Personal Data Privacy

WOT (Web of Trust) is a free Internet security addon for Firefox and Internet Explorer that is designed to warn you about online scams and risky websites that try to deliver malware or send spam. Here’s what they say about themselves:

WOT… is a community whose members exchange knowledge of websites: Can they be trusted? Are they safe to use? Do they deliver what they promise? If a site has a bad reputation, WOT will warn you – and save you a lot of trouble. By joining the WOT community you can protect yourself and help others. Our mission is to make the Internet safer by giving our users a way to share their experience of websites and the services they offer. WOT is a powerful tool – and it’s free! We have information on 21 million sites. Join us today and make the Internet safer for us all.

Sounds attractive, doesn’t it? I gave it a try for several days. In my experience, it wasn’t very useful for two reasons:

1. Firefox started crashing soon after installing the addon and returned to stability shortly after removing WOT. I have no idea why this happened, but I’m not going use any addon that behaves this way.

2. After installing the addon and creating my WOT account, I started providing feedback on the sites I visited. But with my web browsing habits, I guess I don’t go to sites dodgy enough to be a real concern. I rarely went anywhere that didn’t already have a trusted rating. And when I did, I already had a high degree of confidence it was a trustworthy, although obscure place. Very quickly, WOT became all work and no play.

Still, I probably would have kept contributing to WOT except for #1 above. Putting all this together, WOT isn’t ready for the average Internet user.

I recently stumbled across Bleeping Computer, a community-based computer support web site. Of the many things you can find here, one very useful page concerns virus, spyware, and malware removal. I haven’t had the need to try out any of their receipes, but I really like the idea. It’s exactly the sort of thing I’ve previously talked about.

Computer security is a major support pillar of personal data privacy. The folks over at Mahalo (self-described as “a human-powered search engine built collaboratively by a team of editors and a community of dedicated users”) have a useful resource page on computer security.

For our purposes, I think this page comes up a little short. For example, on the right-hand column is a short list labeled “5 Suggestions For Home Computer Users”. Here’s what they say:

1. Use an  anti-virus program (I suggest using “AVG Anti-Virus Free Edition”).
2. Keep operating system up to date.
3. Don’t open or download unfamiliar e-mail attachments.
4. Never send confidential information over e-mail.
5. Use a firewall (use caution; it’s easy to get overwhelmed using either ZoneAlarm, Comodo, or similar).

These are good ideas, but the implementation details aren’t directly linked. On this page I’ve fixed that for four of the five items.

I think number four is overly-broad and unrealistic for most people. I’ve spent about an hour searching for an existing page that would help, but I can’t find one. May just need to write it myself!

Although ordinary people are targets of cybercrime, the US and other countries are also targets. On Friday, May 29th, President Obama talked publicly about the costs of cybercrime at a national level:

…in the last two years alone, cyber thieves have cost Americans more than $8 billion and that last year worldwide they stole data worth up to $1 trillion. He described how even his own presidential campaign network had been compromised last fall, with hackers gaining access to policy position papers and travel plans. (The Washington Post)

From a cyber defense perspective, in 2007 the US Department of Defense detected about 360 million attempted attacks against its computer networks. That’s up from just 6 million in 2006. The cost to defend against these attacks was $100 million over the last six months.

I have to say: If the DoD can’t keep cyber criminals out of its computers, what chance has an average Internet user?

Since I’ve been thinking about how not using Windows can reduce the risk of being a victim of cybercrime, I found myself reading this somewhat old article (2006) at a site called PCMech about transitioning from Windows to Ubuntu Linux. I like the subtitle of this site: “Helping Normal People Get Their Geek On”. That resonates with me, for obvious reasons. Interestingly, the article must be resonating with others because the most recent comment was on May 9, 2009 (that is, before I added one today).

In my recent post entitled Reactions to interview with an Adware Author, I suggested that, if possible, it was a good idea to stop using Windows on your personal computer to lower your risk of being a victim of cybercrime.

To that end, I recently stumbled across this article on the Berkeley Linux User Group that tells Where to Buy a Preinstalled Linux Desktop/Laptop. This is useful for people who can’t (or won’t be bothered) to learn how to install and maintain Linux on their existing hardware.

