I haven't posted in a couple of weeks (oops, I forgot!), so I figured I would put something up quickly that's fairly relevant to the typical blog posts and is somewhat topical. Posting this last week would have given you, dear reader, time to observe more and be a bit more informed about the issues discussed.
If you're in the United States, you had the opportunity to choose the lesser of two evils today and vote for many of your government officials. If you are in the rest of the world, I'm sure you can feel our pain. But maybe not as much pain as many of us actually feel. See, we use these electronic voting machines here, which are not very well liked. If you haven't heard about this by now, consider yourself lucky.
Now don't get me wrong, some of these things probably work well. But nobody is ever going to hear about things that work as well as they should. For those unsung heroes who designed these machines, I salute you. For the others, please find a suicide cult and join it soon.
I'm not going to go through and rehash old arguments made by others. If you want to read those, you'll find plenty of links. The basic problems are that the machines are difficult to use, they frequently break, and it's possible to manipulate the votes. And instead of fixing the problems, the companies that make them are fighting people who expose the flaws.
What the companies should be doing is making "bulletproof" devices and inviting people to try and break them. There should be no question whatsoever that things are on the up-and-up when it comes to our freedom. Further, there should be independent code audits and security tests to verify that there are no ways to breach the integrity of the machines. In fact, I'm one of the people who thinks that the code should be opened up for review by everyone. Why not leverage the power of a million or so people looking over the code for any problems? Publish the code! You only have something to lose if it's broken and insecure and you've been hiding that fact.
With these devices, you don't design them so they can work, you design them so they can't fail! Take a look at ATMs -- they do this for the most part. Very few people accidentally pull out stamps when they mean to withdraw money. Diebold, one of the largest manufacturers of voting machines, also makes ATMs. They obviously have the expertise to make touch screen self service devices work, so why is it so hard to actually pull it off?
Every system has its advantages and disadvantages when compared to others, but there is almost always a way to design a system that creates fewer disadvantages than the current system, while increasing the advantages. When something works consistently and intuitively, there may still be ways to tweak the system to get greater efficiency. But the electronic voting machines seem to have created a problem just as big as the one that they purport to solve. Votes are still being counted inconsistently, ballot tampering is still possible, and the devices have added unreliability and complexity to the system.
Ideally, a perfect solution will be efficient, simple to understand, intuitive to operate, and will minimize the possibility of mistakes. Which brings us to our lesson for today: A solution should not fix some problems only to create different, bigger ones! That seems too obvious to have to state, but oftentimes people lose sight of the basics and need to be reminded of them. It happens to us all at one time or another, so it's worth pointing out.
Tuesday, November 07, 2006
Thursday, October 26, 2006
Lock Up Your Valuables
If you're going to keep backups of your important information, it only makes sense to protect those backups. This is doubly true if you're storing your backups off site. If you have your backups on the internet, this is a no-brainer. The best way to do this is to put the data in some kind of container that is locked away digitally. No one can see through the container, and nobody can open it without the key. In the digital world, this is accomplished by encryption.
There are several types of stored data encryption software, from FOSS to Top Secret; from mobile phone software to hardened enterprise appliances; from file-by-file to whole disk. Each of these types has its place in the world of Information Security. I will attempt to treat the most relevant ones here. Hopefully by the end of this post you'll know what encryption is, why it's important to encrypt your valuable data, and what the best method is for you.
Encryption and cryptography are much too broad to cover in depth here, but if you'd like to learn more about their history, details, and uses, I recommend you start with the Wikipedia page and with Bruce Schneier's best known books, Applied Cryptography and Practical Cryptography. I haven't read either of these, but I have a decent idea of the principal ideas behind cryptography and encryption. I have neither the aptitude nor the desire to learn more about these fields. Here is a very brief explanation and history of cryptography and encryption, which may or may not be technically accurate (but it's close enough).
Cryptography is the use of codes or ciphers to transmit information between two parties in clear view in order to make the meaning of the message incomprehensible. Both parties must have a key to decrypt the code. This can be done by memorizing a substitution pattern, by using a physical device, by using a computer to keep track of the encryption and decryption code, by making use of a one-time pad, etc. Each of these has its advantages and disadvantages. As a general rule, usability comes at the cost of security. All cryptographic techniques can be broken by modern computers given enough time, but some are easier than others due to flawed implementation.
The earliest ciphers were simple letter or word substitution ciphers, such as replacing each character with a number or letter. Julius Caesar used a cipher named after him which relied on both parties having a cylinder of equal size -- a physical decryption key of sorts. Not a whole lot happened until the advent of basic computers -- in the mid 1800s by Charles Babbage! But during World War II, the use of cryptography (and cryptanalysis) really took off. The most famous bits of cryptography during this era were the Enigma machine and the Polish mathematicians' breaking of this (by hand, no less), the American decoding of the Japanese diplomatic and, after Pearl Harbor, tactical encryption, and the American Marines' use of Navajo "Code Talkers" to relay messages to and from the front lines. Modern powerful multipurpose computing machines have ushered in the age of Modern Cryptography and its various methods and techniques for encryption.
Now that the obligatory background information is out of the way, we can start on the meat of the post. I find that it is best to think of encryption software by its functionality. What does the software do and how can that be useful? In this sense, there are three categories of stored data encryption: file level encryption, file vault encryption, and whole disk encryption. Note that I will not be discussing cryptographic protocols, such as SSL/TLS, for securing data as it crosses a network.
File level encryption or filesystem level encryption is a method of encrypting individual files on a disk. Usually this requires the user to manually select to encrypt a file. Some software allows the user to specify that a directory in its entirety is encrypted, including new documents created or put into this directory. Windows uses the Encrypting File System (EFS), and OS X uses their FileVault. Each of these automates decryption when the user logs into the computer. However, this means that anyone who has access to this login has access to the sensitive files. It also makes transporting the files encrypted a challenge: they are decrypted in transit, but are difficult to copy when encrypted (or rather, they are difficult to decrypt after they have been moved when encrypted). Other programs can be used which can overcome the latter difficulty, but which do not solve the first one and may not provide the same ease of use as the integrated products.
What I call "file vault encryption" others call "disk encryption". I think this is easily confused with "full disk encryption" so I will continue to use my terminology, despite the possible confusion with Apple's FileVault. Whatever you want to call it, file vault encryption creates a single file in which all data is stored encrypted. Typically the software will mount this file as an additional hard drive in your computer, making access to the data easy. This type of encryption is very easy to transfer to another computer or to another medium -- you just copy the single file. However, it typically requires entering a secondary password after logging into the computer.
Full disk encryption or whole disk encryption usually refers to encrypting the entire boot device. This ensures that all of the data on the disk will be encrypted, including temporary files, working files like the ones Microsoft Word creates, and the scratch disk or virtual memory. Encrypting all of this data is most appropriate for mobile computers which are likely to be lost or stolen. However, this security costs performance. Also, once the user logs into the computer, all files are copied and transmitted unencrypted. In addition to the fact that transporting the data requires additional encryption, if the hard drive is damaged or if the boot sector is overwritten, the data is essentially irretrievable.
Of these three types, each has its proper use. The least useful type of stored data encryption of the three is the file level encryption. It offers the fewest benefits with the highest risks. In fact, I would argue that it is completely useless in comparison with file vault encryption, which performs many of the same functions with the added bonus of transportability. In addition, the fact that the vault is mounted to a drive letter clearly delineates which data is encrypted and which data is not encrypted. Full disk encryption should be used anywhere the risk of computer theft or loss is moderate, in addition to some high security environments. And some form of encryption should be used on all backed up data.
Of the many dozens of attacks where personal information has been lost, it is unclear how many were preventable by encrypting the data. However, it is a good bet that every lost or stolen laptop or backup tape would have yielded no data if proper encryption methods had been used. And many of the hacking incidents may have been preventable if the sensitive information had been encrypted properly. While it may seem costly for a company to implement, the encryption software and practices cost hardly anything compared to an incident like the one the Department of Veterans Affairs suffered.
The takeaway lesson here is to keep your important stuff protected. It's not enough to just keep it in a safe place, you should keep it in a secure place. Whether that is a safety deposit box at your bank, a safe in your home, or a vault at Ft. Knox, you can't afford to let your valuables just sit around unprotected. How much cheaper it would seem in retrospect to buy a safe than to try replacing a family heirloom after it is stolen.
Thursday, October 19, 2006
Backups
This tip will either be a waste of time or it will save you more grief than you can imagine. Backing up your important information can make the difference between taking 10 minutes to restore your data versus weeks and hundreds of dollars to get anywhere from none to all of it back. I lost my data once and didn't have the money to spend restoring, so I spent over a year and a half trying out different software and techniques before I was finally able to rebuild the data I lost -- a lot of irreplaceable pictures.
So now that you know you should be backing up your data, how do you do that? The first step is to identify what you want to back up. This isn't as easy as it might sound at first. Things tend to get scattered all across your hard drive, floppies, CDs, etc. The only thing worse than not backing up anything is backing up everything but a key document -- by the time you realize you've lost it, it may be too late to recover. Once you've got it all collected, find a spot on your hard drive where you can store everything.
Now that the first step is completed, it's time to look at your backup options. Which backup method you choose is largely a matter of personal preference. The four general ways to back up data are online, nearline, offline, and offsite. There are benefits to each, as well as drawbacks. Here are some brief descriptions.
Online storage backups are not really backups, they are redundancies in the way the data is stored, meaning that a single dead hard drive does not lead to data loss. However, for the purposes of our discussion, it can be considered a method of backup. Typical online storage would be something like an internal RAID with fault tolerance, NAS/SAN, or some other method of keeping data instantly accessible and current in the event of a failure. Also, you don't have to think about performing backups, data is automatically backed up whenever you change or update it. However, in the event of a complete system failure, all information will be lost. This could be due to theft, lightning and other natural disasters, structure failure, fire, etc.
Nearline storage allows you to keep data close at hand, but not fully current or instantly accessible. This would be a true replication of data, so that it exists both on the computer and on another device. Typical nearline storage devices are USB flash drives, external hard drives, secondary internal hard drives, or any other type of storage usually connected to the computer or across a network. The backed up data is quick and easy to access in the event of a primary storage failure. This type of backup is probably most common in home environments.
Offline storage is that which is backed up, usually on removable media such as blank CDs or DVDs (optical media), floppy disks, zip disks, storage tapes, etc. These media are easily stored elsewhere, since they are typically much cheaper and more portable than the other solutions. Offline storage requires that you locate the media and put it in a reader attached to your computer. One of the biggest problems with this type of storage is that sometimes the media goes bad. This is especially true for optical media.
Offsite storage is typically an offline storage system where some or all of the media is kept in another physical location. For example, if you back up your home computer's data to DVD and store the DVD in your desk drawer at work, you have an offsite backup. This may accomplish your goals just fine, or you may want to look at a more secure solution, such as a safety deposit box or a professional service which will pick up and store your media.
Another form of offsite storage is internet-based storage. There are plenty of sites out there that will give you free storage, from free web hosts, to file sharing sites, to dedicated backup sites, to jumbo sized email hosts. Some of these are better than others for keeping backups of sensitive information. For example, the backup sites linked all claim to encrypt your data so that only you can retrieve it. In general, I don't trust proprietary encryption and I don't trust somebody else to encrypt the data for me. So you'll probably want to encrypt it before uploading (that's a topic for another day...).
While any data backup is better than none at all, I recommend keeping a few different backups using different methods. My important data resides in several locations. First, it is on my local hard drive. Once a week or so I copy this to a file server running a RAID. Every once in a while I'll copy the backup to an internet-based offline storage system. This ensures that I can survive several failures without loss of data.
Don't forget how critical your backups are! Don't store the backups where they may get stolen, lost, damaged, or otherwise be useless. Also don't forget to keep this data secured and/or encrypted. And it might be handy to test your backups regularly to make sure you can restore the information. Many businesses learn these lessons the hard way by losing their only copy of data, by having the information leak out because they treated their backups as if they were blank, or by not being able to get their data back when they really needed it. I warned you.
Businesses practice "Risk Management," determining an acceptable amount of risk to allow as a tradeoff for cost. But they're only protecting their money; you have to protect much more valuable property. Whether you're backing up your Great Grandmother's cookie recipe, your college thesis paper, or your pictures of your kids' first Christmas, these things are irreplaceable. With the free tools outlined here, the only cost to you is your time.
The final lesson in data backup is trust. Backups are an insurance policy and the most important part of insuring against loss is trust. So don't listen to the lizard or the duck when they tell you that cheap insurance is better. The truth is that if you ever have to cash in one of these things, they'd better pay off. If you don't have 110% confidence that you can recover quickly and easily after a disaster, then it's time to start looking for somebody that you can trust to make that happen.
Monday, October 09, 2006
Free Software Advantage
I was pretty busy last week and didn't get the post up on Wednesday like I'd planned. I decided that rather than rush something out that isn't quite done, I'd hold off. So I'll post it sometime this week.
One problem that I'm having with them is that they tend to get drawn out and give way too much information. Also, I know that they tend to jump around and be less understandable than I mean them to be. These are both problems that result from a lack of good planning. I haven't really got a plan for the blog, and I don't really have a plan for each topic. I just start writing and whatever related stuff I think of, I put in there. So I'm thinking I might revisit some of these first ones sometime down the road and do them right. Maybe I'll start doing a week on a theme and posting something short every day for some of the bigger themes.
Something that I wanted to point out is that most of the links and suggested programs are free. I like free, because it lets me test and compare them before deciding on something. Many commercial programs have a trial period, but I find that I usually don't focus my testing and comparisons to 14 or 30 days. Free software usually works out fairly well, though the commercial ones are much more polished and have better features and support.
I really like to use and recommend FOSS whenever I can. This type of software has very few restrictions, is quickly patched and fixed, and can be just as good as commercial stuff sometimes. A mature software product is the same, whether a large company created it or whether it was made by a coordinated group of unpaid volunteers. Most of the time the people who contribute to the software packages are professional programmers, anyway.
This isn't to say that you should stay away from commercial products. Some of them are very good with no real FOSS alternative. Sometimes the commercial tools will have features that make it well worth the cost. Especially if they have better stability, a better interface, save time, or have some feature that you really need. In businesses, support and accountability are also crucial in a software product. This is why companies tend to shy away from using free software -- someone on the payroll would end up doing this, and that can get expensive. Sometimes it ends up costing less to buy software than to use a free or lower priced alternative.
Often times with non-software, the same is true. Is it worth saving $25 on a $250 purchase? What does that 10% price difference really buy? Sometimes these things aren't quantifiable, sometimes they are. If the $25 buys a much better experience, then you're more likely to use the product. The more expensive product may end up costing you less per use than the cheaper one. Many times I don't consider price at all, and just buy whatever will be the best product for me. I have never found myself wishing I'd saved the money, but I often find myself wishing that I'd spent the little bit extra for a better product.
Wednesday, September 27, 2006
Password Pandemonium
I hate passwords. There, I said it. I'm a security guy and even I hate them. As a technological society, we should have advanced past the point where we need passwords for everything. But passwords are cheap to implement, the concept is easy to understand, and they work with any existing system that has an input device. For these reasons, they're not going away anytime soon.
So now that we've established the need for them, we might as well learn how to effectively manage and use them. My first password was "qwertyuiop" -- just the top line of letters on the keyboard. It was simple to type, it was easy to remember, and it wasn't a dictionary word. I thought I was doing pretty well coming up with that one. I guess everyone did when they came up with it too. The problem with this password is that it isn't unique (in fact it is fairly common) and it is easy to guess. I don't use that password anymore.
Instead, I use a three-tiered system of passwords. The tiers are based on the type of information contained in the systems. The three types of information that I have are public, private, and secret. Public information is that which is readily available to all, private information is that which I want to keep from all but my friends and people who know me fairly well, and secret information is information that I don't want anyone but myself to know. Other highly respected people use the same system that I do and feel perfectly secure doing it.
The first tier are systems like the Atlanta Journal-Constitution website, the New York Times website, and other systems where I only receive and never give information. Not only that, these sites contain only public information that is available to anyone. Not even my email address is stored there; I used one of the many anonymous email services to register. (I'll cover online anonymity in a later post.) In short, I use a simple, generic password here because it doesn't matter if anyone gets access. In fact, there are places where people register for a login and password then post it so that others don't have to bother.
For the second tier, I use a password that is more secure. This one I use for websites where I have some personal information, but only things that my friends, family, and several others already know about me. Things like my name, some pictures, my address and phone number, etc. But I would NOT use this password to protect financial information or any kind of information I wouldn't want anyone to find out about. This password is one that I only change once a year or so. These types of systems are ones that would merely be inconvenient if they were cracked, like an email account I use to chat with friends or online stores that don't store credit card info.
The third type of password I use is usually 20-60 characters long, mixed with numbers, upper and lower case letters, and special characters. These passwords guard systems that protect financial and private information. Systems like my bank account, my online bill-pay for my home utilities, my credit card website, and the email account that I use to get email from all of these systems. Each system has a unique password and each password is changed at least once every 90 days. These are systems where a loss of confidentiality would severely hurt my financials, my reputation, or be difficult to repair.
If all of this sounds extreme, it probably is. You probably won't ever lose personal information or have your identity stolen because someone cracks your password. These days, it is much more likely that the database itself will be broken into or that you'll have a keylogger installed onto your computer. But this is also the type of password system that I use at work, where the stakes are higher. At work, I'm responsible for keeping other people's secret information.
But believe it or not, there are simple ways to keep track of this stuff. First, you have to classify your information systems and figure out which ones you need to protect and at what level. Start with any website where you have financial information, like your credit cards, bank accounts, credit union, investments, utilities, etc. Next, identify your second tier systems -- you may want to double check these to make sure that they don't have any financial information, like bank account emails, etc. If they do, you'll want to include them in the "secret" tier or get a new email account to receive your secret emails.
NOTE: You'll want to pick an email account that lets you login over an encrypted connection. This way, if someone manages to observe your communications with the website they won't see what you're actually seeing. All they'll see is an indecipherable data stream. I recommend hushmail for this.
Second, you'll need to come up with some passwords. For the first tier (public information) systems, you can use any password that you want. Use qwerty, 12345, password, or whatever you'll be able to remember. You might want to use something a bit more complex so that it gets past any website that checks for password complexity. Something like q1w2e3r4t5y6 might be good here. It's easy to remember, but will pass most complexity checks for public information websites.
You'll want to put more thought into your private information passwords. I'd recommend a very complex password, something with upper and lower case letters, numbers, and special characters. There are dozens of websites with password generators, advice on how to come up with strong passwords, and ways to remember them. Keep in mind that you'll change this only once or twice a year, so even a long and difficult password will quickly be easy to remember. Passwords are usually committed to muscle memory after only a few uses, so that will probably mean that after a week or so, you won't be mistyping it anymore.
For the final tier, your secret information, you'll probably want to come up with a passphrase. A good passphrase will be several words long, have a couple of capital letters, punctuation, and numbers. A good passphrase will be nearly impossible to crack by brute force techniques, or even using rainbow tables! Passphrases can be easier to remember than passwords, though they might take more time to type. A good passphrase for your Hotmail account might be "I use Hotmail.com 5 times a day!" This passphrase is 32 characters long, has 2 upper case letters, 1 number, and 8 special characters. This is very secure and very easy to remember. Make sure you have a different passphrase for each of these systems.
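The three tiers above can be written down as a policy and checked against a list of accounts. The following is an added example, not part of the original post: the account names, passwords and dates are constructed, the 365-day limit stands in for "once a year or so", and the `financial` flag is a hypothetical field marking systems that hold or receive financial information.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Tier rules as described in the post. min_len: shortest acceptable password;
# classes: how many of upper/lower/digit/special must appear; max_age: days
# allowed since the last change (365 is an assumption for "once a year or so");
# unique: the password may not be shared with any other account.
# The post's "20-60 characters" is enforced as a minimum of 20 only.
POLICY = {
    "public":  {"min_len": 0,  "classes": 0, "max_age": None, "unique": False},
    "private": {"min_len": 0,  "classes": 4, "max_age": 365,  "unique": False},
    "secret":  {"min_len": 20, "classes": 4, "max_age": 90,   "unique": True},
}


@dataclass
class Account:
    name: str
    tier: str
    password: str
    last_changed: date
    financial: bool = False  # hypothetical flag: holds or receives financial data


def char_classes(password):
    """Count characters per class; anything not alphanumeric (spaces included) is special."""
    counts = {"upper": 0, "lower": 0, "digit": 0, "special": 0}
    for ch in password:
        if ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["special"] += 1
    return counts


def audit(accounts, today):
    """Return (account name, issue code) pairs, in inventory order."""
    uses = Counter(a.password for a in accounts)
    findings = []
    for a in accounts:
        rule = POLICY[a.tier]
        # Financial systems, and mailboxes that receive their mail, belong in "secret".
        if a.financial and a.tier != "secret":
            findings.append((a.name, "wrong-tier"))
        if len(a.password) < rule["min_len"]:
            findings.append((a.name, "length"))
        present = sum(1 for n in char_classes(a.password).values() if n > 0)
        if present < rule["classes"]:
            findings.append((a.name, "classes"))
        if rule["max_age"] is not None and (today - a.last_changed).days > rule["max_age"]:
            findings.append((a.name, "stale"))
        if rule["unique"] and uses[a.password] > 1:
            findings.append((a.name, "reused"))
    return findings


# Constructed inventory for illustration; none of these are real credentials.
SAMPLE = [
    Account("news-site", "public", "q1w2e3r4t5y6", date(2005, 1, 1)),
    Account("photo-forum", "private", "Tr1cky!Forum#Pass", date(2006, 3, 1)),
    Account("bank", "secret", "I use MyBank.example 5 times a day!",
            date(2006, 8, 1), financial=True),
    Account("utilities", "secret", "Summer2006!", date(2006, 5, 1), financial=True),
    Account("card-site", "secret", "I use MyBank.example 5 times a day!",
            date(2006, 9, 1), financial=True),
    Account("billing-email", "private", "Tr1cky!Forum#Pass",
            date(2006, 3, 1), financial=True),
]

if __name__ == "__main__":
    print(char_classes("I use Hotmail.com 5 times a day!"))
    for name, issue in audit(SAMPLE, date(2006, 9, 27)):
        print(f"{name}: {issue}")
```

The reuse check only applies to the secret tier, since the post deliberately shares one password across the private tier and one across the public tier.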
Alright, so now you've got your three tiers of passwords, but you may still have over a dozen passwords to keep track of. This is no easy task, even for very smart, security-minded people. In corporations, this can be a problem that costs millions of dollars per year when employees who have forgotten their passwords flood the helpdesk with calls. So somebody really smart invented a concept known as Single Sign On. The basic concept is that you only have to log in once to access all of the systems needed for business.
But SSO isn't just for businesses. You can get password management utilities for your desktop that will automatically log you into websites. Firefox and Opera have this capability built in, but they only work for websites. The two best password management programs out there for Windows are Password Safe and KeePass. Password Safe was originally written by Bruce Schneier -- the guy who wrote the book on cryptography. Then rewrote it. That gives this program as much credibility as anything else out there. KeePass is another great program with a better user interface and more options. Either one of them is a great way to keep your passwords safe and even auto-login to applications and websites!
This has been a pretty long post, but it pretty much breaks down to this: passwords don't have to be burdensome! Like any security system, a little planning and thought can actually enable you to do more with the resources you have. In this case, planning out how you treat your important information and having a good password management strategy can be easier and more secure.
Tuesday, September 19, 2006
War With Malware
AntiVirus and AntiSpyware software is not something you want to skimp on if you have any important information stored on your computer. And if you do any shopping, banking, or other types of financial transactions online, Viruses and Spyware could help a criminal steal your identity and you may be liable for thousands of dollars! However, if you have a computer where you just want some basic AntiVirus and AntiSpyware software, there are some free software packages you can pick up that will fit the bill.
The top 3 free AV products are AntiVir, Grisoft, and Avast!. Here is a comparison of these three programs. Remember, these are primarily on-demand scanners, which means you have to manually run them! Yes, you can schedule them, but you still have a long delay between when you might become infected and when you get cleaned. Also, keep in mind that stopping the viruses from getting into your system is better than cleaning up later, as you might not be able to get rid of them. [Edit: It has been pointed out to me that some of these do real-time monitoring and should catch things before they get installed.]
Another free AntiVirus program I've seen is Cyberhawk. It is a free heuristics based AntiVirus which runs in realtime. I haven't tested it much, but it seems to pick up on some of the more suspicious behavior of some of the software I have thrown at it. I recommend using it alongside one of the other virus scanners. And don't forget that Google Pack gives you 6 months of Norton AntiVirus 2005 for free, and AOL Safety and Security Center licenses Kaspersky AntiVirus to you for free. If you'd rather do some research and pay for something, here are some good sites to get you started.
AntiSpyware is a fairly new industry and, until the last 18 months or so, the free programs were probably better than anything you could buy. However, now it seems like the free stuff isn't being updated nearly as often and the stuff you can buy makes life a lot simpler. This is my opinion, and others will have wildly differing ones, but one thing everyone can agree on is to stay far away from the rogue AntiSpyware!
Also, try out different programs on different computers. If you use F-Secure AntiVirus, Zone Alarm Pro Firewall, and Webroot SpySweeper on your main computer, put Avast!, Kerio, and Ad-Aware on your kids' computer. Find something that works out well for you. Some of the newer viruses and spyware are written specifically to evade the main AntiVirus vendors, so give some of the lesser known guys a try. Use Nod32 or Kaspersky instead of McAfee or Norton.
The way I avoid spyware and viruses is to know what I'm downloading, avoid sketchy websites, patch Windows, and configure my browsers for security -- IE, and Firefox. You can get plugins which will disable scripting, warn you of bad sites, and warn you of phishing sites. I also recommend replacing the default Windows firewall with one of the good free alternatives: Zone Labs, Kerio, or Comodo. These will block outbound network traffic as well as inbound, but they may be a bit more intimidating for the average user.
If you're worried about your kids, visitors, or whoever going to dangerous sites, you can install a web filtering proxy and set up separate Limited User Windows logins. I recently had a house guest go to some unsavory sites late at night while he was staying here and I ended up getting hit with something that shut my computer off, but thanks to my AntiVirus program, nothing ended up on the hard drive. However, taking the two steps above would have prevented the incident altogether and would have saved me the couple of hours it took to double check the computer for any nasty stuff that had gotten by.
In the end, the best thing for the average user looking at some of the freeware listed here is to just pick something and use it. If you find that it doesn't fit the bill, you can always drop it and grab something else. Remember that ease of use can be as important as anything else. If you get 10 popups an hour from your security software, you're likely to just click through it. It may be no more effective at protecting you than having nothing, and it makes using the computer frustrating.
There have been quite a few links in this week's post, and it might be a bit intimidating. But each one links to a program or to information about them. You don't have to hit every one of them, just surf where the 'net takes you. If you feel more comfortable navigating and digging deep into things, feel free to click every link and devour all of the information. And post here if you find more things.
When you were a kid, your parents tried to help you understand the dangers of the world outside your home and protect you from them. When you're going out into the big bad online world, there are a lot of things to look out for, too. Hopefully this will be a starting point for you to do some research and see what is out there so you can keep your computer healthy. And don't forget your scarf, it might get cold out there.
Wednesday, September 13, 2006
My First Post
This is my first post to the blog, so I should probably say a little about why it was created. I decided to start this not long after I started my company, Beau Woods, LLC, in order to give out some advice on whatever I seem to be thinking about at the time. The intent is to give out some good advice for people who don't have the time to spend 10-12 hours a day thinking about keeping themselves safe online -- which is most people I know. But that's the great thing about the internet, you can usually find a lifetime's worth of knowledge and experience boiled down to a quick 15 minute read.
Think about how much research has been done that culminates decades of work into one paper. These things are published by scholarly reviews all over the world, with thorough documentation, careful analyses of all results, caveats about the conclusions, and showing the blood, sweat, and tears shed over the lifetime of the research. And on the internet, somebody will post a really quick bullet point that disregards all of the attention to detail and caveats about drawing erroneous conclusions. The summary is published in a thousand other blogs and sometimes in print, each reprinting adding credibility to a post by someone who may only have skimmed the first page of the original research paper.
I guess my point (and my first tip) is this: don't believe everything you hear or read. Whether it's on the Internets, in print, or first-hand from somebody who swears it is the truth. You learned critical thinking skills in school, right? If not, you should look into that. Often times you can pull apart a claim or argument with simple logic and a little bit of skepticism. I'm not saying you should go around calling people liars if you don't believe them, it's just that sometimes things are not what they seem.
So go forth, be truthful, and analyze.
Monday, September 11, 2006
Blog Goals
My goals for this blog are to help out people from all experience levels and backgrounds. I am hoping to get people to do more critical thinking about the world in which we live. I think those types of lessons can apply to more than just computer security. So I won't tell you about the latest products and trends, and I won't spout off about whatever is harshing my mellow at the moment (mostly).
What I will do is to try to give you strategies for solving problems and attempt to shape the way you attack them. And in the close of each post I'll try to relate things to the real world.
It may take me a while to work up to something productive and useful, so I ask you to bear with me while I work through my growing pains. I can't promise you that I'll deliver on a regular schedule, or that everything I put here will be relevant to your life. But I will promise you that I'll be honest to what I believe. Hopefully that will come across clearly, because if you can't make your thoughts cross from inside your head to inside others' heads, there's hardly a point in trying.