I Am. When?

Computer Security 101 - Part 6 - User Permissions

nospam@example.com (Andrew Maxim) — Thu, 25 Jun 2009 23:32:00 -0700

I skipped ahead in Part 2 of my Computer Security 101 entries to cover passwords, or rather passphrases, despite it falling out of line with an outside-in approach to security. Entering into the actual desktop arena, I am going to skip ahead of a few items to cover the important field of User Permissions.

Assuming you have followed the best practices I have outlined previously in parts 1 thru 5, in order to gain access to a desktop a malicious person would need to either bypass your firewall, hack your wireless, plug a hard-line into your network or be sitting directly at a workstation. From there they would then need to begin cracking the various passphrases on your computer or network to do any major damage. While these are all possibilities, they fall in the realm of highly improbable; again, assuming you have followed the prior posted best practices. Instead the real threat comes from you: the user.

I'm not referring to malicious users, but rather the unintentional threats presented by your own daily activities, curiosity and, to a lesser extent, lack of knowledge. It is here that the greatest potential for attack on a computer system lies. It is here that most breaches in a system occur. Here be users.

User permissions are probably the most under managed and over looked area of computer security, both at the home computing level and within enterprise organizations. Users break things. Users also bring in spyware, adware and viruses. The sad thing is that with proper user permissions most problems can be averted.

I will give an example of just how effective proper user permissions can be:

A while back my daughter had started to use my laptop to work on school projects. Being a person in general and a teenager in particular, she used the laptop for other things as well, such as going to her MySpace page. One thing lead to another and I was removing all sorts of spyware and trojan viruses from that laptop by the time she left that weekend. Yes, one weekend and the laptop was a cesspool.

Now, to put things in perspective this laptop was running the latest in enterprise level virus scanning software, as well as several anti-malware programs. All software and definitions were up to date. Yet, in a short 48 hours it was covered with all sorts of nasty little buggers. The reason? The account she was using had administrator level permissions. That was it; that was the security breach.

Mind you, the rest of my home network kept that laptop from "spreading the disease" or becoming a bot for malicious users, but it was a reminder to myself as to just how important user permissions can be. Since that time she has been setup with a user level account and there has not been a single instance of reinfection. If that is not enough convincing, let me point out that because she has effectively commandeered this laptop, the only account to logon for weeks at a time is hers. She is also not one to update the virus definitions, nor can she with her user permission level (as I said, enterprise antivirus software). But the laptop remains clean as a whistle, all thanks to reduced user permissions.

The lesson to be had here is that everyone should be performing their day to day computer activities with a computer account granted as minimal of permissions as possible. In the Windows environment this means being part of the "User Group", as opposed to the default in a home computer that dumps accounts automatically into the "Administrators Group."

To be completely clear, when I say "everyone," I mean everyone. At the home level a simple user account should be used for 99.999% of your activities. At the corporate level, every employee should be performing their work using a simple user account. This includes department heads, vice presidents, and even IT personnel. Especially IT personnel and most especially developers. 99.999% of all your activities at your desktop can be accomplished using a standard user account.

In order to cover the 0.001% of the time where less restrictive permissions are required, companies have an IT staff to handle things. And those IT personnel should have a second account with appropriate permissions to be used strictly for performing these 0.001% tasks. Home computers should be setup in the same manner as IT personnel: one User level account for everything and one Administrator level account for stuff not covered by everything.

I have heard all sorts of complaints and excuses in the past as to why "so-and-so" is a local administrator on their desktop, or why a developer needs to be an administrator, or why it is inconvenient to have to switch user accounts. To these excuses I say a nice resounding "Bull Shit."

Inconvenient is a home user having to spend $65 an hour to clean all the malware off their computer. Inconvenient is trying to fix your credit after your identity has been stolen. Inconvenient is having your company blacklisted on Spamhaus because a developer's computer is sending out spam thanks to a virus. Inconvenient is having to explain to your customers how their personally identifiable information might have been lost as part of a recent security breach. Inconvenient is going before a judge to explain your company's negligence. These things are inconvenient; having to log off your computer and back on with a different account to install new software is not.

There are other areas of user permissions aside from the simple User versus Administrator, but that really becomes a case by case kind of thing. The best rule to follow is to start off with the most restrictive level of permissions for each person possible and then tweak things as needed. You might get yelled at for a person's lack of access to something, but you are not going to get subpoenaed; and any yelling stops when you fix the problem.

Tutorial and Other Updates

nospam@example.com (Andrew Maxim) — Tue, 23 Jun 2009 11:41:58 -0700

As promised, I have finished up the Omnidirectional Tactile Whisker Sensor tutorial. Complete instructions are available in the tutorial section (linked in the main bar above). I think when all is said and done, each sensor comes out to a price of about $0.75 (yes, 75 cents) or less. I have made about a half dozen of these Whisker Sensors thus far and each has come out working quite well with little to no problems. The intention is to post this tutorial up on the Society of Robots website as well. Good stuffs all around.

Speaking of the Society of Robots (linked in the side bar over there <-- ), the website received much love in the July/August edition of Robot magazine. To be honest, it is about time the website got this attention, as there is so much information available at the Society of Robots for every level of roboticist. It really deserves a full featured article, or at the very least an interview with founder John Palmisano. Congratulations SoR! Well deserved.

I am also in the process of updating my Science Scout badges page to include my latest badge, as well as updating all the image links to the new Science Scout page. Even if you have no interest in sciencey stuff, I do recommend reading the badge page. It is quite the humorous compilation, if I do say so myself. It is linked off my About Me page (main bar above) or directly by clicking here.

The last update here is that I am hoping to have the next in my series on Computer Security up before end of week, where I will be covering User Permissions. Stay tuned...

Dead Power Supply

nospam@example.com (Andrew Maxim) — Wed, 17 Jun 2009 11:09:25 -0700

Following a loud pop that caused my heart to stop for a moment, my computer power supply decided to head on to greener pastures. Being who I am, I figured I would rip it apart to see the reparability of it all, thinking it was likely a blown capacitor or transformer. Capacitors that make that exploding sound usually show some outward sign of such action, where as transformers are generally more subtle. Worth a shot at the very least, right?

With no signs of capacitor damage and 16 transformers soldered into the circuitry, it was apparently a waste of my time. I suppose I could have started desoldering parts to test them individually, but even were I successful in locating the culprit (and hopefully the root cause); I would have to locate some oddball replacement component. Hardly worth the time for all of that.

Instead of jumping through all the self-repair hoops, I looked online for an aftermarket replacement... with no luck. It would seem this is a proprietary power supply specific to this model of Dell. And that just sucks. The good news is that everyone and their brother seem to carry this power supply as a refurbished unit, including Dell. That meant two things to me: first, this particular type of failure is likely a common problem with this power supply, and second, they are likely replacing the bad component with a better one. That last part is just a guess, but makes sense when you have a common source of failure.

Anyway, the moral of this story is that I am without my main computer until sometime Friday when my replacement power supply arrives. The big problem is that my life is on that computer, including all the pictures and notes for this here blog thingy of mine. I do have backups (and the hard drives are obviously still OK), but with under a weeks wait for repair time it hardly seems worth the effort to build out a computer just to restore a few files for a couple of days use. At least that is my thought.

While we wait for a real blog entry from yours truly, you can just sit back, relax, and enjoy the music. What? You can't hear that music? Sorry, the voices must be singing again. They really are getting pretty good you know. Just skip that last part about enjoying the music. I'll get something more entertaining up as soon as I can. Until then... Ciao.

Pull And Pray Is Not The Way

nospam@example.com (Andrew Maxim) — Fri, 12 Jun 2009 10:48:51 -0700

Oh my dear God. I found this article on birth-control from over at LICD Webcomic who got it from one of his readers, and I am just shocked. It seems every time I think there might be a glimmer of hope for the scientific community, they throw a curve ball over to the stands.

