The pillars of Defensive Computing

A cheat sheet for defensive computing.

Michael Horowitz

Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He spent more than 20 years working in an IBM mainframe (MVS) environment. He has worked in the research and development group of a large Wall Street financial company, and has been a technical writer for a mainframe software company.

He teaches a large range of self-developed classes, the underlying theme being Defensive Computing. Michael is an independent computer consultant, working with small businesses and the self-employed. He can be heard weekly on The Personal Computer Show on WBAI.


Michael Horowitz
8 min read

Previous postings on this blog, like any blog, have been narrowly focused. Sometimes it helps to look at the forest rather than the individual trees. To that end, I take a step back here for an overall cheat sheet to Defensive Computing.


Perhaps the most important aspect of Defensive Computing is something money can't buy, skepticism.

Obviously this applies to email messages, many of which are scams. A relatively new approach appeals to your patriotism - emails from people claiming to be soldiers stationed in Iraq who need help bringing money home. Yeah, sure. Skepticism is not only needed with the body of an email message, but also with the From address. Never trust it. Forging the From address is child's play.

Did someone point you to a really interesting video that just happens to require installing new software before you can view it? Don't do it.

Scams aren't limited to email, read my introduction to voice phishing.

Web sites too, need a skeptical review. Are you a customer of AT&T's CallVantage VOIP service? If so, be sure to go to callvantage.att.com rather than callvantage.com. The later is a phony website (for lack of a better term). Interested in public transportation in New Jersey? If so, go to njtransit.com rather than the phony newjerseytransit.com. Read the Wall Street Journal? Which of these domains belong to the newspaper: wsj.net, wsj.info, wsj.org, wsj.biz, wsj.us, wsj.ws? Some do, some don't.* Does the website hope.net belong to Barack Obama? No, but a recent April Fools joke made it look like it did.

No software can protect the gullible.


Backup your important files to something you can hold in your hand. If they are very important, make two copies. Preferably, one copy should be a thousand miles away from the other copy.

Even having three copies of important files is not overkill. For example, I appear weekly on The Personal Computer Show on WBAI and we record three copies of the show. In the studio, we burn a normal audio CD, the radio station records all the shows all the time and I make my own recording at home from the over-the-air signal. More than once, we ended up with a single usable recording. Stuff happens.

Plan for the death of your computer

You wake up one day and your computer doesn't work. Or, it was stolen. Plan for this now. Beside a new/borrowed/backup computer running the same operating system, you need to recover your applications and your data files. This is a large topic, but a word to the wise: disk image backups.

Some people find the importance of their computer sneaks up on them. If you really need your computer, you need two. Same for a printer. It's like tires - a car needs four, so every car carries five. If your computer is nice to have but not really important, this blog is not for you.

Keep Software Up To Date

View a web page, get infected with malicious software. It happens, and one reason is that your computer has old software with known bugs.

A few days ago, Brian Krebs posted a cheat sheet on the latest version of 12 popular programs. Needless to say, the posting became outdated a couple days later.

The difficulty in keeping software on a Windows or Mac machine up-to-date is an industry disgrace. It happens because neither Microsoft nor Apple is motivated to help other companies, many of which they compete against, install bug fixes. Instead, every company handles software maintenance differently, big companies may even have more than one system for maintaining their software. In the Linux world there is more co-operation between software authors and thus hope for a single software update mechanism. That said, I've seen my share of Linux distributions that handled software updates poorly. A shout-out here to Firefox, whose self-update mechanism is excellent (at least when running on Windows).

What to do? For Java, see my javatester.org website. For Adobe's Flash Player, see their Flash tester page. Windows users with little technical background are best served by having Windows automatically install bug fixes. If you can however, I suggest installing Windows bug fixes manually a few days after they are released. For everything else, Windows users can run the excellent online Secunia Software Inspector. Mac users should nag Secunia for their own version.

There is a flip side to this though, when it comes newly released software, it is usually best to hold back. New software is always buggy, so waiting lets others find and report the problems and gives the software vendor time to fix them. In addition, newly released software may cause problems for other software on your computer. Waiting gives these problems time to sort themselves out.

Avoid Certain Companies and Software

Years ago, Jim Croce sang:

You don't tug on superman's cape
You don't spit into the wind
You don't pull the mask off that old lone ranger
And you don't mess around with Jim

In that vein, there are some companies and software that are best avoided.

A couple weeks ago, I mentioned that I won't install any software from Symantec on my computer or those of my clients. Although I use Windows XP, I avoid all other Microsoft software. Ed Foster's Worst Vendor Poll offers some other opinions on companies you might try to avoid dealing with. Microsoft topped the list, by far.

