Paranoid about security? How can you tell?

[Sully]

In another thread, this small statement was made

Quote:

But I don't know what is the best tool to check hashes on Windows 7 - I don't waste my time with this boring practice. If I did, I would see myself as a paranoid, because I already maintain a very small set of selected software installed, to avoid vulnerabilities and other problems and, usually, I don't download alpha/beta software, neither new unknown software and I prefer to always download from the developer page when possible.

This left me pondering the question to myself, "am I paranoid about this". Then I asked myself, what exactly is my description of paranoid? Is paranoid using LUA only with a firewall? Or is paranoid using whats-its, who-dats and wazzups?

What is paranoid then? Is it running many tools to stop what you have already downloaded and executed, or is it attempting to ensure the thing you download is as the authors intended, which is hopefully malware/virii free before you even execute it?

I see paranoid as desiring to trap every little action that happens with powerful HIPS type tools. I see paranoid as using multiple scanners to sweep files for suspected ill-wills. I see paranoid as making a backup incrementally daily/weekly when there is nothing "mission critical" to maintain.

I don't see using built-in OS features as paranoid. I don't see a 3rd party program or two as being paranoid. I don't see checking the hash of a file just downloaded as paranoid. I see these things as prudent.

So, what is paranoid to you?

This is not a serious question BTW, nor is it aimed at the author of that snippet. It was just something that made me stop for a moment and examine how much effort I put into a security scheme and how much effort may be wasted due to being paranoid.

And as usual, I wanted to hear other opinions to gauge my own by.

Sul.

On the case of hash:
I see checking hashes as a practice that would make me look like a paranoid (that's why I said "I would see myself" and not "I would feel myself"), because I adapt some practices that should already reduce considerably the risk of downloading hijacked files to the point that checking hashes everytime becomes irrelevant.

"Look like" is different from "Be like" - I don't really feel the irrational fear that characterizes a paranoid, so I can't really be like a paranoid, no matter how hard I try to look like a paranoid on my actions.

The only way to be like a paranoid is if I find a way to make my brain starts to feel emotions like a paranoid feels (where it is relevant).

PS.: my use and view of the word paranoid is the same of a common dictionary.

Quote:

Originally Posted by http://www.thefreedictionary.com/paranoid

par·a·noid (pr-noid)
adj.
1. Relating to, characteristic of, or affected with paranoia.
2. Exhibiting or characterized by extreme and irrational fear or distrust of others: a paranoid suspicion that the phone might be bugged.
n.
One affected with paranoia.

paranoid [ˈpærəˌnɔɪd]
adj
1. (Psychiatry) of, characterized by, or resembling paranoia
2. (Psychiatry) Informal exhibiting undue suspicion, fear of persecution, etc.
n
(Psychiatry) a person who shows the behaviour patterns associated with paranoia

[Mrkvonic]

Paranoid probably indicates exercising an action against clear evidence indicating such an action is unnecessary. Now, interpreting the evidence is entirely subjective, which is why paranoia is usually associated with medical thingies that can be measured rather than stuff like computing.

But paranoia can be believing in technologically impossible stuff, like wireless transmission from your cd-rom, for example. However, whether running two or three programs constitutes paranoia, hard to say.

I think what we call paranoia is more: compulsive behavior and fear of unknown stemming from ignorance, lack of knowledge, hearsay, and other people's experience. Most people overcompensate for their lack of computing skills. It's the separation of tactics from strategy, understanding that tools and programs do not translate into security, but the other way around.

I would say most people with zealous security habits are: hobbyists who like that kind of thing, people inflicted with OCD and such, people with little knowledge but perceived high knowledge due to abundance of security tools, people with bad experience, and finally, people who do not really know what they need, so they go for everything.

Does that answer the question?

Ah, yes, while i disagree with 99% of all security tips given, including anti-virus, ant-whatnot and such, I don't think it's paranoia.

Mrk

I finally completely agree with a post made by the dedoimedo guy.

[blacknight]

Quote:

Originally Posted by Sully

What is paranoid then? Is it running many tools to stop what you have already downloaded and executed, or is it attempting to ensure the thing you download is as the authors intended, which is hopefully malware/virii free before you even execute it?

I see paranoid as desiring to trap every little action that happens with powerful HIPS type tools. I see paranoid as using multiple scanners to sweep files for suspected ill-wills. I see paranoid as making a backup incrementally daily/weekly when there is nothing "mission critical" to maintain.

