Writing from the nation's capital, this blog explores technology, telecommunications, national security, policy, and their impact on people, with an occasional rant.

Tuesday, March 30, 2010

Of passwords and online security

Here's something you really should think about.  I know that many people use a simple password--anything from a word to just numbers, or even a word plus a number.  This is common knowledge to security specialist and bad-guy hackers alike. Late last year, tens of thousands of Hotmail, Yahoo, and Gmail users were hacked through phishing attacks.  These break-ins were enabled in part due to easy-to-guess passwords.  There are automated ways bad guys can try to guess your password which take much less time than your log in process. 

What can you do?  First, read this and start applying the recommendations.

Specifically, take the following steps now.   Especially, make these changes if you think you passwords might be compromised or could be.
  1. Change any passwords for sites that access financial info or other sensitive stuff (information you store on line, commercial sites which have your credit card #, etc).  This might include google/gmail, yahoo, amazon, depending on the services you use there.  (look here to see how much google stuff you use https://www.google.com/accounts/ManageAccount
  2. Make sure your bank/investment passwords are STRONG and are not the same as other passwords.
  3. Don't use exactly the same password at each site, especially if they use the same user name.
That's the end of your security triage.  You will likely be safer after these steps, and if you do nothing else, you should be ok. (If you use Wi-Fi, then you need a really strong WPA passphrase too.  Read about this in Security Now episode #13)

You might ask, what is a "strong" password?  Well, in general it should contain 10+ characters and include letters fo both cases, numbers, and symbols.  It should not be a word, name, string of number, or date.  An easy way to develop one is to pick a sentence, phrase, or similar and use the first character of each word.  You could use a line from a movie or book, Bible verse, a quotation, or a saying. Then modify it somehow, perhaps by adding symbols, number, or interchanging letters.  This technique is known to hackers, so if you use a well known sentence and just take the first letter, it may already be in a cracker's list of passwords, just like Pa$$w0rd1 is.  For example, "In the beginning, God created the Heaven and the Earth" could become ItbGctHaE.  Maybe start with 1:1 and replace a with &, but that's pretty simple too. But you'd have to get some numbers and symbols in there too.  That is the basis for a strong password.  Oh, and you can't use this one anymore, because its now out in public.

Now go change your passwords. 

To learn more, the DOD has a pretty good one page summary on protecting computers and your information.  It summarizes the threats which are out there and can effect you.  Stealing passwords and accessing your accounts is just one thing that can happen. You can read it here:

This stuff does really happen.  You must be the first line of defense.  Failing to act is acting to fail. 

Do I really need to worry about this stuff?  Well, if you have no online presence, then probably not.  If you don't bank or have any financial data online, then you might be ok.  If you don't have a bunch of information on your Facebook page which someone could use to impersonate you, guess other passwords, or open accounts in your name.

Right now, many of us are trusting to security through obscurity--there are so many people online, how could someone target me?  An out of the blue attack may be less likely.  But, if some of your information from a W-2, school transcript, or other info were to fall into nefarious hands, it would be all too easy for the wrong-doer to look you up on Facebook.  They might even send you a carefully crafted message to get more info or send you a malicious web link.  Have you ever lost such a document?  Has your school, employer, credit card company, etc ever lost some of your data on a thumb drive, laptop or hacker break-in?  Probably.  But don't just believe me, read more about secure passwords in the links below.

Now go change your passwords. 

Additional Recommended Security Links:

US CERT Cyber Security Tip ST04-002 Choosing and Protecting Passwords

MakeUseOf.com - Create Strong Passwords

GRC.com Perfect Password generator

Password Strength Checkers - to be really safe, you shouldn't put your new password into one of these.  If you do, at least make sure they are a secure page (https).

Sunday, March 28, 2010

Are Apple's iDevices the end of Macs?

Recently there's been discussion about the iPad being the demise of the Mac.  It has been mentioned a few times on TWiT and also notably Sasha Segan's piece over at PCMag (via Digg).  The argument is that Apple cannot or will not long support two different computer platforms.  As evidence, observers say Apple may be maxed out with the launch of the iPad.  Their engineers are consumed developing and translating apps for the iPad/iPhone OS. 

Last month I was reading the book Apple Inc. (Corporations That Changed the World), which I picked up at the library.  The book talks about the early history of Apple products: the Apple II line, Lisa, and the Mac.  Although Apple said it would support the II for the long haul, it was soon discontinued.  The Lisa followed not long after, and that left just the Mac.  So it would seem a compelling case.

The iPhone was said to be a flop before it was released and people stood in line to buy it--days in advance.   And Apple sold 1 million iPhones in 74 days; 1M iPhone 3G and 3GS each took just 3 days.

Now its the same for the iPad: it's no iPhone, they say.  (Just Google it)

All the talk makes me worry about my ability to buy future MacBooks.  But think again.  Mac sales are higher than ever, with no sign of stopping.  And you don't introduce a new product and kill your cash cow.  But you better have a new product before your old one isn't selling.

I think there's less chance that Apple plans to dump the Mac, and more that Apple is starting an evolutionary step with the iPhone/iPad OS.  Or continuing the the path started with the iPhone.  Apple doesn't play by the rules--it makes them.  The iPad is the start of new rules.

I want to like COMCAST, but they don't want me to...

I really want to like COMCAST for the effort they've made improving services, but they seem determined to keep me from being happy.  Not too long ago, COMCAST started a cool service called myDVR.  It lets you access your DVR from the Internet (like Tivo has had for a while).  They even have an iPhone app, which I quickly downloaded.  Initially the app didn't allow me to access the function.  After reading online I found that when "myDVR" service becomes available in your area the function will show up in the app.  At some point it did and I thought I was set. But I could never get it to work.  Instead I got this message. 

I tried to log in via my COMCAST account.  Still nothing.  In desperation I called COMCAST.  A 30 min investment of time got me to someone who confirmed the service is available in my area but that my Cisco DVR is not compatible with myDVR. The very nice rep told me to take the box in to the COMCAST office to swap it out for a compatible model (Motorola, I believe). 

After driving 15 min to wait for 15 min to change out the box, I had to explain to the rep what "myDVR" service was and what I wanted to do.  It took a while to communicate to the rep my wishes--she kept referring to my recorded TV content because the button on the remote is labeled "My DVR".  Ultimately, I learned from the rep that my office will only supply the crappy Cisco RNG200 in my area.  She suggested I contact the Manassas office who might be able to provide further explanation.   I took a replacement box since the hard drive was likely going bad anyway, and in the hopes of trying a different box might help.

When I called the COMCAST number provided, I wound up in the Silver Spring office (not even in the 703 area code...). I went through this My DVR problem again: "Ok, so you cannot record TV programs?"  I asked why COMCAST was telling me about myDVR service online and apparently provisioning the service in a place where they won't give you compatible equipment.  I learned that the Cisco box is not highly regarded, and a better Motorola box is available everywhere else but here. My rep favored that model. But I got no useful answer to my question (though this rep was very patent and friendly). 

Bottom line:  I am out nearly 120 minutes to learn that COMCAST will not provide equipment to make use of services they advertise and apparently have provisioned in my area.  What is up with that? 

Monday, March 22, 2010

This is a strange way to blog

Now I can post directly from mobile devices.

Sent from my iPhone

DoD's Open Internet Policies and USB -- Not so Fast

Air Force web users are still stuck in the Internet of the past. Despite DoD's recently released policy which states unclassified networks will "be configured to provide access to Internet-based capabilities across all DoD components," many Air Force users of base-level networks are still blocked nearly a month later. The Dep SecDef-signed policy was the result of a months-long review of the mishmash of separate policies across the department.  Each service had its own policies, many of which conflicted, allowing sailors to access some sites while airmen were prohibited.  Perhaps the Air Force is still sorting out how to remove its draconian restrictions. 

Meanwhile over at Wired's Danger Room, Nathan Hodge writes about DoD's not-so-fast on allowing USB drives.  There will be many restrictions on the USB drives when they are eventually allowed.  These won't be USB drives ordinary people drive.  Back when the dives were suddenly banned,  there were anecdotal reports of military authorities having confiscated any and all USB drives they rounded up in searches.

Hodge aptly notes this is just the tip of the ice berg.  The real problem is the "heavy-handed" military approach to unclassified networks.  But the problem isn't the "public" networks as Hodge writes, but rather the private unclassified systems soldiers, sailors, airmen and marines use on a daily basis for most all staff work and communications.

The irony is that airmen are banned from following the senior military officer -- the Chairman of the Joint Chiefs -- on twitter.  Admiral Mullen is not alone.  The National Guard Bureau Chief and many official military offices are also on Twitter.  But Air Force network managers don't seem to see the value of modern networking and communictions.  Twitter shouldn't feel singled out though, because the Air Force is blocking Facebook, Linked-In, most blog hosting sites, webmail sites, and much much more.

The Air Force hoped to be the service that led the military's cyberwar efforts. Nice try Air Force.