Rule #1: Don't trust Microsoft.
Rule #2: See rule #1.

That means: 1. No Internet Exploiter. 2. No Outlook Express. 3. No MSN Messenger.

Beyond that, I'd try to explain to them how the default action to anything when surfing the net or reading email should be no/ cancel/ escape, and not yeah/ sure/ whatever.
posted by Civil_Disobedient at 2:46 PM on April 2, 2006

Unless you use encryption, when you're on the 'net, you're in public.

Don't trust the internet. Learn to distinguish between browser windows that look like dialogue boxes and real dialogue boxes.
posted by PurplePorpoise at 2:51 PM on April 2, 2006

Three major threats will give you headaches.

Virii. You know about this.
Malware. Hijacking your browser
Phishing. Invading your email/privacy.

Microsoft Software seems to be the major target.
So, no IE, no Outlook. Use open source equivalents (such as firefox + thunderbird).

Minimum:
Update your OS, anti-malware +Antiviral software weekly

Assume that any email from your bank/ebay/etc is suspect. Go to their site directly (do not click on the links)

Never ever, ever purchase anything that you get as an offer from spam.

Never purchase from unknown retailers (especially to save the 5%.) Generally the rule here is still true: if an offer sounds too good, it is too good.

Any sort of 'free music/video/software' downloading service is dubious - and may circumvent all that anti virus/anti malware you've installed.
posted by filmgeek at 3:03 PM on April 2, 2006

Answering the question in the form of a self link, I would say what I say here http://www.nintu.net/papers/faq1.html

(didn't actualy make that a link so people can't claim I'm spamming.)

This is basicaly just something I wrote to educate my friends, so it's by no means complete, but feel free to use it as a guide, if you want. It was written for people who were tech savvy enough to know that there were things they didn't know, but that's about all it assumes.
posted by tiamat at 3:03 PM on April 2, 2006

Never, ever, ever connect a machine to the Internet without having a reliable firewall enabled. Given the massive amount of malicious traffic bombarding every square inch of IP space, it only takes about five minutes for a self-propagating worm to turn a new box into a zombie. By the time you've run Windows Update, it's too late.
posted by Danelope at 3:07 PM on April 2, 2006

I teach basic Internet skills to seniors and others who are new to computers. I am putting together a safety class in a similar vein, so it's good to read this question. Here are a few of my tips:

- Always look for the logout button/link and make sure you click it if you've been using a site that asks for a user/password.
- Have a junk email address that you give you for sites requiring registration, check it once a week and otherwise forget it.
- Chat sites are not all full of pedophiles but some are. Your email is not written on the side of a barn but it might be.
- If anyone asks for personal information [phone, credit card, SSN] and you are not sure why, call the organization on the phone and ask if they need it or go to their website. Most reputable companies will not ask for this information over email.
- Solving computers problems is rarely something you can do with a 1...2...3... list, prepare to solve problems via troubleshooting and not working from a checklist.
- If you learn well from books, there are many good books at the library that can help you with basic information. Keep notes on new words and terms that you learn.
- When you get to a web page where you have to do something or enter information, scan the page to see where the "action items" are like a submit button or a next link. Learn to identify these things on other web pages. Be careful with your typing because if you do it wrong the first time you may need to do it again.
- Learn to "mouse over" links to see where a link is really going [good for phishing scams] and learn how to read a URL so they can see a URL like http://microsoft.com@iscamu.net/safety.html and know where it's going.
- Teach them how to close all the extra windows that may be open via pop-ups and new window spawning. Teach them how to find the desktop again. Teach them to always click the little red X in the corner on pop-ups and not anything on the screen. Teach them how to block pop-ups generally.
- "That pig with 50 piglets suckling at her? It's an ad. Most of that blinky stuff that draws your eye is an ad."
posted by jessamyn at 3:10 PM on April 2, 2006

Assuming you mean safe surfing, as opposed to securing the home network or firewalls 101 etc:

