Although the number of vulnerabilities are lower on a Macintosh, I encourage the same rule on that operating system as well.

When you setup a new computer, the first account created on both Windows and Macintosh is the administrator of the computer. Give that account a very generic name, a strong password, and then don’t use it! Create a second account for your day-to-day operations. Then create a third account for the kids, don’t let them near your data. Of course, creating an account for every one in the family is easy too.

Most people don’t like doing this because when they need to perform some actions, they need to logout of their account, login as admin, and do the administrative stuff. Don’t be lazy! Be safe! Just setup the extra accounts.

Read the Ars Technica article, “90 percent of Windows 7 flaws fixed by removing admin rights” for the details of how safe you could be.

See my previous article, “Don’t operate as Administrator“.

Other related links:

• Barrett Lyon on Wikipedia
• Barrett Lyon’s website
• Richard Stiennon’s website
• Denial of Service attack explained on Wikipedia

I keep meaning to write up my backup routine. But in the mean time, one area that I am weak in is backing up my Google Docs documents. There does’nt seem to be an automated way at this time. But there is a simple manual way with the use of Firefox,  Grease Monkey, a Grease Monkey script called Google Docs: Download and DownThemAll.

Google Docs has become my primary suite for word processing and spreadsheets. Those things need to be backed up too! If Google turns evil or dies just when I need a document then I want to have my work available somewhere. Check out Google Docs: Download for instructions on how to get all this working together to backup your Google Docs.

Once DownThemAll is complete, all the documents are local on my computer and then get backed-up by my regular means and copied offsite.

SO the next time you are checking your backups, make sure you backup the stuff you have in the cloud too!

For now, I’m just going to post some quick comments for I fear I won’t get back to this list soon.

• iFolder – is an Open Source project that allows you to sync, backup and share files across a network or the internet and access or manage your files anywhere and any time. I haven’t had a chance to try this yet but I hope to. I am currently using Microsoft’s Live Sync to do a similar thing and would much prefer an open source solution if it’s adequate for my needs.
• Russell Dunham, a WWII Medal of Honor recipient, died this week. He was 89. You should read Sgt. Dunham’s complete citation.
• Pirates attacked an American flagged ship this week. A small group of pirates boarded and took control of Maersk Alabama freighter. The crew was able to re-take control of the vessel but the ships captain was taken hostage. And is still be held. The U.S. Navy is now on the scene and we await a conclusion to this hostage situation. I wish the Obama Administration would stop saying they are exploring options and start saying that all means at our disposal will be used to recover the captain of the Alabama. “Cry havoc”, and let the United States Navy and Marines deal with these people. France seems to be willing. This story is still developing. Look for updated info.
• Vanessa Van Petten has a bunch of links at Radical Parenting that I want to read through. If you are not following the topics that Vanessa is writing about then you should be.
• The Electronic Frontier Foundation (EFF) on the Obama Administration’s warrentless wiretaps. I thought the Bush Administration was evil in this regard? Hope and change just doesn’t seem to mean what I thought it meant.
• I wrote a week ago about Federalization of Cybersecurity. Yesterday, the EFF had an article on this matter and how bad it is. I’m embarassed that one of my Senators, Olympia Snowe, is involved in this stupidity.

So there are a few of the things I found interesting this week. Some of them I look forward to exploring more. Happy Easter everyone! He is risen indeed! Alleluia!

Click on the image of the Conficker Eye Chart and it will present a page with six images. If any of the top row of images does not load then you might have a problem with Conficker.

Visit the site for a better explanation.

It’s too bad that every virus or worm wouldn’t provide a simple means like this for their detection. So make sure your operating system stays up-to-date and that you run an up-to-date anti-virus protection. And don’t install crap!

Of course, if you are on a Mac or Linux computer then you wont have a problem at all. At least not with Conficker.

From the Washington Post: “Senate Legislation Would Federalize Cybersecurity”

The proposals, in Senate legislation that could be introduced as early as today, would broaden the focus of the government’s cybersecurity efforts to include not only military networks but also private systems that control essentials such as electricity and water distribution. At the same time, the bill would add regulatory teeth to ensure industry compliance with the rules, congressional officials familiar with the plan said yesterday.

The legislation is co-sponsored by Senate Commerce Committee Chairman John D. Rockefeller IV of W.Virginia and Sen. Olympia J. Snowe of Maine, my home state.

On the face of it, this sounds good. A government agency who is responsible for monitoring and reacting in conjunction with other agencies in the event of an attack on our nations cyber-infrastructure.

But I am not in favor of a bigger government. Also, I think there is a lot of good going on in the private sector in regards to security. They don’t need regulation. I believe that Homeland Security already has authority to respond to threats and attacks on the internet. I prefer that legal due process remain in place and fear that a new agency would be given powers to circumvent the courts.

I guess we shall see how this turns out and I look forward to reading what more inteligent and thoughtful writers have to say about this idea.

Read the entire article:

http://www.washingtonpost.com/wp-dyn/content/article/2009/03/31/AR2009033103684.html?nav=rss_nation/special

• Conficker article at Wikipedia – Lot’s of good information and many citations to good sources.
• Protect Yourself from the Conficker Computer Worm – Microsoft’s web page on Conficker.
• FAQ: Conficker time bomb ticks, but don’t expect boom – CNET’s explanation on what to expect.
• The Conficker Worm at Symantec – Info and removal tool.
• Sophos on Conficker – Info and details.
• Sophos Conficker clean-up tools – Both a standalone and network removal tool.

So if you think you are in trouble then check these links out. But whatever you think, you should always maintain an up-to-date computer, with up-to-date anti-virus and anti-spyware tools. Be careful what you agree to when you get a pop-up from the internet.

Stay safe and happy computing!

“Graham Cluley is one of the world’s leading experts in viruses and spam, and works as Senior Technology Consultant at Sophos.”

He released a video today on Vimeo giving his secret password. Not really, but he does reveal some great tips on how to make a great password.

Read his blog post on passwords. Watch the video! Feel free to check out my tips on good passwords. And then evaluate all your passwords and think about improvements you could make to your security!

Be informed. Be careful.

The rogue application, dubbed “Error Check System,” displays an error message in the notifications section that reads “(Friend’s name) has faced some errors when checking your profile View The Errors Message.”

Much of the CNET article’s details come from Graham Cluley’s blog. There doesn’t seem to be anything malicious but that could change. Or it could simply be an attempt to steal personal information.

I recieved two of these this week. But, like most applications and game requests, I ignored it. You should too!

This is a good reminder that just because a website tells you a “friend” recommends something doesn’t mean you should try it. Don’t be socially engineered!

It turns out that the real threat might be to the smart people who are suspicious. Graham Cluley has a follow up blog,  A sting in the tail of the “Error Check System” Facebook scare.

If you Google this error or Facebook app, it leads to a result that takes you to a website that will attempt to trick you into installing a fake anti virus application  on your computer.

Don’t be socially engineered! Be careful, it’s a very dangerous world out there.

10 Privacy Settings Every Facebook User Should Know

The title explains it all. My favorite is #6, “Prevent Stories From Showing Up in Your Friends’ News Feeds”. Nothing gets people asking question like a change in someone’s relationship status.

If you are on Facebook, then take the time to check your privacy settings. Be aware of what you are showing publicly and what you are sharing with friends. You may decide there is too much out there.

If you run your own WordPress installation then you might want to consider some of these suggestions for imrpoving the security of your blog.

I’ll be working on adding a couple of these tips to my blogs. But one easy one I added already is from tip #9, Restrict Erroneous Log-In Attempts.

First let me say that you should figure out a solution for yourself. And then don’t share it with anyone! Any example I use in this explanation should be customized for you alone.

The short explanation is that I am suggesting you create a algorithm or rule for all your passwords. That the rule can stay the same for a long long time. But the phrase that gets applied to the rule can change often. If you remember the phrase then you can always figure out your password.

Example:

Pick a three word phrase and apply it to the following rule.

(1st 2 vowels of 1st word + 1st 2 letters of 2nd word with the first letter capitalized + last 3 consonants of last word + least favorite symbol)

This produces an 8 letter password. It has UPPER and lower characters and a symbol. Alas, there is no numbers. You should have a rule that includes UPPER and lower letters, numbers and a symbol. But with a rule, then you can change the phrase when needed but since you can easily remember the phrase and the rule, you can always figure out the password.

You can even add a rule that would make a unique password for each website or location you login to. For example, the 1st 2 consonants of the domain you are logging into could be in your rule.

And again, don’t use this rule but think of one that is your own and unique. Change the number of letter. Grab the last vowels or consonants or put the symbol or number or capitalized letter in an odd location. Mix it up!

