Briefly, the law makes it a state crime for any “unauthorized user” to deceptively add software to your computer without your consent, prevent you from removing their software, changing your computer settings or hiding their own software. It’s a pretty good list of all the bad things that people were doing to our computers in 2008.

Unfortunately, the hackers have moved on and are using different tactics now. But I guess it never hurts to outlaw the old bad stuff. You might at least catch the stupid criminals who haven’t stayed with the times. The real problem, though, is that cybercrime is rarely investigated, much less prosecuted. If this law gets legitimately used a dozen times in the next five years, I’ll be surprised.

Which brings me to my real cause for concern – what are the ways this law could be twisted beyond its intended scope?

This law makes it illegal to change settings, modify bookmarks, impose a homepage, disable software, prevent your own software from being disabled and use techniques like keylogging. All those are bad things when done by an outsider but potentially legitimate tactics for law enforcement, your own company’s IT Security investigations or for your responsibilities as a parent.

On the plus side, PA did include wording that the person adding the software and making the modifications must be an unauthorized person. That’s a good thing. Other states have left that qualification out, making it ambiguous whether the company’s IT department could impose software restrictions on a company-owned computer. PA’s law provides a safe-harbor for the IT Security department as long as they are also authorized users on the user’s computer.

Here’s the rub, though. Several courts have passed down decisions (such as Tengart v LovingCare, US v Ziegler, US v Simons) that make it confusing when the computer is the user’s and when it is the company’s. Similar decisions have made it ambiguous whether a computer is owned by the parent or the child. (And it gets really complicated when you have two spouses going at it as in White v White.)

If the ownership and privacy right is at the company (or family) level, I don’t see a problem here. The IT department (or parent) is an authorized user by definition. One authorized user can still change settings or programs on the computer without the consent of the other authorized user(s). Whether it’s ethical or effective is another question but it would pretty clearly be legal under this law. On the other hand, if the employee (or child) has a “reasonable expectation of privacy” to the computer, then the IT department (or parent) might not be considered authorized under this law.

The fix is easy. PA did a pretty good job with this law – we don’t need to tamper with the law. You just need to make it crystal clear to every other user of the computer that you are the primary owner of the computer and that no other user can have any expectation of privacy that excludes you and your right to monitor. At the company level, you should have that in your written policy manual and probably on the login splash screen. At the family level, you need to insist on having a copy of all your children’s passwords (my one exception to the never share your password rule) and use parental controls. Exert your rights regularly both to reinforce everyone’s understanding of the rules and so that you can show that your actions were a part of your routine security practice, not for example retaliation.

That sounds pretty simple but I predict at least one lawsuit testing the expectation of privacy and complaining about actions that in the non-computer world would be considered nothing more than good parenting. Make sure that everyone knows that you are an authorized user, then you can monitor whenever you find it necessary and you can impose changes on your corporate computers whether or not the individual user likes them.

Disclaimer: I am not a lawyer. I don’t even play one on TV. This is a layman’s interpretation of the law. I like to think it’s an informed opinion but only that – an opinion. If you need specific legal advice, contact a qualified lawyer in your area.

Well, a recent Wall Street Journal article changed the balance when they reported that Microsoft had the chance to completely reset the industry standards for privacy and deliberately choose not to. In early 2008 as they were planning for the Internet Explorer 8.0 browser, the product developers were building in tools and settings that would automatically defeat most common tracking tools unless a user deliberately switched to less private settings. Then marketing managers heard about the plan and, knowing just how much of their profits come from advertising, quashed the plan. The developers were forced to pull that code and changed the default setting back to the non-private mode. True, you can still make IE an almost safe browser if you know how but most people don’t have the skill or time to do so. Microsoft squandered a golden opportunity to take the moral high road and make the internet safer for all of us.

So what are your alternatives? You actually have quite a few – so many that the choice can be intimidating. Some people rave about Google Chrome. I don’t have much experience with it but given Google’s documented approach to privacy in their other applications, I’m skeptical. Apple’s Safari has its champions. If you’re already a Mac user, it’s probably a good choice. Opera also has its fans. Opera first introduced many of the features that are now considered standard for browsers and have some of the best features for users who have visual or motor impairments. They have a lead in mobile software (smart phones, Nintendo, WII, etc) but have never really caught on for mainstream users.

My preference, though, remains Mozilla’s Firefox. It has more users than any of the others (after Microsoft) so it has more developers watching for and fixing bugs. And it’s an early and prominent player in the open-source movement, a cause that I believe deserves support. (By the way, that means it’s FREE! Really. No strings. These people do it because they think it’s right.)

