Securing Your Computer With Encryption and Other Means

Recent events in the United States (along with other countries) and even commercials for companies like LifeLock are bringing the concepts of how to properly secure your computer back into focus. For example the LifeLock commercial which shows the doctor leaving his laptop in the taxi, emphasize the importance of encryption. While LifeLock is using this to sell their protection, the reality is that the doctor (and everyone) should have taken steps to ensure that your data is protected. The need for services like LifeLock would be reduced, if either the entire computer, or at the very least, the personal information about the patients,  was encrypted.

In the case of the NSA, and other law enforcement agencies, it doesn’t matter if you’re innocent or guilty of committing a crime. If you are detained, or suspected of committing a crime, then they will search your computer and other data devices. Think that your computer is password protected so that will stop them? Think again. Law enforcement agencies have tools that will read the data on your drive–even though it’s protected by a password. The only potential solution is completely encrypting the drive. While this isn’t a perfect solution, it’s at least better than nothing.

There are many ways of encrypting your computer, depending on what operating system you’re using. And each has their strengths and weaknesses. It’s up to you to decide which method you want to use and to make it work.

Before I go on, I want to emphasize some points about this topic…

In the case of Edward Snowden, and Bradley (Chelsea) Manning, I don’t think they’re heroes or traitors. I think they’re criminals. Pure and simple. There are laws concerning what they did, and they violated those. Not to mention the policies in their respective companies/military services that were violated. I don’t condone their actions or their reasons for their actions.

For the people who think that what these two did made a difference (because they exposed what the Government was doing), it really didn’t matter. Here’s what happened after the documents were released (in the case of Edward Snowden):  He fled for his life, and became a man without a country. The NSA requested (and received) re-authorisation to continue doing the surveillance that he exposed. They continue to do it today. The partner of the reporter who wrote the articles based on Snowden’s documents was detained in London. Even though he was released, they kept all of his computer equipment–including an X-Box. The company who hosted the email service that Snowden used was forced to shut down, due to receiving a FISA warrant. Groklaw (who isn’t involved in this situation at all) chose to shut down, in fear of having to make the same choices that Lavabit had to make.

At the end of the day, it’s not a question of guilt or innocence. It’s a question of privacy. And it’s a question about whether you want to enforce your right to privacy or not.

So what are your options, and what are their strengths and weaknesses?

My plan is to do some research on your options, and give you all of the details that I can find. I should note that this is NOT the same thing as email encryption. I’ll discuss that in a separate topic as well. Please feel free to comment with your answers to my question. I’ll confirm and add them into my articles in the future.

E-Book on Programming and Logic

I’m planning on writing an e-book about Programming and Logic. Right now, I have a basic Table of Contents set up, and I want to get some feedback from people who are learning to use Pseudocode and Flowcharting.

Some questions that I have for you are these:

1. Which do you think is harder, creating flowcharts or pseudocode?
2. Would you prefer to see a) more flowcharting examples, b) more pseudocode examples, or c) an equal share of each?
3. Which aspects of logic are you struggling with (for example but definitely NOT limited to: variables, arrays, looping, decisions, methods, classes, objects, or data types)?

Please post in the comments section, and I’ll be more than happy to frame the book along the requests. Also if there are other subjects that I haven’t covered in the questions, please post those as well.

At some point, I’ll be posting the table of contents for opinions on things like the chapter names, the order that I’m presenting things, and the structure of the book overall.

Thanks, and have a great weekend. 🙂
Patrick.

A slightly different look to the place

If you haven’t noticed, I’ve been making some changes to the blog.  I wanted to add the polls last night, but the only way to do that was to upgrade from “Templates” to “Layouts”.  Doing so wiped my template pretty clean.

Luckily, I was able to restore most (if not all) of my items in their former places. Although I did do a little minor rearranging and the upgrade includes the “Follow” gadget.  So, if you like my blog, you can follow it, and get updates whenever I post them.

One thing I should note and that I will need to fix is some of my graphics are cut off on the side.  Where the template had a larger area, the “Page Elements” is smaller.  So, I’ll need to get reduced sized graphics for those spaces.  And it’s a static amount of space, which means widening your browser doesn’t affect them at all.  That’s something that disappoints me, because there is a lot of wasted space on the sides now.

Stay tuned to see what other changes I make.  I’m going to be playing around with the site for a while.  And I’m still looking at moving to my own domain in the next few months.  If and when I do, I’ll make sure to post a few articles in both places and post plenty of links to the new home.

Have a great weekend:)
Patrick.

Still looking for web hosts for my blog.

Just an update to say that I’m still looking at webhosts for my blog.  I’m debating between BlueHost and JustHost, although I’m open to anyone that will allow me to import my blogger (or wordpress) blog, and allow me to use my affiliation links.

The other issue that I have to consider is price.  In that respect, I’m leaning towards JustHost, because they have their 3 month and 6 month subscriptions.  Although if they don’t have the promotion going when I decide to buy one, I may lean towards a 1 year at Bluehost, as it’s the same cost as the 6 month at JustHost.

Another thing about JustHost that I like is this.  The first time you sign up for a subscription, you pay upfront.  Then when it comes time to renew, you pay month to month (even if you change your subscription time).  BlueHost is upfront for everything.

I’m open to any suggestions for hosting.  I’d prefer one that uses WordPress, although I could probably live with something else.  And if I’m able to create multiple pages, I may move my website(s) over there too.

Have a great day:)
Patrick.

Migrating my Blog

Over the next three months or so, I’m going to be migrating my blog to two other sites as well as this one.  The first one is at http://wordpress.com and is just a placeholder, so I can import to my permanent home.  The other one will be a WordPress host, but I haven’t decided which one yet.

I’ll continue to update this blog as I make my decision.  I’m looking at the WordPress format because there are more advertising methods and other widgets that are available for it.  Plus if worse comes to worse, I can migrate the blog to my own home network.

Ultimately, this blog is going to be a side income for me.  At this time, it will probably be one of my main sources of income.  I hope you’ll bear with me as I make this migration, and hope that this will create a better experience for both you and me.

Have a great day:)
Patrick.

Online Backups – iDrive

While not as quick and painless in setting up as Mozy was, iDrive appears to be a robust backup system as well.  It offers the option of Continuous Backup, which will continually update 50MB of data that you select.

The setup was a little different than Mozy in that you had to choose a folder outside of the C:\Program Files\ area for iDrive to store it’s data.  The default is C:\iDrive, which most people won’t have an issue with.  It installed fairly quickly, with the only pain-points being that Comodo Firewall was constantly alerting about the different files trying to do their magic. 

The login box offers you the option of their 128-bit encryption (default) or your own encryption key.  I chose my own, and it prompted me to keep a hard copy of that key somewhere for restoring files.

Choosing your files…  This is where Mozy seems to have iDrive beat.  iDrive automatically chooses to back up your entire desktop, My Documents, My Videos, My Music, My Pictures and other folders like that.  This is alright, except that I have a lot of files that I don’t want to back up in those folders.  Where Mozy was intuitive enough to only choose file types (and let you select others), iDrive uses folders.  So, you have to manually uncheck anything that you don’t want to back up.  I allowed it to back up my “My Weblog Posts” where this post will reside.  So it will be interesting to see if it automatically finds this file, or if I have to manually add it to the list.

It took me about 20 minutes to weed out most of the 14 GB that iDrive originally selected.  In the end, I was able to weed it down to less than the amount I have stored at Mozy.  One thing that I found was that I have a lot of files that were recovered from another drive stored in a subfolder of a subfolder in “My Documents”.  That actually accounted for about 2GB of the stuff that was going to be backed up.

The amount of time that was expected for my 420MB was around 1 hour (which is about two hours less than Mozy needed for a similar amount of data).  iIn reality, it only took about 34 minutes.  The time will depend on your connection speed and the amount of data that you’re backing up.  Subsequent backups have been considerably faster.

One issue that I don’t like with iDrive is that the backup scheduler only allows you to select one time for backup (unless you use their Continuous Backup option).  It uses the same type of scheduler as “Scheduled Tasks” or “Outlook”.  Mozy allowed you to back up after a set amount of time (8 hours was the default) and you could decide how many times a day.

It would seem that I’m more of a fan of Mozy, but I have to admit that since I love “My Dropbox” and it’s features of constantly synching your files, I think that the Continuous Backup in iDrive is a plus over Mozy.

At 2 GB of storage, neither of these will be the end-all solution. Both have their advantages and disadvantages.  With Mozy, if you’re backing up a file that will change in size (such as your Outlook pst and ost files), you could potentially run out of space.  And with iDrive automatically backing up files that are placed in certain folders (unless you manually unselect the files), you either have to be selective about where you save your files, constantly monitor the files that are being backed up (which you should be doing anyhow), or you’ll run out of space.

Where Mozy couldn’t produce a snapshot with Outlook open, iDrive simply ignored this post while it was backing up.  Then it backed it up at the next scheduled time. This doesn’t mean it won’t run into the same issues as Mozy, but it didn’t have the problem this time out.  Of course I’m not backing up my pst or ost files in iDrive, so I really haven’t tested it under that situation. 

In general though, irregardless of what program you’re using to back up, if you can avoid having the files open at the time of the backup, close them.  It will make your life and the backup application’s process a lot easier.

I’ll keep iDrive running for a few days or a week and report back with anything that changes.

Next up, Live Mesh and it’s related cousin Skydrive.

Have a great day:)

Patrick.

Shortwave Radios

This is a continuation of my post about the cyber attack on Morgan Hill, CA.  In that post, I mentioned how the “ham” radio operators helped out, and suggested that people either get their license, get a CB radio, or befriend someone who has one.  I want to discuss part of this today.

If you have a scanner and your local ham radio club has a repeater, then you’re half-way to the goal of being informed.  What you’ll want to do is find out the frequencies that they use, and program them into your scanner.  If you don’t want to be bothered with the idle chit-chat that happens on the repeater, simply lock the frequencies out until such time as you need them.  This is also beneficial if they provide storm chasing or skywarn for your area.

Buying a CB and antenna is pretty simple.  You really don’t need to spend a lot of money—although you may want to spend a little more to have it properly installed.  One thing to keep in mind is that using a CB nowadays is not like “Smokey and the Bandit” or “Convoy”.  If you act like the characters on those movies, you’ll probably be ignored.  While the lingo is similar (“Break 19” or “10-20”) the attitude is way different.  You’ll find people having normal conversations on there more than anything else.

The title of this post is about shortwave radios.  I purchased an old tube-type radio (built in 1942) from my parents who were antique dealers.  With it, I was able to get QSL’s from stations in the Netherlands, Germany, Argentina, China, and Japan.  QSL’s are basically confirmations that you actually heard their broadcast.  It’s an inexpensive hobby.  And it exposes you to viewpoints other than those of your country.  Plus in times of emergency, it will give you a better sense of what’s happening.

This especially ties into yesterday’s blog post.  Quite a few of the shortwave broadcasters are turning off their transmissions in favor of digital (satellite or Internet-based broadcasting).  That’s fine, except for the events in Morgan Hill prove that your station (or your radio) can be cut off simply by cutting a cable.  Had one of those stations been located in the San Jose area (Morgan Hill) they wouldn’t have been heard at all. 

I’m encouraging the people in general to look into the shortwave listening as a hobby.  And I’m encouraging the broadcasters to not completely give up on the medium for transmission.  The more people who request QSL’s from stations, the more encouraged the stations will be to continue broadcasting.  Because the more that they receive requests, the greater the chances that any advertising or other money-making ventures being used on the SW broadcast will be successful. 

The incident in California this month should strengthen the resolve not to do away with the old but tried-and-true methods.  While the Internet is the way of the future, it’s not foolproof and it’s not the only way that works.

If you’re interested in learning more about Shortwave, I recommend http://www.shortwavelog.com as one source.  That will provide you with a means of tracking your logs and finding out what you may be able to hear.  Plus, certain people offer their stations up for you to listen via the Internet. 

You can also find out about the radios that are recommended.  You don’t need to purchase the high-end radio receivers.  I actually have received a lot of my QSL’s on a Grundig Mini 300 receiver which got low rankings in all of it’s reviews.  It cost me about $30.00 or so.

