Heartbleed – what is it?

When you log into a secure web site and get “https” and a lock symbol, what you transmit is secure, right? Maybe. About two-thirds of the web uses OpenSSL, and it’s recently been discovered that it has had a bug for about two years.

“Heartbleed has the potential to be one of the biggest, most widespread vulnerabilities in the history of the modern web.”

Security expert Bruce Schneier says “‘catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.”

While there is a fix, and nobody has shown it was exploited before it was disclosed, the issue now is with sites that don’t have decent maintenance and don’t get updated. Now that the bug is public, some old site you used once long ago may now be insecure. If you have the habit of using the same password all over, or of using your social media (Facebook, Twitter, etc.) logins on other sites, you may have unwittingly shared your access all over, including to sites that are now secure.

Changing your password on such old sites won’t help in the slightest, contrary to some of the advice floating around: until the server is patched, the new password can be lifted the same way as the old one. It’s only a useful exercise once you know the site has updated. Do change it on sites that are fixed. All the major ones apparently have, but there are millions of servers out there.

And the catch is that this attack leaves no trace in the server’s logs, so even server admins may never know they’ve been hit with this one.
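To see why the bug is so bad, here is the missing check in miniature. This is an added example written for this post, not OpenSSL’s code: a toy heartbeat handler with the pre-fix logic beside the fixed logic, run over a constructed byte string that stands in for server memory (the “secret” bytes after the record are made up). The message layout is the one from RFC 6520: a one-byte type, a two-byte payload length, the payload, and at least 16 bytes of padding.

```python
"""Heartbleed in miniature (added example, not OpenSSL code): the heartbeat
handler in OpenSSL 1.0.1 through 1.0.1f copied as many bytes as the *client*
claimed, without checking that claim against the length of the record it had
actually received. The "process memory" here is a constructed byte string."""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16            # RFC 6520: at least 16 bytes of padding after the payload
HDR = struct.Struct("!BH")  # type (1 byte) + payload_length (2 bytes, big-endian)


def build_heartbeat(payload, claimed_len=None):
    """Build a heartbeat request. An honest client claims len(payload);
    an attacker claims up to 65535 while sending only a few bytes."""
    if claimed_len is None:
        claimed_len = len(payload)
    return HDR.pack(HB_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def vulnerable_handler(memory, record_len):
    """Pre-fix behaviour: trusts payload_length from the packet. record_len
    (what was really received) is never consulted; that omission is the bug."""
    hb_type, payload_len = HDR.unpack_from(memory, 0)
    payload = memory[HDR.size:HDR.size + payload_len]   # runs past the record into whatever follows
    return HDR.pack(HB_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def fixed_handler(memory, record_len):
    """1.0.1g behaviour: silently drop records too short to be valid, and
    drop any request whose claimed payload does not fit inside the record."""
    if record_len < HDR.size + MIN_PADDING:
        return None
    hb_type, payload_len = HDR.unpack_from(memory, 0)
    if HDR.size + payload_len + MIN_PADDING > record_len:
        return None
    payload = memory[HDR.size:HDR.size + payload_len]
    return HDR.pack(HB_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def response_payload(response):
    """Extract the echoed payload from a heartbeat response."""
    _, n = HDR.unpack_from(response, 0)
    return response[HDR.size:HDR.size + n]


# Constructed sample of what might happen to sit next to the record in the heap.
SECRET = b"Cookie: session=3f9a1c; Authorization: Basic dXNlcjpodW50ZXIy\r\n"


def leak_from(handler, request):
    """Simulate the record landing in memory with other data after it, then
    run the handler over it. Returns the echoed payload, or None if dropped."""
    memory = request + SECRET + b"\x00" * 65536
    response = handler(memory, len(request))
    return None if response is None else response_payload(response)


if __name__ == "__main__":
    evil = build_heartbeat(b"ping", claimed_len=0x4000)   # claim 16 KiB, send 4 bytes
    print(leak_from(vulnerable_handler, evil)[:80])       # b"ping" followed by SECRET
    print(leak_from(fixed_handler, evil))                 # None: request discarded
```

The honest request (`build_heartbeat(b"ping")`) gets `b"ping"` back from both handlers; the over-claimed request gets 16 KiB of adjacent memory from the vulnerable one and nothing at all from the fixed one. Each real request could pull up to 64 KiB, and nothing about it looks unusual in an access log, which is the point of the paragraph above.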

This article explains: Heartbleed Nightmare

You can check a site you use here

This is a great reason not to use the same password on multiple sites and may be a great time to implement a password manager like LastPass, if you have not already.

Not only did Monday bring Heartbleed, but there was a security update for WordPress on Tuesday and another for Jetpack on Wednesday. The latter two are things bloggers should update now. The first you want to be sure your web host has applied. You really don’t want your ecommerce offerings to go nasty on you.

UPDATE – see comments for more links

Safe Browsing, still

Periodically, I’ve recommended some tools that help keep your browsing safe. Web sites are the most common way of getting infections now. Not to mention tracking your activities and identity. I thought it was time for an update as the threats and tools continue to evolve.

Of course, the most important tool is common sense. Don’t go into bad neighbourhoods. Look before you leap.

I personally use the Firefox browser because it’s the most customizable. It’s also an open-source platform that’s not invested in making money from the collection of user data. That collection in itself leads to both privacy and security issues. Some consider Chrome superior but I have concerns about using too many Google services as they do collect user info for marketing. LifeHacker discusses the browser issues here.

This article is thus focused on securing Firefox on a Windows PC. Some of these tools or equivalents are also available for Chrome and Internet Explorer. This is not a review of all security tools but rather recommended examples in several categories, with a few caveats. All are free, unless otherwise noted.

Your first line of defence is of course a good Anti-Virus service and Firewall. With Windows 7, the built-in firewall is fine. The hardware firewall in routers is also advantageous. As for anti-virus, you can check testing sites like AV-Test for your choice. Some free ones are as good as the paid ones for basic protection. I’ve been using paid ESET NOD32 AV to good effect for some time.

Firefox Add-ons:
AdBlock Plus
Blocks most annoying 3rd party ads that slow down web sites and track your presence.

The first thing many suggest you install – it blocks the troublesome scripts on web sites, similar to the above. Lifehacker suggests this is redundant with AdBlock. I’ve been using both but they have come to overlap more.

RequestPolicy is a more aggressive version of this. With it, I typically found a web site was text-only until I worked out where their styles and functionality were loaded from and adjusted the settings. This is a bit of a guessing game that makes it less effective in practice for me.

Specifically targets tracking done by social networking services on other sites, like the omnipresent Facebook “Like” buttons that can track your browsing even without clicking.

Better Privacy
This deletes “Super” or Flash cookies – a more invasive and persistent type of cookie. I’ve not found the deletion affects performance of any sites. But I was surprised how many some sites use.

None of these would be necessary if web sites played more politely with visitors.

Safe Sites marker:
WOT (Web of Trust)
This is a crowd-driven add-on that will flag your search results to warn you off of troublesome sites. (versions for most everyone)

Safe Preview
This tool does not show up in search results unless you ask but can give an overview from 5 services, including WOT, before you click. (Norton now stingily blocks 3rd-party tools like this) I use it as a 2nd opinion if the WOT result is unexpected either way. I used to recommend LinkExtend similarly but it’s not been updated in some time.

A Virus Total tool to give a site or download link a deeper check with a right-click. How’s it fare with multiple anti-virus sources? A cautionary step before inviting something onto your computer from unknown sources.
(VT has other versions for Chrome and IE)

Search Management:
Google No-Tracking
Strips the redirect wrapper from the links in Google search results to avoid click-tracking. Google will still track you, but it reduces some of this, and it makes copying web addresses, doing checks with the above tools and so forth much easier. It also makes Google faster.

StartPage.com is a search alternative that doesn’t track but uses Google. DuckDuckGo is also suggested but I’ve not found the results as useful. Both eliminate the “filter bubble” of targeted search results where your IP and history determine what you see, rather than what the larger world is discussing.

Support tools:
For secure passwords – much more secure storage that will fill in login details and remember strong passwords for you. Way better than browser tools. I’ve recommended this before. RoboForm is also well-recommended but not free.

TIP – Avoid the temptation to use your social site logins on other sites. It makes you much easier to hack and track. That’s becoming all too common and is not in your best interest. Use distinct logins for every site and let something like LastPass help you keep track of them.

backs up your Add-ons, themes, and settings in Firefox automatically.

If you want to see how a site is tracking you, try Lightbeam.

Some of the other add-ons I’ve tried I found too aggressive. Lifehacker recommends Disconnect, for example. While it may reduce tracking, it also greatly reduces the functionality and display of web sites. Again it becomes a guessing game to know what needs OK. They have made you more anonymous but do it by breaking site features.

And if you’re also logged into a sister site, you’ve lost the advantage. Even worse if you’ve logged in using a social media site’s credentials.

Browsing through a VPN, sandbox, or alias site would be more effective if privacy is a priority. Just keep in mind that the web is not about privacy but sharing. That’s why it’s called a world wide web. Anything you share often stays shared, beyond anything you may have imagined. A long-gone web site I built 16 years ago still has a copy on-line at the Wayback Machine, for example.

Bad Add-ons:
On the flip side, you may find this HowToGeek article useful – some browser add-ons are or have become spyware, reporting all of your browsing history and inserting ads on pages you visit. The article includes a follow-up list of troublesome ones to avoid or remove.

I considered moving away from popular webmail services to avoid some of the tracking but soon realized that many contacts use them, so the messages get tracked anyway. Email has not yet had this kind of functionality added. Another gold mine for advertisers.

Safe computing!

Backup That Counts

Many tell me they’re not worried if their computer dies – they’ll just buy another. But gradually as our lives go more digital, we start collecting digital things that are more difficult to lose. The password for the service you paid for. The holiday photos. Your oh-so-carefully prepared resume. Important contact information. The list gets larger and larger.

With that growing body of digital history, the need for decent backup grows. For most people, you want it to be automatic. Set it and forget it. Manual gets forgotten.

At the same time, you want a backup that works. If it’s not reliable or there are barriers to getting access to your key files during a failure, it’s not working. A backup is only useful if it can be easily restored. I’ve seen studies that show even expensive business backup solutions failed in practice the majority of the time.

Software and Data, Local and Remote
There are 2 types of stuff to back up and 2 types of places to put that backup.

The first type of stuff to backup is your operating system (OS) and programs. The key reason to do this is to get you up and running again as quickly as possible. Having to reinstall the OS, all your software, and all the updates can literally take days of your life.

The best solution for software is an imaging tool. The ones built into modern operating systems (like Windows 7+) are fine, or buy the well-known Acronis True Image. This can be set up to be automatic. Weekly is probably enough unless you experiment with software a lot.

The second type of backup is for all your stuff – all the files you create or receive and store in the digital world. If your needs are simple, the above imaging software may be fine. Just image it all together. If you do this, set the backup for ‘daily incremental’. This will catch all the changes made each day.

The downside of imaging your data is access to that backup. If your system goes down or is stolen, you have no quick access to your stuff inside the backup until you have a similar environment and software installed. Go to your old Vista computer, for example, and you’ll have to jump through hoops to get at your Win7 backup.

A better solution is simple file copy or zipping. Those copies of all your created files can then be accessed at any time by any OS – even a floppy. Cobian Backup (Gravity) has been my recent free choice for that. Plug your backup drive into another computer and get to work.

For your most critical files, where you want to save current versions more often than daily, I recommend File Hamster. When a file or folder is added to File Hamster, every time you hit save it makes an additional copy to the location of your choice (a different drive). This has saved my bacon a couple of times when a file got corrupted. And this is much more likely to happen on files you use all the time.

The program is not presented as free, but if you don’t purchase it after the trial period, it reverts to Basic mode. It’s more than worth paying for though. I wrote 2 articles about it here.
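The two points that matter in the paragraphs above, keeping earlier versions and knowing the copy can actually be restored, are easy to get wrong in a home-grown script. Here is an added example written for this post (not File Hamster or Cobian code) of a plain file-copy backup that does both: it copies only files whose contents changed, renames the previous copy with a timestamp instead of overwriting it, re-hashes every copy it writes, and has a separate restore check. The files and directories it works on are constructed in a temporary folder.

```python
"""Added example (not from the post, and not File Hamster or Cobian code):
a plain file-copy backup that keeps earlier versions and verifies every copy,
plus the restore check that tells you the backup is actually usable.
Everything runs in a temporary directory; the files are constructed."""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_changed(src, dest, manifest):
    """Copy each file under src whose content differs from what `manifest`
    recorded last time. An existing copy in dest is renamed with a timestamp
    suffix first (the File Hamster idea), and every fresh copy is re-hashed
    so a silently failed write is caught now, not on restore day.
    Returns the relative paths copied."""
    copied = []
    for path in sorted(p for p in Path(src).rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        digest = sha256_of(path)
        if manifest.get(rel) == digest:
            continue
        target = Path(dest) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        if target.exists():
            stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(target.stat().st_mtime))
            old, n = target.with_name(f"{target.name}.{stamp}"), 1
            while old.exists():                       # two saves within one second
                old, n = target.with_name(f"{target.name}.{stamp}-{n}"), n + 1
            target.rename(old)
        shutil.copy2(path, target)
        if sha256_of(target) != digest:
            raise IOError(f"backup of {rel} does not match the original")
        manifest[rel] = digest
        copied.append(rel)
    return copied


def verify_restore(dest, manifest):
    """Return the files whose current copy in dest is missing or has a
    different hash than the manifest recorded: those cannot be restored."""
    return [rel for rel, digest in manifest.items()
            if not (Path(dest) / rel).is_file() or sha256_of(Path(dest) / rel) != digest]


def demo():
    """Constructed walk-through: two backups, one edit, one corrupted copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "documents", Path(tmp) / "backup"
        src.mkdir()
        (src / "resume.txt").write_text("version 1")
        (src / "photos").mkdir()
        (src / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8 not really a jpeg")
        manifest = {}
        first = backup_changed(src, dest, manifest)    # both files copied
        second = backup_changed(src, dest, manifest)   # nothing changed: nothing copied
        (src / "resume.txt").write_text("version 2")
        third = backup_changed(src, dest, manifest)    # resume copied again, v1 kept
        kept_versions = len([p for p in dest.iterdir() if p.name.startswith("resume.txt")])
        ok = verify_restore(dest, manifest)            # []: every file restorable
        (dest / "resume.txt").write_text("bit rot")    # simulate a corrupted backup
        broken = verify_restore(dest, manifest)        # ['resume.txt']
        return {"first": first, "second": second, "third": third,
                "kept_versions": kept_versions, "ok": ok, "broken": broken}


if __name__ == "__main__":
    print(demo())
```

The manifest of hashes is the piece most scripts skip; without it you cannot tell a good backup from a silently rotted one, which is exactly the failure the “backup that works” paragraph warns about. Persist it next to the backup (a JSON file is enough) and run `verify_restore` on a schedule, not just when something has already gone wrong.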

Location, location, location
The first type of backup location should be local, due again to the simple question of immediate access. In your office or nearby on the network. An external hard drive or network attached storage (NAS) are best and not expensive. Different types of backup above can be saved to different folders on the same external drive. Figure on double to triple what you have now for the size of the external drive.

Backing up to an optical disc is useful for long term archives, but is too manual for automated backup. Thumb drives have longevity issues and are again too manual.

Unfortunately, a local backup will not save your files in the event of a fire, major theft or other such disaster. For that you need a secondary off-site backup. But it should be secondary. Automated remote backup still has too many possible points of failure to be your primary solution.

Storing an OS image in the cloud is problematic as it is large and thus takes massive time and bandwidth to upload. Not to mention the cost of the on-line storage. And then if you have a failure, you cannot restore the OS from the cloud. You need an OS to get to the OS.

The simple off-site solution for the OS is making a periodic image to portable media and storing that safely off-site. Then you can still restore if your local backup solution fails. It’s a bit manual, but ensures it’s easy & workable.

The focus of your automated secondary backup is for your critical files. On-line file-sharing and backup services have been growing in leaps and bounds. I even researched setting up one myself. But they also have issues. Make sure the service is suited to the task. Some sites delete your files automatically after a certain period of time. They’re not designed for backups.

Copying your critical data over the wide open Internet is akin to sharing – not a fine idea. Some suppliers encrypt your files once they are stored, but make sure they’re also encrypted in transit, or you’re exposing your content where it’s most vulnerable. Better still is encryption on your own machine before anything is uploaded, so the provider never holds the key. Complicating your choices are the cost and that some use quite proprietary techniques. This can again create access issues in the event of system failure.

In a recent article by Fred Langa, he introduces an alternative solution. You use the online storage of your choice and a local pre-encryption tool that automatically encrypts, then uploads to that on-line service, whenever you copy files to it. He used Boxcryptor. (requires .NET 4)

You set up Boxcryptor and point it to your on-line storage. Then you set up a secondary backup routine in your backup software to copy to your designated Boxcryptor folder on an automated schedule. Backup to Boxcryptor to On-line storage. Voila – automated and secure on-line backup. The basics are free for personal use.

From a convenience and recovery standpoint, those encrypted files are then available from all platforms anywhere – Android , Mac, & PC.

Be sure the size of your backup routine is less than the size of the on-line space you have. BoxCryptor does allow you to connect multiple services. Also make sure you’re backing up to the virtual drive, not the BoxCryptor.bc folder, or the files won’t be encrypted. Same with decrypting them – get them from the virtual folder or they won’t be decrypted – they’ll just be gibberish. PCWorld talks about using BoxCryptor here.

Fred’s article talks about using it with Skydrive. Boxcryptor supports a wide range of on-line providers, including Dropbox, Google Drive, Box and many more.

Just make sure you use LastPass or some other tool to securely store that unrecoverable Boxcryptor password. In a place that can be accessed any time. Otherwise, you’ve added a key point of failure.

I also reviewed several other encryption options. Some of the on-line storage companies are offering software to do much the same with their own tools but reviews said they were slow. Several tools only work with the big 3 or even only with Dropbox.

And then there’s ownCloud. A little more geeky, but it lets you create your own on-line storage in whatever web server space you have available (assuming your web host is OK with that). It can also manage other sites, mount WebDAV-supporting services like Box, Dropbox and Google Docs (which it will also open) and supports FTP. It will also give you a cross-platform tool for accessing files, calendar, contacts, bookmarks, galleries and so forth.

Blend that with Boxcryptor and you have your own custom solution.
Happy computing,

New Old Pages

Those of you who have followed the blog for a while know that this is a spin-off of what was once a large site on web design, from the hand-coding era. Better resources for that came up over time but a few key pages I retained as a stub on some other web space.

When I went to grad school in ’10, that web space ended and the resources went off-line. The “Web Ref” tab here closed. Finally I’ve tackled the grunt job of converting a few key pages with their custom styles and tables into the theme-driven blog environment.

Now you’ll find 3 new tabs:
Web Colour is an updated intro to how colour is defined on the web, using hexadecimal numbers. While software does a lot of that work for you now, it’s useful to understand it and standardize how you use it. There’s also a link to some Character Code tables elsewhere, useful when you want to insert obscure symbols into text, like Ø, Ψ, or ©. Most software only covers parts of the full set.

Colour Chart is an old Web Safe table of 216 colours. While we no longer have to worry about low-bit screens, it does still offer a table of simple, clean colours and easy compatibility checks. I still use it. There’s also a small table for converting from web-safe HEX to RGB. And links to other excellent online colour tools.

CMY to RGB is a comparison of the print colour gamut (range) with RGB screen colours. Print colours are produced in a different way resulting in a very different range that only partially overlaps. The table is based on the 64 shade CMY Colour Cube and includes CMY, HEX and RGB values for all sample colours. There’s also a table that compares key RGB colours to CMY. If you plan to choose web colours that will translate easily to print, this may be a good starting point.

Hope you find them useful.

Upper Amazon

When you browse the products in a store and are searching for a specific brand, where might you be expected to find a bearded baseball card, an autographed girls photo, and a multi-million dollar painting? Why Amazon, of course. Who knew Monet was so available? Amazon recently opened a new fine art section, featuring some rather pricey artworks being offered by various local galleries.

Someone with that kind of budget for art would be pretty unlikely to buy through a reseller. It’s not exactly discreet. And who carries plastic with $5 million on it? Do they even offer such a thing? (consider the insurance cost for a stray card)

The effort has attracted some cheeky “buyers” feedback (“I returned it – the Monet was used”) and price comparisons (Warhol vs bulk canned soup). I notice several of the highest-priced Monets are gone now. Some galleries may not consider such attention desirable. Not to mention some observations, like on a Norman Rockwell for close to $5 million: Is it art or “just an illustration”? But look – free shipping.

I wonder how many are adding to their Wish list. Missed birthday anyone?

I suppose if you enjoy throwing some extra cash around and advertising it on Amazon and Facebook, it’s an option. Bet your home insurance company may not appreciate it though. Better get that rider. And a better security system.

Hey – the Monet poster (Nympheas) is on sale for $2.76, regular $15. I can afford that! Over in Artwork though, not Fine Art.

PS – there are thousands of more modest paintings to choose from under Fine Art. And if this helps some of the smaller galleries survive, great. (this is reseller, not Amazon stock)

Test your Current Knowledge

Recently, I was sent links to a couple of short on-line general science and religion knowledge quizzes by Pew Research. What is particularly interesting is the detailed stats from the original study showing how well people did on specific questions, overall and so forth. You’ll see that with your results.

The Science Quiz (13 questions)

The World’s Religions Quiz (15 questions)

This article at Slate talks about it. For example, that 42% don’t know the most basic fact about global warming….

Kiva – Start Free

If you’ve ever looked at Kiva (microloans) but were uncertain about investing, here is a chance to try it out for free. You can make a free $25 loan contribution and see the process in action.


Bob is the author of a book about Kiva. During a journalists tour of outrageously expensive hotels around the world, he saw the poverty of the people nearby, some of whom helped build the palaces. He took his pay and invested it in Kiva. Then he went on another world tour to see the loans in action. The resulting book, The International Bank of Bob, is a funny and moving story of the ensuing adventure. And a profound look at real life in some of the more challenging spots on earth.

Weather Wherever, Whenever

In its day, the Weather Channel was a big change. A TV channel devoted just to weather, before we had many dedicated stations. Then weather sites began to show up on the web, including the Weather Channel’s own. They give live, anywhere weather.

A few years ago, I began using the AniWeather browser plug-in. It displays a very customizable temperature and weather readout with optional links to various graphical maps. Click the temperature and you get a pop-up with a 5 day forecast + links to other cities and towns you choose. It’s America-centric but was especially useful when I was in the US Midwest – its weather is far more variable and changeable than here in the Pacific Northwest.

Today I was checking out a new site, Forecast.io.* It shows local current conditions with an animated map of global, regional or local conditions. The animation runs a time-scale as well. Below this is a weekly forecast with relative temperatures. I quite like this feature as you can tell at a glance where the temperature range is going.

Click Add in the dark bar near the top to add your location to the menu list. I tried adding 2 small towns, 1 in Europe and 1 in the US and both were found in moments. Interestingly, the URL in the address bar shows the digital longitude and latitude, if you’re looking for that.

It also has a “Time Machine.” I tried a date from 1976 in a European town and it showed me the correct days weather. (I was there)

Who knew weather could be fun? ;-)

*.io is the country-code domain for the British Indian Ocean Territory. But registrations are open to anyone, rendering the geography relatively meaningless. Not cheap, though.

The TED Controversy

An interesting debate has arisen around the way TED determines what talks they consider acceptable. While they will happily host a talk on life purpose or on a writer’s muse, they have characterized some neuroscience research as “a bunch of goofballs.” Given that this was in response to pulling 2 talks, it suggests their attitude about same. Also on their no-no list, the medicinal value of food.

Notably, Rupert Sheldrake’s pulled talk was on the Delusions of Science. As one contributor (3rd letter below) observed, “The materialist worldview is a belief system based on ten core beliefs. Many people call this worldview science. The method of science and the worldview of materialism are actually two different things.” This is where it becomes troublesome – when a scientist fails to differentiate between their beliefs and science, they introduce non-objective bias.

It was also noted by several that paradigm-busting is how science progresses. New research must meet with skepticism and be tested but some have made skepticism a trademark, another fundamentalism. Richard Dawkins has famously called himself a “militant atheist”.

The sequence to date:
After a few complaints, Sheldrake and Hancock’s TEDx talks are pulled from the main channel. Vocal objections caused them to repost the clips on the TED blog as a discussion point. However, the talks were misrepresented and TED was obliged to retract some statements.

Further TED articles on the subject:
A Fresh Take, Debate on Sheldrake, Debate on Hancock.

They then pulled the TEDx branding from a West Hollywood event, who decided to go ahead anyway.
I’m also aware of another event in IA that similarly lost its TEDx designation for being subtitled “Consciousness and Transformation.” They also went ahead. Some of the talks sounded excellent and only one mentioned consciousness, by a Kilby award-winning physicist.

1 – On April 18, Deepak Chopra and 5 other scientists responded in an open letter. Not really well written but it made some valid points.

2 – The next day, TED responded. They fairly indicate they have to draw a line somewhere. And it’s not always clear. But their attitude and name-calling is not serving anyone.

3 – Later that day a letter from Chopra and some 15 other scientists, each contributing a segment. Some of these comments are excellent. “Censorship almost always arises from some political agenda.” “A robust science of consciousness threatens no one but dogmatists.” And so forth.

Personally, I don’t have a high regard for using drugs to induce altered states of reality. This may bring brief but typically distorted expanded perception. But it doesn’t help real development and won’t give reliable insight. And it can cause serious after-effects. From people I’ve talked to that have done it, it pollutes the finer nervous system. As such I’m not a fan of Hancock. But does the talk deserve “semi-censorship?” Debate certainly.

On the other hand, I’ve read some of Sheldrake’s work and heard a talk he gave on how laws of nature evolve. As the contributors comment, some of his work is excellent research. Some of his books are used as university textbooks. But his talk did directly but gently confront science vs worldview.

Another question I’ve not noticed raised. TED suggested they can’t vet all the videos from TEDx events but I have to wonder how they determine what they do post. Their YouTube channel currently has 1,375 videos. Given there have been thousands of TEDx events, that is but a fraction. Chopra notes that Dawkins’ talk is posted but his rebuttal is not.

When I was getting my grad degree, we spent a little time exploring the difference between science, pseudo-science, and proto-science. The last uses the scientific method to explore new paradigms but is not yet established as a science. Pseudo, on the other hand, talks science but does not use proper methodology. Thus calling another scientist’s work pseudo-science is high insult. I would suggest proto-science is where Sheldrake and other contributors are working, especially around subjects like consciousness. Some people seem to be forgetting that.

WP Bloggers Alert

There’s a new botnet that is infecting WordPress-based blogs and web sites and then using them to infect others. The botnet can then be used to attack other web sites in denial of service attacks, etc. Because web servers are always up and have far more bandwidth, they’re superior to virus-infected home PCs for this.

Think it’s minor? Over 90,000 IPs are already involved. Evidently, symptoms of an infection include slow performance and the inability to log into the WordPress account. Sites may also go off-line for a short time.

WordPress itself is not to blame. As with webmail accounts being hijacked, the issue is poor passwords. Apparently it’s still common to keep the default “admin” username and pair it with a simple password. Brute force password-trial attacks can discover easy passwords in seconds, and the login page will happily accept thousands of guesses. You need a strong site admin password for your web site – even if it’s not WP based. Do you want to be infecting visiting customers? Or have their AV block them from your site? Friends have had these problems.
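A brute-force run is also easy to spot in your web server’s access log, if you look. Here is an added example written for this post (not part of the original, and not WordPress or host code) that reads combined-format log lines and flags any IP that POSTs to wp-login.php repeatedly within a short window. It relies on one WordPress behaviour: a failed login answers HTTP 200 (the form comes back with an error), while a successful one answers 302. The log lines are constructed, and the IP addresses come from the documentation ranges.

```python
"""Added example (not from the post): spotting a wp-login.php brute-force run
in Apache/nginx combined-format access logs. A failed WordPress login returns
HTTP 200 (the form is re-rendered with an error); a successful one answers 302.
The log lines below are constructed; the IPs are from documentation ranges."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Pull ip, timestamp, method, path (query string dropped) and status
    out of one combined-format line; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"].split("?", 1)[0],
            "status": int(m["status"])}


def find_bruteforce(lines, threshold=10, window_s=60):
    """Return {ip: peak} for every IP that produced at least `threshold`
    failed POSTs to /wp-login.php inside any `window_s`-second window.
    `peak` is the largest such count seen. Lines are assumed in time order."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] != "/wp-login.php":
            continue
        if ev["status"] != 200:          # 302 is a success; anything else is not a failed try
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        peak[ev["ip"]] = max(peak[ev["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def _line(ip, ts, method, path, status):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


T0 = datetime(2013, 4, 12, 14, 3, 0, tzinfo=timezone.utc)
# A real user: loads the form, mistypes once (200), then gets in (302).
SAMPLE_LOG = [_line("198.51.100.5", T0, "GET", "/wp-login.php", 200),
              _line("198.51.100.5", T0 + timedelta(seconds=8), "POST", "/wp-login.php", 200),
              _line("198.51.100.5", T0 + timedelta(seconds=20), "POST", "/wp-login.php", 302)]
# One bot trying 12 passwords for "admin" in 33 seconds.
SAMPLE_LOG += [_line("203.0.113.7", T0 + timedelta(seconds=3 * i), "POST", "/wp-login.php", 200)
               for i in range(12)]
SAMPLE_LOG.sort(key=lambda l: parse_line(l)["ts"])

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))   # {'203.0.113.7': 12}
```

The threshold and window are the knobs: ten failures in a minute is far beyond what a human produces and far below what the bots send, so it separates the two cleanly here. Whatever you do with the result (a firewall rule, a login-limiting plugin, a ticket to the host), the stronger password is still the fix; the detection only tells you how long you were being tried.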

Hopefully, server-side malware scanning will become standard and reduce the issue. Some web hosts don’t provide any web site scanning though, and unscanned servers are how the infection spread in the first place.

Even if you don’t care about your own site, please do others the courtesy of not becoming a vector to attack them.

I talked about good password techniques here

It can be a hassle to remember hard-to-guess passwords, so a Password Manager can be very handy. I talked about my fav – Lastpass – here.
Safe surfing!

