Common sense advice for parents of networked kids

Just lately I’ve discovered Common Sense Media and am quite impressed with their tools and advice for parents that are soundly based on, well, common sense. Anyone who has read earlier posts on this blog like this one or this one knows that I’m really big on the idea that security begins with don’t be an idiot. So I was quite pleased when Common Sense had this featured article by Liz Perle in the Common Sense Newsletter entitled Rules of the Road for Parents in a Digital Age. She had me at the first line: “Even if you’re clueless, you’re still your kid’s teacher”.

Common Sense Rules of the Road for Parents

  1. Model good behavior. If we’re on our Blackberries or iPhones at dinner, why will our kids listen to us when we tell them to turn theirs off?
  2. Pay attention. We have to know where our kids are going online – and what they’re doing there.
  3. Impart our values. Cheating, lying, being cruel – they’re all non-starters. Right and wrong extends to online and mobile life.
  4. Establish limits. Phone time, video download time, destinations. There’s really a right time and place for everything.
  5. Encourage balance. Get kids involved in offline activities – especially where there’s no cell service.
  6. Make kids accountable. If they have a privilege, make sure they earn it.
  7. Explain what’s at stake. Let kids know that what they do today can be abused by someone tomorrow.
  8. Find ways to say “yes.” That means we have to do some homework and know the sites they visit, the songs they download, etc. – and find ways to use technology that lets us say “yes” more often than we say “no.”
  9. It’s not rocket science. Learn to text, send a mobile photo, set up a Facebook page, upload a video. Or have your kids show you how. It’s impossible to guide what you don’t understand. Not only that, but think of all the anxiety you can avoid by knowing how things work.
  10. Lighten up, embrace their world, and enjoy the possibilities together. None of us want digital divides in our relationships with our kids. It’s up to us to join the fun and help them seize the potential.

Some great stuff here. I think the main point (well, at least the point I’d like to make) is that for a parent being clueless is normal, but staying clueless is not an option. And I’d also like to draw particular attention to #5 (Encourage balance). This is where kids – and parents – discover the actual purpose and utility of the online world. Yeah, that’s right – it’s way too easy to get caught up in the fiction of “socializing” online with people we’ve never met when in fact most of those people are not at all who they pretend to be. And some aren’t even people. The point? Social media is a powerful tool to collaborate and stay connected to real people you actually know, but to just be a poser interacting with other posers never accomplishing anything tangible in the real world is not only pointless, but boring.

How do I know this? My son Nicholas is an avid gamer and web designer. So he has spent a good deal of time online since he was fairly young. Several years ago we (Nicholas and I) started volunteering for the FIRST Robotics challenge. In the real world. He now helps mentor and judge the web sites for the teams as well as doing crowd control and other jobs at the actual event. This requires collaboration and communication with other volunteers, the teams and challenge coordinators. Nicholas – and I – now have practical experience collaborating via social media with other folks who are involved in doing something that is very real, very tangible and wicked cool. Needless to say, neither of us is interested in wasting time gossiping with posers when we can connect with interesting folks doing amazing stuff. Real stuff.

So if you are a parent, think about these 10 rules. It really all comes down to this: If your kids see you not being an idiot and doing cool stuff that’s what they will pay attention to. And everybody will get a clue in the process.

Security ideas for your mom part 3

In part 1 we started a foray into security ideas for your mom with this (highly abbreviated) list:

Security Ideas for Mom

  1. Think. Use common sense.
  2. Learn how to use your hardware and software. Don’t use something you don’t understand.
  3. It’s your computer. Show that machine who’s boss – who’s your mama!
  4. Your friends are clueless.
In part 2 we explored the threats that mom is likely to encounter and some general ideas of how you might manage that risk.

Now in part 3 we’re back to the list.

In the post “NAC: Answering the right questions” I gave Joel Snyder a pretty hard time, but being a really classy guy (his primary issue was my use of the Dr. title, which he finds pretentious) he responded with some insightful comments. One of which is apropos to this topic:

    My main reason [for discussing agent based solutions] is to make sure that people don’t labor under the misconception that “agent-on-endpoint” is always the right answer — I’m trying to undo the marketing harm that some of the end-point security vendors have done…

“Well said”, you might be thinking, but what does this have to do with mom staying safe while surfing the web with her new PC? Surely, you’re not going to suggest that mom deploy a NAC system on her laptop? No. I’m not going to suggest NAC for mom, but this is exactly the segue we need into the next idea.

  5. Security software is not magic – in spite of what the vendors may claim. Anyone who has ever had the unforgettable experience of buying a used car from a used car dealer knows exactly what this is about. I had a friend who was wont to say “a software salesman differs from a used car salesman in that the used car salesman knows he’s lying”. The bottom line, as Joel points out, is that end-point security vendors have seriously overhyped their products. And yes, your mom’s new PC, or Mac, or mini laptop or wifi-enabled cell phone is a network end-point. The problem is that, while the software will technically do what it claims, it certainly won’t do what it implies without a liberal application of steps 1 – 4. Take, for example, this partial list of features of a leading PC security suite (emphasis mine):
    • Connect securely to any wireless hotspot
    • Exchange documents freely using email and instant messaging
    • Surf the Web and play games online without worry
    • Bank, shop, and invest online with confidence
    • Guard against online identity theft
    • Inspect Web sites to make sure they’re not fakes
    • Safely download photos, music, and software

    Certainly the software has capabilities that can help mitigate some of the threats discussed in part 2, but the implication that all you have to do is install this amazing technology and you are completely safe and secure is balderdash. Hogwash. Crapola. Again, I’m not suggesting that end-point security software is useless, or that you don’t need it or shouldn’t use it. On the contrary. I’m saying that when you do use it – and you should – you must understand its limitations and what mom (the user) must do to make it actually function properly.

