Start Up Programs

Difficulty Level (2/5) ---
Risk (2/5) --------------------
Pay-Off (4/5) ----------------

Do you have a bunch of icons in the system tray? Does your computer take a long time to start up? Many "gadget" programs want to load automatically at start up and each one sits in memory chewing up resources including memory and CPU cycles. Even worse some programs load at start up and never even let you know they're doing it. I've worked on computers that have had in excess of 100 start up programs (including necessary Windows processes).

Get rid of them! Most of them were probably install once and forget and you'll never miss them. Identifying them is another story but there are alternatives that will help you track them down.

Windows includes a program called MSCONFIG that will identify some start up programs. Click start, run and type in MSCONFIG and that'll get it started. Msconfig is kind of bare bones and won't give you the full story but if you don't have a lot it might do the job.

Next is autoruns which is an excellent and free tool from Microsoft. A word of warning. It is powerful and will not stop you from removing a critical Windows process. Be careful of what you're doing.

Registry Fixers

Difficulty Level (1/5) ---
Risk (1/5) --------------------
Pay-Off (4/5) ----------------

The registry does a boatload of work in Windows being where just about everything about any program or process is stored and most remove program routines don't do a good job of cleaning up when they are uninstalled. If you've removed even a few programs the registry can become full of useless information. Why does this affect performance? Every time that Windows has to access the registry it's thrashing through a load of useless data to find the right info. I've worked on machines where 25% of the registry was useless junk.

You can avoid this by using a complete uninstaller like Your Uninstaller which works great but it won't fix anything that was uninstalled prior to it being used. For me it's far easier and less expensive to use a registry fixer. I like Registry First Aid as it will not only removed obsolete junk but also fix registry errors which can cause errors and put Windows into slow mode. There are a lot of good registry fixers and Registry First Aid is my choice but it's mostly a matter of style.

Hard Drives - Fragmentation

Difficulty Level (1/5) ---
Risk (1/5) --------------------
Pay-Off (4/5) ----------------

There are two factors in hard drive performance.

First there's fragmentation. Data is stored in "blocks" with a file being saved in the first block available and then the next. It might be easier to see a graphical representation.

Keep in mind that these "blocks" of hard drive space can be all over the drive.

You go to load "Mom" or "MP3" and the hard drive read/write head has to jump all over the disk. Now think of how much faster it would be if all the "Mom" or "MP3" files were in contiguous blocks. Conversely if you create a new file if all the "empty" blocks were contiguous.

But says you "I don't do that much file creation" so everything should be grouped together at the end of the data. Actually you might not do a lot of file creation but Windows and your applications do. First there's the browser cache writing all sorts of files to your hard drive. Then there are system checkpoints and the indexing service. Believe me, there's a lot of file activity.

The term for non-contiguous files is called "fragmentation" and there's a tool in Windows to regroup files into contiguous blocks. Right click a drive in My Computer, select properties and then tools then the "Defragment Now" button.

Like all of the utilities that comes with Windows the defragment tool is okay but not great. My choice is to use a third party tool like DiskMagik and let it run as a service for a while. You will never escape fragmentation but DiskMagik will keep you on top of it.

Oh, and regardless of the defragment tool you use run it several times as after you do the first pass it will cause other files to become fragmented. It may seem like a vicious cycle but eventually you'll have a fairly clean drive.

Hard Drives - Better Hardware

Difficulty Level (4/5) ---
Risk (2/5) --------------------
Pay-Off (3/5) ----------------

Many computer vendors will try and save a few bucks with a slower rotational hard drive with a rotational speed of 5,400 RPMs. Consider upgrading to a faster (7,200 or even 10,00 rpm drive) as the faster a drive spins the better the performance. It may sound like a lot of work but it can be fairly easy. Simply get the new drive, install it and then use something like Image for Windows to make a disk image and then restore that image to the new drive. Even easier is to use True Image and "clone" the old drive onto the new. Once you have the new drive booting and working you can use the older, slower drive for drive image backups.

Firefox extensions than will keep you safer

Difficulty Level (1/5) ---
Risk (1/5) --------------------
Pay-Off (5/5) ----------------

Web 2.0 has (re)introduced a wide variety of attack vectors that can be used against Internet users to steal sensitive information, control the web browser, and more. The security industry has seen a shift from concentrating on the servers that house data to protecting the data itself. Many web applications and social-networking sites today exhibit flaws that expose them to all sorts of attacks, with much focus on XSS, CSRF, exploiting the same-origin policy and malicious code execution.

