Thursday, May 3, 2012

The 15 Commandments of Computer Safety

The Computer Gods hath spake unto us these divine commandments, saying:


1) Thou shalt have complex passwords

Your passwords should look truly random. Each should be a minimum of 10-15 characters long, contain upper case letters, lower case letters, digits, and (if possible) special characters. There should be no dictionary words in it.

There are two password managers I can recommend that will automatically do this for you and you will be oblivious to what your actual password is. They are LastPass and 1Pass4All. This will make life easy for you. You still need to make your master password very strong using these services. There is a wonderful password checker at howsecureismypassword.net.

2) Thou shalt not have the same password on more than one website

Never, ever, ever, ever, not ever have the same password for more than one website. There are no exceptions to this rule. There are numerous SAFE ways of not having to remember the actual password for each website. LastPass, mentioned above, is a watertight password manager that uses servers to store your keys in the cloud. However, your passwords are encrypted and decrypted locally. 1Pass4All allows you to have one password for all your websites. It simply runs your password through a complex hashing algorithm that's specific to each website.

Finally, you can come up with your own algorithm. For instance, you could assign each letter of the alphabet a specific three-character alphanumeric string, and use the first three letters of the URL address as your password. Or the last three. Or whatever. Come up with your own solution that takes into account the website URL as part of the password. Make it hard to figure out in case someone hacks one of your accounts.
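A sketch of the "one master password, a different password per website" idea from commandments 1 and 2, added here as an example; it is not 1Pass4All's or LastPass's actual algorithm. The choice of PBKDF2, the special-character set, the `counter` parameter and all function names are assumptions.

```python
import hashlib
import string
from urllib.parse import urlsplit

# Character classes named in the first commandment: lower, upper, digits, specials.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!#$%&*+-=?@^_",  # assumed set of specials; trim to what a given site accepts
)
ALPHABET = "".join(CLASSES)


def normalize_site(url_or_host):
    """Reduce a URL or host name to a bare lower-case host, so that
    'https://www.Example.com/login' and 'example.com' give the same password."""
    text = url_or_host.strip().lower()
    if "://" not in text:
        text = "//" + text  # makes urlsplit treat the text as a network location
    host = urlsplit(text).hostname or ""
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError("no host name found in %r" % url_or_host)
    return host


def derive_site_password(master, site, length=16, counter=1, iterations=200_000):
    """Derive a per-site password from a master password.

    The site name is the salt, so every site gets an unrelated password, and
    the slow one-way KDF means a password leaked from one site does not reveal
    the master password or the passwords for other sites. Raise `counter` to
    rotate the password for one site without changing the master password.
    """
    if not len(CLASSES) <= length <= 64:
        raise ValueError("length must be between %d and 64" % len(CLASSES))
    salt = ("%s:%d" % (normalize_site(site), counter)).encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations)
    # Stretch the 32-byte key into a large integer to draw characters from.
    pool = int.from_bytes(hashlib.shake_256(key).digest(4 * length), "big")

    def take(n):
        """Draw a number in range(n) from the pool."""
        nonlocal pool
        pool, remainder = divmod(pool, n)
        return remainder

    # One character from every class first, then fill from the whole alphabet.
    chars = [cls[take(len(cls))] for cls in CLASSES]
    chars += [ALPHABET[take(len(ALPHABET))] for _ in range(length - len(CLASSES))]
    # Deterministic Fisher-Yates shuffle so the class positions are not fixed.
    for i in range(len(chars) - 1, 0, -1):
        j = take(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    master = "constructed sample master password"  # sample value, not a real secret
    for site in ("https://www.example.com/login", "example.org"):
        print(normalize_site(site), derive_site_password(master, site))
```

Unlike a hand-made letter substitution on the URL, nothing here is reversible from a single leaked password; the scheme is only as strong as the master password.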

3) Thou shalt not type your password

You should never type your password for your bank account. This is because there could be a software-based or hardware-based keylogger on your machine. LastPass and 1Pass4All can both fill out the password field automatically, so it is a non-issue with these. But if you must type your password, simply type the characters out of order, using the mouse to move the cursor at some point while you're typing. Or you can use an on-screen keyboard. On a Windows computer go to Start → All Programs → Accessories → Accessibility → On Screen Keyboard. Linux also has an on-screen keyboard under Preferences → Universal Access.

A copy+paste of your password from a file on a USB isn't 100% secure. It's possible that a piece of malware could have access to your clipboard data or the file. Also, storing your passwords without encryption would be a bad idea.

4) Thou shalt change your password often

Many times websites' databases will get hacked and will contain improperly hashed passwords. When passwords are stored on a webserver as hashes, they can be cracked in time with high power computers. If you change your passwords every 1-6 months you will be much less vulnerable to these breaches. You create a moving target for a would-be account thief. If your passwords are strong enough, it will take someone more time to crack it than a weak password, but it can still be cracked. By changing passwords often you make it virtually impossible for someone to keep up within the timeframe. Conversely, by never changing your passwords you allot them more time to crack your password from a password hash.

5) Thou shalt secure thy operating system

Run a supported version of Linux or BSD, if at all possible. If you need to use Windows applications you can still run them inside a virtual machine. If you must run Windows or Mac as a full time environment, keep it patched (security updates), do regular virus scans, and keep abreast of security news for that OS (operating system). If you don't know what an operating system is, you probably shouldn't be using the Internet.

6) Thou shalt keep thy browser and plugins patched and up to date

What browser are you running? Is it the latest version available? It better be. Do you know what plugins you have enabled for that browser? Are those up to date as well?

To check the browser version go to "Help → About" (Firefox and IE) or just "About" (Chrome). To see what plugins are enabled in Firefox, open up a new tab and type “about:plugins” (without the quotes). To check if those plugins are up to date go to mozilla.org/en-US/plugincheck/. To see what plugins are enabled in Chrome type “chrome://plugins/” (without the quotes). It should automatically list which plugins need to be updated. Internet Explorer does not have a sufficient built-in plugin checker (correct me if I'm wrong), but Mozilla's plugin checker should work, although it is very limited with IE.

7) Thou shalt know thy browser settings

For instance, when I close out my Firefox session, it automatically clears out all browsing history, download history, active logins, cache, saved passwords, and offline website data. I keep cookies and form history enabled. I set it to automatically block reported attack sites, web forgeries (phishing sites), and automatic add-on installs.

There’s a Firefox add-on called “HTTPS Everywhere” that forces Facebook, Twitter and popular websites to use secure log-in pages. Another great add-on is NoScript. It keeps website scripting under control. It is very annoying the first week of use, but after you whitelist all of your most commonly used sites it's well worth the trouble.

If using a public computer, always use private browsing mode. In Firefox go to "Tools → Start Private Browsing". In Chrome go to "New Incognito Window".

Again, know how to use your browser.

8) Thou shalt guard thy email account with thy life

This means don't let friends or family have access to your email account that's associated with your bank accounts. Change your email password every 1-6 months or any time you suspect it might have been compromised.

If someone has unrestricted access to your email account, they are more than halfway there if they want to ruin your life. Most banks even offer to reset passwords through your email account and some other rudimentary personal information. Yikes!

9) Thou shalt not follow links provided in emails

We've all heard this one before. Just enter the address using bookmarks or your keyboard (making sure not to mis-spell the URL).

10) Thou shalt know how to identify an institution

Phishing continues to be one of the primary ways people get hacked. There are several ways to identify a website. Google, Facebook, and banks with online access all offer https access. Keep in mind this is not always by default. Sometimes you have to type in the “s” part of https manually. When their secure page is displayed, you can click on the left side of the URL address bar (right side for Internet Explorer) and it will display identity information for that website including third party SSL validation, encryption specifications, and the date of last visit. Also, most banks invoke a SiteKey for mutual authentication.

11) Know thy public WiFi dangers

Check your WiFi connection before connecting. If it's WEP or open access, it's totally insecure. If it's WPA2, it might be secure. To make a WPA2 connection completely secure you must (a) not broadcast its existence publicly (to keep a low profile), (b) use a unique SSID (to protect against rainbow table attacks), and (c) use a long, complex and unique password (the most important step).
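Why points (b) and (c) matter, as an added example that is not part of the original post: WPA2-Personal derives its key from the passphrase with the SSID as the salt, so the same passphrase gives an unrelated key on a uniquely named network. The SSID list, the 15-character threshold (borrowed from the first commandment) and the function names are assumptions.

```python
import hashlib

# Constructed sample of factory-default style network names (assumption).
COMMON_SSIDS = {"linksys", "netgear", "dlink", "default", "home", "wireless"}
MIN_PASSPHRASE_LEN = 15  # assumption: upper end of the 10-15 range in commandment 1


def wpa2_pmk(passphrase, ssid):
    """Pairwise master key as WPA2-Personal derives it:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    ssid_bytes = ssid.encode("utf-8")
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSIDs are 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid_bytes, 4096, 32)


def audit_network(security, ssid, passphrase=""):
    """Return a list of findings for a network you administer.
    An empty list means none of the checks below fired."""
    findings = []
    mode = security.strip().upper()
    if mode in ("OPEN", "WEP"):
        findings.append("%s gives no usable protection" % mode)
        return findings
    if ssid.strip().lower() in COMMON_SSIDS:
        # The SSID is the only salt: a table precomputed for a common name
        # applies to every network that shares that name.
        findings.append("SSID is a common default; pick a unique name")
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append("passphrase is shorter than %d characters" % MIN_PASSPHRASE_LEN)
    return findings


if __name__ == "__main__":
    phrase = "a long constructed sample passphrase"  # sample value, not a real key
    for name in ("linksys", "cafe-7f3a-upstairs"):
        print(name, wpa2_pmk(phrase, name).hex(), audit_network("WPA2", name, phrase))
```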

Any information that you don't want in a stranger's hands should be encrypted when using a public WiFi connection. This means that all URLs should be https and not http. Also, if a clandestine hacker is lucky enough to have access to a forged SSL certificate, know that you could be the victim of a man-in-the-middle attack. In this case your banking session or whatever would be encrypted, but it would be going through that person's laptop and he/she would be accessing your bank on your behalf. That's a very bad situation. The only way to protect against a MITM attack is to stay on top of the news regarding forged SSL certificates, not something the average person is willing to do.

Another consideration when using a public WiFi connection is to use a VPN (virtual private network). This allows for anonymous, secure web browsing in public locations.

12) Thou shalt monitor thy logged-on locations

Many websites supply this information at the bottom of the page or on the log-in page. If you suspect foul play, check your settings and then reset your password immediately.

13) Thou shalt not download illegal content

Anytime you download illegal content, you're asking to get hacked. If you absolutely can't live without pirating something, do it in a virtual machine and don't ever use the file on the same OS (operating system) you do your banking with.

14) Thou shalt secure all sensitive computer data

If someone gave me a computer to hack, I could clone the drive in an hour and read the files without having that person's administrator or user password and return it without them knowing. What about if a trojan/virus had access to your file system? What data could they plunder?

The only acceptable way to store sensitive data on a machine is 256-bit symmetric AES encryption (minimum). Personally I use 4096-bit asymmetric PGP encryption. Some people prefer to encrypt the entire file system rather than just the files that need it. You can also encrypt emails before sending them and use encrypted chat rooms to communicate. If you keep your backup data in “the cloud,” encrypt your data before sending it out. If you live in a country where encryption is legal, use your rights! If you don't, well there's always TrueCrypt.

If you delete a sensitive file, make sure you use a program like Eraser (Windows) or the “shred -fuz” command (Linux). Otherwise it can still be recovered. 

15) Thou shalt add extra security layers

Two-factor authentication (AKA two-step verification) is the new security layer in town and it's here to stay. Google offers it. Facebook offers it. My Chase credit card offers it. It essentially does not allow someone to get to the page where a would-be hacker can guess your password unless they also have unrestricted access to your cell phone and/or email account. Once you log in from a computer, the website will remember that computer for 30 days (if you want it to). The process repeats every 30 days. This process automatically phases out computers that you don't use anymore.

Also, make sure your security questions are next to impossible for anyone to guess, including law enforcement, who might have access to your mother's maiden name, previous addresses, etc. FYI Sarah Palin's email account got hacked this way. If Sarah Palin had multi-factor authentication and strong security questions, she would have been safe. Google is one of the few websites that lets you type in your own security questions and answers. This can be a great thing or a terrible thing if used improperly.


Monday, March 12, 2012

Why Apple is Evil

(original post 03/12/2012)

In 2011, Apple Inc. passed ExxonMobil in market value to become the largest company in the known universe. The success of Apple, particularly in recent years, has made it a darling of the business/investor realm. And it doesn't show any signs of slowing down. Did Apple create their empire by making ethical decisions all along the way? Let's take a closer look and find out.

Suppliers and Contractors

Apple Inc. is not in the business of building anything. They are simply a company that produces ideas. A lot of their ideas originated outside the company but we'll get to that later. Not long ago, Apple boasted that its products were made in America. The actual process of making hardware has been moved offshore and commoditized. In January of this year, Apple released a list of their suppliers under pressure from labor rights groups, journalists, academics, consumers and investors (source: NY Times). They tried to clean up their act as much as possible before releasing the list to the public but, unfortunately, audits still turned up many issues regarding working conditions in factories making Apple products.

Life in a Chinese factory is harsh by western standards. The majority of Chinese workers routinely work more than 60 hours per week while either standing up or sitting on backless stools (source: March 5, 2012 interview with Charles Duhigg on NPR's Fresh Air).

Personally, I do not have a huge issue with this in particular. I think hard work is a virtue, as long as it is "employment at will." Employment-at-will means that either the company or the worker can terminate the employment relationship at any time without consequence. Employment-at-will also ensures supply-and-demand wages, where employers cannot use contracts as leverage over their employees regarding pay and working conditions. The problem is that China uses a contract employment system. In a contract employment system, workers' rights are compromised or in some cases completely ignored. I won't talk at length about this because most companies that contract to do manufacturing in China run into this ethical issue and it is not specific to Apple.

Another big issue is that inside many of Apple's supplier factories, there are very serious health risks. One factory ordered workers to clean iPhone screens using a poisonous chemical, causing toxic shock, nerve damage and/or paralysis to 137 employees. Numerous workers have committed suicide, or fallen or jumped from buildings in a manner suggesting suicide attempts. In two separate explosions caused by dust from polishing iPad cases, four were killed and 77 injured (source: NY Times). The decisions made by the people running these factories were and continue to be reckless, disturbing, and far from ethical.

Originality?

Investors like Apple not because they build things, but because they design things. But how many of Apple's ideas are truly original? iCloud is a blatant rip-off of Dropbox, Ubuntu One, etc. Facetime, iMessage, iTunes Cloud/Match, and Reminders were not new concepts when they came out. Apple's flagship operating system, OSX, is built on BSD, which is built from Unix. So they didn't even "invent" their operating system. They simply built a user interface (UI) on top of an existing one. Essentially all of their software is existing software with a prettier interface. Whether or not the UI is actually better than competing software remains non-definitive, subjective, and the answer varies from person to person.

Anti-Freedom

Apple is obsessed with control. Control of hardware. Control of software. Control of information. Not only that, but they are very secretive about how they control things. I'm sure everyone is aware of the phrase "walled garden" that fits Apple so well. They subjugate the user in every aspect.

Apple creates an ecosystem for users to invest their time and money in. They then trap the user in their ecosystem, since they use proprietary software that does not have the ability to export data en masse or adhere to any open standards. This is known as vendor lock-in. They control all protocols and standards within their software ecosystem.

For example, music purchased through iTunes may come with DRM (digital restriction management software) that locks the files. These files are compatible only with Apple's iTunes media player software on Macs and Windows, and on Apple-specific devices such as iPods, iPhones, and iPads. In September 2005, U.S. District Judge James Ware approved Slattery v. Apple Computer Inc. to proceed with monopoly charges against Apple in violation of the Sherman Antitrust Act (source: Wikipedia).

The simple fact is, people that use Apple products are failing to defend their freedoms. For example if I buy a DRM-laden book through iTunes, I can't use the digital book in the same way that I can a traditional book. I give up my freedom to buy books anonymously. Apple has a giant list of users and the books they've read. The mere existence of such a list could be considered a threat to human rights. I can't sell my book to a friend or used book store. I need a proprietary technology just to simply read my e-book. I am handcuffed to digital restrictions that simply don't exist in the world of physical media. These restrictions are made possible because Apple uses proprietary software exclusively.

Proprietary software is software that executes code on your device, but doesn't allow you to examine the actual source code of the software. No one but the programmer knows the implications of what the software will do to your computer or device. In other words it's akin to buying drugs from someone who says "Trust me, it's totally safe! If you don't believe me, just ask me." The only reason a person or company would ever want to hide the source code from you is because they have a secret they want to keep from you and everyone else. Users cannot scan proprietary software's source code for software vulnerabilities, bugs, or signs of malicious intent. They simply have to trust the developers.

Contrasting this is free/open source software. “Free software” means software that respects users' freedom and community. Roughly, the users have the freedom to run, copy, distribute, study, change and improve the software. With these freedoms, the users (both individually and collectively) control the program and what it does for them.

Let me make an analogy. We will compare two automobiles, one representing proprietary software and one representing free/open source software. I will leave you to guess which one is which.

The first automobile, car #1, has full access to the engine compartment. It also comes with a parts list and the blueprints for each part, including dimensions and materials. Parts conform to automotive standards and most parts are widely available. Parts can be taken off and sold. Parts can be upgraded. Parts can be maintained by the owner or anyone the owner chooses. Parts can be examined for flaws. The car can be used for any purpose.

Now let's say you bought a second car because it was "cool" and all your friends had one or maybe you thought it ran better or whatever. This car #2 is bought from a clandestine dealership. The dealership is very secretive about where car #2 came from. In order to buy car #2, you must sign a lengthy End User License Agreement, which states exactly what you can and cannot do with it. After paying a much, much higher price for the car than you would with car #1, you drive away.

A couple months later, car #2 starts flashing an obnoxious warning light on the dashboard, so you take it to a local shop. The mechanic there informs you that the hood is locked, and only the person that made car #2 or an authorized dealer can unlock it to do any kind of maintenance. So you take it back to the dealer. He tells you that you need an oil change. You agree and decide to get the more expensive synthetic oil. He says okay, but he will not let you into the shop to see if they actually put synthetic oil into it. You have no way of knowing what type of oil they put into the car. You drive away.

Another couple of months go by. Now you notice that there is a design flaw in the steering system while going over bumps with one wheel and not the other. Car #2 tends to lose control in this condition. Knowing this to be an obvious safety hazard you drive back to the dealership. They say "yeah, we know about this problem, but we have hundreds of other problems to tackle, and this one is considered to be a low priority." You explain that you know a little about cars and that they could easily solve the problem by raising the steering rack relative to the wheel hubs. They tell you "you can't make changes to your car! That's against the End User License Agreement!" They refuse to unlock the hood for you to make any changes. They also acknowledge that they probably won't redesign the steering system anytime soon.

One day your psycho ex-girlfriend starts chasing you and you try to outrun her putting the gas pedal all the way to the floor. You then realize that car #2 is limited to 70 MPH. At this point you hit a bump with the right tire and the whole vehicle careens out of control and crashes. Barely able to move you finally ask yourself: "why did I ever allow myself to be in this position?"

Did you figure out which car represents free/open source and which one was proprietary? LOL. Any person or company whose purpose is to restrict or subjugate or lock-in, finds that proprietary software is the only way to accomplish this. Free and open source software, by definition, means that the users are in full control of their software.

Apple is not the only company to use proprietary software. Microsoft popularized the use of proprietary software decades ago. So why am I harping on Apple so much? Apple pushes proprietary software on users harder than any other company that comes to mind.

I think that simply the use of proprietary software in the first place is unethical because it strips the most basic freedoms from the user. It hides its true form behind a curtain and disallows any form of true protection for the user. For example, many anti-virus programs for Windows are actually viruses themselves. If the source code is a non-readable proprietary blob, why wouldn't malicious software makers take advantage of this? We should never allow software makers to be in the position of deciding what is ethically right to do to us as users. We should always be able to look at the code (as a community) and decide for ourselves.

Another thing Apple does is even worse than the use of proprietary software. They actually prohibit free/open source software in their app store. They don't allow users the choice of using free/open source software. They don't want users to take back even the slightest amount of control from them. This is highly unethical. Apple is a pioneer in attacking users' freedom. This is why the world is a worse place because of Apple.

Apple has successfully locked down its hardware. Even if I wrote my own software, I can't use it on any iOS device. OSX for Macs is moving in the same direction, by disallowing installation of 3rd party applications by default. Eventually, OSX or any subsequent operating system from Apple may disallow altogether all 3rd party applications that are not "vetted" by Apple. This would make the Mac a completely sealed system just like iOS is now.

Censorship

Apple says "there's an app for everything," but what they don't say is that you can't get it if it's not sold through Apple. They are able to censor apps for the end user as they see fit, much like how Iran censors the end user experience of the internet. World governments are okay with these censorship policies because it generally makes censorship easier for them as well. Jonathan Zittrain writes "What used to be a Sisyphean struggle to stanch the distribution of books, tracts, and then websites is becoming a few takedown notices to a handful of digital gatekeepers."

But it's not just apps that they censor, no. Apple also censors people. Ellen DeGeneres did a parody of an Apple ad on her TV show. Soon after that, she got a phone call from Apple accusing her of making the iPhone look hard to use. I don't know what Apple said to her over the phone that day, but on the next episode of her show she magically changed her mind about the segment and apologized.

If you're a small-business owner and happen to have an apple – yep, it's also a fruit - in your company's logo, Cupertino's coming at you. Recently, Apple threatened Apfelkind (“apple child” in German), a family-run cafe in Bonn that has an Apple in its logo. The logo, which is quite different from Apple's own logo, has a child's face inside an apple. According to Apple, Apfelkind infringes on Apple Inc.'s trademark (source: junauza.com).

The company's commitment to secrecy is so extreme, that they fired an engineer for showing Steve Wozniak (co-founder of Apple and former contestant on Dancing With the Stars) some features of an unreleased version of the iPad. 

Harm to Developers

This is an important topic. Apple can reject an app or remove an app from its app store without any reason, according to the app store license agreement. This can and has caused many issues to indie developers that rely on the app store for income. Apple can reject an app because it doesn't like the way it prints, or because they use an in-app payment system, or because it competes with an existing Apple product.

I came across one developer who got screwed by Apple and created a web page to share his story: SaveMyHouseFromApple.com

End User License Agreement (EULA)

Many people agree to EULAs, but does anybody actually read them? Ed Bott from ZDnet says:

“I read EULAs so you don’t have to. I’ve spent years reading end user license agreements, EULAs, looking for little gotchas or just trying to figure out what the agreement allows and doesn’t allow. I have never seen a EULA as mind-bogglingly greedy and evil as Apple’s EULA for its new ebook authoring program.”

Dan Wineman explains:

“Apple, in this EULA, is claiming a right not just to its software, but to its software’s output. It’s akin to Microsoft trying to restrict what people can do with Word documents, or Adobe declaring that if you use Photoshop to export a JPEG, you can’t freely sell it to Getty. As far as I know, in the consumer software industry, this practice is unprecedented.”

For more information on this topic read this article on ZDnet.

Conclusion

I'm sure I can come up with half a dozen more reasons why Apple sucks but I'm done giving Apple the spotlight. Don't buy Apple.

Full Disclosure

I currently own an iPod that I bought years ago. But I have not made any Apple purchases since then and will continue to boycott them. I am voting with my dollars.

Friday, May 13, 2011

The Next Generation of Gaming Consoles

(original post 5/12/2011)

The current generation of gaming consoles - PS3, Xbox 360, and Wii - have been out for a few years now. The old way of thinking is that they should be long in the tooth by now. Since the 1980's, gaming consoles have enjoyed a generational refresh typically every 3-5 years. But that all changed with the Playstation 2.

The Playstation 2 is still the best selling console of all time, with over 150 million units sold (source). Its life cycle was over 10 years long, producing some 10,000+ games for the platform. Why did it stay on top so long? What changed?

This ten year console cycle was no accident on Sony's part. They deliberately put much forethought into future-proofing their hardware. Microsoft caught on to this before releasing the Xbox 360. They too, went to great lengths to ensure a longer life cycle for their current console. It's easy to see why the console producers want a long life cycle. They can produce the hardware cheaper over time and increase their profit margins more and more as they approach the end of the cycle. The cost of manufacturing drops precipitously as manufacturing technology increases at a steady clip. We've all heard references to Moore's Law of transistor technology. Eventually, at the end of the cycle, sales start to die off, and the cost/benefit ratio of producing a new generation console tips towards a refresh.

So what's in the ten year plan for us, then? Technology progresses so rapidly that hardware becomes quickly outdated after just a year or two (compared to PC gamers' rigs). I, however, will actually agree that a ten year cycle is a good thing. The most obvious reason, for consumers, is that we won't have to drop 600 USD on the latest console every few years. I simply would refuse to do that. I personally wait a couple years after a console comes out for the price to drop back down to earth before purchasing. If the cycle was only three years, I would be buying something that may become obsolete in a matter of months!

The other reason a ten year cycle is a great thing is that it allows developers to perfect the platform. Just look at the PS2. The games that came out at year ten look a hell of a lot better than the games that came out at year three, when the developers were claiming that they reached the console's limit. They simply weren't coding as efficiently in the beginning as they were towards the end. The launch game titles look way under par when you compare them to God of War 1 & 2, Ico, Okami, Resident Evil 4, etc. Game developers are ALWAYS complaining about not enough GPU, processing power, memory, etc. Some of them are just lazy and won't be bothered to write code efficiently unless they have to. Something along the lines of what Plato said: "Necessity is the mother of invention". Or something like that. Consoles will always have limits and constraints that developers will have to work with. Whichever developer is the most talented at working within those constraints will produce the best games.

A third argument for the ten year cycle is simply e-waste. Fewer console generations means less dumping of the older consoles. Sure, there's a few people out there who like to collect consoles, but they are in the minority. I acknowledge the fact that most people don't give a flip about the environment. But that doesn't mean it's not a real problem that we are eventually going to have to deal with.

Let me put it this way. If Sony didn't push for a future-proof console with each iteration, those of us that chose to buy would be spending hundreds of dollars for mediocre hardware that would be behind the technology curve by the time you took it home and opened the box. In other words you would have a Nintendo Wii!

**Begin Rant/Tangent/Sidetrack**

The Nintendo Wii IS NOT a current generation gaming console. It is a gimmick for kids, the elderly, the technologically inept, and drunks. There. I said it. I think I can speak for the majority of serious gamers when I say this thing is nothing more than a party favor. The graphics are horrid (most games feature heavily pixelated protagonists or cartoonish characters). It almost seems as if the graphics have gotten worse instead of better. The processor is woefully underpowered. And 88 MB of memory? Are you serious? It has an outdated architecture 90nm processor, which means it consumes more power per floating-point calculation than its competitors, so it doesn't even have that going for it. The games are short-lived fun, which I guess is okay if you're ADHD. "You wanna play Wii? That was fun. You wanna go ride bikes?"

The "revolutionary" controllers seem to always be low on batteries. And those controllers aren't even that precise. I must be an old codger or something, but I can play a shooter more accurately using my "sticks and buttons" controller. It has no hard drive. It has no Blu-Ray drive. It has no HD visual or audio output. It can't even play DVDs! That's laughable. Even a PS2 can do that and it was released a full six years earlier.

But hey, 87 million people can't be wrong, right?

**End Rant/Tangent/Sidetrack**

In the news recently, Sony and Microsoft have both stated that they will hold off on releasing their respective next generation consoles until 2014. This will no doubt make for some irate developers and early-adopter consumerists alike.

Personally, I am okay with this for the PS3. The games coming out this year look better than ever. Exclusive PS3 titles are hitting their stride with no sign of slowing down soon. A few examples that come to mind are Uncharted 3, Killzone 3, and Infamous 2. Additionally, on top of the nonstop barrage of awesome games that keep coming out, I have a backlog of games that are still lying in a stack with shrink wrap on them.

The Xbox 360 may not have the legs to stand for that long without an upgrade. Since they released their console earlier in the 7th (current) generation, their specs are not quite as up to date as Sony's. I'm hoping the Xbox 360 holds its own long enough to release their new gen equipment around the same time frame as Sony so we don't get too "uneven" with platform capabilities. That would make life harder for the game devs.

The wild card in all this is Nintendo, who announced that they're working on "Project Cafe," their next-generation console. Oddly enough, I don't think this will cause Sony or Microsoft to compress their development/release times for their 8th generation consoles. The specs for the new Nintendo console are already outdated and it hasn't even been finalized for production yet, which is now typical of Nintendo. Nintendo relies on sales gimmicks and "innovation," rather than acceptable hardware. It has, roughly speaking, the same hardware specs as a 7th generation gaming console, even though they are marketing it as an 8th. In fact, I will go so far as to say they will only just barely eclipse the 7th generation performance-wise, just as a bullet point that says they're the most powerful hardware available when it releases. Never mind the fact that the consoles they're competing with were designed 6-7 years ago. This will allow developers to easily port multi-platform games over to the new Nintendo console for little cost to them. Also, expect to see another "innovation" that will drive sales, like a small screen on the controller or something equally appalling.

I think the real danger is that Nintendo's Project Cafe console will be a success. This will drive home the fact that dumbed-down consoles can sell better and turn a higher profit more easily than serious gamer consoles. Since the casual gamers could possibly make Sony, Microsoft, and 3rd party developers more money for less work, there will be a gold rush to push out crappy games in bulk to garner the most amount of that money pie. Which, unfortunately, leaves the more serious gamers out in the cold. The PC will have its hardcore gamer devs and the Wii-like consoles will have the casual gamer devs, which leaves hardcore console gaming in purgatory. The budget-conscious "hardcore" gamer will find Wii-like consoles unsatisfying and dedicated PC gaming rigs far too expensive for us mere mortals.

This is my concern, dude.

I like the fact that we still have a fair amount of competition in the gaming world. Sony's missteps in the Playstation network will undoubtedly cause some gamers to switch platforms in the next generation. I may be one of them. I try to choose the best platform, with no conscious brand loyalty. For now, I'm sticking with the PS3. But as for the next generation: let the best console win.

Tuesday, December 28, 2010

Haiku OS Development

(original post 7/29/2010)

In early May of this year, the Haiku development team announced the availability of Haiku R1/Alpha2 (Release 1, alpha 2). A typical software project will include daily builds, followed by alpha releases, followed by beta releases, followed by release candidate builds, and then the final release.

For those who are unaware, Haiku is a free and open source desktop operating system that takes over where the proprietary BeOS left off in 2003. BeOS was designed from the ground up circa the early '90s to compete with Microsoft Windows and Mac OS. Although it never gained the traction it deserved, it had features that were far more advanced than its competitors at the time.

Haiku is fast, clean, and slick. It's elegant and beautiful in design. The performance of this OS is absolutely fantastic. The overall performance is, in my opinion, better than any other OS I've ever tried. I suggest running Haiku on your computer off the hard drive to see what your computer's hardware is really capable of. Haiku is designed to take advantage of multi-core/multi-processor computers unlike anything else. Every process in the OS is a thread. This allows the CPU much more versatility in carrying out its processing requirements. It also allows for multi-threading from a single processor. This is not anything new for a modern operating system, but Haiku has been doing these things since its inception in 1991 and it does it better and to a greater extent than anything else out there.

Earlier I wrote a blog about the advantages Linux offers over proprietary OSs. Well Haiku has, more or less, all of those same advantages. In some cases, such as speed, memory usage, and hardware requirements, it beats Linux hands down.

This system uses around 160 MB of RAM, even with several apps running. Wow. Boot time is also incredible. But with Ubuntu aiming to have a 12-15 second boot time by next year, it won't be winning that arena by the same wide margins for long. I can't say enough about the speed of this system though. It's fast. It's mind-blowingly fast. It's earth-shatteringly fast. It's ball-crushingly fast. It screams. When you launch an application it jumps out at you as fast as you can blink. It makes me smile every time I launch an app!

Haiku is perfect for hardware that is limited on resources, such as a netbook. If India's $35 tablet comes to fruition, I imagine someone could get costs even lower using Haiku due to the lower resource requirements.

Haiku is nascent in terms of open source operating systems, so naturally the selection of applications is pretty thin at the moment. There are some games available for Haiku, but it's not a big list by any standard. However, the Haiku developers successfully ported a development framework called Qt for its use. This means all applications written for Qt on other platforms will work with Haiku. Right off the bat this will vastly expand Haiku's software offerings to include an abundance of media players, IM clients, games, browsers, and a well respected office suite, KOffice.

The user interface is, quite simply, plain Jane. It's not very flashy. In this day and age I think of this as a good thing. It's right down to business. It has yellow tabs as title bars that don't span the full length of the window as a normal title bar would. Here are some images from Google for Haiku. I have a gut feeling they will evolve the UI once they get the underlying kernel/operating system working well.

The file system was designed and implemented very well. It uses BFS, a modern, 64-bit capable, case-sensitive, highly customized journaling file system. BFS has also been successfully implemented with the Linux kernel and is an installation option on some modern distributions of Linux. The Haiku file system layout is, in my opinion, more intuitive than any other OS. Both Windows and Linux seem very cryptic from the top of the file system hierarchy. Haiku is more easily interpreted by novices. If you install Haiku, have a gander for yourself.

Speaking of which, I might mention that the Haiku installer is really easy for a novice to use. I was dumbfounded by how easy it was to install. For a project that's still in the Alpha development phase, I have nothing but praise for where they stand right now. For anyone out there who's ever installed/reinstalled Windows, you're in for a real treat with Haiku. You will feel like you're cheating!

The transition from a completely proprietary OS to an open source OS has not been exactly a walk in the park. They have had an ambitious team working since 2003 to get this off the ground for you and me to enjoy free of charge. So kudos to the Haiku development team. They have been replacing lines of code bit by bit, byte by byte to make sure it doesn't infringe upon any patents and complies with the MIT license. So believe it or not, the entire codebase of BeOS has been replaced with new code. It has also made some improvements and updates along the way.

For nerds like me, there are all kinds of goodies packed into this OS. The system monitor (or task manager for windows users) is phenomenal. It has a detailed display for everything from each program's CPU/memory usage to setting individual process priorities on a per thread basis. For anyone that uses computers for critical applications this is a godsend. For instance, if you're recording a podcast, you want all the software related to recording to have full priority. If you're a DJ at a club, you want your MP3 decoder to have full priority, not your damn anti-virus software that keeps popping up annoyingly.

Speaking of anti-virus software, you won't need it. Although Haiku is not a Unix-based OS, its security model seems to have well written code that has been written from the ground up twice now. For now it also has security through obscurity, meaning it's not a malware target due to its niche uptake.

There is actually still a LONG way to go to get this OS as user friendly as others, such as Linux Mint. Currently WiFi is not yet supported (not widely, at least), a plethora of drivers are not yet available, the app selection is anemic, and even the OS's utility apps are not all completed. Flash is not currently supported. But Haiku is, nonetheless, showing lots of promise. Bugs and show-stoppers are to be expected in an alpha release, so there's no need to criticize Haiku over its shortcomings. I'm looking forward to seeing how things develop from here. Haiku has become one of my favorite niche operating systems.

Modern Digital Encryption: an Overview

(original post 5/7/2010)

Earlier I wrote about how to best avoid the dangers of surfing the web. Think of this as part two of my earlier blog post: Security on the Web. This time I'm going to focus on securing data on your computer, AKA your local machine. If you're like me and love security-related topics, or watching paint dry, this article is for you.

Sometimes it is necessary to store information on your computer that could be considered sensitive information. If you were to secure paper records, such as the deed to your home, you would put it in a safe or bank deposit box. But how do you secure the private data residing on your computer's hard drive? Encryption! Encryption can be used to protect data "at rest", such as files on computers and storage devices (e.g. USB flash drives). In recent years there have been numerous reports of confidential data such as customers' personal records being exposed through loss or theft of laptops or backup drives. Encrypting such files at rest helps protect them should physical security measures fail.

Computer encryption is based on the science of cryptography, which has been used as long as humans have wanted to keep information secret. Although the history of cryptography is very interesting, I'll keep to the point. Encryption has come a long way since the ciphers of Julius Caesar. I'll point out the basic forms in modern use today.

Symmetric and public-key encryption

The first method is called symmetric-key encryption. This requires both a key and a password to decrypt the file. The key is used to unlock the ability to guess what the password is. Without the key, prying eyes would not even be given the opportunity to guess what the password is. As you can guess, there is no way of sending a key securely over a network, such as the Internet, without an additional layer of security. Otherwise the key itself would be pulled from the data stream while in transit. What this means is that you must copy the key to a storage device and physically carry that device over to each computer that you want to decrypt files from. In other words the sender and receiver must share the key in a secured way in advance.

The second method is called asymmetric-key encryption, AKA public-key encryption. This method solves the problem of the first method (sending a private key across a network) by involving two keys. It uses a key pair based on prime numbers of long length. This makes the system extremely secure, because there is essentially an infinite number of prime numbers available, meaning there are an infinite number of possibilities for keys (source).

The key pair consists of a public key and a private key, which act exactly as their names imply. The public key goes out publicly. It is there for the taking for any computer on the network that wants it. Hiding within that public key is an algorithm directly related to your private key that can only be used by your private key for decryption purposes. Essentially, the public key provides encryption for the private key. It's a dual-layer encryption operation. The reason this works is that the key used to encrypt a message is not the same as the key used to decrypt it. The keys are related mathematically, but the private key cannot be feasibly (in actual or projected practice) derived from the public key.

It's a tough concept for the average person to wrap their head around. So if you find that explanation confusing, go to this HowStuffWorks article for further clarification.

Modern banking institutions also use digital certificates, which establish trust in the party you want to make a secure connection with. They use a third party certificate authority that verifies that they are who they say they are.

Here are a couple of good analogies pulled from Wikipedia:
An analogy to public-key encryption is that of a locked mailbox with a mail slot. The mail slot is exposed and accessible to the public; its location (the street address) is in essence the public key. Anyone knowing the street address can go to the door and drop a written message through the slot; however, only the person who possesses the private key can open the mailbox and read the message.
An analogy for digital signatures is the sealing of an envelope with a personal wax seal. The message can be opened by anyone, but the presence of the seal authenticates the sender.
And so it is the combination of these two that allows secure commerce over the Internet.

Security of key lengths

So just how secure are these algorithms? In the 1970's the United States developed an encryption standard called DES, which had a 56-bit encryption specification. This offered 70 quadrillion (70,000,000,000,000,000) possible combinations. This was considered more than adequate at the time. No one ever dreamed that computing power would advance to the point of making this standard obsolete. Well, guess what? That's exactly what happened! A modern consumer desktop computer could easily crack this in short order. It's too bad the U.S. government never heeded the implications predicted by Moore's Law around the same time period.

Necessarily, a new encryption standard was created: AES. This standard calls for 128, 192, or 256 bit length keys. The number of possible combinations increases exponentially in proportion to the key length. So a 128-bit key would have more than 300,000,000,000,000,000,000,000,000,000,000,000 key combinations [source: CES Communications].

I should point out that there is a physical argument that a 128-bit symmetric key is secure against brute force attack. Let me back up a second and clarify. Many cryptographic systems have no (practical) known weaknesses and so the only way of "cracking" them is to use a "brute force attack" by trying all possible keys until the message can be decoded. The Von Neumann-Landauer Limit implied by the laws of physics sets a lower limit on the energy required to perform a computation, such as breaking an encryption cipher.

Simply flipping through the possible values for a 128-bit symmetric key (ignoring doing the actual computing to check it) would require 2^128 − 1 bit computations. If we assume that the calculation occurs near room temperature, ~25°C, we can apply the Von Neumann-Landauer Limit to estimate the energy required as ~10^18 joules, which is equivalent to consuming 30 gigawatts of power for one year. Whammy Blammy! The full actual computation—checking each key to see if you have found a solution—would consume many times this amount.

Note: this argument assumes that the register values are changed using conventional set and clear operations which inevitably generate entropy. It has been shown that computational hardware can be designed not to encounter this theoretical obstruction (see reversible computing), though no such computers are known to have been constructed.

The amount of time required to break a 128-bit key is also daunting. Each of the 2^128 (340,282,366,920,938,463,463,374,607,431,768,211,456 to be exact) possibilities must be checked. A device that could check a billion billion keys (10^18) per second would still require about 10^13 years to exhaust the key space. This is a thousand times longer than the age of the universe, which is about 13,000,000,000 (1.3×10^10) years. Wowie Zowie!

Key length caveats

So why would you ever want to use more than 128-bit encryption? Ask the CIA. Their guidelines state that all information considered "Top Secret" is to be secured using the AES specification of no less than 192-bit encryption. An underlying assumption of brute-force computations is that the complete keyspace is used to generate keys, something that relies on an effective random number generator, something that is still in the works.

For example, a number of systems that were originally thought to be impossible to crack by brute force have nevertheless been cracked in this way because the key space to search through was found to be much smaller than originally thought, due to a lack of entropy in their pseudorandom number generators. These include Netscape's implementation of SSL (famously cracked by Ian Goldberg and David Wagner in 1995) and a Debian edition of OpenSSL discovered in 2008 to be flawed (source).
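The gap between nominal and effective key length can be measured. The following added example (not from the original post, and not Netscape's or Debian's code) audits a hypothetical key generator that stretches a 15-bit seed into a 128-bit key, compares it with the operating system's random source, and applies the billion-billion-keys-per-second rate used above. The generator, the seed size and the fleet simulation are all assumptions made for the demonstration.

```python
import math
import random
import secrets
from collections import Counter

KEY_BYTES = 16                  # 128-bit key, the size discussed above
SEED_SPACE = range(2 ** 15)     # assumption: the only entropy is a 15-bit seed
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def weak_keygen(seed: int) -> bytes:
    """Hypothetical flawed generator: a general-purpose PRNG seeded with a
    small number. The key is 128 bits long but fully determined by the seed."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))


def strong_keygen() -> bytes:
    """Key drawn from the operating system's cryptographic random source."""
    return secrets.token_bytes(KEY_BYTES)


def effective_bits(keygen, seed_space=SEED_SPACE) -> float:
    """log2 of the number of distinct keys the generator can ever produce."""
    return math.log2(len({keygen(seed) for seed in seed_space}))


def years_to_exhaust(bits: float, keys_per_second: float = 1e18) -> float:
    """Time to try every key at the rate used in the article."""
    return 2.0 ** bits / keys_per_second / SECONDS_PER_YEAR


def duplicate_keys(keys) -> int:
    """Number of key values that occur more than once in an inventory.
    Any duplicate among supposedly random 128-bit keys is a red flag."""
    return sum(1 for count in Counter(keys).values() if count > 1)


def simulate_fleet(hosts: int = 5000):
    """Constructed scenario: each host generates one key. Returns the number
    of duplicated keys for the weak and the strong generator."""
    picker = random.Random(0)  # fixed so the run is repeatable
    weak = [weak_keygen(picker.choice(SEED_SPACE)) for _ in range(hosts)]
    strong = [strong_keygen() for _ in range(hosts)]
    return duplicate_keys(weak), duplicate_keys(strong)


if __name__ == "__main__":
    bits = effective_bits(weak_keygen)
    print(f"nominal key length : {KEY_BYTES * 8} bits")
    print(f"effective length   : {bits:.1f} bits")
    print(f"full 128-bit search: {years_to_exhaust(128):.2e} years")
    print(f"weak generator     : {years_to_exhaust(bits):.2e} years")
    weak_dups, strong_dups = simulate_fleet()
    print(f"duplicate keys in 5000 hosts: weak={weak_dups} strong={strong_dups}")
```

Checking a key inventory for duplicates, as `duplicate_keys` does, is a cheap test that catches this class of flaw without knowing how the generator works.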

Using a truly random seed would fully utilize the entire keyspace, ensuring that AES keeps true to its theoretical brute-force protection. The Swiss are working on such a system now using quantum cryptology in which key ciphers are seeded by a number generated using photons -- tiny, massless packets of light. Since this method uses physics instead of math to create the key used to encrypt the data, there's little chance it can be cracked using mathematics. This type of method looks extremely promising. For more information on this subject see Heisenberg's uncertainty principle and How Quantum Cryptology Works.

Ironically this solution, quantum physics, may also present a challenge to the security of our data in the future. If quantum computing proves to propel computing power significantly ahead of the Moore's Law projection, it could present serious challenges to any encryption scheme. If any minor flaw is found in a cryptographic system, it effectively lowers the key length. As previously stated, this would be an exponential reduction rather than a direct linear reduction. Which means that a 128-bit key could possibly be cracked. Let's also not forget that there is a cosmological chance that any brute-force attack could discover the cipher in a short period of time due to pure dumb luck.

Because of these concerns, and the concerns of paranoid conspiracy theorists, most software applications that generate keys will go all the way up to 4096-bit encryption support. This is kinda like cutting your butter with a chainsaw. My personal opinion is that 256-bit encryption is just fine for the rest of our lifetimes. Besides, you're much more likely to get rubber-hosed or black-bagged. These are euphemisms for getting coerced or burglarized, respectively, for the possession of your cipher.

Believe it or not, there is actually a solution to these issues as well! Well, partially anyways. There is something called a hidden volume that offers plausible deniability. In countries such as Iran you can be targeted and prosecuted for encrypting your own data. As preposterous as that sounds, there are still many dictatorships around the world that smite free speech and treat you as a revolter if you even speak your opinion about something negative relating to your sovereign authority. Deniable encryption can offer things such as an encrypted decoy or even hide encrypted data altogether. Also, storing encrypted data on an Internet server that has no traceable connection to you is another preferred method.

Well, it's happened again. I've written too much and you've undoubtedly squandered another perfectly good block of time reading this. Signing out.

Security on the Web

(original post 4/5/2010)

There are pervasive criminal organizations that use sophisticated operations via the Internet to exploit a weakness in the U.S. banking system to steal money. Once their highly sophisticated operation is streamlined, it is all too easy for them to leave churches, school districts, local governments, small businesses, and even individuals destitute.

The large conglomerate U.S. banks, as it turns out, are using procedures for verification and transaction operations that were put into place decades ago. There are serious weaknesses in the system that criminal hackers are exploiting without too much trouble. Over the last several weeks the FBI, the FDIC, and the Federal Reserve have all issued warnings about this. It has garnered the attention of several major newspaper publications such as USA Today and The Financial Times of London.

Who exactly is at risk? 

A major portion of those at risk are people who do online banking from compromised computers. But even if you never sign up to do online banking, you are still at risk of having your money fraudulently wired out of your personal or business accounts. Small to medium-sized businesses have the greatest level of risk, followed by individual consumer accounts.

What can you do to protect yourself?

There is no black and white answer to this question. It depends on how specifically you are targeted by a criminal. You could have a virus or trojan horse on your computer that has broad-based algorithms that catch usernames and passwords. Or you could have an ex-employee or acquaintance that knows everything about your accounts and personal life. There are software-based keyloggers and hardware-based ones. There are unscrupulous individuals at airports and coffee shops catching usernames and passwords on public wi-fi hotspots. I will attempt to explain how to avoid all of these security problems.

Encryption on the web: an overview

Modern banks use asymmetric key encryption, AKA public key encryption, to establish a secure connection from a banking server/terminal to an individual computer. Once this connection is established, all transactions over the web are more or less completely secure, with almost zero chance of any eavesdroppers extracting any useful data, assuming they didn't catch your username and password credentials. Modern protocols are SSL 3.0 and TLS 1.0. Any encryption that is 128 bits or higher is considered secure enough for online banking. If you want to find out if your web browser is currently on an encrypted connection to a website, simply look for https instead of http in the URL address bar. That's the bar at the top where the www.(website).com address is located. If you want to dig deeper and find out what the current grade of encryption is, your browser can supply that information as well. In Firefox, for example, you would just hit Ctrl+I (or click Tools -> Page Info) and click on the Security tab. As an example, I'm currently writing this on a 256-bit encrypted connection to Zoho office. For more information see the Howstuffworks encryption article.

Basics for guarding your log-in credentials

If possible, I recommend that you avoid doing sensitive financial transactions over a public wi-fi connection. The most secure way to connect to the internet is by a wired connection to a router, switch, or other local computer. That said, currently the most secure connection over wireless would be a WPA password-protected connection, where only a limited number of people have access to the wireless network password. There is another wireless protocol called WEP that is much less secure and is easily hacked. A no-password wi-fi setup is the proverbial wild wild west, where anyone with the most basic packet sniffing software can read any unencrypted information you send to and fro on the Internet. This brings me to my next point.

You MUST ensure that your connection to your bank is encrypted before even thinking about typing in your password. Most banks use a two step process now where you only type in your username on the first page, and then it brings you to an encrypted second page for you to type your password. If there is no https in the title bar (URL address bar), then anything you send will be in plain text. Many email systems are set up so that your username and password are both sent through "plain text", meaning it's unencrypted and evil-doers can pick up your log-in credentials. Once they have your email log-in credentials they can reset your online banking account password and then can subsequently log in to your online bank. You must guard your email account with your life! I recommend signing out of your email every time you're not working on something, or you can alternately set up an email account that you use specifically for registering with your online banks. Many email providers offer a "secure access" option. I highly recommend using this at all times.

How to avoid phishing

Phishing simply refers to fake websites that try to get you to hand them your log-in credentials directly by masquerading as the real website they are trying to emulate. There have been several advances in the prevention of phishing, but it is still a major problem. The most common form of phishing involves a seemingly legitimate email that has links in it that take a user to a maliciously constructed website that may look like an exact replica of the real one. They commonly use similar domain names to add to the confusion. For instance, the URL may read www.bank0famerica.com instead of www.bankofamerica.com. Did you catch that one? The difference is between the letter O and the number 0. Most people could never tell the difference. This is just one example and the possibilities are endless. So how do you know for sure if a website is the one you want to be at? I recommend carefully typing in the web address manually and then saving it as a bookmark so that you will never mistakenly type the wrong address in the future. If you get an email from your bank saying your statement is ready, don't click on the link provided in your email. Instead open up a separate window or tab and navigate to the website on your own.
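The bookmark advice can also be automated. This added example (not part of the original post) compares the domain in a link against a list of bookmarked domains and flags near-misses such as the 0-for-o swap above. The trusted list, the small confusable-character table and the distance threshold are assumptions chosen for the demonstration, and taking the last two labels as the domain only works for simple endings like .com.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for the reader's own bookmarks.
TRUSTED = {"bankofamerica.com"}

# Hand-picked look-alike substitutions (an assumption, far from complete).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def hostname(url: str) -> str:
    """Host part of a URL, lower-cased; accepts links written without http://."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return host.rstrip(".")


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels. Real code would use
    the Public Suffix List to handle endings such as .co.uk."""
    return ".".join(host.split(".")[-2:])


def skeleton(domain: str) -> str:
    """Replace look-alike characters so visually similar names compare equal."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_link(url: str, trusted=TRUSTED, max_distance: int = 2):
    """Return (verdict, domain): 'trusted', 'lookalike' or 'unknown'.
    For 'lookalike' the domain returned is the trusted one being imitated."""
    domain = registrable(hostname(url))
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        if skeleton(domain) == skeleton(good):
            return ("lookalike", good)
        if edit_distance(domain, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an email.
    for link in ["https://www.bankofamerica.com/",
                 "http://www.bank0famerica.com/login",
                 "https://bankofarnerica.com/statement",
                 "https://example.org/"]:
        print(link, "->", check_link(link))
```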

There is a new security model that invokes a "SiteKey" for authentication. Originally, it was the banks that were feverishly trying to authenticate the users during the log-in process. It was later pointed out that it's just as important for the user to authenticate the bank before giving out their super-secret passwords. Originally, if the user wanted to authenticate the bank they would use a browser's advanced features to view the SSL server certificate and compare the certificate's "fingerprints" to the ones they had on file for that website. This process can still be used today and is extremely effective. But most users wouldn't bother with this process, even if it only takes a couple of seconds. Well, necessity is the mother of invention. Ergo the SiteKey was born. It's basically a combination of a unique picture and phrase that are both displayed on the banking website's page where the user must enter his or her passcode credentials. This is how it works: if the picture and/or phrase displayed are not the ones the user is expecting, a giant red flag goes off and the user (hopefully) does not enter their password without further investigation. It is a great step in the right direction towards reducing the occurrences of successful phishing attacks.

It is important to note that phishing attacks are not limited to the internet. They can be done over the phone or even in person. If your bank calls you and wants you to reveal sensitive information to them, you need to hang up on them and call them back using a number from your statement, the bank's website, or even the phone book. But do not call the number listed on your caller ID!

Keystroke loggers

This is a big one. In fact, keystroke logging attacks may be the single most hazardous attack that criminals use to procure your log-in credentials. The first type is the software-based keystroke logger. This is the result of viruses, malware, and trojan horses targeting your computer's operating system to allow evil-doers to record each and every keystroke made on the keyboard. I won't get into the nitty gritty of all the different technical ways this is possible. Microsoft Windows is far and away the worst at combating these malicious software programs, and new viruses are discovered each and every day. There are over a million malicious software programs written for the Microsoft Windows platform. It is a constant battle of trying to find viruses in the wild, logging them into anti-virus programs, downloading the lists to individual machines, and endlessly scanning every machine for those viruses. By the time your antivirus program receives the update, there are new viruses in the wild that you are not protected from. Sound a bit like a dog chasing its tail? The problem is worse than you can imagine. But should you lose hope?

The newspapers, magazines, and TV stations claim they have an answer to the problem. Their solution is that you should buy a separate computer dedicated solely to sensitive information handling such as online banking, payroll, etc. On this computer you would not surf the Internet aimlessly and casually like you would on your normal machine. No email, no online chatting, no social networking. It's strictly down to business and nothing more. This machine should be configured to disallow scripts, videos, and/or images to load from the internet. Also, it must have a firewall that is specially crafted to block all unused ports and services. It is, in my opinion, a waste of resources, space, and money.

But why not install a second hard drive with a separate operating system on it? If you really wanted to save money you (or your closest geeky friend) could repartition some free space on your current hard drive to make room for another operating system. You can use one of any number of free operating systems that are much more secure than Windows. In fact I wrote a piece earlier on why I use Linux Mint as my operating system of choice when doing any sensitive transactions on the web. But there are many other free alternatives out there that are just as suitable. If you absolutely insist on using MS Windows, do not install any programs that are not needed to carry out the transactions you need to accomplish, only connect to the internet when you need to, run antivirus programs regularly, and use the latest version of Firefox or Opera (arguably the two most secure) web browsers.

There are also hardware-based keystroke loggers. They are most commonly manifested as a device plugged inline between a computer keyboard and a computer. They can also be built into a keyboard. There is an old saying that any computer can be compromised if physical access to the machine is possible. This is just one example of that ringing true. These attacks are not usually broad-based attacks, but are specifically implemented to gain information from a single person or company. In other words, espionage.

Some institutions are now using authentication by clicking numbers or letters on-screen to mitigate these types of attacks. 

An ounce of prevention...

There are several layers of prevention that can be used to avoid becoming a victim of a phishing attack. The chances of someone gleaning your log-in credentials are exponentially reduced with each step, so I recommend you take all of them.

First of all, use bookmarks. They will ease the temptation of clicking on links in your email and also prevent you from accidentally misspelling the web address.

Second, if your bank supports SiteKey or similar mutual authentication procedures, use them. This system is one of the great triumphs against phishers.

Third, if you run Microsoft Windows, run antivirus software once daily or after surfing the Internet if you don't use your computer daily. If you run any other operating system you don't necessarily have to run antivirus software, but make sure you stay abreast of security news regarding that particular operating system.

Also, there is a dead-simple, yet extremely effective trick I learned that prevents you from becoming the low-hanging fruit for malicious keylogging programs. You simply type your password out of order. For example if your password is 12345678, you would type 5678, then click the mouse to move the cursor back to the beginning and finish typing 1234. If there was a keystroke logging device it would read the log file as 56781234, which is the wrong password. The criminal might be able to figure it out eventually, but they wouldn't waste their time if there was lots of other low-hanging fruit out there. Remember also that if you use your mouse to click on bookmarks instead of typing in a web address, there is a lesser chance that a criminal can figure out which site you are trying to log into.
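The trick above, modelled as an added example (not part of the original post): it plays the same 12345678 sequence into a simulated password box and compares the field's contents with what a logger that sees keyboard events only would capture. The class, function and event names are constructed for illustration; the second scenario shows that repositioning with the Home key instead of the mouse leaves the logger able to rebuild the password, because navigation keys are keystrokes too.

```python
# Constructed model: a password box, the real input events, and the view of
# a logger that records keyboard events only (an assumption of this example).


class PasswordField:
    """A single-line text input with an insertion cursor."""

    def __init__(self):
        self.text = ""
        self.cursor = 0

    def move_to(self, pos):
        # Clamp so the cursor always stays inside the current text.
        self.cursor = max(0, min(pos, len(self.text)))

    def press(self, key):
        """Apply one keyboard event: a navigation key or a printable character."""
        if key == "<Home>":
            self.move_to(0)
        elif key == "<End>":
            self.move_to(len(self.text))
        elif key == "<Left>":
            self.move_to(self.cursor - 1)
        elif key == "<Right>":
            self.move_to(self.cursor + 1)
        else:
            self.text = self.text[:self.cursor] + key + self.text[self.cursor:]
            self.cursor += 1


def run_session(events):
    """Play input events; return (value left in the field, keys the logger saw)."""
    field = PasswordField()
    key_log = []
    for kind, value in events:
        if kind == "key":
            field.press(value)
            key_log.append(value)      # every keystroke is captured
        elif kind == "click":
            field.move_to(value)       # mouse clicks never reach a keyboard logger
        else:
            raise ValueError(f"unknown event kind: {kind!r}")
    return field.text, key_log


def keyboard_only_view(key_log):
    """What the captured keystrokes alone reproduce when replayed in order."""
    field = PasswordField()
    for key in key_log:
        field.press(key)
    return field.text


def trick_holds(events):
    """True when the keystroke log does not reproduce the real field value."""
    real_value, key_log = run_session(events)
    return keyboard_only_view(key_log) != real_value


def typed(chars):
    """Helper: turn a string into a list of key events."""
    return [("key", c) for c in chars]


# Scenario from the text: type 5678, click at the start, type 1234.
MOUSE_REPOSITION = typed("5678") + [("click", 0)] + typed("1234")
# Same order of typing, but the cursor is moved with the Home key.
HOME_KEY_REPOSITION = typed("5678") + [("key", "<Home>")] + typed("1234")

if __name__ == "__main__":
    for name, events in (("mouse", MOUSE_REPOSITION), ("Home key", HOME_KEY_REPOSITION)):
        value, log = run_session(events)
        print(f"{name:9} field={value} log={''.join(log)} "
              f"logger view={keyboard_only_view(log)} trick holds={trick_holds(events)}")
```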

Wiring transactions

Bank-to-bank wire transfer is considered one of the safest international payment methods, assuming you wire to the intended individual. However, if you wire money to the wrong person, it can be nearly impossible to recall the funds. Once a criminal receives a wire transfer, they have a high rate of success making away with the loot.

I'll give an example of the precautions I normally take involving a wire transfer. When I opened my checking account, I instructed the bank to do a double authentication for wire transfers. This is very common among small business owners. What this means is I can't wire any money out of my bank account without the bank actually calling me and asking me questions that prove my identity and verifying the amount and destination of the wire. It is critical that you get the destination right and also make sure that it is a legitimate enterprise. When I had to wire my life savings to an escrow account to buy my first home, I took many steps making sure the company I was wiring my money to was legit. For example, I checked the BBB (Better Business Bureau), did a phone book search to verify the physical address of the business, did a Google search to find their website, and called the escrow agent and personally verified the routing and account numbers over the phone. You NEVER can be too careful when wiring money out of your bank account. For some examples of what NOT to do head over to this article. 

Special considerations for small businesses

In the United States, if a consumer account is compromised, the bank usually takes the loss. However, if you own your own business and your business bank account is compromised, the law (specifically the Uniform Commercial Code) can require that the business owner prove that they took due care in safeguarding information and access relating to that account. You may find yourself in a corner defending your due care in preventing the losses suffered in your bank account. Therefore, it is imperative that you take at minimum the preventative steps mentioned in this article. If you must write down your password, you have to keep that piece of paper under lock and key.

If you are going to buy a separate computer for all of your sensitive financial transactions, I would have an IT professional set it up for you for that purpose. You will need to disable all drives and ports, configure the firewall properly, configure the browser properly, uninstall all crapware applications, and keep the computer itself in a locked room or cabinet.

Stay tuned for more...

Making the Switch to Linux

(original post 01/17/2010)

This blog/article is meant to inform the general public about open source software, but is more heavily geared specifically toward my experiences and opinions relating to Linux-based desktop operating systems and, more specifically, Linux Mint.

I won't go into too much detail about my history with computers, but I had learned on and exclusively used Microsoft Windows as my computing platform for at least a decade. I learned all of the ins, outs and idiosyncrasies of it in painstaking detail. My opinion of Windows XP when it debuted was that it was powerful, flexible, and adequately secure. But as the Internet grew up, innumerable problems started to arise. That's what led me to search for something else, and what led me to, ultimately, start using Linux.

Many things I took as standard operating procedure were actually just exclusive to Windows. Like forced restarts, for example. I remember one time I was working on some things and the system decided to restart itself in the middle of my work. I couldn't save all the documents in time before it shut down. Every time, it seems, I update the operating system, it constantly nags me to restart. Install a new application? Restart. Uninstall an application? Restart. File system error? Restart. Persistent dialog box won't go away? Re... well, you get the idea. And sometimes I will reboot after a Microsoft update, only to have the system tell me it needs another update. Then when I install it, it tells me I need to reboot again!

Speaking of booting, why is it that with every passing week of regular use, Windows takes longer and longer to boot? The constant rebooting wouldn't be so bad if it booted in 45 sec. like it did out of the factory. But it does get worse. In my experience after about six months I find it takes at least three to five times as long to boot. I can't blame this entirely on Microsoft, but the problem seems to only occur on their operating system so what else can I say.

It's not just the boot performance that suffers over time, but other aspects as well. Many programs load a small script at each startup and run in the background taking up precious disk space, RAM, and computing power. Not to mention they can also be a back door for an exploitative malware program.

I'm somewhat of a go-to guy for everyone and their dog's computer-related problems (and other problems for that matter!). Many times people will come to me with a "broken" machine. But it usually turns out that the machine was not maintained at all. By this I mean registry clean up, hard drive defragmentation, virus/malware scans, and, especially, startup scripts/applications. These computers had simply used up all of their RAM and were resorting to "virtual" RAM at a terrible performance penalty, rendering their computers unusable.

To counter this "Windows degradation" I decided to just wipe my hard drive clean and reinstall Windows every 6 months or so. This was not only to maintain peak performance, but to eradicate trojan and rootkit malware as well.

Microsoft should, in my opinion, have made Windows secure in the first place. But they failed MISERABLY at securing the desktop and, until recently, relied upon third party vendors to plug in the holes. So what you have, ultimately, is a company with closed-source binary code that has a plethora of both known and constantly emerging security flaws telling you that you can rely on them to patch the code for you sometime in the future. It's like having someone with a known high level of incompetence promising they know how to pack your parachute.

There are well over a million viruses circulating that target the Windows platform. We live in an age where online transactions are a major part of normal business operations. Security is a big deal. I personally took every precaution (or so I thought) and still picked up viruses (virii?) on my Windows machines. This is what led me to search for a more secure operating system. Here are a couple of articles that may be relevant:



I was excited when the tech world was abuzz with Windows Vista before its release. I was happy that Microsoft had finally gotten their act together and was working to put out a world class operating system for the masses. Or so I thought. When it finally came out, I gave it a whirl myself. I was underwhelmed, to say the least. I was actually accepting of their User Access Control scheme, which most people considered annoying and tiresome. But the hardware requirements for Vista are appalling! They not only force you to upgrade all their software packages (by pulling support for the older ones)... they force you to upgrade your hardware too! All of this just to try and get the same performance you used to get before. Windows uses their monopoly to push their latest operating system, requiring new hardware whether the consumer wants it or not. And the computer manufacturers encourage this behavior so they can keep selling more machines. Which loops right back to Microsoft maintaining its monopoly stronghold. It is a vicious cycle of greed that seems to be a perpetual motion machine so far.

When I bought a laptop that had Vista on it, I read the End User License Agreement (EULA) before accepting it. It had some pretty disagreeable stuff in there. Especially for people like me who re-install Windows on a regular basis due to their shoddy product degrading itself over time.

Vista also has an increased level of Digital Rights Management, another tech industry idea that I am vehemently opposed to. Here is a snippet from a Wikipedia entry on the subject:

Windows Vista supports additional forms of digital rights management restrictions. One aspect of this is the Protected Video Path, which is designed so that "premium content" from HD DVD or Blu-ray Discs may mandate that the connections between PC components be encrypted. Depending on what the content demands, the devices may not pass premium content over non-encrypted outputs, or they must artificially degrade the quality of the signal on such outputs or not display it at all. Drivers for such hardware must be approved by Microsoft; a revocation mechanism is also included which allows Microsoft to disable drivers of devices in end-user PCs over the Internet.[107] Peter Gutmann, security researcher and author of the open source cryptlib library, claims that these mechanisms violate fundamental rights of the user (such as fair use), unnecessarily increase the cost of hardware, and make systems less reliable (the "tilt bit" being a particular worry; if triggered, the entire graphic subsystem performs a reset) and vulnerable to denial-of-service attacks.[108] However despite several requests[109] for evidence supporting such claims Peter Gutmann has never supported his claims with any researched evidence.

While I could keep ranting about how draconian Windows is, it's time for me to switch gears and talk about my most used operating system: Linux.

I found Linux out of a quest for a more secure operating system. System security was (and still is) my number one priority. I do trading, banking, purchasing and so forth over the Internet. I also keep records and personal information in "the cloud", so security is of paramount importance to me. I have seen other people's lives turned upside down because of various attacks that criminals use in cyberspace. I try to stay informed about security issues on the Internet. 

What I found was that, basically, Linux is more secure because of three primary things:
  1. A clear division between users and administrators (whereas Windows is built with the assumption that the user will be the administrator). If you don't have the correct permission, then you cannot, for example, access a particular piece of hardware. Additionally, privacy can be ensured because the files on the PC are owned by individual users, who can permit or deny others access to those files;
  2. It lacks hooks in kernelspace that Microsoft built in to give its additional products a performance edge over those of competitors (which make Windows as a whole vulnerable to a user's actions, even if the user doesn't have administrative privileges), and finally;
  3. Because of code transparency. Because code is published rather than hidden, it is publicly scrutinized and patched BEFORE it is released into production. 
Some people might also add security through obscurity, since only about 1% of the computing population uses Linux as a desktop consumer operating system. Linux is more secure, but make no mistake, this is hardly because of obscurity. The majority of publicly accessible webservers in use today are running Linux. Those are targets with public IP addresses and an always-on connection -- prime targets for worms -- yet they are the least commonly infected, with percentages well below those of Microsoft's security-optimized servers. Wikipedia says this:

The Linux operating system, Unix and other Unix-like computer operating systems are generally regarded as well-protected, though not immune, from computer viruses, compared to Microsoft Windows. There has not yet been a single widespread Linux malware threat of the type that Microsoft Windows software constantly faces; this is commonly attributed to the malware's lack of root access and fast updates to most Linux vulnerabilities. (src)

There are entire books written on Linux security, so I won't go into any further detail. But anyone who does the most rudimentary research will find that Linux is far more secure than Windows. Here are a couple of commentaries worth reading on the subject:

So after picking a distribution, I installed Linux for the first time. I initially found it to be a headache getting some of the hardware to work properly, but after a short amount of googling everything came together nicely. I switched distributions to a version of Linux called Linux Mint. It turned out to be a pleasant surprise. Everything worked more or less perfectly out of the box. As a side effect, I found other various attributes and virtues of Linux. Here is the list off the top of my head:
  • Speed.
There was a noticeable performance increase of the system. Boot times were quite expeditious. I had a hunch that it was not as much of a resource hog either. I checked the System Monitor (Linux's version of Task Manager) and sure enough, it was using far less RAM idling at 188 MB vs. Vista's 700+ MB.  In my tests, it has had faster file transfer times than Vista. Linux supports USB 3.0 already, something Vista and 7 can't claim yet (please correct me if I'm wrong on that).
  • Stability. Reliability. 
In my experience Linux simply does not crash. Period. I have been using Linux for more than two years now and can't remember a single time when an application took down the entire operating system. That used to happen to me at least once a week in Windows. No frozen mouse cursors. No error dialog boxes that cannot be resolved without a reboot. It was refreshing to find that a system can work so well in this manner.
  • Applications. 
The version of Linux that I use, Linux Mint, comes standard with a graphics editing program (that has been put on par with Adobe's Photoshop by some people), a softphone VoIP client, IRC chat client, dictionary, PDF viewer, OpenOffice.org -- a full office suite (fully compatible with Microsoft Office 2007 and earlier) that supports 110 languages -- and a fully capable media player. As a side note, OpenOffice.org has been found to be able to open files of older versions of Microsoft Office and damaged files that newer versions of Microsoft Office itself cannot open. Thousands of additional applications are available for the cost of $0.00 USD. A perfect fit for a cheapskate like me. Almost every piece of software I use in Linux is open source. What this means is that it is not only free of charge, but that it is arguably more secure. It also has a nice philosophical undertone akin to free speech. The source code is available for anyone to view and improve upon, a condition that open source advocates view as necessary and vital for technological and societal advancement. Linux is a platform dedicated, almost exclusively it seems, to open source software. There is a great 8-page chapter by Keir Thomas on the history and philosophy of open source software that I highly recommend reading. I found it very interesting. It can be found here:
  • Inherent Malware Protection.
I have mentioned the security aspect already, but did I tell you that you no longer have to do anti-virus, anti-spyware, anti-trojan, and anti-rootkit scans? That's right. There are very few, if any, active viruses in the wild that are infecting Linux boxes. They do crop up every now and again but in most cases they only affect those administrators who changed the permissions from the default settings and/or rely on someone having physical access to the computer to plant the malware. In addition, security holes are patched promptly and updates are issued immediately, not the second Tuesday of each month or whatever Microsoft does. No operating system is completely invincible, but all in all, it's a very efficient system. Unfortunately, I still use Windows from time to time so I'm still tied to scanning the computer for 2 hours (seriously) after surfing the Internet.
  • Updates. 
The updating system in Linux Mint (a specific version of Linux) is far, far superior to anything I have ever witnessed prior. It allows you to prioritize updates according to what level they have been tested. It issues critical updates immediately. And best of all, it updates not only the operating system, but all of the installed software on the computer as well! Eat that, Microsoft and Apple. Okay, I'll settle down before I start to sound like a fanboy. Here is a quote I pulled from Michael Horowitz, a syndicated "defensive computing" CNET blogger/analyst:

Linux is better at self updating than either Windows or OS X. This is critically important because many malware infections result from exploiting bugs in installed software. Apple and Microsoft update their own software, period. Microsoft's Windows Update is fine, but it doesn't go far enough. Keeping all the software up to date on a Windows computer is nearly impossible. It's the Wild West, with each software vendor using a different approach to maintaining their software. Applying bug fixes across the board challenges techies and is impossible for non-techies. I'd go so far as to say that keeping software updated is the biggest problem Windows users have, even though many don't know it.

Yes, Macs are immune to most of the malware, but there's still the issue of applying patches to all the installed software. In a commercial software environment, we'll never see bug fixes from a single source. Things are drastically different in Linux land. Each distribution has a software cocoon called a repository. Software in the repository comes from hundreds of different sources and is tested to be compatible with the Linux distribution in question. Each update package is tested to make sure that it will integrate smoothly and not break the system before being released into the wild. I'd be curious to know how many people have experienced a Windows update completely breaking the OS, because I've had to reformat and reinstall on a hard drive at least 3 times due solely to Windows updates breaking things.

Windows, in contrast, is an absolute security disaster for non-techies. We start with inconsistent and too-often manual procedures for installing bug fixes from dozens of different vendors. Then we add the huge amount of malware that targets Windows and top it all off with the hassle of maintaining at least one, if not multiple anti-malware programs.
  • Hardware Requirements.
Do an experiment. Take your oldest laptop or desktop computer -- you know, the one in the basement with a caked-on layer of dust covering it -- and try putting the latest Microsoft operating system on it and see what happens. Uh oh! That's not gonna work even using witchcraft and sorcery. Now try putting the latest version of a mainstream Linux distribution on it and Presto! You've got a system that likely works just as well, maybe even better than it ever has before. Older peripherals generally have better support under Linux as well. All those peripherals that would be in the landfill long ago can have a breath of new life put back into them. Linux generally gets new hardware drivers after Windows, but even that landscape is changing with more and more manufacturers opening up their specs and source code for hardware and drivers. Many manufacturers are writing the source code for Linux drivers themselves now and releasing it concurrently alongside the Windows drivers.
  • Support.
I have never had to call in to tech support for Linux. Every question I've ever had has been answered by googling the Internet, the Linux community (forums), and sometimes the actual authors of the software itself. There are also paid support systems in place for those who need someone on the other line when questions need to be answered. Also it works the other way too. I would rather support someone that was using Linux Mint than any other operating system.
  • System Maintenance.
How does this sound: an operating system that doesn't need to be defragged. Ever. How about never having to run registry cleanup utilities? How about not having to constantly monitor and modify startup application policies? Firewall policies are a cinch with either Gufw or Firestarter, both of which are free programs. It literally takes one minute to set up the firewall and doesn't constantly nag you. Also, as previously mentioned, no anti-whatever scans.
  • Being Different.
Okay, so I can't really count this as an objective benefit.
  • Cost.
It's free. 'Nuff said. Seriously though, I have come to enjoy Linux so much over the last two years that I now give back to the community both financially and through beta testing and bug reporting. Personally, I donate $5 to linuxmint.com for every version of Linux Mint I install on each computer. I also donate to The Linux Foundation whenever I can for upstream development and improvement. So although I may be paying for my software just like in a Microsoft ecosystem, there is still a major difference. The difference is that I choose to donate. If money gets tight I can choose to halt my donations and still get the same free software updates.
  • Participation.
What I love about Linux Mint is the democratic philosophy it's based on. For example, the lead developer decided that it was best for the community to decide which wallpaper the operating system should come with. He held a vote on the website and directly used feedback from the users to make his decisions for him. If I want a new feature added to Linux Mint, all I have to do is email the lead developer my suggestion and he will consider that feature for integration in a future release. It is truly unparalleled when you compare it to Microsoft and Apple.
  • Flexibility.
How about a pocket watch that runs on Linux? Sound absurd? Linux can and does run on everything from plug computers to mainframes. Who uses Linux? Short answer: governments, schools, Fortune 500 companies, individual users, stock market back-end trade executing mainframes, email systems, Internet servers... In fact, the majority of computers that make the Internet work run Linux (with Al Gore's help, of course :-). Linux has been a very strong player in the area of virtualization and the optimization of hardware. Linux is also completely scalable. The creator of Linux, Linus Torvalds, said that flexibility is Linux's biggest strength. Also, the operating system is more customizable than any version of Windows that I have played with. In my opinion, open source is always conducive to flexibility. This is what Torvalds had to say about it:
I think the real strength of Linux is not in any particular area, but in the flexibility. For example, you mention virtualization, and in some ways that's a really excellent example, because it's not only an example of something where Linux is a fairly strong player, but more tellingly, it's an example where there are actually many different approaches, and there is no one-size-fits-all "One True Virtualization" model....

...I mention that as a strong point of open source! Why? Because it actually is a great example of what open source results in: one person's (or company's) particular interests don't end up being dominant. The fact that I personally think that virtualization isn't all that exciting means next to nothing.

This is actually the biggest strength of Linux. When you buy an OS from Microsoft, not only you can't fix it, but it has had years of being skewed by one single entity's sense of the market. It doesn't matter how competent Microsoft -- or any individual company--is, it's going to reflect that fact. In contrast, look at where Linux is used. Everything from cell phones and other small embedded computers that people wouldn't even think of as computers, to the bulk of the biggest machines on the supercomputer Top-500 list. That is flexibility. And it stems directly from the fact that anybody who is interested can participate in the development, and no single entity ends up being in control of where it all goes.

And what does that then lead to? Linux ends up being very good at a lot of different things, and rather well-rounded in general.
  • Vendor Lock-in. (actually, a lack thereof)
Vendor lock-in, also known as proprietary lock-in, or customer lock-in, makes a customer dependent on a vendor for products and services, unable to use another vendor without substantial switching costs. Lock-in costs which create barriers to market entry may result in antitrust action against a monopoly. Companies like Microsoft and Apple have been practicing vendor lock-in since their inception. Open source software prevents a vendor lock-in occurrence from happening by its very definition. Read what Wikipedia has to say about vendor lock-in here:
  • Diversity.
It is common knowledge that genetic diversity in a population of living creatures is desirable because it reduces the likelihood that an illness -- such as a virus -- will completely wipe out every animal or plant. Many people, however, don't realize that a computer virus works just like it does in a biological setting. Operating system diversity is important for the same reason. So my concern is that Microsoft's monopoly isn't just illegal, it's a major security concern. For example, experts estimate that the Mydoom worm infected approximately a quarter-million computers in a single day in January 2004. Back in March 1999, the Melissa virus was so powerful that it forced Microsoft and a number of other very large companies to completely turn off their e-mail systems until the virus could be contained. The ILOVEYOU virus in 2000 had a similarly devastating effect. In January 2007, a worm called Storm appeared -- by October, experts believed up to 50 million computers were infected. Each one of these cost companies billions of dollars in lost productivity. Read this:
  • Longevity.
When file formats have open standards, they tend to stick around longer than proprietary formats. Take the ODF format, for example. One objective of open formats like OpenDocument is to guarantee long-term access to data without legal or technical barriers, and some governments have come to view open formats as a public policy issue. Several governments around the world have introduced policies of partial or complete adoption. What this means varies from case to case; in some cases, it means that the ODF standard has a national standard identifier; in some cases, it means that the ODF standard is permitted to be used where national regulation says that non-proprietary formats must be used, and in still other cases, it means that some government body has actually decided that ODF will be used in some specific context. Open standards apply to operating systems like Linux as well. As long as there is programmer interest in a platform, no one person or company can "pull the plug" on it. While it is common opinion that Microsoft will be around for a while, it was also common opinion in early 1912 that the Titanic was unsinkable.

Conclusion:

Every operating system has its headaches from time to time. And Linux is no different. But I find the Linux Mint experience to be more enjoyable overall than any other, with the added benefit of a bullet-proof security model to boot. If you consider yourself technically savvy, you owe it to yourself to be open-minded and give it a try. It won't cost you anything other than your time. If you are not a techno-wiz, and you find the idea of formatting hard drives and installing operating systems too daunting for your taste, you can have an expert install it for you for free! That's right. Just search for a Linux User Group (LUG) or event near you. People there would be happy to help you out to your heart's content. All you have to do is show an interest in Linux and if you've read this far, I'd say you qualify!