  6. Do your research up front. Before you go to the computer store. Before you even think about spending one dime. If you can imagine yourself taking mom to a random auto dealership and telling the sales guy to “show me what we should buy”, then you should stop reading right now and either start over with part 1 or call this guy I know from Nigeria (who has a whole lot of money he needs to get out of the country…). Otherwise, try to figure out what mom really needs to accomplish what she wants by doing some research. Search the web. Read magazines. Read reviews. Listen to podcasts. Read blogs (oh yes – especially blogs). See if there are user groups with the same interest as your mom (trust me, she doesn’t want to search Google for random stuff, she has something tickling her fancy). And don’t discount open source and free platforms like Linux – I’ll bet your mom grew up in the ’60s and she might really groove on the idea of the free software movement. Viva la Penguin! And when you do get around to buying something, I’m guessing you’ll find a much better selection, better prices and a whole lot less pressure online. I’m not opposed to electronic superstores – just annoyed by them.

So there you have it. An even half dozen security ideas for your mom and not one single product plug in the lot. Lest mom neglect to remind you, always remember who’s your mama!

Security ideas for your mom part 2

Let’s recap shall we?

Mom wants to get online to read email, surf the web and Google stuff that you don’t even want to know about. We’ve already presented 4 ideas – which essentially boil down to 2 themes:

  • Use Common Sense
  • Know how to use your stuff

Okay, now we’re ready to get serious and specific about helping mom manage the risks of her internet behavior. So let’s look a little closer at each of the things mom wants to do:

Send and receive email – This will clearly require an email client, but what else? Well, let’s assume that mom wants to check out pictures of you and your significant other frolicking in the surf on your last vacation. And of course there’s Uncle Edgar who sends out those swell PowerPoint presentations and Aunt Thelma who sends MP3s of the latest hymns (at least that’s what mom says they are). So far all of this can be handled by any personal computer (and most cell phones) running any OS with either built-in or free add-on software.

Email risks fall into 2 categories: cyberfraud (e.g. phishing scams) and attachment-borne malware (e.g. worms or trojans embedded in attachments). While there are virus scanners that can scan your email for malware attachments, these will never sufficiently mitigate the threat without a judicious application of the first 4 ideas. Unfortunately almost all cyberfraud is undetectable by virus scanners, simply because there is nothing wrong with the email format or data itself. The fraudster relies on the recipient to actually take action to fall into the trap. So the only way to mitigate a cyberfraud threat is by using the first 4 ideas. While there are “anti-phishing” mechanisms built into most browsers and some email clients these days, they are useless if you don’t understand them and they are certainly not foolproof.

Surf the web – This is going to require a web browser. Again, any personal computer and most cell phones will come with a web browser sufficient to the task. While the actual choice of browser is mostly a personal taste kind of deal (if there is a choice – which there may not be on a cell phone) some browsers definitely have better security features than others (more on that later).

Web surfing risks include cyberfraud (note that email cyberfraud will almost always utilize some web-based component like a malicious web site that the email links to), downloaded malware (e.g. a trojan embedded in a file you download), malformed images (pictures that are designed with intentional flaws to crash the browser – or worse), malicious active content (all those cute dancing hamsters are really little programs that can actually do worse than just annoy you), leakage of personally identifiable information (e.g. some web sites will collect personal information from you in exchange for some goodie – and then sell it to spammers or phishers) and privacy invasion (e.g. tracking your surfing habits using third-party cookies). The right choice of web browser software and associated “plugins” will go a long way toward mitigating these threats, but again you must apply ideas 1 – 4 to achieve a decent level of threat mitigation. It should be noted that your web surfing habits have a dramatic impact on the risk you incur. Specifically, if you intend to visit adult (porn) or warez (pirated software) sites your risk is increased exponentially. Whereas reputable sites like legitimate shopping sites or Wikipedia are relatively low risk, a trip to the typical warez site can almost guarantee several of the above threats being real and present. So the moral of this story is don’t even think about stealing software or surfing for porn unless you really know what you are doing and take extreme measures well beyond the scope of what I’m going to tell you about in these posts.

Using search engines – Usually all you need is a browser for this, but almost invariably search engines like Google are way more than just search engines. Google, for example, is an entire suite of web services. They have portals, email, calendar, instant messaging, contacts, office tools and a whole lot more. And they are not alone. Yahoo has similar offerings as does AOL (to some extent). And each and every one of those bad boys wants to install some kind of browser toolbar and desktop application on mom’s computer. My advice is (again see the first 4 ideas) decide on a single search provider and use only what you need. Otherwise you will subject yourself to a cornucopia of conflicting crapware. Trust me, it bites wind and mom won’t like it.

Search engine risks include all of the web surfing risks listed above (well, duh! A search engine’s raison d’être is to allow you to surf lots of places really fast). But in addition there is a search engine specific risk of search engine gaming (e.g. a porn site will intentionally embed words like “angels” or “family values” into pages just so the search engines will direct you there when you search for those words). Luckily if you are a firm adherent to the first 4 ideas, this can usually be minimized to simply an annoyance. Also most modern search engines do a pretty good job of filtering out gamed results.

Throughout this post it may seem that (in addition to not adding anything tangible to our list of ideas) I’ve been using the terms risk and threat interchangeably. Just so there’s no confusion let’s go right to the definition of the relationship between them:

Risk management is a structured approach to managing uncertainty related to a threat.

This seems like a logical place to break so we’ll pause here for station identification and finish this up in another post.