That said, there are a couple of features you need to turn on in order to be properly secure even with Firefox. In particular, here are two add-ons I strongly recommend – Adblock Plus and NoScript. They take a little getting used to but are well worth it for the added security they bring. You also have to make some choices in the Firefox settings themselves. In particular, you need to choose your cookie settings. I don’t think it’s realistic to disable all cookies. Too many are used to remember login information and make the websites work. Under Tools/Options and the Privacy tab, check “Accept cookies from sites” but then change the Keep Until setting to “I close Firefox”. I also recommend checking the “Clear history when Firefox closes” button. Use the “Exceptions” button to permanently allow the common, reputable sites you visit such as Yahoo, Amazon, Google, etc.

Do all that and you’ll have a reasonably secure browser. And maybe someday the bureaucrats at Microsoft will realize that they are squandering a chance to be the good guys for a change.

Several years ago, I was using a thumbdrive as my backup. It was plenty big enough and it was often more flexible to keep the originals on the thumbdrive, especially for the financials I was keeping for the local bee club. I might never know what computer would be handy but with that thumbdrive in my pocket, I always had access to the records.

As you might expect, the drive eventually went bad. All the data lost. (Root cause – pulling it out of the machine too many times without going through the correct shutdown procedure.) That was when I discovered that my manual backups weren’t as good as I’d thought. It’s way too easy to procrastinate. Before you know it, well, my last backup had been almost a year and a half earlier. I recreated some records but a lot of hard work was lost nonetheless.

I was angry and frustrated – mostly with myself. I resolved to never let this happen again. Spent over a grand on a dedicated backup drive that would back up not just my files (and the bee club’s) but also the rest of my family’s – other users on the same machine and other computers in the house as well. I had to set up my own mini-network, but if it prevented that heartache again it would be worth it.

Well, I never did get it completely set up right. The network was accessible but the automatic backup software never worked as advertised. Nevertheless, it was an easily accessible backup space and I was much more diligent about making manual backups. And the drive actually spreads the data over several disks so even if one disk goes bad, you pop in a replacement and the drive self-recovers, hopefully with no data lost. (Wikipedia has a good technical explanation of how it works.)

Over time, I began to rely on it as the primary storage for some kinds of files. (I’m seeing a pattern here.) And again, the backup drive failed. I’ve been working for several weeks now to get it restored. Naturally, the failure is not in one of the replacable drives but in the central chip that runs the whole box. The root cause again appears to be the cumulative effect of improper shutdowns, this time the result of power outages. (The service in our area is … not great.) This led to more than my share of frustrating, late-night calls to the drive maker’s Tech Support.

I wish I could say that it’s either my fault of the drive makers. But other than living in a better neighborhood with more stable power or spending way more than it’s worth on a power-cleaning box, I don’t know what I could have done differently. So I’d like to say it’s the drive maker’s fault. The brand, by the way, is TeraStation. I started this post ready to slam them for the failure. I remain more than a little frustrated with their technical support team, a few of whom tried to be helpful but several of whom came across as supercilious and condescending. In their defense, though, two of my colleages have had the same brand for years with no problems so far.

The story’s not over yet. I am still attempting to restore the backup drive. I can restore most, though not all of the data from other sources if necessary. The biggest lesson for me is that despite all the marketing hype, a RAID Array (that mechanism that distributes the data across several drives) is still one device and therefore a single point of failure. I still need a better backup routine…

First, what is an add-on? (Other names include plug-in, extension and sometimes theme. More on that later.) An add-on is an optional software component that, in theory, increases the functionality and/or usability of the original program. Most people learn about add-ons in the context of their internet browser, especially if you are a Firefox user. Add-ons can improve your computer’s security (by blocking scripts and ads), make certain actions easier (like viewing pictures or updating webpages), improve compatibility with other programs such as Java or QuickTime or just customize the look and feel of the computer.

Add-ons can also be malicious trojan horses, bringing along all sorts of viruses and vulnerabilities to your computer. If you find an add-on you like – and there are some good ones out there – be sure that you get it from a reliable source. If you’re looking for add-ons to Mozilla’s Firefox, for example, go to Tools/Add-ons and look for the Browse all add-ons link. That will take you directly to the official Mozilla site. Internet Explorer has a similar path.

Some add-ons can be very helpful. I really like NoScript and AdBlock for Firefox. Between the two of them, they make my browsing much safer.

Many add-ons are neutral from a security point of view – they may make your browsing experience better but they neither help nor hurt your computer’s security.

Some are downright dangerous – add-ons that include some hidden code that lets the author control your computer or that otherwise subvert your security. Those tend to get filtered out of the legitimately sponsored sites pretty quickly but they are a real danger in chat rooms and unmoderated forums.

And an unfortunate number of add-ons are offered with a good heart but either badly written or just don’t take into account all the possible configurations that are out there – and when used in combination with some other add-on or program, they create new vulnerabilities that didn’t exist before. I put all the Google and Yahoo Toolbar add-ons in this category – well-intentioned but fundamentally unsafe.

Add-ons also tend to go out of support fairly quickly. They are often written by volunteers, after all. Microsoft has a financial incentive to keep programmers pounding away, patching their products. If a hacker finds a hole in an add-on, it may or may not get fixed quickly.

If you find an add-on you like, read the reviews to see what other users say about it. See if anyone has had concerns about unexpected interactions or problems. See if it’s been updated recently and find a legitimate download site. Then back everything up on your computer before you install it.

On the other hand, if your computer “spontaneously” offers to install an add-on, the right answer is almost invariably to reject it. If it looks like it might be useful, go to a legitimate site and read the reviews, then decide for yourself.

When an add-on is primarily designed to change the look and feel – background colors, fonts, logos, maybe even layout and organization of buttons – but not to change the underlying function of the program, that’s usually called a “theme”. There are literally thousands of themes available including ones for just about every sports franchise imaginable. They are commonly available not merely for your browser but also for your phone and for many other computer applications such as Media Player. Themes are usually safer to load since they are not supposed to affect the program but be careful. Something advertised as merely a theme can still include malicious code. And a badly written theme can cover up functions you do need, like say, the undo button – it’s still there but you can’t reach it because some other button is in the way. Like other add-ons discussed above, only consider themes from reputable sources. If you’re not sure, stick with the default theme.

• Operating system – Macs are fun but they don’t have the market share. Linux is great for the tech-savvy but not for the rest of us. That leaves Windows, buggy as it is. And Windows 7 is about your only option right now. Luckily, it will come pre-installed on the machine. Set a password on the machine, though.
• Anti-virus – I don’t have especially strong opinions about which one to use as long as you have one and keep it current. I’ve been using AVG which was free and has been good enough, I think.
• Patch management – I am a big fan of Secunia PSI. It’s easy to use and can be set on autopilot for the most part.
  The Windows updates should be set to automatically load themselves. (For most of us, the risks of running unpatched outweigh the risks of a hostile “patch” installing itself.)
• Firewall – Again, have one. Which doesn’t matter that much. A wireless router that’s properly locked down will serve as a hardware firewall.
• Web browser – I really like FireFox with the following add-ons. Adblock Plus, Image Zoom, NoScript, SearchPreview. It resolves many (though not all) browser vulnerabilities.
  You can’t uninstall IE but you can kill all the IE icons and set Firefox as the default browser.
• Email – A free account with Yahoo, Gmail or one of their competitors is good enough. You’ll be able to piggyback on their spam filters and will have much better data backup than if you try to do it yourself.
• Word processor, spreadsheet, etc – I recommend OpenOffice. It’s as capable as MS Office but hundreds of dollars less and there are far fewer security patches to manage. And unless you are using really esoteric spreadsheet functions or advanced formatting, it’s fully compatible with MS Office docs.
• Adobe reader, flash, etc – You need to load them to read many things on the internet.
• Google Earth – just because it’s sooo cool.
• All the rest of that demo software – Go to the Windows Control Panel, find Add/Remove Programs and delete all that unnecessary garbage. I was reluctant at first, thinking that I might someday want to try the program but the software brings vulnerabilities and patching requirements that are impossible to keep up to date. Kill it all. Buy what you want once you really need it.

I also strongly recommend that everyone create a “computer maintenance” folder where you keep track of what you’ve and what you’ve loaded on the computer. The list doesn’t have to be perfect but the more you can record, the easier it will be when your niece comes in to update the computer.

So what’s missing from that list? I have to admit that I haven’t yet found a picture-management program that I think is worth the money. And I’m not completely happy with my data-backup routines. Any suggestions?

