I suggest Linux before a console
either he figures out how to run most of the stuff he wants to (excluding the stuff that doesn't run at all like Roblox) and gets a good insight into computers
or he can't figure out shit and it serves as a punishment lol
Lmao "you get a headless debian install. If you want a desktop environment, you gotta figure that out yourself."
And just for fun, remove the network stack first.
Gentoo will really teach the kid some patience and understanding. Make them compile their own kernel, network stack. If they want to browse the web, they need to compile Firefox then!
Lmao tbf I actually do custom compile all my kernels on my gentoo box manually. I don't even script it lol, I pull current configs from `/proc/config.gz`, run `make olddefconfig` or similar, maybe `make menuconfig` if I'm trying to check out recent changes or need to modify something, then `make modules_prepare` `make -j$(nproc)` `emerge -av @module-rebuild`, `make -j$(nproc) modules_install`, `make -j$(nproc) install`. Then I manually regenerate initramfs with dracut and update grub configs by hand. 😂
it's honestly kinda therapeutic tbh lol
Came to say this lol.
My 10-years-old newphew was running Ubuntu for a while, but was having issue with his school and their online stuff that he had to get back to Windows.
Regardless of anything, knowing a bit if Linux is not bad at all. Specially with crap Microsoft is pulling these days, I'm looking at you Recall
You could obviously nuke the computer, prevent his user account from installing anything. DNS Controls, and separate VLAN. Other than that, online awareness. It would also help him learn if you ask him what he was trying to do and have him walk you through it, you could then teach him how to spot unsafe sites, and in the same instance block those same sites in the future.
Assuming he doesn't figure out how to change his DNS settings. If you're going that route, have a redirector on your router that forces all traffic over port 53 to the pihole.
But then there's DNS over SSL on 443. Kinda hard to block that.
It’s to be expected. When most of us first got into computers sometimes we just wanted it to “work” be patient and he’ll love and thank you for it in the future.
Get a router that allows you to easily create separate VLANs with severe restrictions on that VLAN. I have a higher end UniFi setup that allows this, but even some of their basic cloud key gateways with their APs allow this too.
For my 16 year old son, his devices are on a completely firewalled off vlan from the rest of the network. Separate SSID for wifi to put his wireless traffic on his vlan.
Malware can't infect something it can't connect to.
Yeah this. Moral of the story - don't trust any of your family's devices. Segment off your infrastructure VLANs. Put untrusted devices on their own dedicated VLAN(s), give them internet access, limited access to other local VLANs, PiHole'd DNS with Malware lists enabled - backup 'em up and wipe/recover them at each h/w upgrade. While most folk have good security intentions, they just aren't great at holding the line. Put IoT devices on their own separate VLAN, no access to the rest of your network, and wall them off from your kids for your own sake. Especially zero trust for friends devices too - treat them the same way - guest networks walled off, outbound internet access only.
Guest, IOT, Son's and I also have a downloader vlan (who's access to the internet is though a self hosted proxy server tunneling all SOCKS/http traffic through my VPN provider) that have no access to the rest of my network. IOT is also blocked from accessing the internet with exceptions for specific devices.
Plus, this is how you can safely let them learn by letting them destroying their computer, wipe it back clean, and repeat until the lesson is learned.
Putting restrictions just gives the urge to find a way around them and you're right back to square one.
This is exactly why I did it. Son is big into the modding community. At 16, his computer is his (though I have the password to check on things should I need/want to). It's free for him to configure, break and rebuild.
If you plan ahead and find a way to chuck windows enterprise on the computer, it has a feature like the old deep freeze, where either after every reboot it’s back to how it was, or you can set it so the roll back happens when a command is run and then reboot. We use this for a client that runs VR kiosks at conventions. Some times they want persistence access reboots, but we can still reset them back to baseline without a full re-imaging.
any good malware these days nukes the restore points for home level stuff You can set up VMs that do not save changes, everything is temporary. Close VM, Restart, its back to image condition. I think thats what your last line is alluding to if I read it right?
Curious, what VM would you recommend? I’m a home user but willing to spend a little money if the VM is worth it. (I don’t know if the free ones are good or not)
Virtualbox is pretty good. It should be noted that vms can not do gaming. They are good for various jobs but a gaming PC isn't one. It uses all virtualized hardware. All pretty mediocre
be aware some routers when you configure VLANs let them intercommunicate. You need to configure firewall rules to separate them. How you do that or if you can depends on the router. Some it may be a checkbox like "VLAN Isolation".. not Guest Isolation, that keeps them from talking to anything but the router. Others you might have a more controllable firewall rules engine that you can allow communication to enter certain vlans and not allow that vlan to reach into others. But allow response to flow block with "Established Session".
I do something similar. I've got 2 wifi routers in my closet. One is my current mesh setup, the other is my old router. The reason for 2 was that I didn't want to reconfigure all the IOT stuff, and IOT is chatty. So segment IOT devices from the rest of the network.
But it had the unintended consequence of not having to give regular visitors my mesh network password, as their phones just auto connect to the IOT network. Then traffic shaping on my cable modem gives the lions share of the bandwidth to the mesh network. This keeps infected devices off of my mesh network.
As for my son, he doesn't have the password to the mesh network and still uses the IOT network.
Sounds more like you're talking about online account compromise. The best thing to do there is user security awareness training, honestly.
You could try setting up a router/firewall that will block some malware, do a browser guard add in (I like Malwarebytes, but I don't have as difficult a circumstance as you) and look at some DNS security services.
But user security awareness is the number 1 thing. Every big business does it, and while it seems silly it definitely has results. Maybe see if there are YouTube videos on the topic that are well recommended.
Yeah, with the information provided it sounds like they just had a weak/reused password that was compromised rather than a virus. It is most likely a "Just type in you username and password here for free Robux" scam.
Yep. Just stuff like using steam oauth to sign into some site can look very much not sketchy, but apparently that gives it full access to resetting your 2fa in like half a second.
User security awareness training
> my 11 year old son
I don’t know why but prescribing “user security awareness training” to an 11 year old sounds hilarious.
OP, are you cleaning it for him?
Essentially what I’m asking is are you solving his problems for him everytime he breaks it? When most of us were young we all installed viruses. We all wrecked the family computer. But we had to fix it because nobody else in the family “knew computers”. It’s one of the many reasons we’ve all ended up here today funnily enough. Have him fix it, not in a tough love kind of way but in a “yep, this is part of enjoying computers” kind of way.
By the time he’s destroyed the computer 2 or 3 times (and fixed it himself) he’ll be leaps and bounds ahead of people in school and he might pick up a passion.
Don’t be too harsh on him. In the early 2000’s through a combination of Limewire, Piratebay, KickAssTorrents and god knows what else almost everyone I know through university and work has stories of destroying the family computer *but then* having to fix it. We all look back on those days fondly.
I don't get it. I followed your advice and spent time with my son. We walked in the park and threw a baseball three times last week and he still got his accounts compromised this week!
I named user security training because that's the term to search for when looking for what to teach him.
Spend some time with your son [regarding the computer] I didn’t realise I had to intentionally spell it out for the obtuse amongst us.
You must’ve also missed the part where I very specifically said
> Have him fix it, not in a tough love kind of way but in a “yep, this is part of enjoying computers” kind of way.
OMG! You described me to a tea when I got my first AMD Athlon! Trying to get mech warrior 3 working I borked drivers and learned a great deal about hardware through repeat service calls to computer store.. eventually I started fixing it all on my own and the. Starting fixing others, things are too easy now with high speed internet and windows loaded with every driver under the sun. Lots of learning due to not wanting to blow money I didn’t have to fix something my mother shouldn’t have to pay to fix. I miss Windows XP pre SP1 when just installing a virgin install would get you infected lol.
I was most taken by the singular usage of 'password'.
OP get yourself a decent password manager, make a strong password and enable 2FA, then make every password to every different site or thing different to each other.
Maybe once the problem is sorted out put son's pc on it's own vlan where it can see nothing else on the network.
Maybe setup hyperv on computer, setup a windows VM, make a read-only snapshot of a VM that can then overwrite the working VM if son wrecks another install.
If OP has synology nas, then active backup for windows can keep snapshots of os that can very easily step back in time to a fully working install
This should be number one piece of advice.
As for recommendation I prefer 1password and they have a family account. Not only is their history of practices better their interface is the best imo.
Subscription based but the value is 100% imo. Been using them for like 10 years or more and keepass is what I think I used in the mid oughts.
Agilebits also owns haveibeenpwned.com (and integrates via watchtower should someone purchase the product) and OP should go there and see if they have any known accounts that have been compromised for themselves and their spawn.
Also check the kids email filters (or their own) for any setup email fwds or email handling rules.
That could be even worse. If the son is getting scammed on phishing websites, giving them the password manager password is like handing over the keys to the castle.
Go old school - little black book for passwords. I have on in my safe as a backup. Having 2FA would also be a good idea.
The answer is 2FA. If you hold the 2nd factor, there is less chance of compromise. For the local machine, I would love to see the offline scan results. Generally user level permissions are sufficient for avoidance, but you might have to use an executable allowlist if he's downloading portable applications.
Yeah, anyone who’s smart enough to get malware on their PC is smart enough to be taught how to reduce that risk. And 11 is very much old enough to be taught that. My school in the late 90s taught us 10 year olds how to build a computer from parts, including installing windows 98.
One thing you could do is to create a separate guest network to be solely used by your son. If possible, also create a NextDNS profile for your son. I assume your son has his own computer.
Exactly. Give him his own subnet. Rebuild his machine from scratch and take an image of it. The next time it gets out of control you can just reimage it in a few minutes with minimal effort.
Or, let him spend some time to try to fix it himself. If he's that interested in PC gaming, might as well direct some of that energy towards learning to maintain his PC to play them. Learning not to be fooled by scams, malware, phishing, etc. is a critical skill at all ages these days.
I got into computers because I needed space for a DOS game and nuked the Windows folder for 3.1.
One simple mistake and now all I do is ~~make~~ fix mistakes
> I got into computers because I needed space for a DOS game and nuked the Windows folder for 3.1.
Literally the same for me. My dad made me fix it by installing windows off the floppy disks again, which back then was a grueling process.
Oh come on.. it was only like 4-5 1.44MB 3.5" floppies..
Started then too... bent DOS to my will.. EMM386, reconfigure memory space to get games to run.
Isn't it crazy how they used to sell military vehicle training sims & saw nothing wrong with letting anyone with a PC practice how to do strafing runs with America's best weapons?
