Latest security news

Thank you, good to know.
I'll go take a look at the manual again - thanks for providing this resource.

When it is a fresh install, I would suggest turning on the firewall. Tools like rkhunter and chkrootkit (command-line tools) can help with scanning for threats. ClamAV has a graphical interface called ClamTK, which I use too.

In general: don't download random stuff from random websites. And don't use random commands that you find on the Internet.

When you have downloaded something, you could use VirusTotal to scan the downloaded file. All this doesn't give you 100% security - that is not possible. But it can increase your security.

And for the worst case, you should have a backup of your data. What form you use is up to you.

1 Like

A lot of the news that you see regarding IT security is only published after there's a fix available. Many of them are also theoretical or feasible only in highly specific conditions. One of my favorites is a study where the researchers were able to read CPU instructions straight out of the surrounding air, using a thermal camera and reading the heat signature the hardware emitted. Pretty scary, and cool, but also insanely specific, and it could only happen in a very controlled scenario.

For pretty much any regular user, those are the most important things to do. And that's already more than enough to shoo away most hacking attempts. Keep in mind also the cost/benefit analysis that someone has to consider before trying to hack a random person on the planet. It's costly, it's difficult and is rarely worth the effort.

In fact, security as a whole follows the "weakest link in the chain" principle. Take encryption for instance: encryption algorithms are so strong that it is not feasible to break them by brute force. It's far easier to trick someone into giving away the information they're hiding behind encryption, through social engineering or "phishing". With the advent of AI this has become a whole lot more serious a threat.

If you have services exposed to the public internet, like a Plex server or something, that is a far juicier target. Maintaining a server is costly in terms of time and expertise, and there are far too many of them where people neglect to keep them up to date. I happen to know of one case personally from someone who got hit with ransomware, although the best cure was a trusty backup.
This is also true of IoT devices. Your "smart" toaster is a huge risk to your home network. Even assuming that the manufacturer had security in mind when developing the product (not the case), this requires costly ongoing support in the form of updates which never arrive or are dropped while the device continues to run for years. The same goes even for the router issued by your internet provider: rarely do these devices see any updates.

This is all to say that security is not a binary "I am secure" vs "I am not secure" state. You need to understand the vulnerability, how it works and how it applies to your use case.

As for some advice, in addition to what has been mentioned, I'd suggest reading about password managers and multi-factor authentication to protect your accounts, as that is how we mostly interact with the world these days. A good read on the topic (and a great site overall for privacy and security tips):

2 Likes

Thank you zenzen for this sensible advice.
Aye, I have no IoT devices; I see no problem which they solve (for me).

My NAS is on LAN only.

My router is ASUS and locked down as much as I know how.

My question was geared towards guidance on good practice for the average user, and to see what additional steps the more knowledgeable forum users suggest, so thank you for these responses.

1 Like

I have a lot. I mean a LOT. Sometimes they solve a problem for me, sometimes they're just a convenience, and sometimes they're a fun toy, but no more than that. This is less for you than for anyone else in my boat who likes their IoT devices: Pay for a router that lets you set up VLANs and learn to use them. The Synology RT6600ax isn't perfect, but it makes VLANs comparatively easy and provides above average security for a consumer product. I also find that its firewall is easier to configure meaningfully than routers I've owned in the past.

That said: VLANs. VLANs are a means to have separate virtual LANs on a single router, which are ordinarily not allowed to talk to each other. I don't want a vulnerability in my IoT devices to let someone on my network, and I don't want my own mistakes to affect my work computers, so I have a main VLAN for full blown computers, smartphones, and tablets; an IoT VLAN for all devices that are connected, but which I don't trust to have security patched as it should be; and two work VLANs, since I don't want anything on my home network interacting with work, my work network interacting with home, or either work computer interacting with each other.

This keeps the most vulnerable devices segregated, so they can't provide a window into the rest of my network, and the router is configured not to allow devices on anything but the main VLAN to configure it. Naturally, that means that my main VLAN has all the eggs in one basket so to speak, but that's what the other tips in here are about.

1 Like
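For readers who want to see what the segregation described above looks like as an actual ruleset, here is an added example (it is not the poster's Synology configuration, which is built in that router's GUI). It assumes a Linux-based router with 802.1Q sub-interfaces eth1.10 (main), eth1.20 (IoT), eth1.30 and eth1.40 (the two work VLANs) and a WAN uplink on eth0; those interface names and VLAN IDs are assumptions chosen for illustration. The ruleset is written for nftables:

```nft
# Added example, not the poster's router config. Interface names and VLAN IDs
# (eth0 = WAN, eth1.10 = main, eth1.20 = IoT, eth1.30/eth1.40 = work) are assumed.
table inet vlan_policy {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Keep established flows alive so replies get back to whoever started them.
        ct state established,related accept
        ct state invalid drop

        # Every VLAN may reach the internet through the WAN uplink.
        iifname { "eth1.10", "eth1.20", "eth1.30", "eth1.40" } oifname "eth0" accept

        # The trusted main VLAN may open connections into the IoT VLAN
        # (for example to control a device); the reverse is never allowed.
        iifname "eth1.10" oifname "eth1.20" ct state new accept

        # Nothing else crosses VLANs: IoT and both work VLANs are isolated from
        # every other VLAN by the chain's default drop policy.
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # Only the main VLAN may reach the router's own admin interface.
        iifname "eth1.10" tcp dport { 22, 443 } accept

        # Every VLAN still needs the router for DHCP and DNS.
        iifname { "eth1.10", "eth1.20", "eth1.30", "eth1.40" } udp dport { 53, 67 } accept
        iifname { "eth1.10", "eth1.20", "eth1.30", "eth1.40" } tcp dport 53 accept

        # ICMP so hosts can ping the gateway and receive error messages
        # (and so IPv6 neighbour discovery keeps working).
        meta l4proto { icmp, icmpv6 } accept
    }
}
```

The sub-interfaces themselves are created separately (for example `ip link add link eth1 name eth1.20 type vlan id 20`); the ruleset is then loaded with `nft -f` and can be inspected with `nft list ruleset`. The important design choice is the default `drop` on both chains: anything not explicitly listed, including an IoT device trying to reach the main VLAN or the router's admin port, is silently discarded, which is exactly the "window into the rest of my network" the post wants closed.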

An interesting read about Firefox and Thunderbird. With regards to the former, there was reference to javascript - this is one of the key elements that Stallman opposes, websites that use java, and hence its lack of support in the IceCat browser.

Hi Swarf, I'm not sure what article you were referring to, but I found this: https://www.gnu.org/philosophy/javascript-trap.en.html

Be careful not to mix up Java and JavaScript; they are different entities. As a web developer who always aims to be ethical, I find his article interesting. I have always minimised use of JavaScript in my work, preferring always to find solutions in pure HTML+CSS, although these generally lack somewhat the simplicity and smoother operation of JavaScript solutions. I am only talking here about its use to enhance the user experience.

I find his definition of trivial/non-trivial very hard to differentiate in practice. I use elements of what he calls non-trivial (e.g. AJAX calls) which can greatly improve the website experience for the user. My clients desire this usability - and this is a highly ethical organisation.

I agree where he is referring to websites such as Google Docs, where we can be sure that data harvesting is going on. I feel that integrity of one's data should be the main criterion, something I am highly responsible with. There is no need for my websites to do anything other than present the information requested, so that is all we do.

However, to push against JavaScript now is an uphill struggle. Try navigating modern websites with it turned off: the experience will become somewhat degraded, often inoperable. Modern web interfaces need JavaScript, or something like it. And I write as someone who minimises and avoids its use other than where it really is necessary to support or enhance the visitor experience.

He argues against the use of minified code and says this makes it non-free. The reason this is employed is because it reduces file size, so the site uses less bandwidth. It's a better solution. Obfuscation is another step, I agree, making code near-impossible to analyse.

I think we are much better to push strongly on data integrity than on specific technologies which are now a long-established part of the modern web.

1 Like

Apologies, my bad. Made this mistake before methinks. In the meantime, an interesting read here:

CISA changes vulnerabilities updates, shifts to X and emails • The Register

People having issues with their emails being blocked even though the recipient has you as a trusted sender? Things have just got worse:

You don't have to visit Google directly to have a website download megabytes' worth of scripts that provide no value to you.

The issue is not the technology per se (it rarely is), but there are damaging consequences in the exaggerated misuse of it, which opens users to privacy violations and security vulnerabilities.

Considering that the article was written back in 2009, before the boom in JavaScript frameworks and libraries that followed shortly after, I'd say that this was an excellent judgement call on his part.

Even as a web developer, can you actually vouch for the Nth dependency that you use in one of the dozens of packages that are included in the bundled JavaScript that you send with your website?
Most developers can't, or won't, even when the problem is easy to solve by hand; they've been taught to reach for a package that can do it for them. This in turn can have other unexpected consequences, like with that left-pad incident that broke thousands of projects.

Another example of a damaging consequence on this over-reliance in JavaScript is the control that it gives big companies like Google. For instance, by introducing artificial incompatibilities to funnel traffic to their own products and services. And once again this can happen without people being aware of it, like when a website making use of some script they don't understand prompts the user to change to Chrome when they're using Firefox.

I don't disagree with you in that, as of today, it's unrealistic to speak of a JavaScript-free web. But the dangers that Stallman talked about have proven themselves to be very real, and detrimental to the user experience in many ways. Again, this was 16 years ago!

Personally, I'd be happy to trade all those conveniences and flashy animations away for some privacy. A lot of that is just junk anyway, and you can still browse the web normally without it.

Luckily, CSS is coming with some really cool stuff and the reliance on JavaScript for a lot of things is going to diminish. Although, those coding AI assistants are trained with data that makes heavy use of JavaScript for a lot of things, so... still some way to go.

2 Likes

I agree. I always attempt a solution in CSS first, even if it is a little less performant than the JavaScript version, and I only employ JavaScript in tiny amounts, all hand-written, so I can vouch for its credentials. There are instances where JavaScript makes for a much improved user interface, while of course having it as an enhancement rather than a replacement, so the non-JavaScript version still works. I have spent days attempting to create a CSS solution in some instances.

1 Like

I would think that the CSS option performs better since it's running right in the browser, doesn't it?

If you need a dynamic UI that responds, or a complex chain of UI interactions, JavaScript provides a better solution than CSS. CSS is simpler, can follow one element at a time and cannot perform dynamically as JavaScript can.

What you said here applies:

Developers are competitive. And consumers are less discerning.
Webpage developers do not prioritize your privacy (in most cases), and their primary concern is anything that gives their page an edge against any competitor's page.
If it can respond dynamically to customer inquiries and provide complex options faster, that is what they will do, and they would consider themselves foolish not to.

This leads us to:

I would say Sisyphean.

This is a response to a question; not an endorsement. I acknowledge a sad reality, I do not condone it.
I do agree with the points made by all three of the members above.

But we lack the kind of strong public support needed to effect change in this.

Looking at the Mozilla Policy Change is an excellent example: Even when publicly called out, the Mozilla response was to dodge and stay the course because they know it will blow over.

2 Likes

Sisyphean refers to a task that is endless and futile, derived from the Greek myth of Sisyphus, who was condemned to roll a boulder up a hill only for it to roll back down each time he neared the top. It symbolizes efforts that are laborious but ultimately without success.

That may save some web searches by other users; I have done it for you 🙂
Good that one word can efficiently replace many, as in "kicking a brick wall".

1 Like

Another is a Pyrrhic victory! [A victory that inflicts such a devastating toll on the victor that it is tantamount to defeat.]

I will give an example from my programming of my Casio FX-502P programmable calculator. I discovered that the calculator had a built-in pause function. I decided to create a countdown timer, which ironically was easier to create than a chronological timer. The issue? The pause function was not exactly to the second, so when I did finally manage to create a forward-running timer, I had to add 30 seconds for accuracy to reach a minute!

As does JavaScript. CSS can do some clever things, but as @Aravisian pointed out, it is not dynamic. CSS simply cannot address page elements in the same way. For simple transitions, fades and little visual elements, yes.

I have spent hours (days in some cases) attempting to create a CSS solution that could be achieved in a few lines of JavaScript. I did this for my own discovery and learning, pushing the boundaries. The solution didn't achieve its goals and was terribly hacky, not a thing I could ever use in a client project. I can't go harming my clients' businesses by making the visitor experience less than it could be. But I can act ethically with user data.

1 Like

Worryingly there's a dangerous rootkit about called Curing. It bypasses most existing security monitoring as it doesn't use any syscalls. Find out more at:

[Source: Page 78 of the final issue of LXF]

The best security is to get off the internet, and return to a 1980s lifestyle using a landline phone. Unfortunately, society has changed so much that much of what we do, whether it be in sales, service, businesses, schools or government, requires an internet connection, and sometimes a cell phone as well.

Society interconnected us for the greater good in 1995. Unfortunately, due to bad actors, it's not always for the greater good. And due to this major push for the newest in technology, elderly boomers are left behind, without their grandkids helping them out.


2 Likes

New for me:
text/code that you see and want to copy from a web page can be very different from what actually gets copied and then pasted: