Thursday, May 3, 2012

The 15 Commandments of Computer Safety

The Computer Gods hath spake unto us these divine commandments, saying:


1) Thou shalt have complex passwords

Your passwords should look truly random. It should be a minimum of 10-15 characters long, contain upper case letters, lower case letters, digits, and (if possible) special characters. There should be no dictionary words in it.

There are two password managers I can recommend that will automatically do this for you and you will be oblivious to what your actual password is. They are LastPass and 1Pass4All. This will make life easy for you. You still need to make your master password very strong using these services. There is a wonderful password checker at howsecureismypassword.net.

2) Thou shalt not have the same password on more than one website

Never, ever, ever, ever, not ever have the same password for more than one website. There are no exceptions to this rule. There are numerous SAFE ways of not having to remember the actual password for each website. LastPass, mentioned above, is a watertight password manager that uses servers to store your keys in the cloud. However, your passwords are encrypted and decrypted locally. 1Pass4All allows you to have one password for all your websites. It simply runs your password through a complex hashing algorithm that's specific to each website.

Finally, you can come up with your own algorithm. For instance, you could assign each letter of the alphabet a specific three-character alphanumeric string, and use the first three letters of the URL address as your password. Or the last three. Or whatever. Come up with your own solution that takes into account the website URL as part of the password. Make it hard to figure out in case someone hacks one of your accounts.

3) Thou shalt not type your password

You should never type your password for your bank account. This is because there could be a software-based or hardware-based keylogger on your machine. LastPass and 1Pass4all can both fill out the password field automatically, so it is a non-issue with these. But if you must type your password, simply type the characters out of order, using the mouse to move the cursor at some point while you're typing. Or you can use an on-screen keyboard. On a windows computer go to Start → All Programs → Accessories → Accessibility → On Screen Keyboard. Linux also has an on-screen keyboard under Preferences -> Universal Access.

A copy+paste of your password from a file on a USB isn't 100% secure. It's possible that a piece of malware could have access to your clipboard data or the file. Also, storing your passwords without encryption would be a bad idea.

4) Thou shalt change your password often

Many times websites' databases will get hacked and will contain improperly hashed passwords. When passwords are stored on a webserver as hashes, they can be cracked in time with high power computers. If you change your passwords every 1-6 months you will be much less vulnerable to these breaches. You create a moving target for a would-be account thief. If your passwords are strong enough, it will take someone more time to crack it than a weak password, but it can still be cracked. By changing passwords often you make it virtually impossible for someone to keep up within the timeframe. Conversely, by never changing your passwords you allot them more time to crack your password from a password hash.

5) Thou shalt secure thy operating system

Run a supported version of Linux or BSD, if at all possible. If you need to use Windows applications you can still run them inside a virtual machine. If you must run Windows or Mac as a full time environment, keep it patched (security updates), do regular virus scans, and keep abreast of security news for that OS (operating system). If you don't know what an operating system is, you probably shouldn't be using the Internet.

6) Thou shalt keep thy browser and plugins patched and up to date

What browser are you running? Is it the latest version available? It better be. Do you know what plugins you have enabled for that browser? Are those up to date as well?

To check the browser version go to "Help → About" (Firefox and IE) or just "About" (Chrome). To see what plugins are enabled in Firefox, open up a new tab and type “about:plugins” (without the quotes). To check if those plugins are up to date go to mozilla.org/en-US/plugincheck/. To see what plugins are enabled in Chrome type “chrome://plugins/” (without the quotes). It should automatically list which plugins need to be updated. Internet Explorer does not have a sufficient built-in plugin checker (correct me if I'm wrong), but Mozilla's plugin checker should work, although it is very limited with IE.

7) Thou shalt know thy browser settings

For instance, when I close out my Firefox session, it automatically clears out all browsing history, download history, active logins, cache, saved passwords, and offline website data. I keep cookies and form history enabled. I set it to automatically block reported attack sites, web forgeries (phishing sites), and automatic add-on installs.

There’s a Firefox add-on called “HTTPS Everywhere” that forces Facebook, Twitter and popular websites to use secure log-in pages. Another great add-on is NoScript. It keeps website scripting under control. It is very annoying the first week of use, but after you whitelist all of your most commonly used sites it's well worth the trouble.

If using a public computer, always use private browsing mode. In Firefox go to "Tools → Start Private Browsing". In Chrome go to "New Incognito Window".

Again, know how to use your browser.

8) Thou shalt guard their email account with their life

This means don't let friends or family have access to your email account that's associated with your bank accounts. Change your email password 1-6 months or any time you have suspicion it might have been compromised.

If someone has unrestricted access to your email account, they are more than halfway there if they want to ruin your life. Most banks even offer to reset passwords through your email account and some other rudimentary personal information. Yikes!

9) Thou shalt not follow links provided in emails

We've all heard this one before. Just enter the address using bookmarks or your keyboard (making sure not to mis-spell the URL).

10) Thou shalt know how to identify an institution

Phishing continues to be one of the primary ways people get hacked. There are several ways to identify a website. Google, Facebook, and banks with online access all offer https access. Keep in mind this is not always by default. Sometimes you have to type in the “s” part of https manually. When their secure page is displayed, you can click on the left side of the URL address bar (right side for Internet Explorer) and it will display identity information for that website including third party SSL validation, encryption specifications, and the date of last visit. Also, most banks invoke a SiteKey for mutual authentication.

11) Know thy public WiFi dangers

Check your WiFi connection before connecting. If it's WEP or open access, it's totally insecure. If it's WPA2, it might be secure. To make a WPA2 connection completely secure you must (a) not broadcast its existence publicly (to keep a low profile), (b) use a unique SSID (to protect against rainbow table attacks), and (c) use a long, complex and unique password (the most important step).

Any information that you don't want in a stranger's hands should be encrypted when using a public WiFi connection. This means that all URLs should be https and not http. Also, if a clandestine hacker is lucky enough to have access to a forged SSL certificate, know that you could be the victim of a man-in-the-middle attack. In this case your banking session or whatever would be encrypted, but it would be going through that person's laptop and he/she would be accessing your bank on your behalf. That's a very bad situation. The only way to protect against a MITM attack is to stay on top of the news regarding forged SSL certificates, not something the average person is willing to do.
Another consideration when using a public WiFi connection is to use a VPN (virtual private network). This allows for anonymous, secure web browsing in public locations.

12) Thou shalt monitor their logged on locations

Many websites supply this information at the bottom of the page or on the log-in page. If you suspect foul play, check your settings and then reset your password immediately.

13) Thou shalt not download illegal content

Anytime you download illegal content, you're asking to get hacked. If you absolutely can't live without pirating something, do it in a virtual machine and don't ever use the file on the same OS (operating system) you do your banking with.

14) Thou shalt secure all sensitive computer data

If someone gave me a computer to I hack, I could clone the drive in an hour and read the files without having that person's administrator or user password and return it without them knowing. What about if a trojan/virus had access to your file system? What data could they plunder?

The only acceptable way to store sensitive data on a machine is 256-bit symmetric AES encryption (minimum). Personally I use 4096-bit asymmetric PGP encryption. Some people prefer to encrypt the entire file system rather than just the files that need it. You can also encrypt emails before sending them and use encrypted chat rooms to communicate. If you keep your backup data in “the cloud,” encrypt your data before sending it out. If you live in a country where encryption is legal, use your rights! If you don't, well there's always TrueCrypt.

If you delete a sensitive file, make sure you use a program like Eraser (Windows) or the “shred -fuz” command (Linux). Otherwise it can still be recovered. 

15) Thou shalt add extra security layers

Two-factor authentication (AKA two-step verification) is the new security layer in town and it's here to stay. Google offers it. Facebook offers it. My Chase credit card offers it. It essentially does not allow someone to get to the page where a would-be hacker can guess your password unless they also have unrestricted access to your cell phone and/or email account. Once you log in from a computer, the website will remember that computer for 30 days (if you want it to). The process repeats every 30 days. This process automatically phases out computers that you don't use anymore.

Also, make sure your security questions are next to impossible for anyone to guess, including law enforcement, who might have access to your mother's maiden name, previous addresses, etc. FYI Sarah Palin's email account got hacked this way. If Sarah Palin had multi-factor authentication and strong security questions, she would have been safe. Google is one of the few websites that lets you type in your own security questions and answers. This can be a great thing or a terrible thing if used improperly.


Monday, March 12, 2012

Why Apple is Evil

(original post 03/12/2012)

In 2011, Apple Inc. passed Exxon-Mobile in market value to become the largest company in the known universe. The success of Apple, particularly in recent years, has made it a darling of the business/investor realm. And it doesn't show any signs of slowing down. Did Apple create their empire by making ethical decisions all along the way? Let's take a closer look and find out.

Suppliers and Contractors

Apple Inc. is not in the business of building anything. They are simply a company that produces ideas. A lot of their ideas originated outside the company but we'll get to that later. Not long ago, Apple boasted that its products were made in America. The actual process of making hardware has been moved offshore and commoditized. In January of this year, Apple released a list of their suppliers under pressure from labor rights groups, journalists, academics, consumers and investors (source:NY Times). They tried to clean up their act as much as possible before releasing the list to the public but, unfortunately, audits still turned up many issues regarding working conditions in factories making Apple products.

Life in a Chinese factory is harsh by western standards. The majority of Chinese workers routinely work  more than 60 hours per week while either standing up or sitting on backless stools (source: March 5, 2012 interview with Charles Duhigg on NPR's Fresh Air).

Personally, I do not have a huge issue with this in particular. I think hard work is a virtue, as long as it is "employment at will." Employment-at-will means that either the company or the worker can terminate the employment relationship at any time without consequence. Employment-at-will also ensures supply-and-demand wages, where employers cannot use contracts as leverage over their employees regarding pay and working conditions. The problem is that China uses a contract employment system. In a contract employment system, worker's rights are compromised or in some cases completely ignored. I won't talk at length about this because most companies that contract to do manufacturing in China run into this ethical issue and it is not specific to Apple.

Another big issue is that inside many of Apple's supplier factories, there are very serious health risks. One factory ordered workers to clean iPhone screens using a poisonous chemical, causing toxic shock, nerve damage and/or paralysis to 137 employees. Numerous workers have committed suicide, or fallen or jumped from buildings in a manner suggesting suicide attempts. In two separate explosions caused by dust from polishing iPad cases, four were killed and 77 injured (source: NY Times). The decisions made by the people running these factories were and continue to be reckless, disturbing, and far from ethical.

Originality?

Investors like Apple not because they build things, but because they design things. But how many of Apples ideas are truly original? iCloud is a blatant rip-off of Dropbox, Ubuntu One, etc. Facetime, iMessage, iTunes Cloud/Match, and Reminders were not new concepts when they came out. Apple's flagship operating system, OSX, is built on BSD, which is built from Unix. So they didn't even "invent" their operating system. They simply built a user interface (UI) on top of an existing one. Essentially all of their software is existing software with a prettier interface. Whether or not the UI is actually better than competing software remains non-definitive, subjective, and the answer varies from person to person.

Anti-Freedom

Apple is obsessed with control. Control of hardware. Control of software.  Control of information. Not only that, but they are very secretive about how they control things. I'm sure everyone is aware of the phrase "walled garden" that fits Apple so well. They subjugate the user in every aspect.

Apple creates an ecosystem for users to invest their time and money in. They then trap the user in their ecosystem, since they use proprietary software that does not have the ability to export data en-mass or adhere to any open standards. This is known as vendor lock-in. They control all protocols and standards within their software ecosystem.

For example music purchased through iTunes may come with DRM (digital restriction management software) that locks the files. These files are compatible only with Apple's iTunes media player software on Macs and Windows, and on apple specific devices such as iPods, iPhones, and iPads. In September 2005, U.S. District Judge James Ware approved Slattery v. Apple Computer Inc. to proceed with monopoly charges against Apple in violation of the Sherman Antitrust Act (source: Wikipedia).

The simple fact is, people that use Apple products are failing to defend their freedoms. For example if I buy a DRM-laden book through iTunes, I can't use the digital book in the same way that I can a traditional book. I give up my freedom to buy books anonymously. Apple has a giant list of users and the books they've read. The mere existence of such a list could be considered a threat to human rights. I can't sell my book to a friend or used book store. I need a proprietary technology just to simply read my e-book. I am handcuffed to digital restrictions that simply don't exist in the world of physical media. These restrictions are made possible because Apple uses proprietary software exclusively.

Proprietary is software is software that executes code on your device, but doesn't allow you to examine the actual source code of the software. No one but the programmer knows the implications of what the software will do to your computer or device. In other words it's a akin to buying drugs from someone who says "Trust me, it's totally safe! If you don't believe me, just ask me." The only reason a person or company would ever want to hide the source code from you is because they have a secret they want to keep from you and everyone else. Users cannot scan proprietary software's source code for software vulnerabilities, bugs, or signs of malicious intent. They simply have to trust the developers.

Contrasting this is free/open source software. “Free software” means software that respects users' freedom and community. Roughly, the users have the freedom to run, copy, distribute, study, change and improve the software. With these freedoms, the users (both individually and collectively) control the program and what it does for them.

Let me make an analogy. We will compare two automobiles, one representing proprietary software and one representing free/open source software. I will leave you to guess which one is which.

The first automobile, car #1, has full access to the engine compartment. It also comes with a parts list and the blueprints for each part, including dimensions and materials. Parts conform to automotive standards and most parts are widely available. Parts can be taken off and sold. Parts can be upgraded. Parts can be maintained by the owner or anyone the owner chooses. Parts can be examined for flaws. The car can be used for any purpose.

Now let's say you bought a second car because it was "cool" and all your friends had one or maybe you thought it ran better or whatever. This car #2 is bought from a clandestine dealership. The dealership is very secretive about where car #2 came from. In order to buy car #2, you must sign a lengthy End User License Agreement, which states exactly what you can and cannot do with it. After paying a much, much higher price for the car than you would with car #1, you drive away.

A couple months later, car #2 starts flashing an obnoxious warning light on the dashboard, so you take it to a local shop. The mechanic there informs you that the hood is locked, and only the person that made car #2 or an authorized dealer can unlock it to do any kind of maintenance. So you take it back to the dealer. He tells you that you need an oil change. You agree and decide to get the more expensive synthetic oil. He says okay, but he will not let you into the shop to see if they actually put synthetic oil into it. You have no idea of knowing what type of oil they put into the car. You drive away.

Another couple of months go by. Now you notice that there is a design flaw in the steering system while going over bumps with one wheel and not the other. Car #2 tends to lose control in this condition. Knowing this to be an obvious safety hazard you drive back to the dealership. They say "yeah, we know about this problem, but we have hundreds of other problems to tackle, and this one is considered to be a low priority." You explain that you know a little about cars they could easily solve problem by raising the steering rack relative to the wheel hubs. They tell you "you can't make changes to your car! Thats against the End User License Agreement!" They refuse to unlock the hood for you to make any changes. They also acknowledge that they probably won't redesign the steering system anytime soon.

One day your psycho ex-girlfriend starts chasing you and you try to outrun her putting the gas pedal all the way to the floor. You then realize that car #2 is limited to 70 MPH. At this point you hit a bump with the right tire and the whole vehicle careens out of control and crashes. Barely able to move you finally ask yourself: "why did I ever allow myself to be in this position?"

Did you figure out which car represents free/open source and which one was proprietary? LOL. Any person or company whose purpose is to restrict or subjugate or lock-in, finds that proprietary software is the only way to accomplish this. Free and open source software, by definition, means that the users are in full control of their software.

Apple is not the only company to use proprietary software. Microsoft popularized the use of proprietary software decades ago. So why am I harping on Apple so much? Apple pushes proprietary software on users harder than any other company that comes to mind.