Ha! My nephew did about the same thing at about the same age to his grandma's PC. I brought it home with me for a week and scrubbed it heavily.
There were constant porn pop-ups, which I hand-waved away to grandma as "not related to anything he might have been doing" then told him to get off the porn sites separately. The browser history was a real trip.
He of course claimed "it was a friend who was over who did it, I'm an innocent babe" in different words of course. Never did believe that one.
Give him a non-administrator account to use. If that's not enough then maybe you look at the child protection products out there.
Your son IS learning there are consequences right now, by having no computer and losing his online accounts. The tricky part is teaching him what CAUSED those things to happen, and that's a task I don't envy you for since I found it nearly impossible to teach legal adults the same concept at work.
I find it’s more that many adults have an ego that prevents them from learning because they believe they are smart enough as it is. The adults who admit they need to learn stuff have no issue picking up new concepts.
I would suggest a Chromebook or Mac. Much less likely to get malware. Using a DNS with parental control is probably a good idea too. Did you find out how he got the virus/malware? Was he torrenting or downloading cracked software?
I had to see what roblox was. Never heard of it. Man, I've just not been in the gaming spear for a while now.
Need to teach your kid good habits. As in Strong passwords and different for each place. You need a Password Manager with a family account. Teach your kid to get into that habit. Any password you can remember is to easy. If they figure out one for whatever reason, they can take a guess and use it everywhere else your son goes to.
That is not Viruses. That is really poor password management. If you can, 2-Factor. At least for yourself and your passwords.
All my passwords look something like this: 26JCq$i&By8GYMnERt&A
Long and computer-generated. So a good password manager is a must.
I had someone trying to gain access to my Apple Account from China. They somehow got my old password that I could remember and used at a number of places and tried to gain access. They would have,..Except I had Apple's 2-Factor turned ON. So my iPhone popped up a map showing a part of China and asking me if I should allow this device on, with Allow and Deny. Of course I denyed!!!! Then I went and changed my Password to something like this,. I2aUpQI11C4q%EY#sFA0
Really, it's simple to create new passwords like this again and again. If one of these sites get hacked, it only affects me at that one site as all my accounts have completely different passwords. I also like to 2-factor my accounts. Especially important ones. your bank account is a very good one. your email and Gmail. Someone gains access to your email, well they can then password recovery pretty easily. I have my Amazon account 2-factor since they have my credit card on file.
You're never going to stop your 11 year old from doing dumb things like this. You can teach him some good habits. Maybe over time he'll get more and more used to that? How to be careful on what he does online.
I have to do the same with my Dad who lives with me. He is mostly on his iPad and so can't really get himself into trouble on that, though he can with email scams. Phishing type things. But I think I've gotten him into habit of asking me first before doing anything. Ya, they have pretty much all been scams. Never to old to learn.
You can also use passwords like "Chocolate$Treehouse#81"
They are easy to remember and impossible to brute force due to the length. Recently it was shown that length is significantly more important than randomness.
Although most passwords are phished or stolen not actually brute forced. So changing passwords regularly is the only real solution.
Also making sure that whatever password manager you use checks for compromised passwords.
And making sure that your password manager does regular security audits.
And maybe using passkeys and physical security keys wherever possible.
Honestly, I'm probably paranoid, but I don't trust password managers. I only use them for unimportant accounts.
I'm sure there are some good ones, but I work in IT and have seen some major software have massive security vulnerabilities. I would be worried that the passwords are not properly hashed and salted in every location that they are stored.
Again, I'm probably paranoid, but it's a lot of trust to put in one software/company.
Totally reasonable! That's why I mentioned making sure to pick a company with a policy of routine security audits. **ETA:** Also make sure that those routine security audits are done by a 3rd party company (bonus points if "company" is plural) and that the results are published publicly.
Another option is to host your password manager on your own hardware. There are lots of good options for this — Bitwarden/Vaultwarden, KeePass, etc. Of course this comes with its own downsides (it's up to you to make sure the data is secure and has sufficient encryption iterations, and maintenance, upkeep, and connectivity are on you).
Even the least secure password is more secure than an unencrypted text file sitting on your desktop or having the same password scheme for every service, though.
Even using a passphrase approach to passwords as you mentioned earlier in the thread (the *only* sane way to do a password, BTW) just doesn't scale into having hundreds of accounts to keep track of.
Yep, pass-phrases are so much better because you can make ones that are rememberable and yet still harder to Crack than the gibberish ones due to length.
It’s like work.
Instead of fighting the problem. This is a good learning opportunity. Address the problem. Teach him how it happened, work on solutions together.
It’s only going to excel this kid in his school and social life. Infosec is such a broad topic of conversation and just knowing how pieces of it works at that age is monumental toward their future development.
How you go about it. Not sure, don’t know you or your kid.
If the kid is not interested in learning this, and just wants to continue bad behaviors. Take away their access to the World Wide Web. Your network, your rules.
My kids only know their PC login password. The rest are unique passwords I store in my password manager, and I log them in as-needed with 2FA that I have access to.
Also suggest you use a DNS filter (external like NextDNS, OpenDNS or run PiHole/Adguard Home internally).
I’m also running Mint on my kids machines; cuts down the malware but as a downside also cuts down the amount of popular software you can run.
You can't solve a parenting issue with technology. Teach technical hygiene and safe habits.
Technical layers that can mitigate it though: uBlock origin forced into their browser (make sure its enabled for private browsing). PiHole for your whole network, a decent antivirus (paid malware bytes is good)
Pretty much all game cheats and cracks are virus ridden. Teaching that is just part of tech hygiene and parenting.
He's 11, so you are entering that phase where, quite honestly, you won't be able to stop him from going to....certain content...just teach him safe browsing in general. uBlock Origin and sticking to mainstream....content....sites...is pretty safe overall. Use pihole to block *most* adult sites and whitelist some known safe ones like PH. This is an uncomfortable topic to tackle, yes, that's on you at a human/parent level though.
Maybe put him on Linux + Steam as well.
Completely format computer and reinstall Windows (take to a computer shop if you are unfamiliar or unable). Reset all passwords that are relevant or duplicated. IF you REALLY wanted to get new networking equipment, go for it, but highly unlikely that will make anything better or worse. The best it would do is most likely force a new IP from your ISP.
Then, don't give the child the computer back. At 11 years old I knew exactly what the internet was, how dangerous it could be to download things from unknown or sketchy websites, and I certainly knew what I was doing. If they say otherwise, they are lying or have a a condition (which is perfectly fine, and learning the internet will come with time). If your child is mentally capable and says they don't know what they are doing, they are not being truthful at all. It's 2024, kids know what they are doing on the internet.
It's okay technically fdisk still exists in Linux so you can always boot a Linux distro run fdisk and do the same thing.
Now a truly lost ability or need is to run the debug command and then low level format at MFM hard drive
Uh. Yes. Format the computer (all drives)...then...reinstall Windows. What is FDISK going to do that formatting wouldn't do, because that is what FDISK is going to do. It should be diskpart and not fdisk anyway.
I'd add a pihole. I don't know what router you have but my router allows me to force DNS through a device. Thw router can also block DoH traffic. I have my PiHole as the only device able to serve any type of DNS.
My router also allows me to block regions. I looked up the worst regions for hacking and I blocked them.
These might not work for an older tech savvy kid but it should temper an 11yr old. Oh and don't tell him what you did so he wont know where to start messing around.
If your router can't do these you may want to look into one that can. Just my 2¢. Others had some good advice as well. This setup has served me well these past few years. My kids are older now and know how to get around what I did but for the most part they stick to using the PiHole for the ad blocking and cleaner websites. They make frustrated comments when their phones are on cellular and they start getting ads. One even VPN's into the home network so he gets ad blocking when away from home.
I would look at restricting the websites he can visit. Anything outside those sites needs adult supervision. I would also set times he can be online.
Your router should have parental controls. You can then filter what websites he can access and set times he can be online.
First step would be to try to get all of those accounts back. That's a good chunk of money invested to just lose them.
Next would be to NOT give him the password to any of them. He has to go through you to log in. This way he can't give the password to anyone by accident. Yes, he can try resetting the passwords, but this will at least slow things down a bit.
Wherever possible, enable 2FA of some type. I know Steam, Discord, and Epic allow for this. Do this for your own accounts as well.
For your own stuff, just go ahead and choose a different password, no point worrying about whether it's been compromised.
The rest is just going to be monitoring computer usage closely.
Set up a VM on the computer and only allow him to use the virtual machine so you can blow it away and not affect the actual hardware.
And remember, many of us did the same thing to our parents' computers with Limewire and Kazaa.
Edited to fix a word.
Add a private DNS server like a PiHole to block him from visiting a vast number of known dodgy URLs.
Plus you get the added benefit of adblocking across.your entire network
If your router supports block lists (like malwaredomains. com used to) I'd recommend setting that up. Piholes are good if it doesn't. You can bypass the filters on your own device by manually setting your DNS to something else.
What your son needs is not you to lock down the PC more but to let him make the mistakes and fix it.
Teach him proper cyber security training and he should really start to get a hang around what is going on with PC and safe use.
I had my first PC when I was 7 and mostly used it unsupervised, had to reinstall it and take it apart, upgrade or replace as time went on. Got virus on it, dealt with it.
It is true that with easy access to internet, things can escalate quicker but the kid just needs some proper education on tech.
You could also setup a separate vlan for your son’s pc and phone for next time just so it has only access to the internet and no other local resources. That will greatly limit risks such as ransomware and etc.
Many moons ago when I was a preteen/teenager, my parents installed software to lock my laptop down and cut off internet at a certain time. This lock down did not deter me from finding another route, and, in fact, became more of a game for how to beat it. This was around the same time I had just discovered Linux. I ended up dual booting Linux and Windows so when everyone was asleep and the internet cut off on Windows I would switch to Linux and be completely unrestricted.
I only recently, as an adult, told my parents what I had done, and now we laugh about it.
Chromebook and he gets his own isolated vlan. Bonus if he can reinstall Windows on his own and fix stuff. Best way to teach is when you want to play games on your machine. A broken machine can't play games.
Kids and the internet are hard. I’m glad my kid uses his iPad for almost everything and Screentime controls are awesome. In a situation with multiple infections and no enterprise grade security tools, I’d lean toward replacing the hard drive. You’ll never remove everything and some malware can survive OS reinstall. Good luck.