Seeing as I know (thanks to Google analytics) that most of my readers won't bother to click the above link, I will say that the article is about medical doctors wanting the withdrawal method, better known as the pull and pray method to be considered a viable form of contraceptive. And by "viable", I mean one in which the doctors should be discussing as a possible contraceptive method between partners. I will give them one tiny mark for admitting it is not a full-proof method, but just to acknowledge it is ludicrous to begin with. You know it, I know it, but apparently some doctors don't know it.

So how on Earth did they decide it should be a viable method of contraceptive? The answer is statistics. Many people have been using the pull-and-pray method with some success, which makes it statistically viable according to the doctor in the article. But what they never seem to teach in school is that statistics lie. Statistics are biased and opinionated and they, well, they lie. Except for the statistical correlation between the decline in Pirates and global warming. That one is truthful.

In order to see just how bad statistics can lie let's take a look at two examples of other methods of birth-control that should be thrown on the table from a statistical point of view. The first is an old wives tale that you hear from time to time and which has even made it into various movies: You can't get pregnant if you are a virgin. I will bet my life's savings that if you were to do a study on the number of teens who have practiced this method of birth-control, there would be less than a 50% conception rate. Probably somewhere below 20%. I can make that statement because of the next method of birth-control that should receive equal time with the withdrawal method.

The Just Have Sex Method of birth-control. Poll any couple who has tried to have a baby as to the frequency of their "unprotected" sexual activity prior to conception and you will be seeing averages of 30-60 days. Even on the low end of that, 30 days of "unprotected" sex, assuming an average of once per day, means that the couple had sex 31 times with one instance resulting in conception. That is a 96.7% effective rate for just having sex as a viable form of contraceptive. That's almost the level of condoms for FSMs sake. Statistically speaking of course.

Not buying it? Well, let’s look at the facts then. The average menstrual cycle of a woman is 28 days. Of those 28 days, ovulation occurs around day 14, which is when the egg comes flying down the fallopian tube (the process starts around day 12). The egg is viable for about 2 days after that, meaning it can be fertilized by a sperm. Looking at the statistics for this, and being generous by allowing for 3 days of actual conception, we can see that for 89.3% of the days in a menstrual cycle conception is not going to happen.

"But Andrew," you say, "the most fertile period of a woman is from 5 days before to 2 days after ovulation. Wikipedia told me so." And you would be right. The reason for this is that sperm can actual survive inside a woman for 5-6 days or so. Meaning they can be waiting for the ovum like well trained Ninja, ready to strike at first sight. One would think that this would increase the odds of conception to something higher than 11%, right? Wrong.

Sperm are not well trained Ninja. At best they are undertrained Ninja. And Ninja are weak when compared with Pirates. Instead of swimming up to wait for the ovum to arrive, sperm, in their Ninja fashion, wander around aimlessly without a well thought out plan of attack. Most actually drip out of the woman after sexual intercourse is complete (hence the need for towels). The rest crash into each other, try to swim through the walls of the uterus, and general look like the three stooges. Basically, Ninja-like. This behavior greatly reduces the chance of conception overall.

Some do get lucky, however. This is why the human race has not died off, and the reason that there is a slight chance of conception. It is also the reason it is still called the "miracle" of life. This leads me to my last point regarding the so called withdrawal method of contraception.

When a man is sexually excited, even before intercourse, small amounts of semen are released from the penis. This helps in providing lubrication during intercourse. This semen contains viable sperm. It is just as likely that one of these viable sperm, released prior to ejaculation, could blunder upon the ovum and result in conception. Notice this little part: released prior to ejaculation. Meaning before the pull-and-pray method has even had a chance to take place.

If you put all of this together, you will see that the withdrawal method has roughly the same chances of conception (or prevention) as sleeping with only virginal women and just going for it (or the anti-withdrawal method). Stealing from my Pastafarian brothers and the Prophet Bobby Henderson, if you are going to teach the withdrawal method as a viable form of contraception, the other two methods listed here should receive equal time. Either that or some doctors need to go back to school to learn about reproduction and statistics. Thank You.