Lessons From The Past: 10 Immutable Laws Of Security (Version 2.0)

We looked at the 10 Immutable Laws of Security before. Then-Microsoft security researcher Scott Culp posted a list of principles to keep in mind when considering computer security. Whether you are a novice or an advanced user, it is sound advice to keep following. In 2011 Microsoft decided to update the laws. As technology and the threat landscape keep evolving, so must our thinking and mental models. Below is the updated list. The differences from the old laws are bolded.

10 Immutable Laws Of Security (Version 2.0)

  1. If a bad guy can persuade you to run his program on your computer, it’s not solely your computer anymore.
  2. If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
  3. If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
  4. If you allow a bad guy to run active content in your website, it’s not your website any more.
  5. Weak passwords trump strong security.
  6. A computer is only as secure as the administrator is trustworthy.
  7. Encrypted data is only as secure as the decryption key.
  8. An out-of-date antimalware scanner is only marginally better than no virus scanner at all.
  9. Absolute anonymity isn’t practically achievable, online or offline.
  10. Technology is not a panacea.

The old list of laws can be found here: https://www.modernsamurai.info/laws-of-security/

Lessons From The Past: 10 Immutable Laws Of Security

A long time ago I found ten rules for computer security on the Microsoft website. I thought the first rule said: “When someone else is at your computer, it’s no longer your computer.” At some point the article disappeared, so I couldn’t verify whether I remembered correctly. As it turns out, I didn’t. It is still a valuable rule. Physical access to your device is a serious security concern. Where malicious software otherwise installs remotely via your web browser, with physical access it can be installed directly, via a USB device for example. Physical access is also the perfect opportunity to modify your hardware, for example by installing a key logger or a tracking device. The rule whose principle I remembered is rule number three. The original laws were written fifteen years ago by then-Microsoft security researcher Scott Culp. Keep the laws in mind as you work out a strategy and tactics for your digital security.

10 Immutable Laws Of Security

  1. If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore.
  2. If a bad guy can alter the operating system on your computer, it’s not your computer anymore.
  3. If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.
  4. If you allow a bad guy to upload programs to your website, it’s not your website any more.
  5. Weak passwords trump strong security.
  6. A computer is only as secure as the administrator is trustworthy.
  7. Encrypted data is only as secure as the decryption key.
  8. An out of date virus scanner is only marginally better than no virus scanner at all.
  9. Absolute anonymity isn’t practical, in real life or on the Web.
  10. Technology is not a panacea.

Blocking Chrome Software Reporter

Chrome Software Reporter installs with the Chrome browser. It reports on tab crashes, modified tab pages, unwanted advertisements in the browser, etc. It can also remove programs that it considers malicious to the browser. It often uses too much RAM when scanning. As it reports to Google, it is also a privacy concern. Ideally, don’t use the Chrome browser. Sometimes, for example at work, you have to make do with what is available. Unfortunately, privacy and security aren’t always a concern of businesses or employees. Too often, functions stop working when you opt for a hardened browser. At least we can mitigate some of the impact on privacy and security. This guide explains how to block the Chrome Software Reporter tool from sending details to Google.

How To

Open File Explorer, either via the menus or by pressing Windows key + E. Navigate to the address below, replacing “USER” with your username. If you can’t see the “AppData” folder, enable the display of hidden folders.

C:\Users\USER\AppData\Local\Google\Chrome\User Data\SwReporter


The folder at that location is named after the version number of the Reporter tool. If you delete this folder, the tool also gets deleted. This solves the problem, but only temporarily. When Chrome updates, it installs the tool again. To block it completely from reporting to Google, without the administrative burden of deleting the tool every time it installs, we have to revoke the tool’s permissions. To do this, enter the version number folder and right-click on the .exe file inside, namely software_reporter_tool.exe. In the popup menu, click on Properties.


Select the Security tab and then click on the Advanced button.


The Advanced Security Settings window appears. Click on the “Disable inheritance” button at the bottom left side.


Confirm by clicking on the “Remove all inherited permissions from this object.” button.


Confirm the previous windows by clicking the OK buttons until the Properties window closes.
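The same steps can be scripted. The PowerShell below is an added example, not part of the original guide: it applies the change to every version folder it finds, saves each file's ACL first, and reads the result back. It assumes a per-user Chrome install where the current user owns the file; the backup folder under %TEMP% is an arbitrary choice for this example.

```powershell
# Added example: scripted form of the File Explorer steps above.
# Assumption: per-user Chrome install, so the tool sits under %LOCALAPPDATA%
# and the current user owns the file.
$root = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\SwReporter'
if (-not (Test-Path -LiteralPath $root)) {
    throw "SwReporter folder not found: $root"
}

# Backup location is an arbitrary choice for this example.
$backupDir = Join-Path $env:TEMP 'swreporter-acl-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# One subfolder per Reporter version; process every copy that is present.
$results = foreach ($dir in Get-ChildItem -LiteralPath $root -Directory) {
    $exe = Join-Path $dir.FullName 'software_reporter_tool.exe'
    if (-not (Test-Path -LiteralPath $exe)) { continue }

    # Save the current ACL first so it can be put back with:
    #   icacls <version folder> /restore <backup file>
    $backup = Join-Path $backupDir ("{0}.acl" -f $dir.Name)
    icacls $exe /save $backup /q | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "ACL backup failed: $exe"; continue }

    # Same as "Disable inheritance" followed by
    # "Remove all inherited permissions from this object."
    icacls $exe /inheritance:r /q | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "ACL change failed: $exe"; continue }

    # Read the ACL back and report what is left on the file.
    $acl = Get-Acl -LiteralPath $exe
    [pscustomobject]@{
        Version             = $dir.Name
        InheritanceDisabled = $acl.AreAccessRulesProtected
        RemainingEntries    = @($acl.Access).Count
        AclBackup           = $backup
    }
}
$results | Format-Table -AutoSize
```

A row showing InheritanceDisabled as True and RemainingEntries as 0 means no permission entries are left on that copy of the tool; any explicitly assigned entries are not removed by these steps and are counted in RemainingEntries.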

The Chrome Software Reporter tool is now blocked. A fair note, however: it now no longer reports on potentially malicious programs. If you do all the necessary browser and system hardening, this won’t be an issue. Antivirus, malware removers, security suites, isolation, compartmentalization and conscious browsing habits are all part of a privacy- and security-conscious device.