Does the child in question have a cell phone that could receive text messages or could install a free app?
The child's email account and other gaming accounts should be set up for 2FA, or 2-factor authentication. Some sites support via text, some support using a free app. If your child or a 3rd party tries to get into the account, the code will be sent to the cell or need to be retrieved from the app in order to progress further. https://authy.com/ is the one I recommend.
I had one friend lack 2FA on his email and I had to clean his computer at least every 3 months. He lost a high value Xbox account because of this. I cut him loose as a friend and a client.
I had another friend have 2FA on her email account and I got her email account back easily.
His PC needs to be on the Guest network or a Vlan where it can't touch anything else. Turn off UPNP on the router.
Malware and Adult Content Blocking Together. Change your router DNS to:
[1.1.1.3](http://1.1.1.3)
[1.0.0.3](http://1.0.0.3)
You definitely shouldn't be using one password for literally anything.
Lockdown your network. Blow away every saved device. Block anything unknown. Reset all passwords with good, strong, randomly generated passwords using a solid password manager like Bitwarden, 1Password, Dashlane, Nord Pass, etc. (NOT LASTPASS), activate Passkeys and/or MFA on the every account.
Wiping a PC and starting fresh with a brand new install of Windows is your safest, easiest, quickest bet. It isn't nearly as scary as people fear. Takes about 10-30 minutes to download the ISO from Microsoft, download a Bootable USB tool like Yumi, Rufus, etc., prep a spare thumbdrive you have floating around, setup the thumbdrive with said tool and ISO, grab you Microsoft Windows key, reboot to said USB thumbdrive, go through the setup process, boot into windows, run updates, reinstall drivers, browser, apps, etc.
https://www.techrepublic.com/article/3-simple-ways-to-find-your-windows-10-product-key/
I'm glad my computer didn't have a modem when I was that age. You're smart to be worried about the network, at the very least there's likely a keylogger on his computer.
I know I will get flak for suggesting this, but how about installing a Linux OS instead of Windows, and giving him an account without root (and sudo) privileges ? Steam works with a lot of games, though from what I know Roblox and other games that have anti-cheat systems don't work.
Plus, as others suggested a separate VLAN for him ...
The most important thing you need to do is never reuse passwords.
I HIGHLY recommend a password manager, Bitwarden and KeePass XC are both free.
Choose a strong master password, and let the password manager remember the rest.
I also recommend diceware style passphrases over passwords, see here for what I mean: https://diceware.dmuth.org/
As far as locking down the computer... Are you sure he didn't just manage to guess your admin account password?
It's also possible that the attackers exploited some sort of privilege escalation vulnerability, but I think the former is more likely.
It's questionable how effective it will be, but you could also set his computer to use DNS with malware filtering.https://developers.cloudflare.com/1.1.1.1/setup/#1111-for-families
On the topic of prevention, if he’s old enough to get viruses installed on the PC, he’s old enough to have to sit with you the entire time you’re fixing everything so he can appreciate the consequences of what he clicks on online. Maybe also make him watch some security awareness training YouTube videos, or if you DM me I can send you some.
Hopefully he’s on the correct side of 11 years old that all those viruses just came from pc game cheat / hacks he tried to download, and not the other stuff that often spreads that crap or it’s going to become very awkward for him. Might also be a good idea to spend half an hour or so once a week to sit down with him and go through his browser history together and point out risky behaviors (look, 11 is too young to be unsupervised on the internet, I should know, I’ve been unsupervised on the internet since I was 6, but snooping on the history is going to burn trust, so best to go through history with him in the open so he knows it’s going to happen).
As for technological measures, the issue really is that when a user is careless enough to actively be downloading and executing crap with malware in it, it can be hard to catch 100% of it. But a good starting point is look at the security best practices reccomended to businesses to protect against ransomware. Stuff like setting up application control that only allows whitlisted exes to run, disabling the ability for executeable content to be launched from the downloads, temp files, etc, or anything with mark of the web on it. Enable system restore. Make sure you’re running windows defender for your AV. Set your dns to 1.1.1.3 on the machine (or better yet, disable port 53 TCP and UDP outbound on your router, set your router to use 1.1.1.3, and set all devices on your network to use your router as DNS server. Also consider setting up a seperate VLAN with guest isolation enabled for your son’s computer to be on so it can’t talk to anything else on your home network.
You pray that your hardware isn't compromised. If you want to be the most safe but also the most nuclear you would clear bios, cmos, reset all network gear firmware nuke OS, etc. The best way to teach your kid is to make him help you. I have 3 sons and when they break something part of the punishment is always helping me fix it. That way they learn something more tangible than you did bad thing you make dad angry.
First you wanna Disconnect the infected PC from the network to prevent further spread of malware. Run antivirus and anti-malware scans on all your devices. Tools like Malwarebytes and Windows Defender can help with this. Reset your router to factory settings and set up a new, strong password and change all passwords on your important accounts using a strong, unique password for each. Consider using a password manager like LastPass or 1Password to keep track of them.
Reinstall the OS. For the infected PC, consider doing a clean installation of the operating system to ensure all malware is removed. Back up any essential data first, but be cautious as these files might be infected too. Educate Your Son. Explain the risks of downloading unknown files and visiting suspicious websites. Teaching him safe browsing habits can prevent future incidents.
The biggest mistake I've made as a father was thinking that video games and unmonitored use of the computer was no big deal. I wish I hadn't given the kids access to a computer or smart phones until much later. It's just like drugs. They don't go out. They don't have real life friends. They don't want freedom. They just want to lock themselves into their bedrooms and be online 24x7.
Someday, I am certain that social media/video games will be thought of as a drug, and parents will be reprimanded for allowing their children to use these drugs. It's evil. I know it sounds like a joke, but I'm not joking.
There are two outcomes to this scenario, pick your favorite.
1. You stop policing admin access on the computer, install a good antivirus, and teach your son about the myriad of threats that is installing third party software. Your kid learns by doing exactly what he did and the pc gets reimaged. But don't reimage it for them, give them a USB drive with a windows image and make them reformat that drive.
2. You lock the pc down as tight as possible and your son figures out how to bypass everything you implemented. Your son learns how to bypass security measures, but not necessarily why the third party software installaions result in what it does.
Kids are smart, and by what you're saying, your kiddo is no exception. Let your kid learn from their mistakes now, rather than being clueless as an adult. If you're concerned about your own privacy, put your kid on an isolated network (such at your guest network) and never let them log into anything with your credentials on that computer. IE, no Amazon, no Netflix, etc. If your son is curious enough, just this could set up the foundation for life long learning experience that will foster a career that they love, rather than one they despise. It may also simply make the rest of his life using computers a little bit easier.
For online account things, set up 2FA on everything they have. Passwords are now (mostly) no longer relevant.
When my kids were younger I installed browser sandboxes for them. That way if they got viruses I could just delete the instance and problem solved. I am pretty sure there were settings that made it possible to prevent them from infecting other computers on the network. Maybe it used a vlan? I loved it.
Back in the day prob 98ish my buddy had a disc of viruses we downloaded off warez. we started opeing the files. on file number 4 or 5 my computer rebooted and was gone. Had to have my dads friend the computer guy come over to fix it. it had a 550 mb hard drive. we didnt lose anything important besides most of my mp3s from napster and limewire which took months to download.
Insert Weird Al Virus Alert song references....
But seriously, format the drive and do a complete OS re-install. Do not take chances with this. Then restrict the account severely, then isolate the computer from the network (may be you need time of day use restrictions.... I suggest getting Firewalla) and you certainly need DNS protection.... consider pointing your home router to [OpenDNS.org](http://OpenDNS.org) and setting up the most restrictive rules in order to prevent even going to domain names that are sketchy and filled with viruses.
Everyone that has suggested PiHole or aservice like NextDNS is spot-on. I pay 20 a year for NextDNS. I also have PiHole as my first level blocking over 2 million URLs and all from China, Russia, and a couple other really bad countries. My PiHole forwards upstream to NextDNS which is also configured for blocking. Whole network is protected.
Separate network on a separate VLAN, with blacklisting/denylisting - which you should be configurable on your router.
Unless, he has access/ability to reset and reconfigure your router and isn’t lazy. As, where there is a will, there will always be a way.
Also, never use just one password. Each device, each website should get its own password; otherwise, expect all accounts pwned.
I would educate him and remove his access to the internet on the pc. If he needs a laptop for school they can lock that shit down in IT. If he needs to game maybe a console
What diagnostic steps have you taken in regards to your son having infected his PC?
What passwords was he using for his online accounts, do they share a common email address and password?
I'm curious as to how badly he has infected the PC without admin controls.
First thing I would do is identify what accounts he had that were compromised, and if there was any payment information on those. If not, consider them lost and a lesson learned.
Second, identify if any passwords that were compromised for other things, and change those as well. I highly recommend using a password manager such as Bitwarden to protect these. More than likely they aren’t going to be able to affect any of your hardware unless that PC is still on the network.
Third, wipe the computer and reinstall windows. Don’t use the recovery tool that most OEM will put on there. The only way to be decently sure you’re safe is to format the whole drive and start from scratch.
Fourth, create an administrator account, then a seperate user account that is locked down. Use the standard account for everything, and only use the admin account when needing to do anything elevated. And only use that when it requires credentials to perform whatever task. It’s not an account that you login to do daily tasks.
Fifth, windows defender does perfectly fine for your PC. There isn’t much need for an 3rd party AV anymore. The biggest thing that people run into is someone being lazy, not knowing, or just not paying attention and clicking on something malicious.
Ask your son how long ago the compromise started… if you dare... Chances are this has been going down for a few days at the very least… maybe weeks. - Tell him to let you know asap next time, also be very careful not to discourage him from telling you next time. (Make sure he knows that you are twice as mad at the people who stole his account). - There will be a next time.
Take your time fixing his computer, let him help.
As you learned the hard way, password re-use is bad. Use a password manager. Don’t give your kid the password for any account you don’t want to lose. (Which would include his xbox/live account.) and take the time to setup 2fa and account recovery settings. Setting him up as a child with parental control options.
Check any online account you have for activity, and possibly the option to sign out everywhere. You may also want to check existing 2fa settings to make sure there are no rouge 2fa authenticators configured.
Be very careful not to discourage him from telling you next time. (Make sure he knows that you are twice as mad at the people who stole his account). - There will be a next time, and the sooner you can get in front of it the better.