File sharing software, such as BitTorrent, LimeWire and the like, is not something that belongs on a computer you care about or one that has files you consider sensitive.

I'm also not a fan of all-in-one security suites such as Symantec's Norton 360 Version 2.0, McAfee's Total Protection or Microsoft's Windows Live OneCare. My point is not about these programs in particular (recently reviewed in the Washington Post) but the whole concept of a suite in the first place.

Windows users are best served by avoiding Vista, if for no other reason than it will suffer from more hardware and software incompatibilities than XP for quite a while. If you don't install any extensions/add-ons, you are safer with Firefox than Internet Explorer. Likewise, Thunderbird is safer than either Outlook or Outlook Express.

Technical Support?

If you call the tech support department of a company, take their advice with a grain of salt. Perhaps two.

In the last couple days I've been told many things by techies at Comcast and at ATT CallVantage (a VOIP phone service) that were not true. This is arguably the rule, rather than the exception. The entire tech support industry is broken. You are likely to be talking to someone who is not well trained, not well paid and reading from a script they are not allowed to deviate from.

Someone I know, who works from home, used to depend on AOL for email, both personal and business. This person had a huge email address book and depended on it. One day, there was a problem with the AOL software and AOL's tech support turned a small problem into a big one by wiping out the email address book.

Good tech support is so expensive that many people will probably never experience it. You may get lucky, someone reading from a script, much like a parrot, may solve your problem. But talking to a really experienced person with a good understanding the product in question is all but unheard of. The best tech support I ever experienced was with mainframe software. If I said how much the software cost, some of you wouldn't believe me. But, that's what it takes to get good tech support.

Learn From The Experiences Of Others

A couple days ago, I wrote about how a Comcast cable installer removed a crucial component of the VPN software on my computer. Take stories like this as a heads up. If someone comes to install a broadband Internet connection, realize they may not have much computer training. Watch what they do on your computer like a hawk. Make the installer explain what they are doing and why, especially if they change something. If you run Windows, make a Restore Point before the installer arrives. If it is a cable connection, there shouldn't be a need to install any software.


Stating the obvious: install anti-malware (malicious software) software and learn how to check that it's updated regularly.

Windows users, of course, need antivirus and anti-spyware software. These product categories are blurring though and some software does both. No matter what software you use however, the protection it provides is limited, the bad guys are just too motivated (see Anti-Virus Firms Scrambling to Keep Up).

Whether Mac users need anti-virus software is debatable and I don't know enough about it to have an opinion.

Windows XP users should install the free DropMyRights program. I blogged about this extensively back in August.


All computer users need firewall software - without exception. A firewall program that runs on your computer is called a "software" firewall. The term is used to distinguish it from a firewall program that runs outside your computer but still between you and the outside world. Consumers and small businesses typically run across these external "hardware" firewall programs in their routers. The best protection is provided by using both a hardware and a software firewall.

Bad software firewalls, such as the one in Windows XP, only provide inbound protection, better programs also provide outbound protection. Outbound protection is a nuisance to setup initially, but you are safer with it than without it.

For Windows users my preference is the free ZoneAlarm firewall. It's far from perfect, but a big step up from the firewall built into either XP or Vista. A big plus for ZoneAlarm is simplicity. Because it's just a firewall, configuring it is relatively simple. Perhaps most importantly, when it issues warnings and alerts, the language is simple, to the point and devoid of techie terminology. Even non-technical users have a good chance of understanding the issue at hand.

Initially, the Leopard version of the Mac OS shipped with the firewall turned off, an inexcusable design decision and one that Microsoft corrected years ago. It was also buggy and poorly designed. There have been fixes to it since then, but according to this article at ArsTechnica, it still leaves something to be desired.

There are many websites that let you test your firewall defenses, a good thing to do periodically. My favorite, from Sygate, was assimilated by Symantec and no longer exists. The first such site however, is still going strong, Shields Up! from Steve Gibson. It's a bit techie though.


If you use a router to share a single Internet connection, be sure to read my March 8th posting, Defending your router, and your identity, with a password change, about changing the password.

While staying at a hotel, whether using a wired or a wireless Internet connection, alway use a VPN. This also applies to public WiFi networks too.

And, finally, read this blog for a steady stream of Defensive Computing tips. :-)

Update. April 25, 2008: Added advice to wait before installing new software.

*Only wsj.net and wsj.us belong to Dow Jones.

See a summary of all my Defensive Computing postings.