Have a great day everyone.  I’m off to fire up the tube-type radio and see what I can get with the lightning storm passing through.  The electro-magnetics may give me something interesting…..

Patrick.

Bruce Perens – A Cyber-Attack on an American City

Bruce Perens – A Cyber-Attack on an American City

On April 9, the people around Morgan Hill, CA woke up to a cyber nightmare.  Their phone systems, ATM’s, Internet, and way of life were cut.  Even their hospitals were helpless.  Eight fiber cables were cut just after midnight.  This disrupted all services for a 100-mile radius around Morgan Hills.  Now to be clear, these cables were in four different locations.  And were cut in an organized attack.

The article is aimed mainly at people in charge of infrastructure (engineers, managers, disaster planning) but there are a few things that can be applied to home users as well.

How many of us have ditched our landline phones in favor of all cellular?  I have my hand up.  And I can tell you from a past experience that the cellular system is fragile.  We had a tornado move through my area, and about 30 minutes later the cell systems went completely offline.  But, I was still online through my DSL.

“Cash was king for the day” (from the article).  “and many found that they didn’t have sufficient cash on hand.”  What can be taken from this?  Keep enough emergency cash on hand to last you a couple of days to a week.  Now, I’m not talking about being able to buy a car each day.  But, I’m talking about enough to fill your tank once, and buy some food to get you through.

“The first lesson is what stayed up: stand-alone radio systems, and not much else”.  I can remember about 10 years ago, you’d see CB antennas and Ham Radio antennas everywhere.  Nowadays, you don’t see them much.  The hospital in Morgan Hill had a good working relationship with the local ham club, and they used them to direct ambulances and other needs.  Do YOU have a relationship with anyone that has a ham or CB radio?  Does your business have any type of “real two-way communication” or do you rely on the stupid “walkie-talkie” feature that Nextel and other cell phone providers give you?

How many people have replaced their landline phones with the VoIP phones like Vonage and Skype?  Do you realize that if the fibers were cut in your city, your old landline phone might still work to call your neighbor, but that wonderful Vonage phone won’t do anything at all?  It relies on an Internet connection to make even a local phone call.  If the Internet is disconnected, how can you call anyone?

So, what can be taken from this for home-users?

  1. Keep an emergency stash of cash on hand somewhere.  It doesn’t have to be a lot, but it should be enough to get the basic needs for a few days.
  2. Have backup methods for communication besides cellular and VoIP phones.
  3. Part of two includes acquiring an interest in CB or Ham Radios or at least knowing how to get a hold of someone that has access to this equipment.
  4. Have a strategy in place with your family for emergencies.  This needs to include ways of communication besides cellular and VoIP phones.  If you’re not able to get in touch, have a meeting place and time-frame set up.  A parent (preferably the one who can get access to the cash in #1) should be at the meeting place before everyone else.
  5. Be watchful.  If you notice something that looks suspicious, report it.  Even if it turns out to be harmless, you’re better safe than sorry.
  6. If you’re in charge of disaster planning for a company or community, take heart of the points in this article.

The Boy Scouts say “Be Prepared.”  Even if you’re not a multi-million dollar corporation or city, you can still take steps to ensure that you end up better off than someone who isn’t prepared for something like this.  As the article points out at the end, there WILL be another incident.  Next time, it could be a lot worse.  Will you be ready if it happens in your town?

Have a great day:)  I’m off to reinstall my old CB radio in my car, and get some cash hidden away.  At least after I wake up in a few hours 😉

Patrick.

VRT: Updating Software

 VRT: Updating Software

This is a short blog post from the VRT team at Sourcefire.  It’s mainly about updating software on a *nix system (or mac) but can easily be modified to work on Windows.

The post boils down to the following items if you’re installing on Windows (although you should read their list and fit it to your needs):

  • Backup everything before starting the update.
  • Make and use checklists.
  • Read the documentation BEFORE you start the update.
  • Check the configuration options before you do the update.
  • Document what you’re doing (config options used and why, etc).
  • Verify that the new version is properly installed.
  • If you have the option, use the config files that come with the update.  You’ll tailor them to your specifics later.
  • Tailor the configuration to what you need (based on your documentation from last time) and document the changes.
  • Test the software thoroughly.
  • Make a checklist of what files it will replace.  Uninstalling and doing a completely new installation may be a better solution.
  • Test how the software interacts with other applications on the system (part of “Test the software thoroughly).
  • Monitor your system for a few days (closely).
  • Make sure ALL of your documentation is complete, clear, concise, and that anyone could repeat or undo what you’ve done.

The important things to take away from this are

  • Know what the software is going to do and why. Know how it’s going to interact with your system and what changes it will make.
  • Test everything completely before calling the update complete.
  • Document everything clearly, completely, and concisely.
  • Configure the software after you update it, to suit your needs.
  • Above all, back up everything before you start.  If the update goes wrong, you’ll be glad you did.

Have a great day:)
Patrick.

US-CERT Cyber Security Tip ST06-003 — Staying Safe on Social Network Sites

US-CERT Cyber Security Tip ST06-003 — Staying Safe on Social Network Sites

I may have posted a blog entry about this in the past, but it’s worth revisiting.  Recently the daughter of an old friend got in contact with me through a social networking site.  Upon looking at her profile, I realized that she’s breaking most of the tips presented in this article.  So rather than lecturing her directly (and risk her not listening), I decided to post an entry reminding everyone about the dangers and preventions.

It doesn’t matter whether you’re 5 or 68.  If you post too much information about yourself, someone with malicious intent can get it.  It doesn’t have to be on a social networking site, but it would seem to be easier to find the information there.  People tend to think “Social Networking means that I need to tell them everything.”  So they publish things that they normally would keep quiet.

This isn’t new.  The rise of Social Networking sites only made it easier.  Six years ago, I sent an e-mail to two of my online friends.  I gave them both my address and phone number—because I had found theirs online (even though they were both unlisted in the phone book) and thought it was only fair to give them mine.  I showed them exactly how I found them and told them what to do to try and counter that.

One had posted a picture of her kids and herself on a community. In the picture, it showed her house number.  So, I simply searched for her last name, and picked the one with that house number in it.  Even though they didn’t have the Phone number listed in their full name, it was easy to find.  The other had purchased something and put her address/phone number down. It was sold off, and published.  Even though she had it unlisted in the phone book.

The basis of the tips presented are these:

  • Do not publish your address or phone number anywhere that can be publicly searched.  If you have the information posted, make your profile private.
  • Choose what you publish carefully.  This includes pictures and things you type.  Current and future employers, amongst other people can and will search for you.  If it’s not something that your employer (or potential career choice) will approve of, DON’T POST IT.
  • Be careful with who you open the information up to.  Anyone can impersonate anyone else online.  An example of this is on Twitter.  There are a lot of people impersonating famous celebrities on there.  PC World Magazine posted an e-article about the top 15 “fakes” on twitter.  Some of them are pretty realistic.  So, just because that person claims to be an old friend, doesn’t mean they are.  And it doesn’t mean that they don’t have malicious intentions (even if they are the old friend).
  • Parents should monitor what their children are posting.  If your child won’t add you as a friend on their social networking site, then there’s a problem somewhere.  If your child posts something that’s inappropriate, talk to them about it.  Don’t chew them out for doing it, just talk to them about the dangers of posting it.  If they post something that they did, discuss both what they did, and why they shouldn’t have posted it.  Again, don’t chew them out though.

On the last bullet, it’s easy to say “Yeah, you don’t have kids.”  This is true.  But if you lecture them and chew them out for doing something, two things will probably happen.  One is you’ll find yourself off of their friends list, and two is they’ll create another account and post it there instead.  If you discuss it with them, they’re more apt to listen to what you have to say.  And they’re more apt to actually do what you tell them.

One more tip that the article talks about is be aware of the Privacy Policy of the Social Networking sites.  Some of them will harvest your personal information and sell it to advertisers.  Others will protect your information to the extent that they’re allowed to.  And remember that just because they will protect your information, doesn’t mean that someone won’t come through with a script or bot and harvest the information anyhow.

Be safe and have a great day:)

Patrick.