Re: My Solution to Securing Windows 98, ME Against Network Modification and Spying, using Linux.
From: grunes (grunes_at_yahoo.com)
Date: 26 May 2003 09:36:20 -0700
First a correction:
My backup.sh included the following lines
echo "rm -f /hda1/junkzero*"
rm -f /hda1/junkzero2
That "junkzero2" should have been "junkzero*", else it would have
filled the available space in the windows directory with a large
zero-filled file, making it hard to use.
I appreciate the various replies offered. But let me mount some
defense for acting reasonably paranoid.
>From: n1pop (email@example.com)
>Securing a system from most attacks takes only a little effort and
>some knowledge. You need to know how attacks could be made and what
>you can do to stop them.
Microsoft patches a "new" hole every few days through
support.microsoft.com. If you get on Redhat's mailing list they patch
a "new" hole several times a day. (Not that patch frequency relates in
a reliable way to error and backdoor inclusion.) Each of those
represented a possible way into your machine. Besides, backdoors
exist, so evil-doers may be playing with your system regardless of
>For example, no hacker in the world can get
>to a computer that doesn't seem to exist on the net, and a decent
>firewall can do that.
Java and Active X, including some of the ones I find professionally or
personally very useful. These have all been known to open holes that
might get through a firewall. Other holes probably exist in Windows
itself, thousands, if my theories are right.
A firewall can close specific ports. But personal info and external
control instructions can go through any port, if there is bad software
to receive it. Even the timing and details of http requests can pass
encoded information. A firewall can block specific sites, and known
threats, but not all are known. If my theory is correct, most are
known only to the malicious few. Your browser has to be configured to
get through the firewall, and may itself be delivering the needed info
to the remote site. The fact that remote hackers don't have a specific
IP for you can't stop holes that are built into the system. We use a
seperate hardware firewall at my home, configured by someone more
knowledgeable and paranoid then myself, who seems to love tracking
down hackers. Zone-Alarm still finds a few things. Someone who worked
for one of the best known router companies told me that people find
new ways to break into them a few times a day; the same might well be
true of firewalls. Firewalls are sometimes useful, but they aren't a
>You need to develop safe surfing habits; don't open attachments from
>people you don't know, don't fall for scams like the MS security
>update email (MS never sends unsolicited email containing a fix),
>don't accept default program configurations.
There are times when all of these things are convenient. My way lets
me do all these things safely.
I figured out that MS security update scam. It was confusing, because
my workplace sends out a few security warnings a week, and this was
worded in about the same way, but it became pretty obvious when I
looked at the wierd return address. Pretty dumb hacker. A hacker that
made himself look exactly like the security memos from a large
organization would probably contaminate a lot of people's machines. Or
a hacker who broke into a router and made their machine look like the
update servers for Microsoft or Redhat. You'd never know, if they were
Some very useful free or commercial software contains spyware or
worse. For example, Adobe Reader is needed to read the documentation
for a lot of commercial software, and for many of the posts I get for
work. But recent versions of Adobe Reader start up a superfluous
resident "Download Manager", one of the more obvious halmarks of
spyware. Some useful web sites need Microsoft Internet Explorer or
Netscape to be viewed, both of which are known spyware and malware.
Again, I recently bought a common program called "TurboTax" from a
Intuit. It contained big-time spyware and malware (in my case the
video driver malfunctioned when I deleted the spyware, other people
have had CD writers fail, or boot failures altogether), a fact that I
should have known if I had looked at relevant web sites. Time being
finite, I just assumed that a well-known software package from one of
the biggest companies in the financial software arena would have to be
My home computer exists largely for recreational purposes. Some of the
clubs to which I belong post through web sites and mailing lists, and
I frequently go looking or shopping for things by going to a search
engine, and clicking on anything that looks good. I would rather not
worry much about it, then restore it back to safe state before doing
anything like using a credit card, and leave a seperate operating
system load without network access to handle private info.
>From: Susan Bradley, CPA aka Ebitz SBS Rocks [MVP]
>The number of Linux vulerabilities are on par with Windows
>vulnerabilities...both suffer from the same fate:
>SCU's. SCU's are the bane of every company, cause all security
>all vulnerabilties, and are the root of most security issues.....
>SCU's? Stupid Computer Users.
We are all sometimes stupid computer users. One mistake is enough to
let in the bad guys. A way of easily recovering from a mistake is
The indicated solution is not appilcable to my personal work site, as
we manipulate too many gigabytes. But, most people in any given
worksite don't even care about security. Trying to stay up with
security is a full time job, often a loosing battle. Most of us are
paid to do real world jobs too.
>From: Lanwench [MVP - Exchange]
>In addition to the other comments, nobody ever said Win9x/ME were
>they're not, weren't designed with security in mind. Anyone who
>about security and wants to run Windows is going to be using NT, 2k
>also with all patches, firewalls, and angry guard dogs installed....
Things get past those operaitng systems too, for most of the same
reasons. XP, if anything, is viewed by large parts of the security
community as the least secure and least private of the entire Windows
There is another major issue. You can go to a computer show and buy a
perfectly good new computer system for under $300, a used one for a
lot less. (I assume you have an old monitor already, and that you
don't need gigaflops of processing speed.) The retail price for
Windows 2000 Professional, arguably the most secure Windows member, is
a fair bit more than that, especially if it is not bought as an
update, and does not come with the machine, and you are trying to be
completely legit. I feel that paying such prices is basically
unethical, because it encourages Microsoft to continue over-pricing
their product. Anyway, we use NT, 2000 and XP at work, and they suffer
most of the same problems, based on the security notices our work
In summary, the world is not a secure place. Finding a way that lets
you close holes in a few minutes is not unreasonable.