1. Talk to whoever's responsible for forcing you to use IE, and ask them why they're torturing you.
2. Don't open anything that's emailed to you. It's not what it says it is. Even if the person who sent it is someone you know, be suspicious.
3. Don't click on any link in any email. It's not really from Paypal / Chase Bank / AOL tech support, even if it looks real. If you must follow a link, copy it from the email and paste it into the browser (most phishing attempts appear to link one place but actually go somewhere else.) Don't bother following the 'unsubscribe' link in any spam, it'll just confirm to them that you're a real, spammable human.
4. If you see the word "ActiveX" anywhere, click No.
5. (The hardest one for novices to understand, IMHO): If a windows alert or error message or virus warning or whatever is appearing inside a web page, or in a browser popup window, it's not real. Don't click it.
6. Don't download and install software you've never heard of. If you want to install something, google for "[its name] spyware" or "[its name] trojan" first; this is usually a good way to find out if it's safe to run.

tiamat, self-links in comments are okay, especially when they're relevant to the discussion as in this case.
posted by ook at 3:20 PM on April 2, 2006

90% of problems:

1. Don't use internet explorer
2. Don't open e-mail attachments unless you were expecting an attachment from that person and know what that attachment should be.
posted by Hildago at 3:33 PM on April 2, 2006

Second the "Do not unsubscribe from bulk e-mail" link. If you are talking to relatively web-savvy users, demonstrate how easy it is to dig up information on users from their online presence. Show them the dangers of TMI (too much information) on the internet.
posted by Roger Dodger at 3:56 PM on April 2, 2006

The most insecure component of a computer system sits between the keyboard and the chair.

"Social Engineering" is the hacker's art of trying to convince unsophisticated users to commit computer suicide.

If someone offers you free software, the chances are excellent they're trying to give you more than you expect or want. (i.e. malware trojans.)

Beware of Africans bearing gifts.

Your bank never, ever, will send you email asking you to reconfirm your account information.
posted by Steven C. Den Beste at 4:09 PM on April 2, 2006

When selecting passwords, do not choose any of the following:

the word "sex"
the word "secret"
the name of any relative (first or last)
the maiden name of any female relative
the name of any pet (first or last)
the name of any rock group
the name of any sports team
the name of any famous actor or performer
the name of any recent movie or popular song
your own name
posted by Steven C. Den Beste at 4:13 PM on April 2, 2006

don't forget god

(although most passwords are required to be over a certain number of alphanumerals, right?)
posted by PurplePorpoise at 4:26 PM on April 2, 2006

Be reasonably suspicious of anything that seems too good to be true. You do this in your real life, just extend it to your computer life. You don't let door-to-door salesmen you don't know in your house, and I'm guessing you wouldn't shop somewhere that looks like they could move out of the whole place in two hours. On the other hand, don't be paranoid. More people that not are using computers every day without any problems or being taken advantage of. Remember, most people are NOT out to get you, just your money. :)

I'm with everyone else here re IE. Just don't use it. Use Firefox and learn how to (1) add sites you trust to the pop-up list and (2) how it tells you that you are connected to a secure site and (3) how to read the location field.

And ditto to just about everything else everyone has said.

Honestly, my best suggestion I have for people is that if they use Windows at work and they want a computer at home for home then get a Mac. They'll feel less like they are working when they sit down to do what they want to do. It may be a bit of a learning curve at first, but in the long run I think people end up having separate home and work computer lives that are more satisfying.
posted by smallerdemon at 4:37 PM on April 2, 2006

That security and convenience have been bitter enemies since the dawn of time. That humans will always be the weak link in an otherwise secure system. That users need good passwords, passwords need to vary from one domain to the next, and they can't be left on post-it notes stuck to the monitor. That trash-picking and social engineering attacks occur, and, thus, that there are good reasons for the inconvenient security measures.

Hmm. I started this out thinking about users in a work environment. If you mean home users, my emphases would more closely resemble previous respondents'.
posted by Zed_Lopez at 4:45 PM on April 2, 2006

For Windows users in particular:

Learn the basic methods of stopping execution. In escalating order:

• Escape
• Close button
• Alt-F4
• Ctrl-Alt-Del, select program from list, END TASK
• Power button

posted by Civil_Disobedient at 4:45 PM on April 2, 2006

If you're not using a firewall, you might as well sit naked on a unicorn falling down the grand canyon.
posted by furtive at 4:50 PM on April 2, 2006

My lecture: Don't purchase a Windows machine.