Of course I am not going to tell you my rule. But I will tell you that I never use personal info in the phrases I use for my password. That I have one rule that makes mostly unique passwords. Not every password is different from every other password. But it’s far too many differences to worry about. And I change my passwords twice a year.

So here is my thoughts on passwords & security.

Security of your account is your responsibility. Please consider these guidelines when creating new passwords

Safe guarding your password:

• Do not share your password with anyone. There is no reason for anyone else to have access to your account.
• Do not write down your password. Someone may stumble upon it, or you may lose the item on which you wrote it.
• If you must write down your password the keep the written note on your person, in your wallet or purse, as the most secure location to store it.
• Do not use the same password for all accounts and all websites.

How NOT to choose a password:

• Do not use any word found in any dictionary. Words found in common English, French, Spanish, Japanese, Klingon, or other dictionaries assist password cracking applications to make an attempt against your user name.
• Do not use your name or any combination of your name.
• Do not use your friend’s name. In fact, do not use the name of anyone you’ve every heard of, famous or not, living or dead, fictional or real.
• Do not use any combination of your birth date, or any other personal information that others may be able to discover, such as street address, home town, social security number, favorite color, shoe size, etc… How much of this information is available on your favorite social networking site or your blog?
• Avoid slang or acronyms or any word that would result in a positive result in any search engine on the Internet.
• Do not use any suggested password found in this document. Someday it might show up in a search engine on the Internet.

How to choose a good password:

• Choose a password that is at least six characters long. Eight or more is better!
• Use a mixture of UPPER-case & lower-case characters and a combination of letters & numbers and feel free to use a symbol. This may be more difficult to remember but you should not write it down.
• Use the “Vanity Plate” method. Take an expression you can remember and squeeze it down to eight characters or so, just as you would if you were to pick a vanity license plate for a car. For example, “GR8passW” But remember, no matter how impressed you are with it, do not tell anyone.
• Deliberately misspell a word or phrase.
• Drop a specific vowel and/or consonant from a word or phrase, or make a rule about dropping a specific character placement, such as the first and fifth letter from a word.
• Rearrange the letters of a word or phrase to form an anagram.
• Use a phrase as an acronym. Perhaps not even the first letter of each word in the phrase.
• Use a combination of the above suggestions.

Be imaginative. Be random. But make your password tough to guess. Be safe and happy computing!

So what do I do to avoid the size problems and security issues? There are some great web-based services to help you share files easily over the internet.

An oldie but a goodie is YouSendIt.com. The YouSendIt free version allows files sizes up to 100MB and there are limits on how many times it can be downloaded by someone else. But for the kind of one-off files that you might be sending by email, this works fine. There are for-pay services that provide some significant advantages for business that may be sending larger files often. I use this service a few dozen times a year to share large files with people. The recipient gets an email from YouSendIt with a link to the file you are sharing. They click the link and download the file. Easy! If you create an account then you can password protect the file for a small fee.

Drop.io is very similar to YouSendIt. It also has a free version with a 100MB limit on the file, but it’s free to set a password and you can also set an expiration for the file. Drop.io also has a paid service with some nice advantages for those who would use this service often enough. Drop.io is a bit different in that you create a drop or storage bin to put more than one file if you want. You can then send the link to the file to the recipient. I like Drop.io very much. Lot’s of nice features and settings. But, when you use the “Email Recipients” button, it sends the files as an attachement. Not what I want! So I always just copy and paste the link tot he file into my own email message.

Another option is MediaFire. It’s very similar to Drop.io and YouSendIt. Is fast and works well. For some reason I haven’t’ used it other than testing. So I have no real experience. But see nothing wrong with adding it to the tool box just in case.

Of course, if you are running your own web server, you could be FTP’ing a file up and sharing a link by email as well. But even people who know how to do that will sometimes take an easier route like the services above. But whatever works for you, try these options over sending attachments. Please don’t send me attachments!

One last service I am going to mention is Dropbox. Dropbox is a utility you install on your computers and it syncronizes files and folders across them. Macintosh, Windows or Linux! You organize files and folders on your computer they way you would any file or folder. When you drg and drop it to your Dropbox, it begins to copy to the Dropbox servers and then back down to the other computers you have setup for you Dropbox. It’s free up to 5GB. I use this to easily copy files between my wife’s Vista machine and my MacBook. Works from home and work without issue.

“Ok Michael, what does this have to do with your pet peeve about email attachments?” Well, I’m glad you asked! Dropbox has a public folder that you can share a URL to and send that link by email. Voila! Also, the developers of Dropbox have mentioned that they might add some features to make one-off file shares easier too.

