Yes, it's scary out there! Since this is long, I thought I'd post it instead of responding in the comments. On your specific questions:
1. Opening files with the warning about security certificates. Generally this is okay, as long as you know the company whose certificate is being used. That's actually the point. Many of these things are "plug-ins" for your browser -- sort of mini-computer-programs that allow your browser to display stuff or play sounds. The purpose of the prompt is to let you decide if you want to install something from the company that signed it. The "certificates" are very closely controlled -- it's effectively impossible for a scammer to represent himself as Microsoft.

Let's say you're looking at a web site for new joists to replace the rotting one, and you click on something that is going to show you a movie of someone replacing a rotting joist -- doesn't this just get you excited! To view the movie, you need a plug-in. The web site might be set up to try to install it for you, to make it easier. Before that can happen, you're asked if you trust content from whatever company provided the plug-in. Companies like Microsoft or Macromedia or Yahoo or Google won't screw you, because they depend on your business.

However, there are a bunch of scammers out there who are trying to get you to install programs that will do bad things, like scan your hard drive for information and then dial out and give that information to the scammers. There are only a few plug-ins that are useful, and they all come from respected companies. If you don't recognize the company and you're suspicious, you should not install it. You can always look up the company using Google. If it's a scam, you'll find lots of hits from people trying to get rid of it, cursing the company, etc. The most common scam approach is to sucker you into installing a tool bar to "enhance" your browser experience. They enhance your experience by popping up annoying ads in your face for every page you visit. This kind of thing comes under the general heading of "spyware". Falling prey to these things is not just a rookie problem.
If you find yourself with one of these problems, you can download a free program called (ominously enough) Spybot - Search and Destroy. It will scan your computer for all known forms of this scourge, and get rid of them for you. There are commercial products that do this, too, and some of the anti-virus stuff is starting to do a better job at detecting it and helping you remove it.
2. Cookies. Only paranoid people disable cookies. I'd recommend enabling cookies. If you "accept" cookies (which I do by default), then any web site you visit can put a little identifier on your computer. Then, when you visit that web site again, your computer sends the thing back to the web site, and they can recognize that you were there before. The way web sites use these things varies. Do you use Amazon to buy anything? When you log in to Amazon, they put some unique identifier for you in a cookie. Then when you come back, they can tell who you are and present you with things like "Click here to see the status of your account". When you buy something, you can enable "one click shopping". Since they know who you are, you previously gave them your credit card number (and chose to allow them to store it for one-click shopping) and previously told them what your address is and your shipping preferences, they can ship everything to you without having to put all that stuff in again. Without cookies, they can't do it so easily.

The evil side of cookies is that there is a way for advertisers to track which web sites you looked at. There is also a possibility that one of those spyware programs can grab up just the right cookie from your computer, and then someone can impersonate you and buy their little heart out at Amazon. Scary, eh? Except in the Amazon case, everything would be shipped to your house, so it's not quite the dream scam. Furthermore, since everyone is aware of this issue, companies you do business with, like eBay, will prompt you for username/password before letting you do anything online that should affect your bottom line or personal information. My bottom line on cookies is that disabling them is so annoying that it's not worthwhile.
3. Doing secure stuff from Yahoo. I haven't heard that one. As long as you're on a secure connection (https:// means it's a secure connection, and your browser usually has a little lock icon), then no hacker can intercept the information you supply as it goes between your computer and the site you're connected to.

The increasingly problematic scam that goes on is something called phishing. In this scam, you get an official-looking email from your bank that says something like "To improve the security of our systems, we need you to log in and verify your account information. Please click on this link and do so now to avoid being ripped off by evil scammers." That little link they provide you might even direct you to your bank's web site, or it might send you to one that just looks like it. In the former case, your bank let some hacker get in and exploit their lack of security. eBay and Citibank seem to be the most popular targets for this phishing scam, and I have seen some incredibly real-looking emails from scammers purporting to be eBay and Citibank. (I've also seen ones that are so obvious they make you laugh.)

Now how that warning about opening things from Yahoo came about, I don't know. Maybe people are doing this phishing thing for Yahoo online bill pay or something. If so, the moral of the story isn't to stop using Yahoo online bill paying services. The moral is not to believe some stranger asking you to do anything, any more than you would if they came to your door at home all dressed up in nice clothes.
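The cookie behaviour from item 2, as an added example that is not part of the original post: the cookie alone is enough to be recognised as a returning visitor, but buying requires a recently entered password, so a copied cookie does not let someone shop. The `Shop` class, its methods and the 300-second window are hypothetical.

```python
import hashlib
import hmac
import secrets

REAUTH_WINDOW = 300  # seconds a password entry stays fresh (assumed value)

class Shop:
    """Hypothetical site: the cookie identifies you, spending needs a fresh password."""
    def __init__(self):
        self._users = {}     # username -> (salt, password hash)
        self._sessions = {}  # cookie value -> {"user": ..., "authed_at": ...}

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _password_ok(self, user, password):
        salt, stored = self._users.get(user, (b"", b""))
        return hmac.compare_digest(stored, self._hash(password, salt))

    def login(self, user, password, now):
        """Return the cookie value the site would set, or None on failure."""
        if not self._password_ok(user, password):
            return None
        cookie = secrets.token_urlsafe(32)  # random, so it cannot be guessed
        self._sessions[cookie] = {"user": user, "authed_at": now}
        return cookie

    def greet(self, cookie):
        """Low risk: recognising a returning visitor needs only the cookie."""
        session = self._sessions.get(cookie)
        return f"Welcome back, {session['user']}" if session else "Hello, guest"

    def reauthenticate(self, cookie, password, now):
        session = self._sessions.get(cookie)
        if not session or not self._password_ok(session["user"], password):
            return False
        session["authed_at"] = now  # remember when the password was last entered
        return True

    def buy(self, cookie, item, now):
        """High risk: refuse unless the password was entered recently."""
        session = self._sessions.get(cookie)
        if not session or now - session["authed_at"] > REAUTH_WINDOW:
            return "password required"
        return f"ordered {item} for {session['user']}"
```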
Google is your friend on a lot of this stuff. If before falling prey to that alluring Citibank mail, you type in "Citibank scam" to Google, or you go to Citibank's web site and look, or you send them mail asking "is this the right thing to do?", you will not be taken in. For example, here is the first Google hit on the words "Citibank scam". Now, it's time to leave my public geeky persona, and go back to my secret life as a gentleman farmer.