A couple of years ago I wrote an article at SecurityFocus.com about my security paranoia, which ended up in a lot of people thinking I went way too far and perhaps needed some mental help. In the article I wrote that instead of the word paranoia, I prefer meticulous precaution.

With astronomical growth in spyware and an increase in search engine poisoning, how is my meticulous precaution doing? Well, it’s just plain paranoia now.

So in addition to all the well-known best practices and the stuff I mentioned a couple years ago, here are some additional precautions I feel compelled to take:

1. I have an isolated virtual machine always open that I use just for e-mail and instant messaging. This machine is a member of my domain because I need to move stuff in and out of there so often, but firewall rules and other precautions limit its exposure. Plus I never browse the web from this machine.

2. I have another virtual machine always open for general web browsing and downloading. In this VM I have IE7, Firefox, Netscape, Opera, and Safari installed, as well as all the file downloaders, proxies, filters, and anything else cool I find. The browser security settings themselves are moderately secure, but relaxed enough for good web compatibility. This is where I do all my web 2.0 stuff.

3. I have another extremely isolated and extremely hardened virtual machine for more adventurous web browsing and other risky internet stuff. Just IE7 and Firefox here but lots of scanners, blockers, filters, and just about every security-related add-in I can find. I usually keep scripts, active content, and even images turned off in the browsers. Oh yeah and this vm isn’t even on my physical machine here, it’s at my data center and I connect to it via Terminal Services.

4. And of course I have a separate virtual machine on standby (suspended) for all my financial stuff. There are also a few other VM’s I keep on standby for other dedicated and potentially sensitive tasks. All these virtual machines means I need 4GB RAM and 3 monitors to get any work done.

5. Speaking of financial stuff, whenever I create a new financial account, I set up a new e-mail alias just for that account. In the case of PayPal, I created the account under that unique e-mail address but I added several other e-mail aliases that I can give out to people when they pay me so I never have to reveal my secret login address. When I get an e-mail from PayPal to any address but the secret one my Outlook rules will automatically discard it. And speaking of PayPal, I highly recommend spending five bucks to get a security key for your account.

6. I also use secret e-mail addresses for handling sensitive information. The fact that GMail keeps every e-mail forever is kind of scary, especially since it is a web-based app that could so easily fall prey to a cross-site scripting or similar attacks. This is especially a problem because so many web sites insist on sending you a plaintext e-mail with the account information you just barely set.

So I have an incoming mail filter on my GMail account that looks for words like “password” and “login information,” automatically forwards them on to another non-public e-mail address, and then deletes GMail’s archive copy. If you use Gmail, do a search for “password” and see what it comes up with. In case you were wondering, yes I do need a spreadsheet to keep track of all my e-mail accounts.

7. I frequently exit out of then re-open my web browsers, which are set to clear cache, history, and cookies upon exiting. I don’t want some cross-site scripting attack stealing any session cookies. And I never log out from a sensitive web site, I always exit the browser.

8. Occasionally I use the snapshots feature of VMWare to roll back the OS partition of my most sensitive machines. It’s my version of a Crazy Ivan.

9. And most importantly I back up frequently so I have no problem wiping a machine and starting from scratch if I suspect a malware infection or security breach.

10. Ok, well I’m withholding number 10 because I’m just too paranoid to tell you about it.

Today I was driving on the freeway and couldn’t avoid driving over a flattened cardboard box. I looked in my rearview mirror waiting for it to fly out behind me but it never did. Great, I was driving down the freeway with a box stuck to my car. Read the rest of this entry »

I have a problem with my two-year old: he keeps getting out of his bedroom. This morning it was 4am and he was climbing over me and my wife, patting us on our heads.

It’s not like we haven’t tried containing him. It started when he wouldn’t go down for naps. As a quick fix I just hooked a bungee cord from his door to the closet door in the hall, which really didn’t work and was probably kind of dangerous. Read the rest of this entry »

I thought I would write about a technology introduced in Windows Vista called Mandatory Integrity Control (MIC), which is an access control scheme that Microsoft developed partially based on previous work by others, in particular the Biba model.

Read the rest of this entry »

This morning, after being startled by two of my sons arguing over who had the longest turn playing Guitar Hero, and still not quite ready to get out of bed, I grabbed the remote control and started up the DVR recording of the Super Bowl. As my eyes were still trying to focus, I sped forward to the first commercial break then hit play.

Read the rest of this entry »

For those of you who have been waiting for SP1 before you move to Vista, that time has come:

http://windowsvistablog.com/blogs/windowsvista/archive/2008/02/04/announcing-the-rtm-of-windows-vista-sp1.aspx