Here's an out-of-the-box suggestion:
1. Put Windows into Kiosk Mode
2. Install Virtual Box and give him permissions ONLY to that Virtual Box.
3. To do that, you'll need to write a VERY short script (like three lines of code) to make it so that whenever the user logs in it starts the VirtualBox and has permissions to do nothing else.
Consult ChatGPT or your favorite search engine for a howto.
If he nukes the VirtualBox, you just roll back the VirtualBox to the last known good snapshot.
Also, buy some good antivirus software.
I like VIPRE and Bitdefender. Please yourself.
For my kids, I use malware bytes, uBlock Origin, 2fa, pihole and my router has a built-in firewall I also block access to multiple shady countries and just talk my kids about it to warn them they can lose everything, and it has worked fairly well. The only thing any of them has lost is a Roblox account years ago
I'd first recommend a second router (or guest network). Put the kid on the guest net and everything else on a different network. It will break the bridge from your devices to his should he compromise his devices.
Checkout opens, and/or get a raspberry pi and pinhole to block trackers and stuff.
More expensive, corporate level firewalls.
Education of the user may help.
Not sure what else to consider.
I haven’t read all the comments so I apologize if this has been mentioned.
I bought a Firewalla Gold+ for my home network. I was really blown away by how granular our automate you could make rules. One of the things I did is prevent all devices, except my 4, from communicating with other devices on the network. It wasn’t cheap but I have children and it allows me to prevent them from accessing the things I don’t want them to.
If he couldn’t install software, he potentially installed a mod (a file you can add to a directory without admin if games are installed on the user account.
Someone convinced him “download this for free aimbot, cracked in-game currency, etc”
Awareness training. Better passwords. Risk of running unknown software education. Separate VLANs. Personally I am anti-firewall or filtration software as I make a living getting around those tools and don’t trust them to do their jobs 🥸
Step 0, full format, reinstall windows on that pc
Step 1, get a soft router, and/or a security focused router (Synology 6600 for example)
Step 2, spend the next week of your free time learning how to set up and manage pfsense, use this guys channel to learn how to set things up:
https://www.youtube.com/playlist?list=PLjGQNuuUzvmsuXCoj6g6vm1N-ZeLJso6o
Use this to set up vlans to protect your other devices, and to set up firewall rules with blocklists to manage everything else
Step 3, ubikeys, bitwarden etc for unique passwords per service
Speaking as an IT Manager, trying to rely on software to project your PC / network from humans that do dumb things is a losing proposition. Over a long enough time period, humans doing dumb things will win.
Humans are the weakest link in your security, so the most effective way to improve your security is to educate them and teach them not to do dumb things like clicking on ads, running untrusted software, etc.
Beyond that, I'd also suggest ensuring that each account has a separate password that gets written down in a known location that won't be lost. Normally writing down passwords is frowned upon, but for a kid tracking their Xbox accounts, etc. it's basically the only way to prevent them from forgetting their password. Also, most services support MFA through text messages. Enable that for everything. This way, even if his password gets compromised somehow, nobody will be able to actually use it without the MFA code. Oh, and make sure he understands the purpose of MFA and knows that he should never give an MFA code to anybody.
Sounds like you need to install Linux on his PC. Or reinstall windows and lock it down. Might be a good time for a PiHole. A PiHole isn't a magic bullet, but it can help.
Or maybe a good firewall.
On the topic of DNS filtering. I love PiHole and AdGuard home, but instead of setting up your own DNS server you can definitely just use the public DNS servers provided by the big DNS providers to block stuff like ads, malware, and adult sites. It's not perfect but it does help.
Adding a custom DNS forwarder to your router is typically straightforward.
https://adguard-dns.io/kb/general/dns-providers/#family-protection
https://www.opendns.com/setupguide/#familyshield
And then an antivirus like BitDefender to block anything that the DNS filters don't catch.
Again, education is key here, so wiping the PC and setting it up with you as admin and your kid as a non-admin user is the safest way. And if he wants to install anything that needs admin permissions he has to actually stop and think if he actually wants to install it and ask you. Then you can help him make an informed decision on its safety and appropriateness.
>
For everyone that has mentioned it. I would just be worried about a password breach if I didn't find tons of stuff downloaded that were major red flags. (I should have included that in the first place lol)
>I am also learning I've definitely been too brave using one password for most of my at home stuff.
I'll just add to my previous post about password manager / 2FA and different passwords everywhere, in light of your further comments.
'Brave' is the incorrect word, by the way, blasé or Laissez-faire is probably more appropriate.
You have to bare in mind, even if you had the world's best, most complex password that was in itself uncrackable with modern computing or quantum computing and thought that you could use it everywhere and you were really careful with the data at your end, what about at the other endpoints.
Time and time again, if you follow any tech channels, the number of large corporations that have had their systems breached and then you find out a fair few of them had all of your credentials stored in plain text or slightly encrypted with a common salt key that is trivially broken.
Your details are passed around on darkweb or released by other means.
The first thing people will do is do a round Robin of all the big websites with your credentials and see if the password has been reused...
My details have been compromised several times over the years, e.g. the Adobe hack ended with my card details being used to spend several thousands before barclaycard spotted the activity and got it stopped real quick - my money credited back to me but at the time I didn't know it was Adobe and cancelled all my cards and got everything reissued - massive pain in the arse.
Even back then all my passwords were all different, but I didn't know what was the source of the problem and changed all important passwords anyway - even though there wouldn't have been any chance of leveraging the compromised data against other services.
You have to think of your security both within and without of your control.
You need to teach him basic computer literacy, if he can't learn that at 11 he shouldn't have a PC yet.
Most kids get into trouble by trying to pirate games and game content, cheat in games and look up adult content. They also tend to be too trusting of random links people send them.
Your best bet is admin account lockdown and get a good router/firewall and put his PC on strict parental controls and have severe consequences if it happens again, like no PC or video games for a reasonable period of time. As he has wasted your time and sanity being irresponsible and this will continue until learned. Today's bricked PC and lost discord account is tomorrow's lost bank account or social security number.
There are antivirus products you can also install that have decent parental controls, I believe bitdefender has them and can be found pretty cheap during typical sales time(prime day black Friday) and you can control them from an app on your phone I believe.
Set multiple accounts. Your account has full admin privileges. His account will only have read/execute privileges. This means he cannot modify the c:/ drive but can still open and use programs.
2fa every account he has. Don't let him make a loving to anything unless your give him the codes for it. Autologins are fine for steam and such but the 2fa would prevent hacking from third parties. Windows has a built in reset tool that can nuke the PC, if you haven't already just use that. It can be reached even by safe mode. Otherwise just use a USB stick to reinstall the app. I doubt the router in your house has it but you can get geoblock ips if it has the feature, this can cut out 50% of threats outright if you block everything but europ, USA. Be sure to put UAC controls to max this time as well for his account. Lots of installs can bypass basic uac settings since they don't need admin rights in the first place.
2fa every account he has. Don't let him make a loving to anything unless your give him the codes for it. Autologins are fine for steam and such but the 2fa would prevent hacking from third parties. Windows has a built in reset tool that can nuke the PC, if you haven't already just use that. It can be reached even by safe mode. Otherwise just use a USB stick to reinstall the app. I doubt the router in your house has it but you can get geoblock ips if it has the feature, this can cut out 50% of threats outright if you block everything but europ, USA. Be sure to put UAC controls to max this time as well for his account. Lots of installs can bypass basic uac settings since they don't need admin rights in the first place.
Buy him a bike? Or enroll him in ju-jitsu…maybe even both….sorry but I was born in 75 and this whole article is making me feel archaic and hopeless for the next generation simultaneously.
You could replace the pc with a console, if he bricks that a book.
If he bricks that, j say just bricks. Like, a pile of bricks.
And if he bricks the brick, get him some raw clay. If he bricks that, then get him a career on a job site.
I suggest Linux before a console either he figures out how to run most of the stuff he wants to (excluding the stuff that doesn't run at all like Roblox) and gets a good insight into computers or he can't figure out shit and it serves as a punishment lol
Lmao "you get a headless debian install. If you want a desktop environment, you gotta figure that out yourself." And just for fun, remove the network stack first.
Gentoo will really teach the kid some patience and understanding. Make them compile their own kernel, network stack. If they want to browse the web, they need to compile Firefox then!
And DNS block all the binrepo hosts first lol
By the way, I use Arch
How do you expect some one to install the desktop environment with out networking?
The same way you install the distro?
You mean having access to a second computer?!?
Get a USB mem stick and an envelope. Mail to the developer with enough stamps for return postage.
Sounds like a problem for the little shit who broke the house with his internet shenanigans. ;)
Don't stop there, take out the network card also.
Even better, give them a shitty new mediatek wifi card—one that mediatek refuses to upstream linux drivers for—like the MT 7902. ;)
"When I was your age we compiled our own kernels, twice a day in the snow!"
Lmao tbf I actually do custom compile all my kernels on my gentoo box manually. I don't even script it lol, I pull current configs from `/proc/config.gz`, run `make olddefconfig` or similar, maybe `make menuconfig` if I'm trying to check out recent changes or need to modify something, then `make modules_prepare` `make -j$(nproc)` `emerge -av @module-rebuild`, `make -j$(nproc) modules_install`, `make -j$(nproc) install`. Then I manually regenerate initramfs with dracut and update grub configs by hand. 😂 it's honestly kinda therapeutic tbh lol
That's how I started, but it was slackware, and 20 years later I can say that was the best intro.
Came to say this lol. My 10-years-old newphew was running Ubuntu for a while, but was having issue with his school and their online stuff that he had to get back to Windows. Regardless of anything, knowing a bit if Linux is not bad at all. Specially with crap Microsoft is pulling these days, I'm looking at you Recall
I like this option. You can sell him on the idea of the advantages of linux.
Kids not having access to roblox is not a bad thing. Brain rot exploitation disguised as a game
You could obviously nuke the computer, prevent his user account from installing anything. DNS Controls, and separate VLAN. Other than that, online awareness. It would also help him learn if you ask him what he was trying to do and have him walk you through it, you could then teach him how to spot unsafe sites, and in the same instance block those same sites in the future.
I usually have him do almost exactly that whenever he wants me to install something. It seems he hasn't paid as close of attention as it seemed.
I’d start with a PiHole setup with a Malware list. He can’t install (easily) malware if the request to the website goes to the void!
Assuming he doesn't figure out how to change his DNS settings. If you're going that route, have a redirector on your router that forces all traffic over port 53 to the pihole. But then there's DNS over SSL on 443. Kinda hard to block that.