Paranoid these ? It's normality.

[Sully]

Umm, I really didn't think anyone would take it as the literal "paranoid". It is just a bit of slang to mean "are all these things I am trying to protect against really a worry for me" which may lead to evaluating what you do and why you do it.

I was hoping for maybe something like this...

I think it is prudent to use XXX because the threat is real that website YYY might be compromised and the authors don't even know it. It has happened before and just using ZZZ was not enough to protect you, so I do this and that now. It might be a bit paranoid, but I see the threat as very real because it has happened, so now I play it on the safe side.

and the other side...

I used to worry about 123 because 456 happened to a lot of people. But after so many 789's and 10 11 12's, I realized my use of 13 14 15 really was all I needed. I stopped being paranoid about it happening to me becuase data 16 17 18 state this and that, which I am comfortable with.

As a real world example, I stopped being paranoid about what software was communicating with whom, so I stopped using a firewall. More than 10 years went by using one, and always creating very strict rulesets. And in more than 10 years, there was nothing worthy of note, nothing that without it running I would have had real problems with. I used it to stop some programs from updating. Used it to stop some programs from communicating on startup that caused a noticable delay while they waited for replies. Used it to find out what was doing what. But never once did I really need it. Granted, it is probably due more the my practices than the lack of threats, but still, I thought I was being paranoid about a problem that for me just did not exist, so I stopped using them unless special needs arise.

Sul.

[dw426]

I don't know if "paranoid" can actually be used here, overly cautious, yes, for sure. I think that if you are the type to purposely play with and test malware (and someone has to, or else no one ever finds out about the newest threats), then talk of firewalls, multiple scanners, hash checks, HIPS, and any other security measures, are warranted. Otherwise, no, it's a waste of time and resources. You don't even have to practice "safe hex" (which is a ridiculous thing to begin with as you can be jammed up on a legit website or download these days, just as easily as you can surfing and downloading from the "seedy" side).

I don't understand all these "what's your security setup", "Is this too much?" best this, best that threads. If you want tight, yet reasonable security, here you go:

1. An updated, good browser. After all, the browser is the most used door for malware.

2. Sandboxie. Properly configured, this alone solves 99% of your security issues.

3. KeyScrambler. Purely optional with Sandboxie on board, but, heck, why not make the day even worse for a keylogger you may get?

4. Anti-virus. Unless you can spot a malicious program with just your eye, this little fella is still needed.

5. Backup Scanner. ONE, ONE scanner. If you pick a good AV, you don't need Malwarebytes+Hitman Pro+A2+...good grief. Pick a scanner you like, keep it updated, and there you go. Don't bother with real-time either. Think about it, if malware is in Sandboxie, and any downloads you retrieved are clean, what do you think is going to happen when you clean the sandbox? Why do you need a real-time program to block something that Sandboxie is going to kill anyway? I didn't think so.

6. Don't click on "warning" messages when you're surfing the internet. Malware is moving past being embedded in downloads. Social engineering is where it is at. Why should the bad guys risk your security software picking them up, when they can just lure you in with an email or a warning message to log into a website to "clear up a problem"? They want your identity and money, and the best way to get that is by tricking you into giving it to them yourself, not assaulting you with keyloggers, rootkits and trojans.

So, there you are, 6 simple things that will keep you secure and happy, and let your system keep its resources for more important things like music, movies, playing with photos, gaming, and seeing how much more trouble Lindsey Lohan can get into

[vasa1]

Paranoia also involves unhappiness and I'm happy behind me firewall (GRC-approved)

[vasa1]

And a nice sister thread would be "Paranoid about privacy". (I'm going to get a lot of stick for this. I just know it. )

[Page42]

I see in this world all around me, people who are in active pursuit of what doesn't belong to them. If it is yours and not secured, it might well easily get owned, shared, stolen, damaged or destroyed.

I see the need and desire to secure computers as nothing more than the response to this criminal element who believe that if you want to make it, you got to take it.

I would say that while a healthy concern is always justified, even a slightly unhealthy concern is better than not enough security. I view the people who say that they don't need much security with the same degree of skepticism that I view the shills who say you need everything under the sun in your arsenal. In truth, we are being attacked from both sides... the AV and security companies are doing all they can to drum up business by touting the baddest threats alive, and the social engineering clan is constantly at work trying to separate us from our possessions.

In everything that we do in this world, we are faced with moments in which we are asked to navigate some leap of faith. My focus has always been to keep the leap more like a crack in the sidewalk, instead of as large as the Grand Canyon. I have reached a very contented point wherein I am satisfied that with my computers, I have done all I need to do in order to keep the bad guys at arm's length. From all that I have read, ownage is always possible. I have decided to take some essential steps to fend off most instances, and beyond that, I am not stressing over it one bit.

[Kerodo]

I think a lot of the paranoia comes from people grabbing OS's and apps via p2p networks and not being sure if what they got is really clean or not. Not knowing because you didn't buy or get it in a legit fashion can make one paranoid real fast.

Then there are those who just load up on apps because it makes them feel more secure. I would call this mostly lack of real knowledge. As we all know, you don't need all that stuff to be secure and live free of fear and paranoia.

[dw426]

Quote:

Originally Posted by Kerodo

I think a lot of the paranoia comes from people grabbing OS's and apps via p2p networks and not being sure if what they got is really clean or not. Not knowing because you didn't buy or get it in a legit fashion can make one paranoid real fast.

Then there are those who just load up on apps because it makes them feel more secure. I would call this mostly lack of real knowledge. As we all know, you don't need all that stuff to be secure and live free of fear and paranoia.

Actually, as far as P2P is concerned, if it passed my AV and MBAM scan, I deemed it clean. There comes a point when you cross the line from being careful to wasting your time. Your second point I wholeheartedly believe. When I see someone with a long list of security programs, I think one of two things. Either they are malware testers/hobbyists, or they comb through a forum like this, see all the threads of bypasses and "badass" malware, and panic. This second group end up causing more problems for themselves than malware does, imho.

Quote:

Originally Posted by Sully

Umm, I really didn't think anyone would take it as the literal "paranoid". It is just a bit of slang to mean "are all these things I am trying to protect against really a worry for me" which may lead to evaluating what you do and why you do it.

Ok so, to the slang use. Personally, I consider any boring task to improve computer security/privacy to be something that would make me look like a paranoid. Here is what I have and do:

• All passwords and the like must be secure, according to several rules, but the ones I need to manually type have an obvious limit of extension;

• Properly updated drivers (here, Win7 detected automatically all devices), and a properly configured router with updated firmware from the developer;

• Leave all built-in Win7 features that can improve security/privacy ON by default, with small tweaks here and there to improve usability (like a less annoying UAC);

• Fully enabled Antivirus: Microsoft Security Essentials;

• Maintain a small set of trusted software installed, updated and properly configured;

• Maintain a small set of online accounts properly configured;

• Maintain secure online backups of important things;

• Never follow untrusted links;

• On internet cafes and other public networks, I avoid to access online accounts, but if the necessity is big I use SafeKeys and then change passwords when possible.

Quote:

Originally Posted by Sully

I see paranoid as desiring to trap every little action that happens with powerful HIPS type tools.

Maybe in most cases, but in my own when I used them it was to observe the interactions of the O/S' processes so I could learn something.

Quote:

I see paranoid as using multiple scanners to sweep files for suspected ill-wills.

Agreed 100%. This has got to be, imo, the most ridiculous routine of those who do this.

Quote:

I see paranoid as making a backup incrementally daily/weekly when there is nothing "mission critical" to maintain.

To a point I agree but I backup/restore images frequently because I feel this is one of the most, if not the most important computer skills one can possess, which based on the many posts I've seen here over the years, far too many don't do this, and as a result face gut wrenching ordeals when something goes seriously wrong. For the record, I have become disturbingly proficient in this area of computer maintenance/security BTW Sul, did you know I also do things to my pc because I know if I trip up, I can easily restore a recent image with uncanny proficiency

Quote:

I don't see using built-in OS features as paranoid. I don't see a 3rd party program or two as being paranoid.

Agreed 100%.

Quote:

I don't see checking the hash of a file just downloaded as paranoid. I see these things as prudent.

Mostly I disagree here. Obtain downloads from known, trusted sites. It's that simple. If there is some uncertainty about the site's reputation, then okay, I can see checking the hash as useful.

Quote:

So, what is paranoid to you?

The first point you made about running multiple scanners, and changing one's antivirus/security suite for the sole reason it fell from first place in the latest rankings to third place.