• When shopping online, type the merchant’s URL in by hand instead of following any “convenient” link in an email or instant message. Those links can be spoofed in a phishing attack which looks like legitimate advertising.
• Look for the prefix https in the address line. This indicates that you are on an encrypted connection to the merchant’s website. You can also look for the little yellow padlock icon in the bottom right of the browser. Be careful, however. Sophisticated hackers can spoof these signs
• Read the site’s privacy policy carefully and use common sense about the offer. If it sounds too good to be true, it probably is. If you don’t trust the company to protect your personal information, shop somewhere else.
• Make sure your own protections (anti-virus, firewall, patches) are up-to-date and running.
• Use a credit card, not a debit card. If your credit card is stolen or the number misused, federal law limits your liability to $50 (as long as you comply with the notification requirements). If a debit card number is compromised, you could lose the entire amount in the account to which the debit card is linked.
• Check your statement carefully for charges you don’t recognize. Report any anomalies to your bank and report a lost or stolen card immediately.
• Consider keeping a separate credit card with a low credit limit just for internet purchases.

And in the theme of Cyber-Monday scams, here’s one that isn’t.

There are allegations online that a Facebook-based promotion being run by Westfield, the Australian mall company. They are letting Australian customers sign up for a lottery for a $10,000 gift card in exchange for all kinds of semi-confidential information (basically the same information you’d give up for a discount card, though) and the inclusion of a Facebook app to your account. Many people have accused the Facebook app of being virus-infected and/or the sign-up of being a phish. It actually checks out, though. Despite the skepticism (which I consider entirely appropriate and healthy in our current online environment), the mall’s promotion has been confirmed. Hoax-slayer.com has a good writeup describing their confirmation of the promotion.

Whether you shop with the Westfield mall is up to you. Take a few minutes to research any such offer and company before you sign up, though. Being suspicious of an offer that seems too good to be true is an excellent habit to build.

As we’ve said often before, electronic files don’t really go away when you hit the delete button. In many instances, they can be recovered, often with frightening ease. In a study conducted last year by Kessler Int’l, 40% of the hard-drives purchased on eBay contained sensitive or private information from corporate financial data to the web-browsing history and personal pictures. And while a small proportion required forensic analysis to recover, most was easily visible to any casual user.

Here’s what happens when you “delete” a file in Windows.

1. Since Windows 95, deletion merely moves the file into the Recycle Bin. The file is not deleted and can be recovered by simply opening the Recycle Bin, finding the file and clicking Restore.
2. When you empty your Recycle Bin, the file is still not deleted. Windows merely erases the tiny pointer that told the computer where on the hard drive the file is located. That makes the file invisible to the operating system but it’s still on the disk. It will eventually get overwritten if/when the computer needs to reuse that space but it’s completely random when or even if that overwrite will happen. There are any number of utilities which can search and recover files in this state including many that can recover partial files.
   Okay, it’s actually a little bit more complicated than that since, for example, files on your flash drive go straight to step 2 and the Recycle Bin will automatically age files off based on size but the general principle remains – files aren’t really gone just because you hit the delete button.

So how do you make files really go away when you’re done with them?

• If you are done with the computer, the simplest and most secure way to be sure that your data is safe is to pull the drive, take it into the parking lot and hit it several times with a big hammer. It’s easy, it’s perfectly secure and (guilty pleasure alert) it’s kind of fun. The downside is that you won’t get as much when you donate or resell the shell afterward.
• To wipe all your data without physically destroying the drive, you can reformat the disk. The easiest way is to click the Windows Start button, then select Run. When the box opens, type “cmd” to open a DOS command prompt. In this new box, type “format c:\” and hit Enter. Note: This will not only kill the data but will also wipe the operating system and all your programs. (It’s also a good way to kill really persistent viruses.) Be sure you’re running a full reformat, not merely the “Quick Format”. Quick Format merely rebuilds the file index mentioned in 2 above.
• If you’re feeling truly paranoid, you can download any number of eraser or “disk sanitizer” programs that perform DoD grade wipes and overwrites. These will not only delete the data but will overwrite it multiple times, either with all 1s, all 0s, random data or some combination. Good programs are available on the internet for free.
  A few years ago, these were important because a really good forensic expert with an electron microscope could look for small inconsistencies in the drive and recover even overwritten data. Nowadays, that’s not an issue. The tolerances for harddrive heads have become so tight that there are no inconsistencies to exploit. According to recent research, even a single overwrite is sufficient now.
• CDs, DVDs and older floppies can be run through the disk-slot of a home shredder. (Shredders with that slot are a little heavier-duty and can handle the resistance. If you don’t have one, look for that feature when it’s time to replace the shredder.)

If you only want to eliminate some files without wiping the entire drive, you’ll need specialized software. I downloaded a program called Eraser but I have to admit that other than a few tests I haven’t used it. I figure that whole-disk encryption is good enough to protect my information until it’s time to get rid of the computer – and then I want to get out the sledgehammer and have some fun.

