Monday, November 26, 2012

How To Survive The Password Apocalypse

Some time ago, I said that passwords were not secure and that I would be doing a blog post about it so you would know what to do.
At long last, this is that post.

When I first posted that warning to Facebook, I had just read an article talking about how successful hackers are in breaking passwords.  The article contained a lot of information about the methods and tools that hackers use.

Since I read that article, I have read a second article in Wired magazine about how one of its technology reporters had gotten his entire life hacked; everything he owned that was stored online was broken into and stolen.
Did this reporter have weak passwords or some other easy reason why it happened to him? No.  His Gmail password was long (16 characters including dashes, upper and lower case, numbers and an exclamation point).

And it was still broken into.

So, if a techno-geek can be hacked with all he knows about security, what hope is there for us normal people?
Actually, there is hope.  I will outline several Do's and Don'ts for password creation and general online security.

But before I do that, a word:  I am talking about online security, not about the computer you are sitting in front of right now.  I don't want anyone to be confused about what I am saying.
Yes, you need good security on your computer, but an antivirus program will not keep someone on the internet from trying to break into your bank account.

So here's what to do (from the Wired article):
DON'T:
Reuse passwords. If you do, a hacker who gets just one of your accounts will own them all. Don't use variants, either.  I know it's tempting, but don't.
Use a dictionary word as your password. If you must, then string several together into a pass phrase.
Use standard number substitutions. Think “P455w0rd” is a good password? N0p3! Cracking tools now have those built in.
Use a short password—no matter how weird. Today’s processing speeds mean that even passwords like “h6!r$q” are quickly crackable. Your best defense is the longest possible password.

DO:
Enable two-factor authentication when offered. When you log in from a strange location, a system like this will send you a text message with a code to confirm.
Give bogus answers to security questions. Think of them as a secondary password. Just keep your answers memorable. My first car? Why, it was a “Camper Van Beethoven Freaking Rules.”
Scrub your online presence. One of the easiest ways to hack into an account is through your email and billing address information. Sites like Spokeo and WhitePages.com offer opt-out mechanisms to get your information removed from their databases.
Use a unique, secure email address for password recoveries. If a hacker knows where your password reset goes, that’s a line of attack. So create a special account you never use for communications. And make sure to choose a username that isn’t tied to your name, so it can’t be easily guessed.

I know that doing these things is and will be complicated and frustrating, but right now it's what we have.
A tip for remembering all of these new complicated things is to Write Them Down.

Get a little notebook from your local office supply store and write down all of your new passwords.
Set up a new online email account, or better yet, two.  With different passwords.

One of these new emails is never to be used unless you are resetting a password, so that it won't be compromised.  The other email address is one that you don't care about; these secondary emails are called "dump" or "dummy" emails.  They are used when you are asked to register for a place that you will only use once, so that your main email doesn't get clogged with spam.

Now all you need to do is reset all of your current passwords to something stronger.

But, what is "stronger"?  What you do is, take a book, open to a random page and choose four words from different places that don't go together.
For example, "correct horse battery staple".  If the reset form says you need an upper case and a number, then put one in.  Just not at the beginning or end.

And Write Them All Down.
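
As an added illustration (not from the Wired article or the original post), here is a small Python checker that applies the DON'T list above to a candidate password and builds a four-word passphrase. It generalizes the book method by picking words at random from a list. The word list, the 12-character threshold and all function names are assumptions made for this example.

```python
import math
import secrets

# Constructed sample word list; a real check would load a large dictionary
# plus a list of passwords known from breaches.
WORDLIST = {"password", "dragon", "monkey", "horse",
            "battery", "staple", "correct", "sunshine"}

# Standard number/symbol substitutions, undone before the dictionary lookup.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})

# Digits and punctuation that people tack onto the front or back of a word.
AFFIX = "0123456789!@#$%^&*-_.?"

MIN_LENGTH = 12  # assumed threshold for this example; longer is better


def core(pw):
    """Reduce a password to its base: lower-case it, drop leading/trailing
    digits and punctuation, then undo substitutions ('P455w0rd' -> 'password')."""
    return pw.lower().strip(AFFIX).translate(LEET)


def audit(candidate, existing=()):
    """Return the DON'T rules that the candidate breaks (empty list = none)."""
    findings = []
    base = core(candidate)
    if len(candidate) < MIN_LENGTH:
        findings.append("short")
    if candidate.lower() in WORDLIST:
        findings.append("dictionary word")
    elif base in WORDLIST:
        findings.append("disguised dictionary word")
    # A variant is an old password with different decoration around it.
    if any(base == core(old) for old in existing):
        findings.append("reused or variant")
    return findings


def make_passphrase(words=WORDLIST, n=4):
    """Pick n words with a cryptographic random source and join with spaces."""
    pool = sorted(words)
    return " ".join(secrets.choice(pool) for _ in range(n))


def passphrase_bits(n_words, wordlist_size):
    """Guessing strength in bits when each word is drawn at random."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    samples = ["P455w0rd", "h6!r$q", "Sunshine2013!",
               "correct horse battery staple"]
    for pw in samples:
        print(repr(pw), audit(pw, existing=["sunshine2012"]))
    print(make_passphrase(), passphrase_bits(4, 2048), "bits from a 2048-word list")
```
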

Tuesday, March 27, 2012

Dark iClouds on the Horizon

With all of the rush to "cloud computing," few people are taking the time to think about what it means.  Those who are able to understand "the cloud" are not really explaining it well to their friends and families.
I am probably guilty of this as well.

So I want to take some time here, and probably in the future, to explain what the "cloud" is and some of the problems that are looming.

So, first off, a definition: what the heck is "the cloud" anyway?  The Cloud(tm) is an engineer's way of discussing the networks that make up the Internet.  Because all of the networks that make up the Internet would be a nightmare to diagram, whenever someone wants to indicate "the Internet" they draw a cloud.
Hence, "the cloud."

Yes, but what is the cloud?  Any computer you can store data (pictures, documents, etc.) on that is not a computer that you own or have immediate access to, that is reachable only through an Internet connection, is the cloud.  All of them.
Ok, that's just "cloud storage". Cloud Computing is something else entirely.
But we're dealing with cloud storage today.
(What's the difference? Wouldn't you like to know?  Stay Tuned.)

Ok, so that's the cloud.  What's the Big Deal?  The Big Deal is nearly instant access to all of your data from any device, anywhere.  Anywhere you can get good signal, that is.
It takes some imagining, but the idea is that if you upload (that is, store) your data to an Internet computer, then you can retrieve it from any device with an Internet connection.
Like photos.
Or Netflix.
Or your music.
Or that document you need for your work, but forgot to take with you.

It could be really, really convenient.

Or really, really bad.

Any cloud storage provider in the U.S. and allied nations (Australia, New Zealand, Europe, etc.) must give up any and all data to any U.S. government agency upon request.
Currently, any data stored outside of your home computer or personal computing device is not subject to Constitutional protections.  It can be seized unreasonably, or by corrupt federal agents.  Your cloud-stored data can be used to incriminate you for crimes where data stored on your home computer cannot.

Any data stored in the cloud is vulnerable to theft.  Most cloud service providers do not encrypt your data as it is stored, so thieves can break in and steal it (think credit card breaches).

What's worse than data theft?  Having a non-governmental agency, for example the RIAA, demand that you provide purchase records for all of the music you have stored on iCloud.

And what happens if you choose the wrong cloud storage provider?  Your data could be deleted without warning (even if you are paid up), it could be sold off, it could even be seized by a government who then decides that the type of data you have stored indicates that you have taken part in a crime. (Especially if you are innocent; real criminals take precautions against that sort of thing.)

If you decide that cloud storage and privacy are both important, and you encrypt everything with an older, but still good, encryption algorithm, the government can force you at gunpoint to give up the key.

But don't worry about it, the chances of the government coming after you are slim to none, right?

You just keep telling yourself that.

You probably think that e-commerce is safe, too.

Wednesday, March 21, 2012

Hacker, Crackers and Pirates, Oh My! (Part 3)

Ok, so I've talked about hackers and crackers, so now it's on to Pirates.

But wait, what is a Pirate? Am I talking about "Arrr! Shiver me timbers!" or "I'm going to download this movie"?

Actually, neither.

What is meant by "pirate"? Well, it depends on who you ask. According to the dictionary, "pirate" is "a person who robs or commits illegal violence at sea or on the shores of the sea" or "any plunderer or predator".

According to the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) a pirate is "a person who uses or reproduces the work of another without authorization" and "to use or reproduce (a book, movie, song/audio recording etc.) without authorization or legal right" or "any person who buys our product and uses it in any manner by which we make no money."
Ok, I made that last one up; but if you've ever been frustrated in an attempt to use your legally purchased song or movie on your legally purchased hardware, it sure seems like it.

Now that the definition is out of the way, who is a pirate? Again, it depends on who you ask.
Are overseas counterfeiters who acquire master disks of music and movies, and then use industrial duplicators to make thousands of copies, pirates?
According to the RIAA and the MPAA, no.
Why not? Because they are outside U.S. jurisdiction.

Does that mean that the teenage daughter of the past president of the RIAA, who was caught downloading songs from the Internet that she didn't pay for, is a pirate?
No. Because that would have embarrassed the RIAA too much in the media.

So who is a pirate? The accepted (as far as anything is accepted on the Internet) definition is the person who takes a camcorder into a movie theater, records the movies and posts the 'shaky-cam' version online. And all the people who download it.

Really? That's a pirate? No, not just them. Anyone who downloads anything off the Internet that they don't own, and haven't paid for (or given the rights-holder something in exchange) is technically a pirate. This includes pictures, artwork, articles, lol-cats, anything and everything.

Even the things you think are free, but aren't actually.

Even the cute things you put on Facebook, but don't own, and don't have the legal right to re-distribute.

How is it for you, living the pirate life?

Really, it's a matter of degree, as you may already have surmised. Re-distributing pictures and videos via your Facebook Wall is technically pirating, but nobody will accuse you of it because the culture of the Internet (and broader society) accepts it.
Have you ever seen one of those Internet videos that is so funny, or emotional or whatever that you just have to tell your friends about it? Of course you have.

That's a "viral video." Videos can't go viral without "piracy". Remember the definition above: "to use without authorization or legal right"?
What did you think you were doing by forwarding that email joke? Or by reposting that viral video?

Yep. Piracy.

So, yes; a matter of degree. But who gets to decide to what degree you are a dirty, dirty pirate and must be punished?
Is it the police? Nope. Copyright enforcement is a civil matter not a criminal one.
Is it the courts? Nope. They merely weigh the claims for and against you and apply the appropriate laws. It's called "the system" because it's just a big machine.

So who, then?
The copyright owner. In most cases, one or more representatives of Hollywood. Usually the RIAA or the MPAA.

Yep, Hollywood gets to determine whether you have committed a crime, and what your punishment should be.

But wait, I hear you say; Isn't this America? Don't we have laws and courts and stuff?
Yes, this is America; and we do have laws and courts and stuff. And they are all dedicated to eradicating the scourge of PIRACY!

So, let's sum up; piracy is taking something you don't own and haven't paid for. It usually happens willingly; everyone does it, and only Hollywood gets to determine who goes to jail and for how long.

That about sums it up, except for two things. And these are Big Things, one of which will get you into protracted arguments which make our current political climate seem all lovey-dovey.

1) This is just an overview, without any of the fine detail and nuance which will drive you insane if you try to understand it all.

2) Computer and Internet Piracy are not theft. It may seem like it, because they both involve taking other people's stuff without paying, but they aren't.

If you steal a physical object, the owner is deprived of its use and value (not to mention the thing itself). If you steal something off the Internet, you have not deprived the owner of the thing itself, because the owner retains possession of it. Nor have you deprived the owner of the use or value of the downloaded object (depending on the object, you may have lessened its value but you cannot take away all of it).

If you download a picture from Flickr, does the owner of that picture lose it; does it then vanish from the Internet?
Of course not.

That is why "piracy" is copyright infringement, and not theft.

Legally, theft is removal or deprivation of a single physical object from its rightful owner.
"Piracy" is Copyright Infringement; you are depriving the rightful owner of the ability to distribute and make money off of their creation. You are not removing the physical presence of that creation.

See, it's sticky. And argument-inducing. Try it on your friends! Hours of fun!

Tuesday, March 13, 2012

Hacker, Crackers and Pirates, Oh My! (Part 2)

In my last post, I talked about hackers; who they were and who they are, as well as a look into their motivations.
Now, in this second of three posts, I am going to give crackers a similar treatment.

"Crackers" are the least known of all of the computer hobbyists (with the possible exception of 'phreakers'; but they're not a part of this post), so they have received less of the Hollywood treatment that glamorizes yet muddies who and what they are.

So who are crackers, and why are they called that, anyway? Crackers are people who, at the most basic level, enjoy math puzzles. But I'm not talking about sudoku here; in this case "math puzzle" means deciphering secret codes, such as the ones behind DVD encryption.
Crackers are the people who allow you to jailbreak your iPhone and play your DVD and Blu-ray movies outside of your TVs.

Crackers are called that because they "crack" codes. They hate pointless restrictions on hardware or software whose existence serves only to make the legitimate consumer's life harder.
Examples of such pointless restrictions are DVD region coding, the unskippable warnings at the beginning of every DVD, and consumer electronics that come from the manufacturer with built-in restrictions (known as 'crippleware' because it has been intentionally crippled at the factory).

Did you know that, on average, it takes 17 steps in order to play a standard DVD, and it only takes 2 steps to play a 'cracked' DVD?
Is it any wonder that the average consumer is frustrated with the record and movie companies?

The easier it becomes for any person who is technologically literate to overcome these restrictions (and there are lots of 'how-to's' out there, at all skill levels), the more gruesome laws Hollywood demands be passed by Congress to further lock down the consumer.
This makes it much easier to restrict individual freedoms and imprison otherwise law-abiding citizens for the merest offense.
Better watch how you use that screwdriver! It could land you in federal prison for up to five years and up to a $500,000 fine (Digital Millennium Copyright Act, Section 1201, subsection a).

So you see, while you may not have heard of the name, crackers are right here with us; enabling the technological freedom we (sometimes) take for granted.

Eventually, it will be crackers that will be the forefront of the revolution. Which revolution? All of them.

Wednesday, March 07, 2012

Hackers, Crackers and Pirates; Oh My!

Hackers are in the news at the moment, and there is a great debate over who and what is or is not a pirate, so I thought I would take some time and give some detail and a little background on these people: who they are, what they're doing, and why the heck they're doing it.

To start off, let's explain the names. Hackers you have heard of, I'm sure. But what of "crackers" and the eponymous "pirate"?
Let's tackle hackers first, because they are the most well known.

A "hacker" is any person who "hacks" at programming code, much like Indiana Jones hacks his way through jungle vines. At least originally. Now, a hacker is any person the media or Fortune 500 company wishes to blame for all the ills in the world.
So, who really is a hacker? A hacker is a person who knows computers and networks inside out; they are enthusiastic hobbyists who go places they shouldn't be, and do things they shouldn't do.

Why? For the same reason a mountain climber climbs mountains. "Because it's there." "Because it hasn't been done before." "Because I was told 'it can't be done', or 'I shouldn't do it'."

Is there a guiding principle hackers follow, or is it all vandalism, spam and credit card theft?
Yes, there is; and it has nothing to do with crime, theft or money.
It is called "the hacker ethic." (linked to the Wikipedia page here)
But, like all codes of conduct, some follow this principle more closely than others.

In the last few years, as some people feel justice has become increasingly hard to come by, some hackers have become activists, aka "hacktivists."

The best known of these is the group called Anonymous. You may have heard of them when they are in the news. In the last few days, a spin-off group called "LulzSec" have been arrested by the FBI and various police agencies.
Where did Anonymous and LulzSec come from? In a very real way, they came from the Internet. From the image forum website known as 4chan, and its /b/ section, specifically.

Why did Anonymous and LulzSec attack the websites and companies that they did? When they were asked, mostly the answer was "for fun." But not always. The attack on HBGary was retaliatory, because HBGary's CEO said he could and would reveal the top members of Anonymous to the world.

Anonymous, the group, sometimes takes a dislike to people or organizations. Usually this is when someone high profile threatens them. Sometimes, it's because they think the result will be funny (at least to them). And sometimes they feel it is to correct an injustice.
When Anonymous does attack, they can be destructive. Sometimes this is in the public interest; such as the cases of HBGary and the Church of Scientology.
And sometimes not, as in the case of the English woman who was caught on video putting a cat into a garbage bin, and whose life was brought to such an utter standstill that she sought protective custody from the police.

So that's what hackers are; a collection of hobbyists, enthusiasts, explorers and activists.
But what hackers are not is criminals.
You might think "but where does all that spam come from if not hackers?"
Because it comes from actual criminals.
"But aren't hackers criminals?"
No; for the same reason speeding drivers are not criminals, or for the same reason an office worker who takes a pen or a paper clip is not a criminal.

That's not to say all hackers are misunderstood saints. They're not. There are good guy hackers and bad guy hackers, known as "white hats" and "black hats."
Just like the old cowboy movies.
But even the bad guy hackers, the black hats, are not "criminals", per se. Yes, they do stuff they shouldn't, but they don't go in for the credit card stealing and data breaching and ID theft stuff.

Because it isn't "fun."

Even when LulzSec broke into StratFor and looted credit card numbers, they didn't take any of the money for themselves. They thought it was "fun" to donate other people's money to charities and non-profit organizations right at Christmas time when the money would be most needed.

Obviously, this was double-plus un-good. But not criminal in the sense of stealing all of that money for themselves.

So, painting all hackers as criminal, in the same vein as burglars, murderers, rapists, drug-dealers and Wall Street bankers, would be wrong, because not all hackers do the wrong things. Without white hat hackers, real computer criminals would never be brought to justice.

This has been your primer on who and what hackers are. Tune in for Part Two, where I explain crackers and pirates.

Wednesday, September 07, 2011

What is Jailbreaking?

What is "jailbreaking" you ask? What does it mean? Why is it called that?

Jailbreaking is the term used by owners of iPhones and iPads when they want to use more features of the device than Apple will allow. If you have an "Android" device, the term is "rooting" because you are being given "root" access to the device.

People in the computer press often describe Apple products as a "walled garden." Imagine a beautiful walled garden filled with all the things you could desire; happy people, fun parties, all the desirable things you might find in, say, a Hollywood star's mansion or a luxurious spa resort.

But, some people feel that this beautiful garden is nothing but a prison.
A prison that gives everything a person could want, except freedom. These people feel as though they are in "jail".

So they break out of jail; they perform a "jailbreak". They find ways to get around the restrictions that Apple (the jail warden) has put on them.

Like in the real world, breaking out of Apple's "jail" carries consequences. You could cause your iDevice to stop functioning, a condition called "bricking"; because your shiny device is now nothing more useful than a brick. Or, Apple could sneakily re-capture you and put you back "in jail."

One consequence that no longer applies is going to real-world prison. Yes, that's right; until last year, you could have gone to real jail because of un-jailing your phone.

So, now you know. Any questions?

Tuesday, September 06, 2011

On The Nature of Technological Progress

Next week will be the 10th anniversary of the attacks of September 11th, 2001.

At that time, the only way people knew about the attacks was through traditional broadcast media; TV and radio.
Today, when momentous events occur the first notice of them is produced by citizens who broadcast news of the event over the Internet; through Facebook or Twitter or YouTube.

10 years ago, none of that existed. 10 years ago, the Internet was there but most people did not use it, nor did they have convenient, fast access to it.

Today, we have pocket-sized super-computers that also make phone-calls. Today, people are assumed to have Internet access; not only access but fast, always-on and convenient access.

In the last 10 years, we, society, have embraced so much technological change we don't even think about what it was like without it.

10 years ago next week, we were told "the world has changed."

They didn't know the half of it. What were you doing the first time you had convenient access to fast Internet?
Or you got your first "smart" phone?

Can you really imagine your life without the gadgets you use now?