[TonyW]

I think it boils down to what you do online. It's been said so many times before. There are users who go about their daily business without getting infected, but by the same token there are others who do.

It's usually the group who fear getting infected that employ layered approaches or add security app upon security app: when it comes to computer security, is this what is meant by 'paranoia'?

[Sully]

It goes without saying that backing up or checking hashes or anything, there are really good reasons for doing it and some really ridiculous reasons. Stepping back and examining your tactics can often lead to simplification. When others give thier own sage advices and opinions, you have other angles to explore.

How strange it is that the word Paranoid is taken so differently from person to person. I have seen paranoid thrown around in many genres, and generally take it to mean, per topic, one is too worried about some aspect of the topic.

The hash topic really does make me ponder about security paranoia. On one hand, you have the view that if I know the vendor/author, and trust them, why should I bother with checking a hash. It is like installing an extra dead-bolt on the front door-- isn't one enough?

On the other hand, when am I ever going to know if my vendors site has been compromised or just one file was tampered with. This has happened, as I am sure many of you are aware. Am I being paranoid now to think about using hashes more? Am I being paranoid to actually give any time/energy to thinking about what might happen if I don't use hashes and the files are tainted?

Now, not speaking specifically about hashes, because this is not a thread about hashes. But it is a good example. The odds of it happening are pretty slim from a trusted source, say maybe like Sandboxie. But what about some little guy, umm, maybe say Q-Dir. I believe that is a one-man-show. Great product, and I update whenever a new version rolls out. But is he saavy about his site or his files? I have no idea.

You see where I am going.. when I think about it, do I really worry about it, or is my worry just a bit of security paranoia? Afterall, it is a very valid question because I am going to give root to those items I trust, like Q-Dir.

Anyone following me here?

Sul.

[dw426]

I follow you. Just because I personally don't see a reason for so many "gates" to put up to keep the bad guys out, doesn't mean there aren't valid reasons for doing so. I'm certainly no well trusted security expert, hehe. Your example for a reason for hash checking is quite a good one, in fact, compromised websites are a big thing at the moment, along with other social engineering methods. I think a lot of my reasoning for how I feel is because I've seen so many of these "major threats" come and go without much fanfare, and a lot of that has to due with proper updating of software and operating systems, and not the addition of several security apps or painstakingly scanning and hash-checking every single thing one installs or lets run.

Now the major "huge deal" is this TDL/TDSS business. But, how many here can say they truly got infected by "running across it", and not actively seeking it out for testing purposes? I imagine that number being able to be counted with my hands. These "major deals", while yes, worrisome, just aren't that widely spread most of the time, and your average person isn't going to get hit. What they do get hit by are emails claiming to be their bank, pop-ups about their systems being unprotected, and social network infesting identity thieves.

That's why I choose to go "less armed for battle" because the vast majority of enemies rely on user stupidity and THEN holes in the armor. Once the brain fails, there's not much hope.

[ABee]

Quote:

Originally Posted by Sully

This is not a serious question BTW . . . .

No?
Other than that comment, your post seems serious enough to me. The responses you're getting seem serious enough, as well.
So I'm going to respond in a fairly serious manner with some various thoughts:

Just because you're paranoid doesn't mean someone's not out to get you, as they say.

One person's paranoia is the next person's standard safe operational practice.

Much of the fear-induced paranoia suffered by Windows computer users is the result of marketing campaigns and propaganda from anti-malware vendors.
A user with a high level of malware fear is going to spend a lot more money on A/V products than one without.

I see no point in spending a lot of time running scans, checking for signature updates, defragging the machine, making sure this or that is wiped clean after every use, making daily images or registry backups, and all of the inumerable other things of that ilk that so many "security conscious" people seem to spend so much time engaging in.

Which wasn't always the case for me, btw.
There's a certain process involved in learning how to properly maintain and secure a computer, and part of that process ordinarily tends to involve doing many of the things I mentioned above. I did them for a period of time, most definitely.
The thing is, part of the process is also learning how to move beyond that. To take some steps that ensure a secure enough environment, and then spend just a little time updating, maintaining, etc.-- not a lot. (I'm speaking in terms of the average home user here, not necessarily from a corporate environment perspective, where you would want a 'due diligence' approach to be at a higher level).

Nowadays, I want to use my machine for pleasure and enrichment-- and I don't consider that routinely scanning files or worrying that there's some possibilty that something, somewhere, might somehow do me a dirty if I'm not constantly on guard or concerned over it is giving me pleasure or enrich my life or my mind in any way.

