Rolling of eyes
Eggs, grandma teach and suck come to mind, but not in that order.
The UK government has launched a new campaign aimed at changing attitudes to online security among consumers and small businesses, dubbed Cyber Streetwise. Cyber Streetwise is urging people to take five actions in order to protect themselves and others from cyber crime: Use strong, memorable passwords Install anti-virus …
>Eggs, grandma teach and suck come to mind, but not in that order.
Grandma come to teach mind, and suck eggs?
But this isn't really aimed at the typical Reg reader, is it? This might be "noddy" stuff, but if all my friends and relatives actually understood and followed it I'd have a lot less of my life wasted cleaning up their infected laptops and explaining why they keep getting all these rude emails and need to cancel their credit card.
Given the periodic stories that turn up in the news media, it's also "do as we say, not do as we do".
Although to be fair the list should be extended to add encryption of sensitive data (or storing it in a suitable place which is safe and under your control) and not leaving devices in compromised positions (such as laptops and phones left in taxis or on Starbucks tables unattended to be nicked).
And it comes within two articles in the main page of an article about WinXP and HMRC/govt and hacking/security after the end of XP support...
And she's all out of eggs.
@NightFox: indeed - except the site fails at the usual password hurdle of confusing complex (i.e. unmemorable) passwords with strong passwords. Hence the password checker states that single words that include a number and a capital like Gr4ndmas is good whereas a multiword password like "eggs grandma teach and suck" (thanks Rono666) is weak.
So with this advice we end up with important things like online banking sites requiring complex unmemorable passwords which leads to users creating relatively short (machine-crackable) passwords and re-using them on multiple sites. Password safes I hear you say? Good advice but how many non-geeks do you know that use password safes?
"But this isn't really aimed at the typical Reg reader is it? This might be "noddy" stuff, but if all my friends and relatives actually understood and followed it I'd have a lot less of my life wasted cleaning up their infected laptops and explaining why they keep getting all these rude emails and need to cancel their credit card"
I like the fact it does not require a) squillions of £ of advertising and b) several new laws and a Statutory Instrument (the Dark Lord's favorite device) to implement.
People see the Mission Impossible antics, but 99% of the time it's the simple (stupid) stuff that's not done that f**ks most people up.
....Getting Cool With Kids or whatever.
Getting hit by a virus etc. is like broken windscreens. You can go years and years without one and then get two in as many weeks.
>Getting hit by a virus etc. is like broken windscreens.
But unlike a broken windscreen, get a virus and the repair and cleanup is nowhere near as quick and simple.
What is the point? The security services (with help from their so-called overseas friends) are ensuring that all systems are hackable, providing this information to the Americans, who then broadcast it to the world either via viruses/worms or by making the documentation available via contractors like Snowden.
Maybe help provide something secure first before we go down the Eggs & Grandma route.
Torn between applauding the government for finally trying to educate the population in these matters and laughing at the totally childish approach taken. I imagine a lot will be put off by the impression that it was designed for Tellytubbies viewers.
6/10 for trying, I think.
One note: under "Keep your devices safe and up-to-date" no advice is offered for Linux users. Are we to assume that Linux is problem-free? Or doesn't it exist to these people?
(a) The sort of person who needs this advice won't have installed Linux, and if they are using it chances are someone competent set it up for them.
(b) Assuming (a), then the system will have all applications installed via the package manager, and that will be set to auto-update which mitigates a large proportion of problems.
(c) As a small percentage of desktop use, Linux gets far, far fewer attacks anyway via the phishing/web-malware route. Linux may have other serious annoyances, but that is not a common one...
All good points. Maybe they thought that going for completeness by mentioning Linux would overcomplicate things for no real gain.
That said, it could be taken as implying that Linux is totally safe (not true, of course).
>That said, it could be taken as implying that Linux is totally safe (not true, of course).
Indeed, not "totally" ... Every week, Windows sees more new malware than GNU/Linux has managed to collect over the last two decades ... and it is only slightly worse for Mac OS X.
I am not saying there are no security issues in GNU/Linux, just that nobody seems to write shit to take advantage of them.
On the other hand one thing that needs to happen is OEM versions of anti virus software must vanish - they are the single worst source of problems. When after a month they expire, hardly anybody renews them. What happens next is that ppl either ignore the messages or install some other anti virus software alongside the expired OEM version ...
I used to install Avast on windows boxen I would repair, but they require you to re-register every year, which ppl tend to forget to do ... now I go with Security Essentials, which is better than nothing and certainly better than an expired Avast.
I fully endorse your sentiments on the use of 3rd party security products, especially the point about lapsing registration - I have the same experiences.
The inherent weaknesses of the OSs are a major reason why public education is needed. At the same time, they are a reason why such education will probably prove futile.
"Torn between applauding the government for finally trying to educate the population in these matters and laughing at the totally childish approach taken"
You have to understand this is information to be understood by even the thickest Daily Fail reader. It's to step those people in the right direction, not for us Reg readers that (should) know better. In this regard, this simplistic approach does what it is designed to do.
Definition: cyber (ˈsʌɪbə) : adjective
"To undermine one's own credibility or indicate a lack of IT understanding (esp. security)"
"if an offer looks too good to be true, it probably is"
That's a lesson that applies just as much in the real world.
Guys over on hackaday.com are in the process of creating a rather interesting open source USB device they're dubbing the 'Mooltipass', which will act as a password wallet that can automatically enter in the password of your choosing.
Handy if you have many passwords to try and remember and want to keep them long with random characters.
I look forward to seeing the final outcome of the project.
KeePass have been there and worn out the T-shirt already.
KeePass is what I'm using, due to that...
•Use strong, memorable passwords
is a moot point. I have no idea what my Facebook password is, and even if I did I couldn't actually type it out! It's something along the lines of:
Totally memorable, naturally only works on websites that accept any character and not the usual "numbers and letters only please", or worse, websites which don't let you paste your password into the "confirm your password" box so you have to have a weaker password.
The first problem I have when I get to the site is the message 'Java script is disabled'. Yes it is, for security?! Fail already.
"The UK government has launched a new campaign aimed at changing attitudes to online security among consumers and small businesses, dubbed Cyber Streetwise."
Huh, being the UK and all, I figured they would have passed legislation (based on one horror story) called 'Cyber Streetwise', then prosecuted those who did not comply. That said, here in Canada things are not much better.
I just hope the government heed their own advice. Although I doubt it.
Perhaps a standard of suitable password options should be enforced, because of the times I have had to use a weak(er) password as some sites won't allow special chr$. If you want us to use strong passwords then don't limit those passwords to letters and numbers only.
Yes! It really annoys me that some systems insist on you including certain characters, while others won't let you include certain characters, etc, etc. It would perhaps be useful if the government or some standards organisation could officially advise as follows:
By all means warn users if a password appears to be weak, but allow any password consisting of 1-32 printable ASCII characters. (This is because I am sick of having strong random passwords rejected when they happen to contain three instances of the same letter or something stupid like that. Forcing people to include a digit, or whatever, just makes them add "1" to the end or replace "o" with "0" or something similar that adds almost nothing to security. A warning is more likely to have a good influence on user behaviour, in my opinion, than enforcing a stupid rule.)
Calculate a salted hash of the entire password (rather than ignoring any characters after the first 8, which lots of systems seem to do, amazingly).
Also, see: https://xkcd.com/936/
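The policy this comment sketches (accept any 1-32 printable ASCII characters, warn rather than reject, salt-hash the whole password instead of the first 8), as an added example that is not from the thread or from any product it mentions. It also shows why a dictionary-blind checker rates "Gr4ndmas" above a multi-word passphrase, as noted earlier in the thread; the wordlist and the per-word entropy figures are constructed assumptions, not a real dictionary.

```python
"""Added example: accept 1-32 printable ASCII chars, warn instead of rejecting, hash the WHOLE password."""
import hashlib
import math
import string

PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")  # space stays allowed
# Constructed stand-in for a real dictionary; a production checker loads a big wordlist.
WORDLIST = {"eggs", "grandma", "grandmas", "teach", "and", "suck",
            "correct", "horse", "battery", "staple"}
LEET = str.maketrans("4301$", "aeols")  # substitutions a dictionary check should undo
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

def accepted(password: str) -> bool:
    """Length 1-32, printable ASCII only; no composition rules to trip up random passwords."""
    return 1 <= len(password) <= 32 and all(c in PRINTABLE for c in password)

def estimated_bits(password: str) -> float:
    """Dictionary-aware estimate: a word (after undoing caps/l33t) is worth ~11 bits plus
    ~1 bit per tweak (assumed figures); non-words are scored per character by alphabet size."""
    bits = 0.0
    for token in password.split():
        plain = token.lower().translate(LEET)
        if plain in WORDLIST:
            bits += 11 + sum(1 for a, b in zip(token, plain) if a != b)
        else:
            alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in token))
            bits += len(token) * math.log2(max(alphabet, 1))
    return bits

def warnings_for(password: str) -> list[str]:
    """Advisory only: the site still accepts the password, as the comment proposes."""
    if estimated_bits(password) < 40:
        return ["looks weak: several unrelated words beat l33t-spelling a single word"]
    return []

def store(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the WHOLE password, not just the first 8 characters."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def legacy_store(password: str, salt: bytes) -> bytes:
    """Constructed illustration of the failure mode the thread describes: 8-char truncation."""
    return store(password[:8], salt)

if __name__ == "__main__":
    salt = b"constructed-salt"  # use os.urandom(16) per account in real code
    for pw in ("Gr4ndmas", "eggs grandma teach and suck", "Correct Horse Battery Staple"):
        print(f"{pw!r}: bits~{estimated_bits(pw):.0f} warnings={warnings_for(pw)}")
    a, b = "Correct Horse Battery Staple", "Correct Horse Battery Staples!"
    print("8-char truncation collides:", legacy_store(a, salt) == legacy_store(b, salt))  # True
    print("full hash collides:", store(a, salt) == store(b, salt))  # False
```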
Good points, but your reference to the xkcd.com/936/ cartoon draws attention to an obvious failing of the government website: its failure to use humour!
Yes it uses nice animations, but just tells you for example how to improve your password. However the xkcd.com/936/ cartoon uses humour to tell you both what a secure password is and what it could actually look like.
"rather than ignoring any characters after the first 8, which lots of systems seem to do, amazingly"
My own favourite was a UK public body whose accounting system gateway for suppliers required (in 2013) a password that was "at least 1 character long, but no more than 8". Oh dear, oh dear.
(Anon because I'm still working for them.)
So they were using the Unix crypt function then.
"Perhaps a standard of suitable password options should be enforced because the times i have had to use a weak(er) password as some sites wont allow special chr$. If you want us to use strong password then don't limit those password to letters and numbers only."
Only a week or so ago I encountered a badly designed system that not only put stupid restrictions on passwords, but didn't check the validity of those passwords properly and, in some circumstances, would let the user carry on as though a password had been accepted when in fact it hadn't.
(Also: A massive three choices of security question. Wow.)
Waits for news that someone hacked in and replaced the java based header with a virus dropper..........
>"always ensuring to check online retail sites are secure"
Presumably this makes Mrs. Potter of number 92 'The Willows' a world-class penetration tester?
Only when her husband is at work.
If ever there was an oxymoron!
As soon as developers start building systems that will accept something like "Correct Horse Battery Staple" as a strong password, I will!
"Use strong, memorable passwords" doesn't withstand the reality of using the internet for more than five minutes. Instead, the government should recommend the use of password lockers like Keepass which is a far superior technique for password management.
2 issues I see with password lockers.
1. If you're very forgetful (as I am) and you forget your password locker password, then you're stuffed.
2. What if the password locker gets hacked?
You can always write your password locker password down on paper and keep it in a file. It is still more secure than reusing passwords or using memorable passwords. If you get burgled, just change it.
If LastPass or 1Password get hacked and expose user details it is their entire business down the toilet, so I am inclined to believe them when they say that only you can expose your data. I still won't put everything in it, but you can also add a multi-factor authenticator to beef up your login password.
>As soon as developers start building systems that will accept something like "Correct Horse Battery Staple" as a strong password, I will!
Trouble is that some developers/sites do; however what they don't tell you is that they have only accepted the first n characters of your password (typically 8) and so when you try and use your strong password it will fail as you have typed too many characters...
But the real problem is that many passwords are tied to a person's email address (a subject that has been discussed before on these forums) ...
Is accepted by most password regimes. Just pick a special character to use as a space.
In the section on online banking, Cyber Street's first recommendation is to "Sign up to security software provided by your bank, such as Trusteer Rapport". Just a few months ago Reg readers seemed to suggest this may not be all that good.
My only experience of it is from sorting out a pc which was seriously snarled. Can other readers comment?
I've tended to avoid it because in general it seems you need the version provided by your bank - which is a problem if you use multiple banks... Also it did get a poor reputation as once installed it was very difficult to remove which was an issue if it conflicted with previously installed software (although Trusteer have become more public about such matters).
I've used instead third-party browser security products that can be used across multiple websites but unfortunately require configuring by a knowledgeable user.
Specific products I've used: Prevx SafeOnline (now part of Webroot), which was also provided by some banks and for several years was available as a free download from Facebook (it also protected against a number of live banking exploits that Trusteer Rapport didn't...). Kaspersky Internet Security: Barclays provided this free to their online customers for several years, but annual re-registration was required; also Barclays provide no information on how to configure KIS to enable it to fully secure their internet banking...
Another good tool is Zemana AntiLogger, however the challenge I've found with targeted security products is ensuring they play nicely with more general security products, both on initial install and after subsequent auto-updates...
So I can understand why Cyber Street would effectively recommend "Joe Public" users download the (hopefully) preconfigured security software from their bank. Also with the banks effectively backing Trusteer, there is an incentive to ensure it does work with third-party security software and that third-party security developers include it in their DB's of 'safe' applications.
The government would be better off starting with a campaign aimed at the civil service first.... you know, something simple like "DO NOT LEAVE YOUR UNSECURED LAPTOP ON THE F***ING BUS AGAIN!"
Another waste of [our] money.
Who came up with that name? Are they hiring funky vicars for PR duties now?
What would Edward Snowden do?
"Sign up to security software provided by your bank, such as Trusteer Rapport"
"You can download Rapport from the following locations: PC users: http://download.trusteer.com/U3uxFr8Ib/RapportSetup.exe"
So, I have to download and install an executable in order to keep my 'computer' safe?
Why on earth is it a .com address?
It should be .gov.uk. My internal alarm bells go berserk when a URL looks wrong and a UK Govt related/sponsored/whatever website with .com on the end looks wrong.
Exactly, that is inviting fraud. I've already posted on The Guardian saying that anybody who thinks a website without a .gov.uk address is the HMRC deserves to get all their money stolen as a stupidity fine, so here we have the government actively promoting scammers' activities.