There's not much that's Window's-only these days that a n00b is likely to need. So don't even bother with it. Start fresh, don't make the same mistakes all us old-timers have made.

Go buy a Macintosh. It's secure out of the box. It's not susceptible to viruses and shit like that. It's easier to use and more productive. And more of its software is easier to use and more innovative than on Windows. Things like digital photography, media playback, that jazz.
posted by five fresh fish at 7:11 PM on April 2, 2006

Nobody is ever forced to use IE. Put Portable Firefox on a thumb drive and use that instead.
posted by flabdablet at 7:16 PM on April 2, 2006

Re the firewall coments:

If you're connected directly to the net, this sort of holds (there have been experiments that show it actually takes a while under most circumstances).

Most people can get away without a firewall if they're behind a router, and not in a DMZ. There isn't a lot of that'll get through a router before you have time to patch.
posted by devilsbrigade at 7:19 PM on April 2, 2006

I think many first time computer users are unaware that the computer hard drive and all of its contents will just "go away" in three years and never come back.

I also think many new computer users do not understand that sometimes the only way to rid Microsoft Windows of viruses, spyware, or cruft is to completely re-install the operating system every once in a while. And that this deletes all of your stuff.

So the first thing I would do is to help them figure out a way to make regular backups of things they want to keep, even if it's only their bookmarks from their web browser. I think most new computer users will have an amount of data that will back up to a CD very nicely. Send them a reminder email once every month or two to drag their My Documents onto a CD.

I assure you that this will reduce the amount of trauma they will experience when the inevitable happens.
posted by popechunk at 7:29 PM on April 2, 2006

devilsbrigade, I think you're mistaken. A router offers no protection whatsoever unless it includes a firewall.
posted by popechunk at 7:31 PM on April 2, 2006

I'd definitely speak about the shady ads on some sites. My (15 year old) brother was almost taken in by them a few times.

No, you didn't just win a new car. Or a vacation. Or $1000 in cash. Everyone who goes to that page sees the exact same thing.

Just because it flashes over and over again, that doesn't mean what it's saying is true. No, you don't necessarily have a virus.
posted by kingjoeshmoe at 8:07 PM on April 2, 2006

These suggestions are great for general computer/network security, but there's also the issue of the reliability of the information people get on the internet. Here's what I tell my mom:

1. If you are searching for medical information, go to Google and type '[the medical information I am searching for] site:edu'. Otherwise you get nothing but product spam.

2. If it is a comment in a discussion board, ignore it.

3. snopes.com
posted by nev at 8:11 PM on April 2, 2006

I guess if you follow my rule #2 you can just forget about my entire post.
posted by nev at 8:12 PM on April 2, 2006

It's not susceptible to viruses and shit like that.

That's just not true. Macs are less susceptible to virii and shit like that, but nothing is impervious. There are already Mac virii, and there will be more if more people use them. Which reminds me of a good computer security principle: avoid hubris.
posted by Hildago at 9:07 PM on April 2, 2006

"There are already Mac virii, and there will be more if more people use them"

No there aren't. The 'virii' that the media latched onto recently were nothing more than social engineering attempts. Definitely not a virus or a worm. Notice that we haven't heard squat about them? That's because they fell flat and did absolutely nothing.
But that's totally offtopic, since the OP said that the users will be using Windows and IE.

Since they're stuck with Windows & IE, they're pretty screwed. Seriously. Every PC I've worked on that had an IE-using user was loaded with spyware/etc. Firefox users? Not so much.

But otherwise, five fresh fish is correct.
posted by drstein at 9:35 PM on April 2, 2006

Go buy a Macintosh.

From the follow-up: they don't get to choose the O.S.

It's not susceptible to viruses and shit like that.

And no other operating system gives its users the same blissful sense of false security!

It's easier to use and more productive.

Highly, highly debatable. But let me pre-emptively avoid the debate altogether by saying, "I disagree, but different strokes for different folks."

