Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Ask HN: How did you set up a secure computer for your parents/grandparents?
13 points by mlac on June 6, 2019 | hide | past | favorite | 16 comments
Alright. I'm fairly technical with non-technical grandparents. My grandpa keeps getting malware on his machine and is starting to fall for scams. Most recently his Chromebook got a Windows virus so he called the number and was about to pay $300.

I don't live nearby so I need a remote option. I've thought through some approaches I'm going to try next time I visit so I can have easier remote access, but I'd be happy to hear from anyone with recommendations or advice. What's your solution for your parents and/or grandparents?

I'd like any general or specific recommendations for Chromebooks / iMac.



This thread wasn’t exclusively about computer security, but has some ideas: https://news.ycombinator.com/item?id=20015775


Update: thanks for the suggestions and the other thread.

I did the following: - blocked anonymous callers from calling (unrelated but related)

- created an admin account on his machine and removed his admin privileges (his use case for the computer hasn't changed in 10+ years and he can call me if he needs to install something)

- set up a router with a static IP that I can VPN into and SSH into his machine to make changes if necessary

- froze his credit (unrelated, but again...)

- set up two factor authentication on bank and email

- set up pihole DNS in Google cloud with ads and malware blocked. I'd consider a whitelist but don't care to review his "normal" urls. DNS is set from the router.

- block extensions on chrome

I didn't get a chance to configure the DNS on the Chromebook. Overall a fun weekend project.


Are they just browsing the internet? Easiest option would be to get them an iPad.


That's a good call. He never got into iOS and is used to using pages and mail on OS X to get edit documents and read email. But maybe that is the best option...


You may want to reconsider an iPad (or anything touch-interface). Tried it with some older relatives, and the UI differences ended up being too much. Additionally, even though my grandfather is a hunt-and-peck typist, an on-screen keyboard was far more frustrating for him to use. At least have him try a tablet first. Consider that touchscreen keyboards in general are harder to use for people with poor dexterity, especially for new users.

Chrome book with an adblocker should be reasonably secure, if you're worried about scammers there are other possible attack vectors that having a secure computer won't defend against. Consider that if he could fall victim to a windows virus scam, he can just as easily fall prey to the myriad scam telephone calls. Unfortunately, there is no easy tech solution for this; either educating them or setting up financial safeguards through the bank will solve that problem.


Fair point... And I get that education is key, but I'm trying to throw up technical solutions as best I can so they can maintain their online freedom.

I'm thinking routing their DNS to a pihole, getting them a static IP so I can VPN in and access their Mac, routing their Chromebook to the home network with VPN so it goes through the pihole as well, and then locking down permissions even further on their accounts. If I have solid remote access through VPN I'm comfortable having him call me when there is a need to install something... Their use case for the computer hasn't changed much so I don't anticipate they would need to make a significant number of installs.

And in terms of banking maybe we can make a few calls to their institution.


It won’t stop the “Windows Virus” problem while they are browsing the web but an adblocker helps a ton (either via popup blocking, content blocking and or DNS blocking - atm I’m using 1Blocker X for content blocking and NextDNS and their TestFlight DNS via VPN app and blocking malicious domains for DNS blocking - benefit of NextDNS is that it easily allows me to config those settings remotely).

But something will always get through those blockers as they are only reactive. So just let them know if it starts asking for money when they never intended to spend money to give you a call (you can also set up TeamViewer on the iPad to help you “fix[1]” the issue which will be just closing the tab 99 times out of 100).

Source: Brought my technophobe mother an iPad a couple of years ago. At the start I had to hand hold her though everything, literally everything. These days she is ordering online and even having her groceries delivered using it and I’m just doing preventative maintenance on the thing by making sure everything gets updated in a timely manner.

[1] iirc TeamViewer doesn’t allow remote control of an iPad just remote viewing unless something changed recently, but it will allow you to see what they can see and guide them though what and where to press via the phone.


I just noticed by chance last week that when my father entered a URL in Chrome, he entered it into the google search field instead of into the browser's address bar => not great as at that time he was trying to connect to his bank's online banking site so if anybody manages to show in Google's top results some fake site he would fall for it no matter how much "hardened" his PC could be => now I'll have to explain him the difference, and the fact that you can as well submit a search directly in the browser's URL address bar definitely does not make this more simple, pfff... .


Yeah. He's on a Chromebook now but there are still ways it can go sideways. And toolbars continuously get installed (I need to lock that down next time I'm there).

This could be a benefit of banking by App using an iPad like another user recommended, but I'm not sure. I guess if iPad OS has mouse support then a keyboard and mouse could be the best of both worlds...


I know your question is about the assumption that a Windows machine would be insecure (understandably so) but a properly configured Windows workstation (using a Limited User account along with Software Restriction Policies) has kept my parents going just fine for about 7 years now.

Why?

Don't allow directories the logged in user can write into to also be marked as executable. Do that and it's smooth sailing.


It's not so much that. I had switched to Mac in 2007 and got them to switch. At the time it was much different in terms of viruses, and that machine ran smoothly until 2018 (I added ram and swapped HDD to SSD along the way I think).

I had them upgrade last summer due to their old machine no longer receiving updates, and ever since it's been hit or miss. I guess they can do more on the new machine because it is faster?

I think a good Windows 10 machine that is locked down would be solid, but at 84 transitioning back to software you haven't used since you were 72 is a challenge. They've had the Chromebook about 5 years and still haven't learned it all (not that there is much to learn, but they still aren't clear on how webmail on chrome lines up with the mail client on Mac, or how to get to the Gmail web interface from the Mac, even though they've done it a few times (and I've shown them). I convinced them to get a Chromebook so they wouldn't have to take the iMac with them while traveling and it would be easier if it were lost or stolen.

I would say it's time to just quit the internet and computers, but it's part of their freedom that I think they'd like to preserve and they do use it for light document editing, viewing photos of great grandkids, etc.

I guess I'm looking for guardrails / bumpers that I can put up to keep them on track. And honestly if this problem was solved in a non-patronizing way it would probably be a very successful security company that could be applied elsewhere. At the end of the day it is least privilege and fighting adware / malware / all the crap that most users run into who don't have good security hygiene.


For more context - I was thinking of setting up a pie hole on their local network and forcing a VPN from the Chromebook to home network, but this has some availability downsides.

For a weekend project I was ocnsidering an AWS solution that I could use to filter traffic. But again, something easier with less overhead would be preferable. Happy to know what others did.

Then


I got tired of the work to keep my elderly mother's windows laptop in trim, so I had her get a Macbook. It's been smooth sailing for over a year now. No more "can you look at my laptop" Mad Max virus of deth incidents. I'd have her use OpenBSD, but she seems to lack the gene to roll with i3.


I fear any access to the internet could result in a scam popup... there isn't anyway around that expect some sort of instruction to call you or someone before they do anything, like pay money.


How did his chromebook get a windows virus?


It didn't. It was a fake add pop up that said it had a Windows virus. It was convincing enough for him to get on the phone and be ready to pay $300 to Windows to fix the virus until my dad walked in the room and stopped him.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: