catch-22 if ever I saw one. For you, it might already be too late to take full responsibility for your own safety but perhaps you could print it out and give it to a friend. Did you think Dell, Microsoft or BT (and the rest) would care about your security. They care about making money. Giving them or their agents money doesn't even necessarily give you ownership of their wares these days. I bet you think that you own that copy of Windows 7 (or Windows 8 if you are a masochist) you are currently using. You don't, anymore than the last the film you bought on DVD. Take responsibility for yourself and read the small print. The whole IT related industry now thinks it is OK to use end-users to test their firmware and software, promising quick updates/upgrades/bug fixes when they find out why their lack of reliable software/firmware specification and poor development process has ruined peoples' lives. Most of them don't even bother. Therefore, it is up to us consumers to mitigate for their shortcomings. Let's do that.

I might write about smartphones and tablets later (Android based in any case) but for now I will concentrate on a typical humble Windows based PC/laptop because it is the most common setup and the most vulnerable. You may not even realise that there are other personal computer configurations. When you have made it safe to do so on your setup, search for Linux, PCBSD, OSx, Opera, Firefox on the internet and look at some of the links on the Ingrate Links page - enlightening but too late for you. Here's a non-exhaustive list of likely weaknesses in the system you are using to view this page:

  1. Anybody can switch on your PC and lock you out of it. They can also change its fundamental hardware settings rendering it completely useless.
  2. You are not even aware that the router/modem combination you are using has a built in web page that you and the whole world can access to change its security settings if you haven't logged on to change the defaults, as instructed by a sticker on the device or on the instructions that came with it, which you ignored.
  3. You also haven't logged on to the same device to change the wi-fi security settings, allowing passing cars and your neighbours to download massive movie files/games/porn via your account.
  4. The web-cam above your screen is on right now, watching you read this page because a hacker taking advantage of the above (and other weaknesses below) can do that and will do that.
  5. Anybody with access to your physical PC can switch it on and use it as though they are you and they can do what they like to your settings and files.
  6. Your emails and online file transfers are completely unencrypted while the travel across the internet. They are easy to intercept and read.
  7. Emails you receive, apparently from your bank, microsoft and other believable sources, contain links to malicious websites that will infect your machine and turn it into a source of spam and other devilry and will carry out their organised criminal activity in your name while you go about your usual business, blissfully unaware. If you receive emails with your name in the body of the text, you may delude yourself into believing this is because you gave the sender your details thus, in your mind, legitemising the message because you don't realise how common and easy it is to guess your name because your email address is simply 'john dot smith at a well known ISP domain' and clever criminals will send out millions to random 'somebody dot something at a well know ISP domain', catching out the lucky few coincidences. That's all they need.
  8. Your friends' PCs are likely infected and passing on dodgy emails and files.
  9. Your browser (the window you are currently viewing this page on) has many security settings under the hood, which are not necessarily set in your best interests and your browser is likely not to be the most secure available.
  10. Many of the 'freeware' products your friends recommended you install to protect yourself are not what they seem.
  11. You have not updated your operating system recently (or ever) or your motherboard firmware, the rest of your software, your router/modem firmware or anything else you connect to the PC or internet. Most updates include security fixes and are utterly essential for your safety. Even if it is all brand new it must be updated, it's been sitting in a warehouse for months while the criminals have not stopped working.
  12. Most websites are insecure and registering with them is just like advertising your personal details in a global newspaper.

So the question for you is - "Do I feel lucky?" Well, do ya, punk? because right now, if you have read this far, you might as well be staring down the barrel of a 44 magnum. Right now, because its inventors' intentions have been ignored and because improvments have not been applied by default the www is the wild, wild west.