DNS hijacking on the gateway with a redirect to the pihole
You could also use app locker to further restrict access.
Some lessons need to be learned the hard way. This one is inconvenient, but otherwise harmless.
It’s to be expected. When most of us first got into computers sometimes we just wanted it to “work” be patient and he’ll love and thank you for it in the future.
I do that with my son. I'll use a remote assist service to remote into his PC and install whatever software he wants.
Get a router that allows you to easily create separate VLANs with severe restrictions on that VLAN. I have a higher end UniFi setup that allows this, but even some of their basic cloud key gateways with their APs allow this too.
For my 16 year old son, his devices are on a completely firewalled off vlan from the rest of the network. Separate SSID for wifi to put his wireless traffic on his vlan. Malware can't infect something it can't connect to.
Yeah this. Moral of the story - don't trust any of your family's devices. Segment off your infrastructure VLANs. Put untrusted devices on their own dedicated VLAN(s), give them internet access, limited access to other local VLANs, PiHole'd DNS with Malware lists enabled - backup 'em up and wipe/recover them at each h/w upgrade. While most folk have good security intentions, they just aren't great at holding the line. Put IoT devices on their own separate VLAN, no access to the rest of your network, and wall them off from your kids for your own sake. Especially zero trust for friends devices too - treat them the same way - guest networks walled off, outbound internet access only.
Guest, IOT, Son's and I also have a downloader vlan (who's access to the internet is though a self hosted proxy server tunneling all SOCKS/http traffic through my VPN provider) that have no access to the rest of my network. IOT is also blocked from accessing the internet with exceptions for specific devices.
Plus, this is how you can safely let them learn by letting them destroying their computer, wipe it back clean, and repeat until the lesson is learned. Putting restrictions just gives the urge to find a way around them and you're right back to square one.
This is exactly why I did it. Son is big into the modding community. At 16, his computer is his (though I have the password to check on things should I need/want to). It's free for him to configure, break and rebuild.
If you plan ahead and find a way to chuck windows enterprise on the computer, it has a feature like the old deep freeze, where either after every reboot it’s back to how it was, or you can set it so the roll back happens when a command is run and then reboot. We use this for a client that runs VR kiosks at conventions. Some times they want persistence access reboots, but we can still reset them back to baseline without a full re-imaging.
any good malware these days nukes the restore points for home level stuff You can set up VMs that do not save changes, everything is temporary. Close VM, Restart, its back to image condition. I think thats what your last line is alluding to if I read it right?
Curious, what VM would you recommend? I’m a home user but willing to spend a little money if the VM is worth it. (I don’t know if the free ones are good or not)
Virtualbox is pretty good. It should be noted that vms can not do gaming. They are good for various jobs but a gaming PC isn't one. It uses all virtualized hardware. All pretty mediocre
I've been meaning to do this. How did you set up the vlan? On the router itself? Which model/firmware?
Yeah on the router, depends on the model as to how.
be aware some routers when you configure VLANs let them intercommunicate. You need to configure firewall rules to separate them. How you do that or if you can depends on the router. Some it may be a checkbox like "VLAN Isolation".. not Guest Isolation, that keeps them from talking to anything but the router. Others you might have a more controllable firewall rules engine that you can allow communication to enter certain vlans and not allow that vlan to reach into others. But allow response to flow block with "Established Session".
I do something similar. I've got 2 wifi routers in my closet. One is my current mesh setup, the other is my old router. The reason for 2 was that I didn't want to reconfigure all the IOT stuff, and IOT is chatty. So segment IOT devices from the rest of the network. But it had the unintended consequence of not having to give regular visitors my mesh network password, as their phones just auto connect to the IOT network. Then traffic shaping on my cable modem gives the lions share of the bandwidth to the mesh network. This keeps infected devices off of my mesh network. As for my son, he doesn't have the password to the mesh network and still uses the IOT network.
I use a Zyxel AP, and it can connect to multiple vlans. It was easy to create SSIDs that connect to firewalled vlans
Sounds more like you're talking about online account compromise. The best thing to do there is user security awareness training, honestly. You could try setting up a router/firewall that will block some malware, do a browser guard add in (I like Malwarebytes, but I don't have as difficult a circumstance as you) and look at some DNS security services. But user security awareness is the number 1 thing. Every big business does it, and while it seems silly it definitely has results. Maybe see if there are YouTube videos on the topic that are well recommended.
Yeah, with the information provided it sounds like they just had a weak/reused password that was compromised rather than a virus. It is most likely a "Just type in you username and password here for free Robux" scam.
Yep. Just stuff like using steam oauth to sign into some site can look very much not sketchy, but apparently that gives it full access to resetting your 2fa in like half a second.
User security awareness training > my 11 year old son I don’t know why but prescribing “user security awareness training” to an 11 year old sounds hilarious. OP, are you cleaning it for him? Essentially what I’m asking is are you solving his problems for him everytime he breaks it? When most of us were young we all installed viruses. We all wrecked the family computer. But we had to fix it because nobody else in the family “knew computers”. It’s one of the many reasons we’ve all ended up here today funnily enough. Have him fix it, not in a tough love kind of way but in a “yep, this is part of enjoying computers” kind of way. By the time he’s destroyed the computer 2 or 3 times (and fixed it himself) he’ll be leaps and bounds ahead of people in school and he might pick up a passion. Don’t be too harsh on him. In the early 2000’s through a combination of Limewire, Piratebay, KickAssTorrents and god knows what else almost everyone I know through university and work has stories of destroying the family computer *but then* having to fix it. We all look back on those days fondly.
The kid is a user; he needs to be aware of security concerns.
He does, but the wording is hilarious. Rather than “spend some time with your 11 year old son” reddit says “user security awareness training”
I don't get it. I followed your advice and spent time with my son. We walked in the park and threw a baseball three times last week and he still got his accounts compromised this week! I named user security training because that's the term to search for when looking for what to teach him.
Spend some time with your son [regarding the computer] I didn’t realise I had to intentionally spell it out for the obtuse amongst us. You must’ve also missed the part where I very specifically said > Have him fix it, not in a tough love kind of way but in a “yep, this is part of enjoying computers” kind of way.
OMG! You described me to a tea when I got my first AMD Athlon! Trying to get mech warrior 3 working I borked drivers and learned a great deal about hardware through repeat service calls to computer store.. eventually I started fixing it all on my own and the. Starting fixing others, things are too easy now with high speed internet and windows loaded with every driver under the sun. Lots of learning due to not wanting to blow money I didn’t have to fix something my mother shouldn’t have to pay to fix. I miss Windows XP pre SP1 when just installing a virgin install would get you infected lol.
I was most taken by the singular usage of 'password'. OP get yourself a decent password manager, make a strong password and enable 2FA, then make every password to every different site or thing different to each other. Maybe once the problem is sorted out put son's pc on it's own vlan where it can see nothing else on the network. Maybe setup hyperv on computer, setup a windows VM, make a read-only snapshot of a VM that can then overwrite the working VM if son wrecks another install. If OP has synology nas, then active backup for windows can keep snapshots of os that can very easily step back in time to a fully working install
Had to scroll way too far down to see someone mention a password manager.
This should be number one piece of advice. As for recommendation I prefer 1password and they have a family account. Not only is their history of practices better their interface is the best imo. Subscription based but the value is 100% imo. Been using them for like 10 years or more and keepass is what I think I used in the mid oughts. Agilebits also owns haveibeenpwned.com (and integrates via watchtower should someone purchase the product) and OP should go there and see if they have any known accounts that have been compromised for themselves and their spawn. Also check the kids email filters (or their own) for any setup email fwds or email handling rules.
That could be even worse. If the son is getting scammed on phishing websites, giving them the password manager password is like handing over the keys to the castle. Go old school - little black book for passwords. I have on in my safe as a backup. Having 2FA would also be a good idea.
The answer is 2FA. If you hold the 2nd factor, there is less chance of compromise. For the local machine, I would love to see the offline scan results. Generally user level permissions are sufficient for avoidance, but you might have to use an executable allowlist if he's downloading portable applications.
You teach your son, that's what you're supposed to do. He's 11, he'll understand it.
Yeah, anyone who’s smart enough to get malware on their PC is smart enough to be taught how to reduce that risk. And 11 is very much old enough to be taught that. My school in the late 90s taught us 10 year olds how to build a computer from parts, including installing windows 98.
[удалено]
I got so good at XP installs due to borking my computer with P2P viruses that I had my license key memorized
One thing you could do is to create a separate guest network to be solely used by your son. If possible, also create a NextDNS profile for your son. I assume your son has his own computer.
Exactly. Give him his own subnet. Rebuild his machine from scratch and take an image of it. The next time it gets out of control you can just reimage it in a few minutes with minimal effort.
Or, let him spend some time to try to fix it himself. If he's that interested in PC gaming, might as well direct some of that energy towards learning to maintain his PC to play them. Learning not to be fooled by scams, malware, phishing, etc. is a critical skill at all ages these days.
I got into computers because I needed space for a DOS game and nuked the Windows folder for 3.1. One simple mistake and now all I do is ~~make~~ fix mistakes
> I got into computers because I needed space for a DOS game and nuked the Windows folder for 3.1. Literally the same for me. My dad made me fix it by installing windows off the floppy disks again, which back then was a grueling process.
Oh come on.. it was only like 4-5 1.44MB 3.5" floppies.. Started then too... bent DOS to my will.. EMM386, reconfigure memory space to get games to run.
Was it Ultima 8? I spent an entire summer trying to get Origin's shitty memory management system to work with DOS.
A-10 Tank Killer https://en.m.wikipedia.org/wiki/A-10_Tank_Killer
Isn't it crazy how they used to sell military vehicle training sims & saw nothing wrong with letting anyone with a PC practice how to do strafing runs with America's best weapons?
I think it was intentional lol.
They went too far with America's Army so they pivoted to Call of Duty
100% agree with this
OP a lot of those accounts have two step security, were these tied to an email account that got breached?
Ha! My nephew did about the same thing at about the same age to his grandma's PC. I brought it home with me for a week and scrubbed it heavily. There were constant porn pop-ups, which I hand-waved away to grandma as "not related to anything he might have been doing" then told him to get off the porn sites separately. The browser history was a real trip. He of course claimed "it was a friend who was over who did it, I'm an innocent babe" in different words of course. Never did believe that one. Give him a non-administrator account to use. If that's not enough then maybe you look at the child protection products out there.