I think that simply the use of proprietary software in the first place is unethical because it strips the most basic freedoms from the user. It hides its true form behind a curtain and disallows any form of true protection for the user. For example, many anti-virus programs for Windows are actually viruses themselves. If the source code is a non-readable proprietary blob, why wouldn't malicious software makers take advantage of this. We should never allow software makers to be in the position of deciding what is ethically right to do us as users. We should always be able to look at the code (as a community) and decide for ourselves.

Another thing Apple does is even worse than the use of proprietary software. They actually prohibit free/open source software in their app store. They don't allow users the choice of using free/open source software. They don't want users to take back even the slightest amount of control from them. This is highly unethical. Apple is a pioneer in attacking users' freedom. This is why the world is a worse place because of Apple.

Apple has successfully locked down its hardware. Even if I wrote my own software, I can't use it on any iOS device. OSX for Macs are moving in the same direction, by disallowing installation of 3rd party applications by default. Eventually, OSX or any subsequent operating system from Apple may disallow altogether all 3rd party applications that are not "vetted" by Apple. This would make the Mac a completely sealed system just like iOS is now.

Censorship

Apple says "there's an app for everything," but what they don't say is that you can't get it if its not sold through Apple. They are able to censor apps for the end user as they see fit, much like how Iran censors the end user experience of the internet. World governments are okay with these censorship policies because it generally makes censorship easier for them as well. Jonathan Zittrain writes "What used to be a Sisyphean struggle to stanch the distribution of books, tracts, and then websites is becoming a few takedown notices to a handful of digital gatekeepers."

But it's not just apps that they sensor, no. Apple also censors people. Ellen DeGeneres did a parody of an Apple ad on her TV show. Soon after that, she got a phone call from Apple accusing her of making the iPhone look hard to use. I don't know what Apple said to her over the phone that day, but on the next episode of her show she magically changed her mind about the segment and apologized.

If you're a small-business owner and happen to have an apple – yep, it's also a fruit - in your company's logo, Cupertino's coming at you. Recently, Apple threatened Apfelkind ( “apple child” in German), a family-run cafe in Bonn that has an Apple in its logo. The logo, which is quite different from Apple's own logo, has a child's face inside an apple. According to Apple, Apfelkind infringes on Apple Inc.'s trademark (source: junauza.com).

The company's commitment to secrecy is so extreme, that they fired an engineer for showing Steve Wozniak (co-founder of Apple and former contestant on Dancing With the Stars) some features of an unreleased version of the iPad. 

Harm to Developers

This is an important topic. Apple can reject an app or remove an app from its app store without any reason, according to the app store license agreement. This can and has caused many issues to indy developers that rely on the app store for income. Apple can reject an app because it doesn't like the way it prints, or because they use an in-app payment system, or because it competes with an existing Apple product.

I came across one developer who got screwed by apple and created a web page to share his story: SaveMyHouseFromApple.com

End User License Agreement (EULA)

Many people agree to EULAs, but does anybody actually read them? Ed Bott from ZDnet says:
I read EULAs so you don’t have to. I’ve spent years reading end user license agreements, EULAs, looking for little gotchas or just trying to figure out what the agreement allows and doesn’t allow. I have never seen a EULA as mind-bogglingly greedy and evil as Apple’s EULA for its new ebook authoring program.
Dan Wineman explains:
Apple, in this EULA, is claiming a right not just to its software, but to its software’s output. It’s akin to Microsoft trying to restrict what people can do with Word documents, or Adobe declaring that if you use Photoshop to export a JPEG, you can’t freely sell it to Getty. As far as I know, in the consumer software industry, this practice is unprecedented.
 For more information on this topic read this article on ZDnet.

Conclusion

I'm sure I can come up with half a dozen more reasons why Apple sucks but I'm done giving Apple the spotlight. Don't buy Apple.

Full Disclosure

I currently own an iPod that I bought years ago. But I have not made any Apple purchases since then and will continue to boycott them. I am voting with my dollars.