Prophylactic antics and being pedantic

  1. When you switch on your PC a message will flash before your eyes telling how to access the BIOS or settings menu, usually by pressing F2 or Del. Do it and change the password. If you are really wise, you will make it necessary to enter a password everythime you switch it on. This is relatively easy to overcome for anybody who knows how but to prevent casual curiosity it is a no-brainer.
  2. Your Internet Service provider (ISP) supplied you with the necessary equipment to use their service to access the internet. Here, I will talk about making it secure. If you went out and chose better equipment or carelfully selected your own in the first place, this page will be unlikly to help you. Whether you have a single router/modem or two separate devices depends on your ISP, whether you have a traditional copper 'phoneline' connection, 'fibre to the box, optical fibre or a co-axial cable connection. Whether or not it is necessary to setup the device/s with your broadband service account details will also depend on the same list. The installation details will, at least, explain that part. Beyond plugging them in and basic connecting to the service, you have to make your device/s secure. If you have separate modem and router devices, the modem will take care of itself. If you have a single unit, probably referred to as the router, it is probably really a modem/router/wireless-access-point combined device. In either case, in order to be secure on line the first thing you have to do is log on to it and change the access password. You will have received a letter with the eqipment telling you how to do this and the details are also likely to be printed on the back of the 'router' unit. The router is also a web server with a built in website where you can control many of its settings. For now, just change the 'administrator' set-up password; it shouldn't be hard to find. Really, don't change anything else yet! Connect to the router with a network cable from your computer and type its web address into your browser. It will be something like; that's right numbers and dots, not words and dots, which are aliases for the numbers and dots. Give it a go and take the first step towards securing your online life.
  3. Once you have set up the 'router' password above, use it to log on again and navigate through the options to find the wi-fi setup page. Here you will be able to change the name that the device transmits and its 'passphrase', which helps restrict access. Don't call it John and Jane Smith's wi-fi and don't leave the default so that it is one step easier for hackers to identify the unit. Make the name bland and anonymous and don't bother ticking the 'hide SSID' box; it won't help. Make the catchphrase as long as possible. On some routers it is possible to allow access to individually identified hardware and nothing else. Use this option if it is there. You will need to identify the 'MAC' address of the wireless device in each of the PCs, Tablets, Kindles etc. that you want to give access to. It is possible for hackers to spoof MAC addresses but it is not easy and why spend the time doing it when there are always other less secure wireless access points nearby.
  4. If you have a built in webcam in your computer screen, it might be on and someone on the other side ofthe world could be watching you. Don't let programmes that use the webcam run in the background when you are not using them. Look at the settings of Skype and any other programme that could conceivably use the the webcam and don't let them run on startup. Even better, particularly in Windows, find the webcam on the device list and disable it.
  5. If you are reading this, you probably have Microsoft Windows as your operating system and you use as it came already setup. You switch it on, send and receive emails, browse the web and install programmes. This is all possible because by default you have administrator privileges, allowing you and anything else you have installed to install other malware on your computer. Equally insecure is that not forcing yourself or anybody else to logon to your computer and controlling their individual priveleges allows anybody with access to the physical PC to do what they want with it and with your files and probably with your online access to banks etc. This is likely to be the case because if you are as trusting with the physical PC, I excpect you also ticked the 'remember me on this PC' when last logged onto any website. Find a way to change that setting on all the sites you have done it on. Download a reliable open source password (Keepass, for example)safe and keep them there so you can recall any you forget. Go to the users section in the windows control panel and force users to logon. Set yourself up an non-administrator account for everyday use and give the administrator account a secure password for when you need to update and install software. Don't be lazy and don't assume everybody you allow to use your PC cares about your safety or is intelligent enough not to compromise it.
  6. Securing emails so that cunning busy-bodies, criminals and other miscreants can't read their contents is a more difficult area because you can't be truely secure when you email people unless you can get them to cooperate. You might be able to do this with friends but websites will still send your logon details in plain text. Email clients such as Outlook from Microsoft are perfectly easily set up to use encryption but you those need those you communicate with to do the same. Other and often better email clients are available. No advice here other than to read more on the subject.