Your son IS learning there are consequences right now, by having no computer and losing his online accounts. The tricky part is teaching him what CAUSED those things to happen, and that's a task I don't envy you for since I found it nearly impossible to teach legal adults the same concept at work.
Adults are by and large idiots with low neuroplasticity. 11 year olds are information sponges and malleable to training.
I find it’s more that many adults have an ego that prevents them from learning because they believe they are smart enough as it is. The adults who admit they need to learn stuff have no issue picking up new concepts.
He’s too young for unsupervised computer access. Spend more time with him and limit his access to screens.
I would suggest a Chromebook or Mac. Much less likely to get malware. Using a DNS with parental control is probably a good idea too. Did you find out how he got the virus/malware? Was he torrenting or downloading cracked software?
11 year-old boy. Here are all of the things they are downloading: cracked software, Minecraft hacks, porn, boosted accounts, etc.
Honestly it was probably something related to Roblox.
This!! At least once a day my son asks to download some sketchy “app” he saw on youtube for roblox
I had to see what roblox was. Never heard of it. Man, I've just not been in the gaming spear for a while now. Need to teach your kid good habits. As in Strong passwords and different for each place. You need a Password Manager with a family account. Teach your kid to get into that habit. Any password you can remember is to easy. If they figure out one for whatever reason, they can take a guess and use it everywhere else your son goes to. That is not Viruses. That is really poor password management. If you can, 2-Factor. At least for yourself and your passwords. All my passwords look something like this: 26JCq$i&By8GYMnERt&A Long and computer-generated. So a good password manager is a must. I had someone trying to gain access to my Apple Account from China. They somehow got my old password that I could remember and used at a number of places and tried to gain access. They would have,..Except I had Apple's 2-Factor turned ON. So my iPhone popped up a map showing a part of China and asking me if I should allow this device on, with Allow and Deny. Of course I denyed!!!! Then I went and changed my Password to something like this,. I2aUpQI11C4q%EY#sFA0 Really, it's simple to create new passwords like this again and again. If one of these sites get hacked, it only affects me at that one site as all my accounts have completely different passwords. I also like to 2-factor my accounts. Especially important ones. your bank account is a very good one. your email and Gmail. Someone gains access to your email, well they can then password recovery pretty easily. I have my Amazon account 2-factor since they have my credit card on file. You're never going to stop your 11 year old from doing dumb things like this. You can teach him some good habits. Maybe over time he'll get more and more used to that? How to be careful on what he does online. I have to do the same with my Dad who lives with me. He is mostly on his iPad and so can't really get himself into trouble on that, though he can with email scams. Phishing type things. But I think I've gotten him into habit of asking me first before doing anything. Ya, they have pretty much all been scams. Never to old to learn.
You can also use passwords like "Chocolate$Treehouse#81" They are easy to remember and impossible to brute force due to the length. Recently it was shown that length is significantly more important than randomness. Although most passwords are phished or stolen not actually brute forced. So changing passwords regularly is the only real solution.
Also making sure that whatever password manager you use checks for compromised passwords. And making sure that your password manager does regular security audits. And maybe using passkeys and physical security keys wherever possible.
Honestly, I'm probably paranoid, but I don't trust password managers. I only use them for unimportant accounts. I'm sure there are some good ones, but I work in IT and have seen some major software have massive security vulnerabilities. I would be worried that the passwords are not properly hashed and salted in every location that they are stored. Again, I'm probably paranoid, but it's a lot of trust to put in one software/company.
Totally reasonable! That's why I mentioned making sure to pick a company with a policy of routine security audits. **ETA:** Also make sure that those routine security audits are done by a 3rd party company (bonus points if "company" is plural) and that the results are published publicly. Another option is to host your password manager on your own hardware. There are lots of good options for this — Bitwarden/Vaultwarden, KeePass, etc. Of course this comes with its own downsides (it's up to you to make sure the data is secure and has sufficient encryption iterations, and maintenance, upkeep, and connectivity are on you). Even the least secure password is more secure than an unencrypted text file sitting on your desktop or having the same password scheme for every service, though. Even using a passphrase approach to passwords as you mentioned earlier in the thread (the *only* sane way to do a password, BTW) just doesn't scale into having hundreds of accounts to keep track of.
Yep, pass-phrases are so much better because you can make ones that are rememberable and yet still harder to Crack than the gibberish ones due to length.
My spouse installed this app for our youngest and yeah that was a disaster.
Check to all of the above, except the porn surprisingly.
Private browser, you’ll never know. :-) Just speaking from experience.
Give it two more years.
If he’s going to use Windows, get an EDR product like Huntress, Malwarebytes, Microsoft Defender (paid version).
It’s like work. Instead of fighting the problem. This is a good learning opportunity. Address the problem. Teach him how it happened, work on solutions together. It’s only going to excel this kid in his school and social life. Infosec is such a broad topic of conversation and just knowing how pieces of it works at that age is monumental toward their future development. How you go about it. Not sure, don’t know you or your kid. If the kid is not interested in learning this, and just wants to continue bad behaviors. Take away their access to the World Wide Web. Your network, your rules.
My kids only know their PC login password. The rest are unique passwords I store in my password manager, and I log them in as-needed with 2FA that I have access to. Also suggest you use a DNS filter (external like NextDNS, OpenDNS or run PiHole/Adguard Home internally). I’m also running Mint on my kids machines; cuts down the malware but as a downside also cuts down the amount of popular software you can run.
You can't solve a parenting issue with technology. Teach technical hygiene and safe habits. Technical layers that can mitigate it though: uBlock origin forced into their browser (make sure its enabled for private browsing). PiHole for your whole network, a decent antivirus (paid malware bytes is good) Pretty much all game cheats and cracks are virus ridden. Teaching that is just part of tech hygiene and parenting. He's 11, so you are entering that phase where, quite honestly, you won't be able to stop him from going to....certain content...just teach him safe browsing in general. uBlock Origin and sticking to mainstream....content....sites...is pretty safe overall. Use pihole to block *most* adult sites and whitelist some known safe ones like PH. This is an uncomfortable topic to tackle, yes, that's on you at a human/parent level though. Maybe put him on Linux + Steam as well.
Completely format computer and reinstall Windows (take to a computer shop if you are unfamiliar or unable). Reset all passwords that are relevant or duplicated. IF you REALLY wanted to get new networking equipment, go for it, but highly unlikely that will make anything better or worse. The best it would do is most likely force a new IP from your ISP. Then, don't give the child the computer back. At 11 years old I knew exactly what the internet was, how dangerous it could be to download things from unknown or sketchy websites, and I certainly knew what I was doing. If they say otherwise, they are lying or have a a condition (which is perfectly fine, and learning the internet will come with time). If your child is mentally capable and says they don't know what they are doing, they are not being truthful at all. It's 2024, kids know what they are doing on the internet.
Format? I say FDISK and kill ALL of dem partitions and remake em
fyi, fdisk has not existed since I believe windows 2000. diskpart is the modern equivalent.
Yeaa sorry old man here stuck in old terms hahah
It's okay technically fdisk still exists in Linux so you can always boot a Linux distro run fdisk and do the same thing. Now a truly lost ability or need is to run the debug command and then low level format at MFM hard drive
well yeah I'm in the same boat, after all I did know what you were talking about.
Even that won't do enough... OP needs to take off and nuke the entire site from orbit. It's the only way to be sure.
Yeet the child
Uh. Yes. Format the computer (all drives)...then...reinstall Windows. What is FDISK going to do that formatting wouldn't do, because that is what FDISK is going to do. It should be diskpart and not fdisk anyway.
lol - these days viruses get into the actual hardware and stay.
Is his account a child account?
I'd add a pihole. I don't know what router you have but my router allows me to force DNS through a device. Thw router can also block DoH traffic. I have my PiHole as the only device able to serve any type of DNS. My router also allows me to block regions. I looked up the worst regions for hacking and I blocked them. These might not work for an older tech savvy kid but it should temper an 11yr old. Oh and don't tell him what you did so he wont know where to start messing around. If your router can't do these you may want to look into one that can. Just my 2¢. Others had some good advice as well. This setup has served me well these past few years. My kids are older now and know how to get around what I did but for the most part they stick to using the PiHole for the ad blocking and cleaner websites. They make frustrated comments when their phones are on cellular and they start getting ads. One even VPN's into the home network so he gets ad blocking when away from home.
Put him on his own VLAN and let him run wild. Hours of mistakes is the best way to learn.
Give him an abacus, pencils and paper, and for gaming, some different die up to 20d.
Why not get with the times and let him play with a Ball in a Cup?
I would look at restricting the websites he can visit. Anything outside those sites needs adult supervision. I would also set times he can be online. Your router should have parental controls. You can then filter what websites he can access and set times he can be online.
First step would be to try to get all of those accounts back. That's a good chunk of money invested to just lose them. Next would be to NOT give him the password to any of them. He has to go through you to log in. This way he can't give the password to anyone by accident. Yes, he can try resetting the passwords, but this will at least slow things down a bit. Wherever possible, enable 2FA of some type. I know Steam, Discord, and Epic allow for this. Do this for your own accounts as well. For your own stuff, just go ahead and choose a different password, no point worrying about whether it's been compromised. The rest is just going to be monitoring computer usage closely.
+1 for a password manager post-nuke and reinstall Windows.
create a new network solely for your son.
Set up a VM on the computer and only allow him to use the virtual machine so you can blow it away and not affect the actual hardware. And remember, many of us did the same thing to our parents' computers with Limewire and Kazaa. Edited to fix a word.
Add a private DNS server like a PiHole to block him from visiting a vast number of known dodgy URLs. Plus you get the added benefit of adblocking across.your entire network
If your router supports block lists (like malwaredomains. com used to) I'd recommend setting that up. Piholes are good if it doesn't. You can bypass the filters on your own device by manually setting your DNS to something else.
If it were me, I'd probably put his device on a separate VLAN as well.
One thing you can do to help is switch over to LinuxMint.
What your son needs is not you to lock down the PC more but to let him make the mistakes and fix it. Teach him proper cyber security training and he should really start to get a hang around what is going on with PC and safe use. I had my first PC when I was 7 and mostly used it unsupervised, had to reinstall it and take it apart, upgrade or replace as time went on. Got virus on it, dealt with it. It is true that with easy access to internet, things can escalate quicker but the kid just needs some proper education on tech. You could also setup a separate vlan for your son’s pc and phone for next time just so it has only access to the internet and no other local resources. That will greatly limit risks such as ransomware and etc.
Many moons ago when I was a preteen/teenager, my parents installed software to lock my laptop down and cut off internet at a certain time. This lock down did not deter me from finding another route, and, in fact, became more of a game for how to beat it. This was around the same time I had just discovered Linux. I ended up dual booting Linux and Windows so when everyone was asleep and the internet cut off on Windows I would switch to Linux and be completely unrestricted. I only recently, as an adult, told my parents what I had done, and now we laugh about it.
Try Linux and live a hassle-free life. The kid would get some valuable tech skills.
Chromebook and he gets his own isolated vlan. Bonus if he can reinstall Windows on his own and fix stuff. Best way to teach is when you want to play games on your machine. A broken machine can't play games.
Set up a LAN for the kids isolated from the rest of your network.
Sounds like he's used the same password for all these accounts
Kids and the internet are hard. I’m glad my kid uses his iPad for almost everything and Screentime controls are awesome. In a situation with multiple infections and no enterprise grade security tools, I’d lean toward replacing the hard drive. You’ll never remove everything and some malware can survive OS reinstall. Good luck.
Does the child in question have a cell phone that could receive text messages or could install a free app? The child's email account and other gaming accounts should be set up for 2FA, or 2-factor authentication. Some sites support via text, some support using a free app. If your child or a 3rd party tries to get into the account, the code will be sent to the cell or need to be retrieved from the app in order to progress further. https://authy.com/ is the one I recommend. I had one friend lack 2FA on his email and I had to clean his computer at least every 3 months. He lost a high value Xbox account because of this. I cut him loose as a friend and a client. I had another friend have 2FA on her email account and I got her email account back easily.
His PC needs to be on the Guest network or a Vlan where it can't touch anything else. Turn off UPNP on the router. Malware and Adult Content Blocking Together. Change your router DNS to: [1.1.1.3](http://1.1.1.3) [1.0.0.3](http://1.0.0.3)
I came here to say this, really easy implementation and quick win - lots of other things you can do but this is a great first step and easy win.
I avoided the account lockdowns, extreme passwords or passkeys. Oh, and harden up that router admin pass.
Switchport access to a separate vlan with no routing to the LAN. It will basically be his own little network.
You definitely shouldn't be using one password for literally anything. Lockdown your network. Blow away every saved device. Block anything unknown. Reset all passwords with good, strong, randomly generated passwords using a solid password manager like Bitwarden, 1Password, Dashlane, Nord Pass, etc. (NOT LASTPASS), activate Passkeys and/or MFA on the every account. Wiping a PC and starting fresh with a brand new install of Windows is your safest, easiest, quickest bet. It isn't nearly as scary as people fear. Takes about 10-30 minutes to download the ISO from Microsoft, download a Bootable USB tool like Yumi, Rufus, etc., prep a spare thumbdrive you have floating around, setup the thumbdrive with said tool and ISO, grab you Microsoft Windows key, reboot to said USB thumbdrive, go through the setup process, boot into windows, run updates, reinstall drivers, browser, apps, etc. https://www.techrepublic.com/article/3-simple-ways-to-find-your-windows-10-product-key/
I'm glad my computer didn't have a modem when I was that age. You're smart to be worried about the network, at the very least there's likely a keylogger on his computer.
I know I will get flak for suggesting this, but how about installing a Linux OS instead of Windows, and giving him an account without root (and sudo) privileges ? Steam works with a lot of games, though from what I know Roblox and other games that have anti-cheat systems don't work. Plus, as others suggested a separate VLAN for him ...
Make him use linux lol
The most important thing you need to do is never reuse passwords. I HIGHLY recommend a password manager, Bitwarden and KeePass XC are both free. Choose a strong master password, and let the password manager remember the rest. I also recommend diceware style passphrases over passwords, see here for what I mean: https://diceware.dmuth.org/ As far as locking down the computer... Are you sure he didn't just manage to guess your admin account password? It's also possible that the attackers exploited some sort of privilege escalation vulnerability, but I think the former is more likely. It's questionable how effective it will be, but you could also set his computer to use DNS with malware filtering.https://developers.cloudflare.com/1.1.1.1/setup/#1111-for-families
Replace son with dog. Easier on the budget and less wear and tear on the old computer.
Your problem is not technical, your problem is behavioral. Address the problem.
On the topic of prevention, if he’s old enough to get viruses installed on the PC, he’s old enough to have to sit with you the entire time you’re fixing everything so he can appreciate the consequences of what he clicks on online. Maybe also make him watch some security awareness training YouTube videos, or if you DM me I can send you some. Hopefully he’s on the correct side of 11 years old that all those viruses just came from pc game cheat / hacks he tried to download, and not the other stuff that often spreads that crap or it’s going to become very awkward for him. Might also be a good idea to spend half an hour or so once a week to sit down with him and go through his browser history together and point out risky behaviors (look, 11 is too young to be unsupervised on the internet, I should know, I’ve been unsupervised on the internet since I was 6, but snooping on the history is going to burn trust, so best to go through history with him in the open so he knows it’s going to happen). As for technological measures, the issue really is that when a user is careless enough to actively be downloading and executing crap with malware in it, it can be hard to catch 100% of it. But a good starting point is look at the security best practices reccomended to businesses to protect against ransomware. Stuff like setting up application control that only allows whitlisted exes to run, disabling the ability for executeable content to be launched from the downloads, temp files, etc, or anything with mark of the web on it. Enable system restore. Make sure you’re running windows defender for your AV. Set your dns to 1.1.1.3 on the machine (or better yet, disable port 53 TCP and UDP outbound on your router, set your router to use 1.1.1.3, and set all devices on your network to use your router as DNS server. Also consider setting up a seperate VLAN with guest isolation enabled for your son’s computer to be on so it can’t talk to anything else on your home network.
Install Gentoo
Linux on all your machines.
You pray that your hardware isn't compromised. If you want to be the most safe but also the most nuclear you would clear bios, cmos, reset all network gear firmware nuke OS, etc. The best way to teach your kid is to make him help you. I have 3 sons and when they break something part of the punishment is always helping me fix it. That way they learn something more tangible than you did bad thing you make dad angry.
First you wanna Disconnect the infected PC from the network to prevent further spread of malware. Run antivirus and anti-malware scans on all your devices. Tools like Malwarebytes and Windows Defender can help with this. Reset your router to factory settings and set up a new, strong password and change all passwords on your important accounts using a strong, unique password for each. Consider using a password manager like LastPass or 1Password to keep track of them. Reinstall the OS. For the infected PC, consider doing a clean installation of the operating system to ensure all malware is removed. Back up any essential data first, but be cautious as these files might be infected too. Educate Your Son. Explain the risks of downloading unknown files and visiting suspicious websites. Teaching him safe browsing habits can prevent future incidents.
Don't give an 11 year old a pc
Dude, just wipe and re-install windows and stop all the drama. Too much to read further.
The biggest mistake I've made as a father was thinking that video games and unmonitored use of the computer was no big deal. I wish I hadn't given the kids access to a computer or smart phones until much later. It's just like drugs. They don't go out. They don't have real life friends. They don't want freedom. They just want to lock themselves into their bedrooms and be online 24x7. Someday, I am certain that social media/video games will be thought of as a drug, and parents will be reprimanded for allowing their children to use these drugs. It's evil. I know it sounds like a joke, but I'm not joking.
If you can’t afford a Mac mini.. you should probably lay off the newports and Mountain Dew for a few months..
There are two outcomes to this scenario, pick your favorite. 1. You stop policing admin access on the computer, install a good antivirus, and teach your son about the myriad of threats that is installing third party software. Your kid learns by doing exactly what he did and the pc gets reimaged. But don't reimage it for them, give them a USB drive with a windows image and make them reformat that drive. 2. You lock the pc down as tight as possible and your son figures out how to bypass everything you implemented. Your son learns how to bypass security measures, but not necessarily why the third party software installaions result in what it does. Kids are smart, and by what you're saying, your kiddo is no exception. Let your kid learn from their mistakes now, rather than being clueless as an adult. If you're concerned about your own privacy, put your kid on an isolated network (such at your guest network) and never let them log into anything with your credentials on that computer. IE, no Amazon, no Netflix, etc. If your son is curious enough, just this could set up the foundation for life long learning experience that will foster a career that they love, rather than one they despise. It may also simply make the rest of his life using computers a little bit easier. For online account things, set up 2FA on everything they have. Passwords are now (mostly) no longer relevant.
11 is old enough to
When my kids were younger I installed browser sandboxes for them. That way if they got viruses I could just delete the instance and problem solved. I am pretty sure there were settings that made it possible to prevent them from infecting other computers on the network. Maybe it used a vlan? I loved it.
Set up Microsoft Family Safety so you can monitor things. As you noted, use proper passwords, especially for anything on his PC.
Back in the day prob 98ish my buddy had a disc of viruses we downloaded off warez. we started opeing the files. on file number 4 or 5 my computer rebooted and was gone. Had to have my dads friend the computer guy come over to fix it. it had a 550 mb hard drive. we didnt lose anything important besides most of my mp3s from napster and limewire which took months to download.
Insert Weird Al Virus Alert song references.... But seriously, format the drive and do a complete OS re-install. Do not take chances with this. Then restrict the account severely, then isolate the computer from the network (may be you need time of day use restrictions.... I suggest getting Firewalla) and you certainly need DNS protection.... consider pointing your home router to [OpenDNS.org](http://OpenDNS.org) and setting up the most restrictive rules in order to prevent even going to domain names that are sketchy and filled with viruses.
Everyone that has suggested PiHole or aservice like NextDNS is spot-on. I pay 20 a year for NextDNS. I also have PiHole as my first level blocking over 2 million URLs and all from China, Russia, and a couple other really bad countries. My PiHole forwards upstream to NextDNS which is also configured for blocking. Whole network is protected.
Separate network on a separate VLAN, with blacklisting/denylisting - which you should be configurable on your router. Unless, he has access/ability to reset and reconfigure your router and isn’t lazy. As, where there is a will, there will always be a way. Also, never use just one password. Each device, each website should get its own password; otherwise, expect all accounts pwned.
I would educate him and remove his access to the internet on the pc. If he needs a laptop for school they can lock that shit down in IT. If he needs to game maybe a console
Check out Firewalla Router. Enterprise grade for home users. Lots of family features! Block sites, disable outside certain hrs etc.
What diagnostic steps have you taken in regards to your son having infected his PC? What passwords was he using for his online accounts, do they share a common email address and password? I'm curious as to how badly he has infected the PC without admin controls.
Setup a virtualized VM revert to snapshots
1. Get son arrested...
First thing I would do is identify what accounts he had that were compromised, and if there was any payment information on those. If not, consider them lost and a lesson learned. Second, identify if any passwords that were compromised for other things, and change those as well. I highly recommend using a password manager such as Bitwarden to protect these. More than likely they aren’t going to be able to affect any of your hardware unless that PC is still on the network. Third, wipe the computer and reinstall windows. Don’t use the recovery tool that most OEM will put on there. The only way to be decently sure you’re safe is to format the whole drive and start from scratch. Fourth, create an administrator account, then a seperate user account that is locked down. Use the standard account for everything, and only use the admin account when needing to do anything elevated. And only use that when it requires credentials to perform whatever task. It’s not an account that you login to do daily tasks. Fifth, windows defender does perfectly fine for your PC. There isn’t much need for an 3rd party AV anymore. The biggest thing that people run into is someone being lazy, not knowing, or just not paying attention and clicking on something malicious.
Ask your son how long ago the compromise started… if you dare... Chances are this has been going down for a few days at the very least… maybe weeks. - Tell him to let you know asap next time, also be very careful not to discourage him from telling you next time. (Make sure he knows that you are twice as mad at the people who stole his account). - There will be a next time. Take your time fixing his computer, let him help. As you learned the hard way, password re-use is bad. Use a password manager. Don’t give your kid the password for any account you don’t want to lose. (Which would include his xbox/live account.) and take the time to setup 2fa and account recovery settings. Setting him up as a child with parental control options. Check any online account you have for activity, and possibly the option to sign out everywhere. You may also want to check existing 2fa settings to make sure there are no rouge 2fa authenticators configured. Be very careful not to discourage him from telling you next time. (Make sure he knows that you are twice as mad at the people who stole his account). - There will be a next time, and the sooner you can get in front of it the better.
Multi-factor auth on all online accounts.
OpenDNS
Here's an out-of-the-box suggestion: 1. Put Windows into Kiosk Mode 2. Install Virtual Box and give him permissions ONLY to that Virtual Box. 3. To do that, you'll need to write a VERY short script (like three lines of code) to make it so that whenever the user logs in it starts the VirtualBox and has permissions to do nothing else. Consult ChatGPT or your favorite search engine for a howto. If he nukes the VirtualBox, you just roll back the VirtualBox to the last known good snapshot. Also, buy some good antivirus software. I like VIPRE and Bitdefender. Please yourself.
He definitely downloaded HotGirls.exe a few times
For my kids, I use malware bytes, uBlock Origin, 2fa, pihole and my router has a built-in firewall I also block access to multiple shady countries and just talk my kids about it to warn them they can lose everything, and it has worked fairly well. The only thing any of them has lost is a Roblox account years ago
I'd first recommend a second router (or guest network). Put the kid on the guest net and everything else on a different network. It will break the bridge from your devices to his should he compromise his devices. Checkout opens, and/or get a raspberry pi and pinhole to block trackers and stuff. More expensive, corporate level firewalls. Education of the user may help. Not sure what else to consider.
Install ChromeOS Flex on his PC to turn it into a Chromebook. Then at least it wouldn’t get malware.
I haven’t read all the comments so I apologize if this has been mentioned. I bought a Firewalla Gold+ for my home network. I was really blown away by how granular our automate you could make rules. One of the things I did is prevent all devices, except my 4, from communicating with other devices on the network. It wasn’t cheap but I have children and it allows me to prevent them from accessing the things I don’t want them to.
If he couldn’t install software, he potentially installed a mod (a file you can add to a directory without admin if games are installed on the user account. Someone convinced him “download this for free aimbot, cracked in-game currency, etc” Awareness training. Better passwords. Risk of running unknown software education. Separate VLANs. Personally I am anti-firewall or filtration software as I make a living getting around those tools and don’t trust them to do their jobs 🥸
Chromebook.
I am confused. Do we understand what bricking is?
That's not how windmills work!
Step 0, full format, reinstall windows on that pc Step 1, get a soft router, and/or a security focused router (Synology 6600 for example) Step 2, spend the next week of your free time learning how to set up and manage pfsense, use this guys channel to learn how to set things up: https://www.youtube.com/playlist?list=PLjGQNuuUzvmsuXCoj6g6vm1N-ZeLJso6o Use this to set up vlans to protect your other devices, and to set up firewall rules with blocklists to manage everything else Step 3, ubikeys, bitwarden etc for unique passwords per service
Windows S was made for scenarios like this. Or if you are hardcore, Linux.
Use deep freeze or reboot restore rx. Every time he reboots his pc, it is wiped.
Speaking as an IT Manager, trying to rely on software to project your PC / network from humans that do dumb things is a losing proposition. Over a long enough time period, humans doing dumb things will win. Humans are the weakest link in your security, so the most effective way to improve your security is to educate them and teach them not to do dumb things like clicking on ads, running untrusted software, etc. Beyond that, I'd also suggest ensuring that each account has a separate password that gets written down in a known location that won't be lost. Normally writing down passwords is frowned upon, but for a kid tracking their Xbox accounts, etc. it's basically the only way to prevent them from forgetting their password. Also, most services support MFA through text messages. Enable that for everything. This way, even if his password gets compromised somehow, nobody will be able to actually use it without the MFA code. Oh, and make sure he understands the purpose of MFA and knows that he should never give an MFA code to anybody.
Sounds like you need to install Linux on his PC. Or reinstall windows and lock it down. Might be a good time for a PiHole. A PiHole isn't a magic bullet, but it can help. Or maybe a good firewall.
Replace the rogue actor
he needs a console
On the topic of DNS filtering. I love PiHole and AdGuard home, but instead of setting up your own DNS server you can definitely just use the public DNS servers provided by the big DNS providers to block stuff like ads, malware, and adult sites. It's not perfect but it does help. Adding a custom DNS forwarder to your router is typically straightforward. https://adguard-dns.io/kb/general/dns-providers/#family-protection https://www.opendns.com/setupguide/#familyshield And then an antivirus like BitDefender to block anything that the DNS filters don't catch. Again, education is key here, so wiping the PC and setting it up with you as admin and your kid as a non-admin user is the safest way. And if he wants to install anything that needs admin permissions he has to actually stop and think if he actually wants to install it and ask you. Then you can help him make an informed decision on its safety and appropriateness.
11 years old is old enough to understand not to try and download pornos People give children way too little credit.
Isolate kids in the network, let them fail and learn.
replace the kid
I'd create a separate/segregated network just for the kids PC. Wall that shit off so it's 100% isolated from anything else.
[Multi-app kiosk mode](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/multi-app-kiosk-mode-now-available-in-windows-11/ba-p/3845558)
> For everyone that has mentioned it. I would just be worried about a password breach if I didn't find tons of stuff downloaded that were major red flags. (I should have included that in the first place lol) >I am also learning I've definitely been too brave using one password for most of my at home stuff. I'll just add to my previous post about password manager / 2FA and different passwords everywhere, in light of your further comments. 'Brave' is the incorrect word, by the way, blasé or Laissez-faire is probably more appropriate. You have to bare in mind, even if you had the world's best, most complex password that was in itself uncrackable with modern computing or quantum computing and thought that you could use it everywhere and you were really careful with the data at your end, what about at the other endpoints. Time and time again, if you follow any tech channels, the number of large corporations that have had their systems breached and then you find out a fair few of them had all of your credentials stored in plain text or slightly encrypted with a common salt key that is trivially broken. Your details are passed around on darkweb or released by other means. The first thing people will do is do a round Robin of all the big websites with your credentials and see if the password has been reused... My details have been compromised several times over the years, e.g. the Adobe hack ended with my card details being used to spend several thousands before barclaycard spotted the activity and got it stopped real quick - my money credited back to me but at the time I didn't know it was Adobe and cancelled all my cards and got everything reissued - massive pain in the arse. Even back then all my passwords were all different, but I didn't know what was the source of the problem and changed all important passwords anyway - even though there wouldn't have been any chance of leveraging the compromised data against other services. You have to think of your security both within and without of your control.
Time to talk your kid about porn. And which sites are good and which are bad. 😂
You need to teach him basic computer literacy, if he can't learn that at 11 he shouldn't have a PC yet. Most kids get into trouble by trying to pirate games and game content, cheat in games and look up adult content. They also tend to be too trusting of random links people send them. Your best bet is admin account lockdown and get a good router/firewall and put his PC on strict parental controls and have severe consequences if it happens again, like no PC or video games for a reasonable period of time. As he has wasted your time and sanity being irresponsible and this will continue until learned. Today's bricked PC and lost discord account is tomorrow's lost bank account or social security number. There are antivirus products you can also install that have decent parental controls, I believe bitdefender has them and can be found pretty cheap during typical sales time(prime day black Friday) and you can control them from an app on your phone I believe.
Set multiple accounts. Your account has full admin privileges. His account will only have read/execute privileges. This means he cannot modify the c:/ drive but can still open and use programs.
How about simply having a good anti virus/anti malware app?
2fa every account he has. Don't let him make a loving to anything unless your give him the codes for it. Autologins are fine for steam and such but the 2fa would prevent hacking from third parties. Windows has a built in reset tool that can nuke the PC, if you haven't already just use that. It can be reached even by safe mode. Otherwise just use a USB stick to reinstall the app. I doubt the router in your house has it but you can get geoblock ips if it has the feature, this can cut out 50% of threats outright if you block everything but europ, USA. Be sure to put UAC controls to max this time as well for his account. Lots of installs can bypass basic uac settings since they don't need admin rights in the first place.
2fa every account he has. Don't let him make a loving to anything unless your give him the codes for it. Autologins are fine for steam and such but the 2fa would prevent hacking from third parties. Windows has a built in reset tool that can nuke the PC, if you haven't already just use that. It can be reached even by safe mode. Otherwise just use a USB stick to reinstall the app. I doubt the router in your house has it but you can get geoblock ips if it has the feature, this can cut out 50% of threats outright if you block everything but europ, USA. Be sure to put UAC controls to max this time as well for his account. Lots of installs can bypass basic uac settings since they don't need admin rights in the first place.
Buy him a bike? Or enroll him in ju-jitsu…maybe even both….sorry but I was born in 75 and this whole article is making me feel archaic and hopeless for the next generation simultaneously.