I don’t have any experience with buying Linux pre-installed from any of these vendors (although in late 2000 I did buy Red Hat Linux pre-installed on a beige box from VA Linux, who is no longer in business). Most of the vendors on the Berkely list appear to be small businesses, so I would suggest finding one close to your home if you went this route. But I would feel comfortable trying Dell with Ubuntu based upon my 10+ years of using their Windows-based laptops.

Ever heard that answer from a friend who knows something about computers? If you are an average Internet user, you probably depend upon your computer-savvy friends to get you out of a jam from time-to-time. If you have heard that answer read this article if you’d like to know why you sometimes get no help from the neighborhood nerd. (Hint: does your computer-smart friend fix computers all day at work?)

Hopefully, you’ve taken a few moments to read the article I pointed to in my last post. I’ve read it several times now, as well as many of the 113 comments the article generated. For the most part, I found the comments of Matt Knox (the interviewee) to be enlightening and consistent with my own personal and professional experiences. Although he said a few things that raised at least one eyebrow on my forehead, here are my take-aways:

• Matt Knox was motivated to write this piece of adware because he needed money; he wasn’t seeking fame nor pursuing any other agenda. It was just a job to him.

• The adware he wrote had many self-protective capabilities; it actively resisted efforts by the machine owner to remove it. Knox described using one particular advanced tactic: “We did create unwritable registry keys and file names” by exploiting backwards compatibility functions in Windows. This meant it was impossible to even see the adware’s registry keys with regular tools, let alone alter or delete them.
• It also removed any viruses and other adware that happened to already be present so as to have the resources of the machine available to do its work.
• The adware this guy wrote was typically installed by people who thought they were getting something useful for free (e.g., a funny screen saver).
• Knox’s company aimed for the biggest, easiest target: “Most adware targets Internet Explorer (IE) users because obviously they’re the biggest share of the market. In addition, they tend to be the less-savvy chunk of the market.”
• Here’s the obvious follow on question: “In your professional opinion, how can people avoid adware?” Answer: “Um, run UNIX.” (e.g., MacOS X or possibly Ubuntu Linux.)

Clearly, adware authors like Knox count on infecting those people using the dominant desktop operating system (Windows) and web browser (Internet Explorer) while at the same time relying upon old-fashioned confidence schemes.

For the “average” Internet user (and I have some stats on who this person is that I’ll share with you soon) I’d say the easiest way to avoid malware in general is to stop using Windows computers. That means they need to take up MacOS X or possibly Ubuntu Linux. If they buy certain netbooks, they will get an easy-to-use version of Linux that would give them the same protection.

If they can’t or won’t give up Windows, they need to switch to Firefox. And then install effective malware control software and adopt a more critical mindset that is more resistant to being swindled online.

As we go forward, I’ll have a lot more to say about how to avoid adware and all kinds of malware. What do you think?

Here’s a fascinating interview with an Adware author.

Wikipedia says “Adware or advertising-supported software is any software package which automatically plays, displays, or downloads advertisements to a computer after the software is installed on it or while the application is being used. Some types of adware are also spyware and can be classified as privacy-invasive software.”

Take a look at the interview. There are sections that get a bit technical; skip over them if you like and you’ll still learn a lot. I’ll give you my reaction in my next post.

The June 2009 issue of Consumer Reports contains a recurring report they do assessing the state of the Net with respect to cybercrime (last such report was in November 2008).There’s lots of great information describing the cybercrime problem: For instance, they estimate viruses did $5.8 billion in damages. That works out to an average of $66.51 per Internet-using household in the US. Among other useful things, they have published a short article describing five ways to stay safer online.

Given the audience, which I believe is similar to those I am trying to reach in this blog, I think the advice is reasonable and simple enough. Trouble is, the average Internet user probably won’t be able to follow every suggestion.

For example, here’s tip #3: “Control the privacy settings on your social-networking sites.” OK, now how do you do that? What settings, in particular, should be changed? Where do I find them? What values should I select? Without that site specific information, or a pointer to it, I doubt many people are going to know what to do. So the article seems to put a little wind in your sails to get you moving, then you abruptly come to a stop.

Taking a quick glance around, I’m overwhelmed by the number of details on social network privacy, such those provided by EPIC, the Electronic Privacy Information Center. I found one page at the Illinois State University site that appears authoritative to me, but how would an average Internet user know if it was reliable?

The upshot is I believe my blog would be more impactful if I provided authoritative advice on the technical settings you should make from your computer to guard against cybercrime. What do you think?