And more of its software is easier to use and more innovative than on Windows.

See above point.

If the OP is in an office environment where the users don't get to choose their OS, and management has already decided on Windows, the best thing you could do is appeal to the accountants. Linux is free. OpenOffice is free. Firefox is free. There's 90% of your users' needs right there.
posted by Civil_Disobedient at 1:45 AM on April 3, 2006

I do this in a couple of sessions.

1) Introduction. What's the internet and how does it work? Computers both send and receive information, and it's up to the user to exert some control over how the connection is used. How? Firewalls, preventive software (anti-virus, anti-malware), etc.

2) Solutions via software. If I can, this is where I push Firefox, but a lot of users are in labs where they have no control over software (and thumb drives aren't always available). I talk about firewalls, keeping windows up-to-date, avoiding Outlook (which often means pushing webmail), etc. This is also where I talk about virii and malware.

I find that a lot of my students have a tough time with the whole concept of malware. "What do you mean this super-duper blinking awesome download accelerator is actually bad for my computer? It says it's going to help me download porn/ music/ whatever faster! Are you sure you know what you're talking about?" I usually let the lecture digress into a conversation about "trusted sources" and how advertising works on the net.

If I've got time after the digression, I talk about how important it is to run regular virus/ spyware scans.

3) Changing behaviors. What's "safe" surfing? How can the user protect himself? What should the "default" action be? I open up with a conversation about the types of information people transmit on the net, and why they wouldn't want anyone else to get ahold of it. Then I talk about the mechanics of some of this junx. Basically, it comes down to things already said: Don't give out personal info to people you don't trust. If it's too good to be true, it probably is. Don't download email attachments from sources you don't trust, and even then, check out the file extension. Don't click links in emails. Don't click on advertisements. Close pop-ups. Etc. LOG OUT! LOG OUT! LOG OUT!

I also use this session to talk about how to create good passwords.

4) If I can get a 4th session, I talk about how to verify sources via search engines and how to keep up-to-date, and most importantly, give a quick introduction to troubleshooting.

Anyway, if you've only got one lecture, I'd probably limit things to talk about why security is important (Bad Things Happen), then focus mostly on the behavioral stuff. How non-tech savvy is your audience? And how old are they?

I've got lesson plans and handouts already developed, so feel free to shoot me an email (it's in my profile).
posted by asnowballschance at 2:38 AM on April 3, 2006

You're just wrong about that, I'm sorry. You're right that there are far fewer virii, but completely incorrect in the statement that there aren't any, and incorrect in what I take as an implication of your advice to the poster, that there can't be any, or won't be any. All computer systems are susceptible to malicious code. Period.
posted by Hildago at 8:17 AM on April 3, 2006

(in response to drstein's last comment)
posted by Hildago at 8:18 AM on April 3, 2006

Sure, and all cars are susceptible to flipping over in an accident. So you might as well by a Geo Tracker, right?

There are good ways to avoid the problems associated with using the Windows OS. The best one is to simply not use it, just as it's best to not drive a Geo Tracker.

I missed the follow-up post that specified Windows OS.
posted by five fresh fish at 10:32 AM on April 3, 2006

Poor analogy. A Windows system that doesn't use IE or OE is as safe as any other OS. I've been using Microsoft boxen since MSDOS 2.0 and have never gotten a virus. But then, most virii are a product of social engineering more than system engineering.
posted by Civil_Disobedient at 3:26 PM on April 3, 2006

I don't even think the point is whether or not Macs are more secure than PCs. My point is that that's a red herring. Human stupidity is the real cause of security vulnerabilities, and that is platform independent.

Better to advise common sense behaviors which would prevent about 99% of vulnerabilities. Don't open e-mail attachments, keep your software patched, sit behind a firewall, use a separate, strong passwords for different websites, only buy from a trusted source, etc..
posted by Hildago at 5:07 PM on April 3, 2006

devilsbrigade, your post didn't say "a router running NAT", and presuming that all routers run NAT is incorrect.
posted by popechunk at 11:09 AM on April 8, 2006

This thread is closed to new comments.