With insight from a couple of web security experts and some further research, I’ve compiled a list of must-have Firefox extensions that help ensure safer and more secure browsing with Firefox. Many of us have agreed that the security “functionality” these extensions provide should be built right into Firefox (*cough*Mozilla Security Team*cough*). Below, I outline the risk and how each extension goes about mitigating it.

Adblock Plus

• Risk: Spammers and advertisers are increasingly using more malicious ways of getting advertisements to you. We saw in the past hacked ads on MySpace and other sites serving malicious code to infect users.
• Use Adblock Plus to block advertisements. You can right-click an advertisement (or image) and add it to your blacklist. There are also subscription filters you can subscribe to that will remove almost all advertisements automatically. The subscription filters are maintained by individuals like you and I, who hates ads just as much.

CS Lite

• Risk: Some sites set cookies for tracking browser behavior of their users across multiple sites. These are cookies usually set by third-party advertising companies that have banner ads on the site you visited. This can be a privacy risk for Internet users who accept cookies globally and are not more selective in which sites they allow to set cookies.
• With CS Lite, you can easily control cookie permissions on a domain basis. You can allow, block, or termporarily allow a site to set cookies. Initially, set CS Lite to deny cookies globally, and then enable them on a per site basis. Using this method, you can eliminate all those pesky tracking cookies served by third-party advertisers.

FoxyProxy

• Risk: When you visit a website, your IP address is recorded in an access log (unless the site specifically does not keep access logs). Sites such as Google tie your search records to your IP address. That means every search for information, be it medical remedies, hobbies, porn, etc, provides some piece of information about you. This poses an ever greater privacy threat than tracking cookies.
• Use FoxyProxy to manage proxy settings within Firefox. FoxyProxy can also be used with Tor, which tunnels your browsing sessions through multiple servers around the world. It is much harder to trace your browsing habits back to your original IP when you proxy through multiple systems as you do on the Tor network.*For more information on proxies, see the Wikipedia entry.

LocalRodeo

• Risk: Anti-DNS pinning is an attack vector that has seen been mentioned a lot recently in the press. Essentially what happens, is malicious JavaScript can tell a browser to connect back to a site with a different IP address than originally set. This is especially dangerous when launched against sites with areas that are non-public (corporate intranets).
• Protect yourself from malicious JavaScript using LocalRodeo. You might be thinking, “but doesn’t NoScript protect me?” See the section on NoScript below for more information.*A more general anti-CSRF solution is being worked on here.

RefControl

• Risk: When you click on a link or open a tab to a new site, that site can see what page referred you to them in their logs and analytics software. This can be a privacy risk since this site now knows where you were coming from. Some sites instruct users to post non-clickable links or disable HTML in posts to prevent their site from showing up in other sites’ referrer logs. This could even be a liability for some sites, especially those that host links to questionable material.
• Use an extension like RefControl to disable Firefox from sending information on the referring site. You can enable referrers on a per site basis, if you need too. I have enabled for just such an occasion, on digg.com, since clicking on a link to duggmirror.com relies on the referrer to redirect you to the appropriate site mirror.

NoScript

• Risk: Web sites using various scripting languages to increase functionality of their websites. Unfortunately, these scripting languages open us up to a wide range of attacks such as XSS, XSRF and CSRF. Since the script is executed locally versus server-side, malicious scripts can be used to compromise the web browser.
• Use NoScript to block scripts globally. NoScript can be configured to allow scripts to run on a per domain basis. NoScript can also help prevent XSS attacks because it can identify when a non-trusted site tries to inject JavaScript into a trusted site and filters it. But what about LocalRodeo? Well, NoScript isn’t perfect. It can’t be. If you allow scripts to run on a domain basis, you risk running malicious code. If a site you “trust” is compromised (e.g. cnn.com), any code on that site is run. If an attacker has inserted malicious JavaScript into the site, you’re pwned. With LocalRodeo, you are more protected against malicious attacks, such as anti-DNS pinning.

SafeCache

• Risk: Your browser caches various files when it visits a website to make subsequent visits load quicker. What we’ve seen though, are ways of tracking users via caches and cache timing attacks.
• SafeCache segments browser cache by the originating document, preventing Site A from using a timing technique to determine if you’ve visisted Site B.*

SafeHistory

• Risk: CSS can set the color of a link based on whether you have clicked or visited the site previously. This can be used against you in a CSS History Hack as demonstrated by Jeremiah Grossman.
• Like SafeCache, SafeHistory segments the marking of visited links on the basis of the originating document.* You might notice that NoScript protects you in the POC for both SafeCache and SafeHistory. That’s true, but go ahead and disable NoScript for the site and you’re not protected anymore. We need to be careful which sites we trust, because though the author may be ethical doesn’t mean an attacker who compromises their site will be.