Looking over these forums occasionally, and especially seeing the signatures listing enough software to fill a truck, I do worry that many people are losing the joy of surfing and straightforward use of the 'net. It seems to me the agenda is set by many large commercial vested interests and so-called security experts making unknowledgeable users fear attacks and infections of various sorts in order to get us to spend money on bloated and resource-hungry software requiring tens of megabytes unnecessarily, that also gets in the way of what I want to do today.

I have been using the Internet since the late 1980's intensively and have never been compromised by network attack nor had systems infected by virus or spyware - unless I was testing in a lab environment. According to the experts that's apparently through luck rather than judgement.

It all comes down to common sense measures.

Don't download software that has dubious pedigree - resist the what-if urge unless you have an isolated PC to do such things.
Use a web browser that will not execute code without your permission (e.g. Mozilla Firefox), or turn such features off (in IE, disable Browser Helper Objects (BHOs) and disable ActiveX).
Employ an email server that can detect and reject connections from suspicious servers before email is delivered into your network (e.g. Netwinsite's Surgemail).
Use an email application that will deal with messages as pure text (which is what they are) with the option to view embedded HTML versions only when you've satisfied yourself as to the contents (e.g. Mozilla Thunderbird).
If you're using Windows don't do your day-to-day work with an account that has Administrator privileges.

I don't want to sound holier-than-thou, but I do want to encourage people to realise that if they follow some basic steps they do not need to spend a great deal of money nor worry endlessly about the issue.
I'm a deep-down dirty hacker techy type working with Windows and Linux network systems in business, research & development, software development and leisure use. I spend a lot of my time downloading and testing new software, as well as trawling the 'net looking in odd corners for interesting tid-bits, so I go places where there's more risk.

Administrator Permissions

This is probably the biggest single change users (especially home-users) could make to protect themselves. In stand-alone settings Windows XP by default puts the users in the Administrators group, which allows them to do anything. This means any rogue software they inadvertently download and execute will run with those privileges. Make your regular account part of the Users group, which doesn't have privileges to install software. Use another (Administrators group) account for installing software or managing systems, or have a script that temporarily adds your account to the Administrators group, or else use the Run As... option to run particular programs with elevated privileges.

Firewalls

A recent corporate change I made brings the whole bloatware / money / functionality issue into sharp relief. My businesses have relied on Internet access and have predominantly used Windows for desktop and back-office where the focus was on main-stream non-technical customers. So we adopted Microsoft-style responses... Microsoft's Internet Security Accelerator (ISA Server) 2000 and 2004. Throughout the time we used and mostly recommended it I hated the thing with a passion because it got in the way and prevented many of the more creative things we needed to use the net for. Last year ISA Server 2004 was getting particularly annoying - unbelievably it is not possible to create a simple server-publishing rule where the server service (web server, say) is on the same PC as ISA Server.
I also discovered it silently installed SQL Server in the background to store logs and fairly took over a dual-CPU server's memory and CPU cycles. There are other more subtle issues like it blocking RPC and epmapper traffic even when its policy said it wasn't, but that's getting techy.

Anyhow... I was getting increasingly fed up with being told you can't do that by the software and, when I talked to Microsoft Private Support, by the supposedly intelligent technical support staff. I knew what I wanted all along - something like Linux IPtables where the packet filter/firewall works with me, not against me.

Without much hope of escaping this feeling of being stifled I decided to look around and somehow discovered IDRC's (now Third Brigade) CHX-I 2.x suite and it was, in many ways, a perfect moment. In all the MS Windows world it was the first time I'd found something that would do what I wanted easily, without fuss, without taking over most of a PC, and without telling me I wasn't allowed to do something!

Now, with a few simple rules, I can protect individual PCs or entire networks (packet filters), intercept and manipulate the data as it comes in and goes out (payload filters), trigger reactions to events to open and close ports only when necessary (triggers), and log as little or as much as I need depending on circumstances without needing a bloody great database! And all that from a few hundred kilobytes of well-crafted code.

What's even better from my perspective is, in email conversations with one of the guys that developed CHX and owned IDRC (Rares Stefan), it appears they intend making the core code open-source at some point after 3.0 release! That's the kind of action that creates respect as well as confidence in a product, where peer-review of key security code is possible, other developers (like me) can contribute code, and generally the product gets the benefit of thousands of individual techies looking over it.
It also means I can develop vertical-market extensions on the common core for particular issues I face, and contribute that code back to the community.

Email

On the subject of love-hate with Microsoft server software... next up is Microsoft Exchange Server 2000 and 2003. I spent many hundreds of frustrating hours over the years trying to ensure this beast kept things ticking. The most annoying part was being unable, despite spending a lot of money on external add-on software, to block the mountains of spam most corporates receive. Like many email servers it suffers from a major failing - it will accept email before deciding it is spam. So it will allow the spammers to eat up server resources and cause headaches for the IT guys later, because unravelling a corrupted Exchange database is not something I'd wish on anyone.

Then along came Netwinsite's Surgemail. Talk about a revelation! Out-of-the-box it reduced spam problems by 95%, simply by using some common-sense measures like SPF as well as an intelligent spam filter called ASpam. It also has an integrated virus-scanner that gives me confidence, although once the ASpam engine has rejected so much the anti-virus rarely has anything to do. It's managed via an easy-to-understand web interface and with integrated web-mail, POP3, IMAP4, it makes providing email service a pleasure not a pain once more.

In Summary

A few simple measures can save you spending thousands, and give you more flexibility and confidence in the solutions. Don't go for the biggest or the loudest or the most marketed... on those criteria I'd never have discovered CHX, and it is in my opinion the single best change I ever made.

When in doubt, remember what the definition of an expert is...

An ex is a has-been, and a spurt is a drip under pressure

Don't let the buggers get you down

-----
TJ.
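
The Email section contrasts servers that accept a message before deciding it is spam with rejecting during the SMTP conversation using measures like SPF. The sketch below is an added example, not part of the original post and not Surgemail's code: it decides the reply to MAIL FROM from an SPF result before any message data is taken. The domains, addresses and SPF records are constructed, and only the ip4, ip6 and all mechanisms are evaluated.

```python
import ipaddress

# Constructed SPF TXT records standing in for DNS lookups (assumption: a real
# server queries DNS and also handles a, mx, include, redirect and so on).
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.7 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(client_ip, sender_domain):
    """Evaluate the ip4/ip6/all mechanisms of the sender domain's SPF record."""
    record = SPF_RECORDS.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            return "unsupported"  # mechanism outside the scope of this sketch
    return "neutral"


def mail_from_reply(client_ip, mail_from):
    """Reply to MAIL FROM, i.e. before the DATA stage consumes any resources."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    result = spf_result(client_ip, domain)
    if result == "fail":
        # Hard fail: refuse now, so the message never reaches the mail store.
        return "550 5.7.23 SPF check failed for " + domain
    return "250 2.1.0 Sender OK (spf=" + result + ")"
```

A softfail or neutral result is still accepted here and left to a later content filter; only a hard fail is refused during the SMTP conversation.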