Unfortunately, wrong. The average PC gets attacked within 11 seconds of being connected to the Internet. And while we’d like to think that a new box comes with all the necessary protections turned on, too often that’s not the case. Even if they have all the right basic software, they’ll need dozens of patches right off the bat.

Bill Brenner of CSO Online recently wrote a great column on protecting a new PC. Here’s my take on the recommendations. Note: Some of these are steps you should take before you connect the computer to the internet. It’s tempting to just plug in and start playing but your work at the start will save countless hours of cleanup later.

1. Set up user accounts. Even if you are the only person who will use the computer, set up a password-protected account for yourself. This will limit the damage in the event that the account is ever compromised.
2. Uninstall all the junk you don’t need. Modern computers come loaded with all kinds of gadgets, samples and options – most of it you will never use and certainly didn’t order. It’s tempting to keep some of it because, hey, who knows what might come in useful someday. All that ‘bloatware’ carries risk (unpatched holes and vulnerabilities in the software) and adds complexity. If you don’t have an active need for the program, get rid of it. You can always add it back later.
   When you first turn on the computer (still not plugged into the internet), open Control Panel/Add and Remove Programs. Uninstall all the junk you didn’t order. In particular, get rid of every piece of trial software except your trial anti-virus. All the remote help, AOL interfaces, games and even MS Office have to go.
3. Turn on the trial anti-virus. This should be on by default but you want to make very sure. Once you’ve double-checked, it’s time to connect to the internet. Once online, the very first thing you need to do is update the anti-virus definitions. The second thing you need to do is replace the trial version of your anti-virus program with a permanent one. You can subscribe to the same service that came with the box or replace it with a new one but either way, make very sure that you have anti-virus locked and loaded for more than the 30-day trial period. You’d be amazed how many people put this step off and end up without any protection at all on day 31. Do it now while it’s still fresh in your mind.
4. Replace your browser. Some people disagree with this step now but I still think Microsoft has a long way to go before they are really secure. Mozilla’s free Firefox browser has, in my opinion, better built-in security. It also has far better options to enhance security through free add-ons. I strongly recommend immediately activating NoScript and AdBlock Plus.
   NoScript disables all java-script on webpages that you visit unless you explicitly allow the script to work. It kills most pop-ups and blocks most cross-site scripting attacks. You have the option to whitelist any page that you trust (like your bank) by right-clicking the security icon on the bottom right of the browser window.
   AdBlock uses a blacklist to block known ads from displaying on your webpage. It also blocks lots of cookies and other intrusive software.
5. Replace MS Office. Again, I wish I could say that Microsoft did security better. And the truth is that they’re not all that bad but they are the big target and every hacker in the world tries to exploit their holes. Not as many people are attacking other software. Sun Microsystem’s OpenOffice is a free alternative with fewer reported exploits. It doesn’t quite look or feel the same as the MS Office suite but it’s close and it’s highly compatible.
6. Patch all your software. This is almost impossible to do without help. I’m still quite happy with Secunia PSI’s patch management program. Once you install the program, let it run, then follow the instructions to bring your other software up-to-date.

That should get you a good start toward security for your new PC. Enjoy.

Give the article a read, especially if you are a Windows user. (Note: His recommendations are based on Windows Vista. If you’re still an XP user, some won’t apply.)

By the way, even if you’re a Firefox user, you should follow recommendation ten (remove old versions of Java) but if you downloaded a patch management program like Secunia, you’re already being prompted to do that.

If you don’t want to read the whole article, here is the short version of his recommendations. Go to:

1. Tools/Internet Options/Security tab/Internet zone/Custom Level/XPS Documents: disable (Vista only)
2. Tools/Internet Options/Security tab/Internet zone/Custom Level/Font download: disable
3. Tools/Internet Options/Security tab/Internet zone/Custom Level/Include local file directory path when uploading files to a server: disable
4. Tools/Internet Options/Security tab/Internet zone/Custom Level: change Prompt to Disable
5. Tools/Internet Options/Security tab/Internet zone/Custom Level/User Authentication/Logon: Prompt for username and password
6. Tools/Internet Options/Advanced tab/Use SSL 2.0: unchecked
7. Tools/Internet Options/Advanced tab/Use TLS 1.0: checked
8. Tools/Internet Options/Advanced Tab/Search from the address bar: Do not search from the address bar
9. Tools/Internet Options/Programs tab/Manage Add-ons button Disable any you no longer use or don’t recognize
10. Start Menu/Control Panel/Programs and Features Remove old versions of Java