  7. Designed to catch out the innocent and unwary, the hidden threat to your safety in many emails is far easier to defend against. Use the PC between your ears before you click on anything particularly in emails. Use that moment's hesitation to ask yourself a couple of questions. Who sent this email, not just who does the email say it is from? Was this email really sent to me or have they guessed my email address? Does my friend know they forwarded this message to me and if they do, do they know enough about the online security to trust them with yours? It can be quite complex in some email clients to determine who really sent an email so use your brain. As a default never click a link in an email and never allow pictures to be displayed by default. When your PC downloads images to an email the server it gets them from knows you have asked for them and that was the purpose of an email scam. It means that the guessed email address the scammers used is a 'live' one and they will bombard that address from then on until you fall for one of their scams and visit one of their links. They will pretend to be your bank, almost any online retailer, government organisations and any other organisation you can think of with various levels of sophistication. Ask yourself if you gave them your email address or registered with them before you click anything. Hover over the wording of the link before you click and look at the real web address that appears somewhere on your screen. Is the address what you would expect it to be if it is going to take you where it says it will? Don't assume everything that arrives in your inbox is what it says it is. You have ininitely more enemies online than friend; a never ending queue of thieves waiting for you to give them an opportunity to pounce. If it sounds too good to be true it is, always. Did you ever enter the lottery they say you have won? Do you really have an unknown relative overseas whose representatives happen to know your email address? Would your bank really ask you to do that? Think!
  8. Just because it comes from a friend, it doesn't mean you should trust it. Even if they are passing on an 'innocent' joke, piece of philosophy or amusing images, especially if the message cajoles you into forwarding it on, it doesn't mean it is not a threat even if there are no links in it. Very often it is way that less talented mischief makers can have an effect on the internet. In these days of faster broadband speed and cheap capacity, it is less of an issue but these emails can clog up servers and slow down everything for the rest of us. Let people find their own online amusement. More worrying is the possibility that your friend doesn't know they sent it because they have an infected computer, ask them.
  9. The debate over which browser is most secure, fastest or reliable will never end. This is a good sign; it means that there is competition and providing it takes place within the bounds of agreed international standards, it can only lead to improvement. Unfortunately I suspect you, dear reader, are unware of the competition, which puts you in a vulnerable position. This link provides some good tips to get you started and introduces you to the inner workings of Internet Explorer. On my part, I use Firefox with the Noscript extension, giving me complete control of every website I visit. You could do worse.
  10. Find your own free software. If it is opensouce the author can never be sure that any intended malice will not be detected and innocent mistakes are likely to be spotted and fixed before they can do any damage. Most open source software is free and large groups of people work on it across the globe, increasing security potential. No one can ever be sure of what make up closed source software except its authors, decreasing its security. An additional benefit of open source is your opportunity to look at and play with the code yourself. If you don't like any aspect of the software, make your own version. Sourceforge is a huge open source resource.
  11. Now I'm getting bored, surely this stuff is obvious by now. Updating software/firmware is equivalent to responding to a manufacturer recall. Why wouldn't you do it? On most operating systems this can be automated. Equally on other software but, if not, look around the application's menus for an update button. You will have to make an effort to update firmware on all you computer's hardware components. Visit the PC manufacturer's website and see what they offer. Be very careful to follow all firmware update instructions to the letter.
  12. By now, in your extensive online experience, you must have become familiar with the browser's address bar padlock and/or https:// indicators. These tell you that the web page you are on transmits and receives data fully encrypted between your browser and the server. Snoopers can't see what you are doing and can't get to your data. That does not mean that the page you are on is legitimate. Any web page can encrypt the link, even the malicious ones. If the S or the padlock is not there, don't fill in the web form. If you know the site belongs to a bona-fide organisation warn them that their site is collecting your data on an insecure link. Do your little bit for the rest of humanity. If you find a form on an insecure link, try adding the S manually to the address. Sometimes a secure link is available but wasn't in the link you clicked.

Remember it really is dangerous out there and if we have to rely on big brother to protect us, he will go too far.

© 2016