On the other hand, if I were to rate myself on a paranoia scale of 1 to 10 (with 10 being the highest), I'd probably call myself a '7'.
I trust no one or no thing from a computer standpoint, generally speaking.

So, I don't really know if I'm truly 'paranoid' or not-- but untrusting, absolutely.
Because I don't see where being rootkitted or part of a bot would be giving me pleasure or enrichment, either.

But to each their own. Every user needs to handle their machine (or the machines they've been assigned) as they see fit.
Certainly there are some things where a person could say "that's just not necessary", but most things are in a grayer area where what's not appropriate for one is perfectly appropriate for another, and nothing more nor less than an available choice.

[Sully]

Quote:

This is not a serious question BTW . . . .

Quote:

Originally Posted by ABee

No?
Other than that comment, your post seems serious enough to me.

The original intent was to examine ones personal practices and contemplate whether one is being paranoid about any aspects of thier security.

As in my example, self evaluation of "is this really necessary or am I being paranoid".

Am I being paranoid about hashes as a specific example, or am I just overly concerned because it has been brought into the open that even trusting a trusted source is no guarantee.

So in my usual fashion, I went seeking what others have to say, how they tend to look at such a topic, how they guage whether they are being prudent or paranoid.

Not trying to make the word paranoid fit any agenda. Not trying to say those who use multi scanners are ignorant. Not trying to make others use my infallible and ever correct protocols over thier own, because I don't believe there is such a thing. Just kicking around a thought, and wanted to see how others might kick it around. I do have selfish motives though, I want to take your viewpoints and examine them against my own and others to find out if there is a better viewpoint or a viewpoint that I can assimilate into my own borg

Sul.

[Rmus]

Quote:

Originally Posted by Sully

Umm, I really didn't think anyone would take it as the literal "paranoid". It is just a bit of slang to mean "are all these things I am trying to protect against really a worry for me" which may lead to evaluating what you do and why you do it.

Well, Secuity and Paranoia was discussed almost two years ago, and I posted this:

Re: Security setup - are we being overly paranoid?
http://www.wilderssecurity.com/showp...9&postcount=18

__________________________________________________________________________

Regarding using words literally, or as slang: slang is fine as long as everyone understands what you mean. But in this case, using "paranoid" can be misleading. Many people on these forums have English as their second language, and will go to the dictionary when in doubt about a word. Using the dictionary definition of "paranoid" can lead many astray in this case. I know, having worked for many years with people and English as a second language.

I think Mrkvonic in Post #3 sums up best what people mean when they (mis)use the word "paranoid" with computer security.

__________________________________________________________________________

Ok, so about your topic:

Quote:

Originally Posted by Sully

It was just something that made me stop for a moment and examine how much effort I put into a security scheme and how much effort may be wasted due to being paranoid.

And as usual, I wanted to hear other opinions to gauge my own by.

Sul.

The first thing that comes to thought is that security is a state of mind. I've mentioned this numerous times, and here are some quotes from previous posts, which should summarize my opinions!

Quote:

Security is first and foremost a state of mind, and the way information on security exploits is presented, for the most part keep many people in a continous state of anxiety and concern.

............

This is all that matters. Security is a state of mind, and people take this and that security precaution to lessen the worry state.

Once the worry state is no longer a factor, then one can get on with her/his computing life!

..............

Regarding computer security -- I don't think that is any great mystery: it's no different than any other aspect of security. Some people put bars on all windows in their home. Others in the same neighborhood have very little external security other than locks on their doors.

Security is a state of mind, first and foremost. Once one has dealt with his state of mind, the security strategy unfolds naturally and easily.

.......

Security, first and foremost, is a state of mind. If you are convinced that you need a certain type of protection, then you will get it.

The important thing is to set up a strategy based on your perceived risks, then implement the tools you need. That puts your mind at peace. That is the important factor.

In seeking advice, for every person who has had a bad experience with a product, others will claim the opposite. Every system is different and reacts differently to any given product.

Careful users run their own tests and draw their own conclusions to compare with those of others.

By and large, most products in any given category provide good protection. It becomes a matter of choice based on factors that others have already mentioned.

----
rich

[dw426]

That's basically it, there's no right nor wrong way to approach security. It doesn't matter how much you care about security, it matters that you care at all.