The last thing I will say is that you definately need to be cautious about who you recieve attachments from and what the attachment is. But using one of the services  I mentioned above does not remove the responsibility of being cautious.  A link to a dangerous website can be as unsafe as opening a bad attachment. Be careful!

Here are some quick links to check out if you want to read it yourself:

• Full Report, including Executive Summary and Appendices (2.7MB PDF)
• Executive Summary (51KB PDF)
• Internet Safety Technical Task Force releases final report article at The Technology Liberation Front
• Report Calls Online Threats to Children Overblown article at The New York Times

You should definitely read the Executive Summary and the two other articles I listed above. Read the full report if you have the time. I admit that I’m still working through it.

In my opinion, the most interesting statement in the Executive Sumaary is the following paragraph:

• Minors are not equally at risk online. Those who are most at risk often engage in risky behaviors and have difficulties in other parts of their lives. The psychosocial makeup of and family dynamics surrounding particular minors are better predictors of risk than the use of specific media or technologies.

And then this group of sentences from a later paragraph:

Technology can play a helpful role, but there is no one technological solution or specific combination of technological solutions to the problem of online safety for minors. Instead, a combination of technologies, in concert with parental oversight, education, social services, law enforcement, and sound policies by social network sites and service providers may assist in addressing specific problems that minors face online.

Which kind of confirms for me what I have felt for a long time. That this is not a new problem. Only a new avenue for an old problem. That parents need to be teaching their kids about being safe in their neighborhood and online. That when parents have the “birds and bees talk” they also need to have a talk about what personal info their child can and can not share online. It’s all about the education we give our children and weather our children heed our advice and follow safe practices online.

The fact that cyber-bullying is believed to be a larger problem than sexual predators seems to be a double-edged sword. On the one hand it’s good news that sexual solicitation of minors by adults is less than previously believed but that solicitation of minors by other minors should be studied more and that bullying and threats are far more rampant occurrences. Both sexual solicitation of minors by minors and bullying are big problems offline as well! Problems that many communities are struggling to deal with.

So the good news is, you don’t have to worry about the strangers so much. The bad news is that your children have to worry about people they know! Technology alone is not the problem, nor does it provide an easy answer. Parents just need to keep talking to their children.

If you are not familiar with what DNS is or does then let me briefly explain. When you visit a website, your computer needs to determine where that domain is on the internet. So it looks up the IP address for the domain from a Domain Name Service (DNS). Typically, your computer gets the DNS settings automatically from your ISP. However, you can configure your computer to use another DNS, like OpenDNS.

OpenDNS has plenty of instructions on how to use OpenDNS for your network.

Once you have an account and your computer or router setup, then take a look at Parental Controls control panel. Using the minimal or low filtering level. This will protect you when you visit a site that OpenDNS has determined might be a potential threat. Or if you have young children in the house that you wish to protect from cetain kinds of sites then you can try a higher level or custom filter certain categories.

I’ve been using it on my home router for just about a year. I am very happy with OpenDNS.

A quick outline of these ideas I have is making sure you are up-to-date with anti-virus and security patches for the operating system. Not running with administrator privledges for day-to-day operations. Backing up your stuff. Keeping things clean and performing well.

What is your routine maintenance like?

A website I am a regular reader of is Heal Your Church WebSite. Dean Peters actually wrote an article about password before the news broke of Gov. Palin’s misfortune. And wrote a follow-up after the news was out.

So if you are wondering how to avoid Gov. Palin’s embarassment then read the following two links. Good, sound advice:

• 5 simple steps to stronger passwords
• 5 things we can learn about password recovery questions from Sarah Palin

Anyway, the OpenDNS features I was interested in playing with were the phishing protection and the content filtering. I have a four year old at home who is learning more and more about the many things on the internet. There are some things that I’m not ready to explain and I didn’t want her to discover an adult site or a dangerous site accidentally. OpenDNS has many categories to filter by. OpenDNS makes me feel better knowing that it is far less likely my daughter will stumble upon some of the evil and ugliness of the internet.

Filters go beyond the adult only sort of thing I am trying to protect my daughter from if you need to block other sites. Also allows for blacklists and whitelists if you need to block or allow a specific site. It all depends on how draconian and involved you wish to be.

