Popular Security

We have all been burned by it: the web site you must use — your bank, a government site, something else you really want to use. The worst offenders are those where you have no choice: you must use their web site. You go through the whole process of “registering” and then they drop the bombshell on you: you must use a gibberish username or password so complex that there is no reasonable way a human being can remember it, or some other nonsense of equal uselessness.

Yes, you could make up words for each letter of the random garbage password. Sure, you could write it down so you don’t forget it. You could go to http://random.org and have the computer generate you a list, then tape it to your monitor. But really, why are they doing this to us?

Does it improve security? No. It harms security.

First, web sites are not usually hacked because someone used a brute force attack trying to log in — the attackers logged in using information they already had from somewhere else, or they used an exploit to break into an unpatched system. No system needs to fall to brute force attacks — just install DenyHosts or something else like it for free: three bad password attempts and the IP address is banned until the sysop removes it from the hosts.deny list. And don’t get me started on people who allow outside logins with the root account — people should learn to log in with a normal account and shell. We get hundreds of hack attempts every day, and the first login they try is ‘root’, followed by ‘bob’ and other junk. Read your system security logs for more entertainment.
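The “three bad attempts and the address is banned” idea above is easy to check against your own logs. The script below is an added example written for this post, not DenyHosts code and not from the original article: it scans constructed OpenSSH-style auth log lines (sample data, not real traffic), counts failed password attempts per source address, reports every address that reached the threshold of three, and renders the corresponding hosts.deny entries in TCP wrappers syntax. The function names and the sample lines are my own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of an OpenSSH auth log (not real traffic).
SAMPLE_AUTH_LOG = """\
Aug 31 10:01:02 host sshd[2101]: Failed password for root from 198.51.100.7 port 51022 ssh2
Aug 31 10:01:05 host sshd[2101]: Failed password for root from 198.51.100.7 port 51023 ssh2
Aug 31 10:01:09 host sshd[2103]: Failed password for invalid user bob from 198.51.100.7 port 51024 ssh2
Aug 31 10:02:14 host sshd[2110]: Accepted publickey for alice from 192.0.2.10 port 40100 ssh2
Aug 31 10:03:40 host sshd[2115]: Failed password for alice from 192.0.2.10 port 40111 ssh2
Aug 31 10:04:00 host sshd[2120]: Invalid user admin from 203.0.113.9 port 33000
Aug 31 10:04:01 host sshd[2120]: Failed password for invalid user admin from 203.0.113.9 port 33000 ssh2
Aug 31 10:04:03 host sshd[2122]: Failed password for invalid user oracle from 203.0.113.9 port 33001 ssh2
Aug 31 10:04:05 host sshd[2124]: Failed password for invalid user test from 203.0.113.9 port 33002 ssh2
Aug 31 10:04:07 host sshd[2126]: Failed password for root from 203.0.113.9 port 33003 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user bob from ..." forms of the sshd message.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(log_text):
    """Return a list of (ip, user) pairs, one per failed password attempt."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("ip"), m.group("user")))
    return failures


def offenders(log_text, threshold=3):
    """Map each source IP that reached `threshold` failures to its attempt count
    and the usernames it tried; addresses below the threshold are left out."""
    attempts = Counter()
    users = defaultdict(set)
    for ip, user in parse_failures(log_text):
        attempts[ip] += 1
        users[ip].add(user)
    return {
        ip: {"attempts": n, "users": sorted(users[ip])}
        for ip, n in attempts.items()
        if n >= threshold
    }


def hosts_deny_lines(ips, daemon="sshd"):
    """Render hosts.deny entries ('daemon: address') for the given addresses."""
    return [f"{daemon}: {ip}" for ip in sorted(ips)]


if __name__ == "__main__":
    found = offenders(SAMPLE_AUTH_LOG)
    for ip, info in sorted(found.items()):
        print(f"{ip}: {info['attempts']} failures, users tried: {', '.join(info['users'])}")
    print("\n".join(hosts_deny_lines(found)))
```

On the sample data, the one legitimate user who mistyped a password once stays below the threshold, while the two addresses that cycled through ‘root’, ‘bob’, ‘admin’ and friends are reported. A real deployment (DenyHosts, fail2ban or similar) also needs the unban path the post mentions, so that a locked-out colleague can be removed from hosts.deny again.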

Second, ridiculous logins and passwords cannot be remembered: they must be written down. The most profitable way banks are broken into is not by breaking doors or threatening physical violence: it is by reading post-it notes bank managers stick to their computer screens with non-memorable passwords written on them.

Third, very few web sites are worthy of their own very special, unique, just-for-them-alone, login and password. And that is where the real security problem exists: the most common security breach is not passwords that are too easy to break by brute force methods or dictionary lookups. The most common security breach is by password reuse.

Password reuse is what we all do for unimportant web sites that we visit, which demand that we create a login for them, but which we really do not care about. We all visit tens if not hundreds of those. Trojan web sites can be used to snarf up logins, and then the mafia behind the trojans can use the data to break into popular web sites — sometimes a person will, for example, use the same password on FaceBook, AOL, and her bank. If she enters that same information on a junk web site, then the mafia can also use it to access her bank, FaceBook, and so forth.

Most people are savvy enough that they do not use ‘password’ as their password. I have several passwords, made of random characters, which I use for different types of web sites. One password goes on garbage sites that I really do not care about — it is simply kept around to satisfy web site owners who think they gain something by forcing everyone to log in. Another password I use for sites I care about, but which are not really very dangerous, and in a very few places — banks, popular social sites, my personal blog sites — I use a special password crafted just for them. I write these passwords down in an administrative journal because these are important web sites, and if I get hit by a truck on the way to work tomorrow, there are people who will need to use those sites in my absence. The garbage sites could vanish tomorrow and the world would never notice, nor, mostly, would I.

I have noticed another interesting thing about the security problem: the web sites which degenerate into this counter-productive policy seem to be mostly sites which are using .aspx technology — Microsoft servers. My bank has even gone so far as to require Flash to be installed in my browser to log in, with the idea that measuring how fast I type somehow identifies me better than my login or IP address. Honest. The same Flash that was not available in a 64-bit version to fit my 64-bit browsers on my 64-bit quad core Linux system. They actually required me to uninstall my browser and go backwards to the old 32-bit version to access my bank accounts on-line. For a while Flash was not even allowed on Linux. That is over-the-top unreasonable. It is actually written in some banking policy that they must do that. Flash, the technology that has so many crashes and hacks, that spyware installs ‘updates’ to while posing as Adobe. Yes, that Flash is required to log in to my bank.

Freedom of the press belongs to those who own one — I said that years ago. It is still true. If you don’t like a web site, you are free to vote with your feet. But it is irritating, and unnecessary, and it doesn’t help security, it harms security. And we should never have that situation in cases where a person has no choice but to use the site. If it is that important, then pass out USB ID sticks or RFID chips in cards with readers instead.


Wi-Fi data Collection continues: using YOUR CELL PHONE

According to an article in Network World, Google is still collecting wi-fi data. After some legal hoopla earlier this year, they stopped using their wi-fi “Street View” cars to log wi-fi locations, but they then switched to using people’s Android phones and location-aware mobile apps to rat out wi-fi sources. Hope they are asking each phone owner for permission first.


FaceBook Virus or Ethics Violation?

FaceBook presently seems to be demanding a cell phone number as a condition of logging on. It could be a virus forwarding mobile phone numbers to China or Siberia for posting unauthorized charges to cell phones to steal money, or it could be FaceBook actually pulling the same stunt themselves for the same reason — to place unauthorized charges on the cell phones. It cannot be to authenticate customers as they are already authenticated through providing a valid non-public (not yahoo, hotmail, msn, etc.) email address.


Using Social Media for Education

We came across a July 1 post by Phil Montero at http://theanywhereoffice.com on how to use Social Media, such as FaceBook to enhance education at K-12, College, and special post secondary educational situations. It was a good find. His link for further information is http://www.theanywhereoffice.com/digital-lifestyle/using-social-media-for-inspired-learning-and-education.htm which points to Fred’s article at http://www.fredshead.info/2010/05/100-inspiring-ways-to-use-social-media.html.

Here is a taste of Fred’s patter:

“Social media may have started out as a fun way to connect with friends, but it has evolved to become a powerful tool for education and business. Sites such as Facebook and Twitter and tools such as Skype are connecting students to learning opportunities in new and exciting ways.”

One interesting aspect of this web site is that it is designed to be accessible to the visually impaired.


Work Shifting: common sense leads to new productivity

On 08/31/2010 10:23 AM, Mike Mansbach, Citrix Online wrote:

John:

Workshifting, or the flexibility to work when and where you want, is on the rise. The advantages for employees and companies are plentiful — from cost savings and increased productivity to a greener workplace.

This new podcast, featuring Phil Montero, CEO of The Anywhere Office, explores the advantages of a workshifting environment and how to create your own workshifting program.

“There’s no shortage of benefits for both employees and businesses.”

Listen to the podcast to learn:

* Key benefits of workshifting for employees and businesses
* How to implement a strategic workshifting program
* How to pick the best tools for a workshifting environment
* And more…

View this Complimentary Podcast

Please forward this to colleagues who might be interested in learning more.

Best regards,

Mike Mansbach | VP & GM


On 08/31/2010 12:41 PM, John Nash of API, replied:

Hi Mike,

Thank you for writing. Yes, I know workshifting is important. I am working from home right now. I simply shell into my servers with SSH2 or connect with FileZilla. The 16 people I expect to add to my workforce soon will also largely work when and where they can be most successful and cost effective.

I am interested in your presentation, but when I tried to view your previous link, it refused to let me participate: it is a “Microsoft Only” setup. Yes, I could simply load a virtual machine with one of the MS environments in it: that is not the point. If you are hosting the presentation, then I would expect to see how your product line facilitates my success in using a totally space / time / equipment independent work environment. Since the presentation is only accessible to Microsoft, it is probable that your tools are only accessible to Microsoft.

Work Shifting involves more than geographic location. It involves location, time, equipment, intellectual activation (mental readiness) and even social presence. Essentially, our present technology allows the worker to work when it is optimal. We are entering an age where not only time or location but especially computing device is flexible. Most mobile devices today do not use Microsoft. Most professional web servers do not use Microsoft. While I know there are sporadic instances of a Microsoft web server or two, or a Windows email machine here or there, Microsoft exists mostly on the end user desktop, and they have been losing market share fast.

I sincerely thank you for thinking of me, but neither of us can profit from this. If you have a presentation later that conforms to international standards and respects technological diversity, please let me know: I would be happy to view it on one of my Ubuntu desktops.

John Nash, CEO
American Programmers Independent, LLC.

P.S. The Podcast Mike provided a link to in his email today DOES work, although it is only audio (.mp3). In time, hopefully, larger corporations will begin making their products compliant with HTML v5 standards so that all media can be played with Google Chrome or any other standards compliant browser without extra addons. If you would like to listen to his link, click here. To check out Phil’s web site with his ideas on Work Shifting, browse to http://www.theanywhereoffice.com/.