I can’t say I noticed it being faster than other local DNS’s I’ve hit. But it was reliable. I only had one issue and I was able to explain that as not an OpenDNS issue. I had my laptop setup for a while to use the OpenDNS servers but I ran into some problems with an intranet at work. Since my laptop was only looking at OpenDNS and OpenDNS not aware of the local network then some in-house servers required additional changes for me to get to. There are ways to work around this. It was just easier to run OpenDNS only on my home router and not on my laptop

OpenDNS is not hard to setup but you do need to be comfortable editing your computers network settings or your router.

So it is a small piece of comfort for me. If you are considering filtering in your house then you should check out OpenDNS.

• Heal Your Church WebSite – Dean Peters always has good stuff about web design and good management behavior to consider. I’ve been following his articles for a couple of years now. I usually find a morsel or two of value everytime.
• OpenID – The buzz around OpenID is growing. The idea is simple. One username and password that will authenticate you onto many accounts and services across the Internet. I’ve started using it for any site that will accept it. I even have delegation setup for my website. Much more cooperation between big players is needed for this to succeed but the ground swell is well underway and it’s all good!
• Yuda Freedom – I’m not sure I will find myself using this service often. But I will definitely be suggesting it to others who need to publish a document but might not be very web-savvy or are in a hurry to display their work in an easy to use format. That’s what Yuda does. You turn your work into a PDF file and upload it to Yuda. Yuda makes the document interactive.
• Teens Today with Vanessa Van Petten – I first heard of Vanessa Van Petten on Jumping Monkeys 43. Since then I have read some of her articles and am really enjoying her work. She tries to connect parents and teens together. I’m still a long way from being the parent of a teenager. But I work with teens everyday and any advise is helpful. Listen to Jumping Monkeys and then add her to your RSS reader.

That’s all for today. What neat new place on the Internet have you discovered this week? I would love to see your link in the comments!

According to 9 to 5 Mac:

PayPal Corporate Communications spokesman, Michael Oldenburg said, “PayPal is developing features to block customers from logging into PayPal when using obsolete browsers on outdated or unsupported operating systems.

So this seems to let off the hook whatever the current version of Safari is on the current Macintosh OS but may still mean that Safari on older versions of the Mac OS may be considered as dangerous. I’m not going to rehash my previous post as it is still mostly relevant. I am still curious if Apple will change some of it’s past practice in regards to updating Safari on older versions of the OS. I don’t believe you can run Safari version 3 on anything but Mac OS 10.5. So anyone still running 10.4 or even 10.3 is out of luck?

We shall see…

eWeek has an article about plans by Paypal to ban user from using unsafe browsers. PayPal‘s plan is to block its users from making financial transactions from web browsers that don’t have support for blocking identity theft-related Web sites or support for Extended Validation Secure Sockets Layer (EV SSL) certificates.

EV SSL Certificates are similar to normal SSL Certificates with the addition that the party requesting the certificate must prove they own the domain and be validated as authorized to request a certificate. And a web browser must recognize and demonstrate the difference between a standard SSL certificate and the new Extended Validation certificate. With the idea that the end user has an added trust in the identity of the certificate holder and therefore the web site.

Secure Socket Layer (SSL) is basically a security measure to ensure a secure, private, connection between your web browser and the server. It’s the little lock you see when you visit your bank or buying something online. My explanation above is very much in layman’s terms. Please do your research if you are more interested.

PayPal is basically stating that if you are using a browser that does not support EV SSL then they will protect you by not letting you transact with PayPal and warn you to update your web browser.

This is good! Requiring a secure browser is perhaps a bigger step than last years addition of the PayPal Security Key, which I also highly recommend. Many ignorant users who don’t or can’t maintain there own security are at risk. This forces them to recognize their ignorance and hopefully educate them some. Hopefully banks and other financial institutions will consider adopting this approach in the next couple of years.

The bad news is that currently Microsoft IE7 is the only major browser to support EV SSL. Firefox and Opera have announced support in their next release. But Apple’s Safari has not announced this support. Hopefully, when Apple does announce support they will also announce support for the previous version of Safari and update that. Traditionally Apple ties Safari into the Macintosh operating system so tightly that they don’t upgrade Safari to work with previous versions of the OS.

I’m a regular user of PayPal. I wish that my bank would support the idea of a PayPal Security Key instead of the silly authentication schemes they make me jump through now. I’m glad that PayPal is taking this step. It could cause some trouble and confusion if they roll this out too soon but in the end I hope it encourages greater security across the internet.