IT security vs. the construction industry

On the Risky Business podcast last week, Andrew Wilson, the CEO of Australian cryptography gear maker Senetas, stated that many businesses see the bad things that happen from poor IT security as just a cost of doing business.

Nothing revolutionary there. We’ve all seen it. Target is paying a steep price right now, but what about Michaels and Neiman Marcus? They got breached at the same time as Target, and nobody’s talking about them. Maybe Target thinks the cost of doing business got too high, and they’ve hired a CISO and I hear they’re hiring lots of new security personnel (I have coworkers and former coworkers in the Minneapolis area who tell me as much), but for Michaels and Neiman Marcus, the cost, at least so far, appears to have been manageable.

But Wilson added something that I hadn’t heard anywhere else before. Fifty years ago, he said, construction workers dying while building a large building was considered a cost of doing business. Fifty years ago that was normal. Today it’s unacceptable.


Training future Casanovas

Last week, a coworker and I had dinner with three representatives from a potential vendor. One said he was planning to celebrate his one-year anniversary with his girlfriend in Paris and Italy. It was going to be a really good time, he promised, and he was excited about it.

My coworker and I, both married, looked at each other. We were about to deflate the air from his balloon, but we had to do it.

“Are you planning to propose to her there?” my coworker asked.

A super-simple ping sweep for Windows

Need a quick-and-dirty map of a home network? Here’s a one-liner from a CMD prompt:

for /l %i in (1,1,255) do @ping -n 1 -w 100 192.168.1.%i | find "bytes="

I’ve seen variants of this that search on “Reply,” but a “Destination host unreachable” response also starts with “Reply from,” so that search lets those through. Searching on “bytes=” only matches real replies, so this method filters the unreachable hosts out and gives you cleaner output.

If you want the output saved to a file, you can easily do that too:

for /l %i in (1,1,255) do @ping -n 1 -w 100 192.168.1.%i | find "bytes=" >>network.txt

Not that I’ve ever had to use this script to figure out the IP addresses of my access points because I forgot to put a label on them. Why would I do that? Why would anyone?

If your network is something other than 192.168.1.x (and it’s not a bad idea for it to be something else), change the 192.168.1 portion of the command to match your network.
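Here’s a PowerShell version of the same sweep, added as an example here rather than taken from the post above. It keeps the 100 ms wait and the “only count real replies” filter, but takes the network prefix as a parameter, optionally resolves host names, and emits objects you can pipe to Export-Csv instead of redirecting to network.txt. The function name Invoke-PingSweep is my own.

```powershell
# Added example, not from the original post: a PowerShell take on the CMD one-liner.
# Uses the .NET Ping class so the per-host timeout works on Windows PowerShell 5.1 and PowerShell 7.
function Invoke-PingSweep {
    param(
        [string]$Prefix = '192.168.1',   # first three octets; change to match your network
        [int]$Start = 1,
        [int]$End = 254,                 # .255 is normally the broadcast address on a /24
        [int]$TimeoutMs = 100,           # same 100 ms wait as "-w 100" in the one-liner
        [switch]$ResolveNames
    )
    $pinger = New-Object System.Net.NetworkInformation.Ping
    foreach ($i in $Start..$End) {
        $ip = "$Prefix.$i"
        try {
            $reply = $pinger.Send($ip, $TimeoutMs)
        } catch {
            continue   # malformed address or socket error: treat as no answer
        }
        # Only IPStatus.Success counts. "Destination host unreachable" comes back as a
        # different status, which is what the one-liner's find "bytes=" was filtering out.
        if ($reply.Status -ne [System.Net.NetworkInformation.IPStatus]::Success) { continue }
        $name = ''
        if ($ResolveNames) {
            # Reverse lookup is best-effort; many home devices have no PTR record.
            try { $name = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $name = '' }
        }
        [pscustomobject]@{
            IPAddress   = $ip
            RoundTripMs = $reply.RoundtripTime
            HostName    = $name
        }
    }
}

# Usage: show the live hosts on screen, or save a CSV instead of the post's network.txt.
Invoke-PingSweep -Prefix '192.168.1' -ResolveNames | Format-Table -AutoSize
# Invoke-PingSweep -Prefix '192.168.1' | Export-Csv -NoTypeInformation network.csv
```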

Five malware myths

I found a story called Five Malware Myths and take no issue with anything it says. Run antivirus, whitelist your program directories, run EMET, and you’re reasonably protected but not invincible. But nobody is as invincible as the majority of people seem to think they are.

Let’s take them one by one.


Don’t defrag Android. TRIM it.

I had a question come in the other day about defragging Android. Since Android devices use solid-state storage, you don’t want to defrag it. I directed him to Lagfix, an Android app that forces the underlying Linux kernel to issue a TRIM command, which tells the flash storage which blocks are no longer in use so it can garbage-collect them.

It’s not quite like defragging, but the concept is very similar. Most Android devices do this automatically, but if things start lagging too much, forcing TRIM can pep things up a bit.

Bethlehem Lutheran Church sacrificed its sanctuary for a greater good

If all (or even a slim majority of) Lutheran churches were like Bethlehem Lutheran Church, I would still be Lutheran. Since they aren’t, I’m not.

But I’ve gotten ahead of myself, and made this way too much about me.

Late last week, there was a big boom at the corner of Salisbury and North Florissant in the north St. Louis neighborhood of Hyde Park. It sounded like a truck wreck, but it turned out to be the wall and roof of a 120-year-old sanctuary crashing to the ground.

Password advice in the wake of Heartbleed

I’ve seen a lot of bad password advice lately. Guessing passwords is just too easy for a computer to do, especially as they get more and more powerful.

Formulas are bad, but unavoidable, so here’s what I recommend if you’re not going to use a password manager that creates completely random passwords: unverifiable (or difficult to verify) facts. Things like what house you lived in in 2001 and what you paid for it. Better yet, your favorite baseball card and what you paid for it. Or maybe the address and phone number of your favorite long-gone pizza or BBQ joint. Think along those lines.

T206Wagner$0.50 was a reasonably good password before I published it here (you paid 50 cents for one at a garage sale! Right?) only because it contains an unverifiable fact. I guarantee T206Wagner$1M (the value of the most valuable baseball card in existence) is in all the password lists these days.

This isn’t especially great advice, but it’s something that there’s half a chance people will be willing to follow, and it pretty much forces passwords to have a nice mix of character types and to be at least 12-16 characters long. I don’t think it forces enough non-alphanumeric characters, or a wide enough variety of them, but left to choice most people won’t put any of them in. It would become lousy advice if very many people chose to follow it, but I know few will, and most people will continue to use the weakest passwords a site allows, so it’s adequate for a while.

The most important thing is to make it personal. What I paid for favorite baseball cards is easy for me to remember. If you never collected baseball cards, think of something along those lines that’s easy for you to remember, with a spin that’s hard for someone else, computer or otherwise, to guess.

How to light the underside of your train table

There are few things worse than fumbling around in the dark under a train layout. So I mounted a ceiling-mount light socket underneath my train table to create a work light so that I could see when I’m working on my wiring. It’s another one of my 15-minute projects, one that pays dividends by making future 15-minute sessions more productive.

I did most of the work with stuff I had on hand. If you want to duplicate my project, you’ll be able to get everything you need at your nearest hardware or home improvement store, and the materials will cost less than $10. I provided Amazon links for everything, so you can see what these items are. Some people know what a wire nut is before they know how to read, and some people may be well into adulthood before they undertake any kind of electrical project. Yes, this is an electrical project. As long as you check and double-check all your connections and don’t plug it into an outlet until after it’s done, it’s safe. Respect electricity, and you’ll find there’s less reason to be afraid of it.


Why AMD’s turnaround is working when so many turnarounds fail

As this editorial notes, a year ago chipmaker AMD was on the ropes. Today AMD still won’t be unseating Intel any time soon, but they’re profitable again.

The problem, it argues, is that changing CEOs isn’t enough. A CEO has to have lieutenants that tell the CEO what the CEO needs to hear. Steve Ballmer failed, the author argues, because he inherited Bill Gates’ team, and Gates’ team wouldn’t tell Ballmer what he needed to hear.

It’s a very interesting perspective, and timely, as AMD released a compelling product line today.

Passwords you need to change in Heartbleed’s wake

Heartbleed, a serious vulnerability in a piece of Internet backend software called OpenSSL, is the security story of the week. Vulnerable OpenSSL versions allow an attacker to see parts of a web session they aren’t supposed to see, including passwords in transit.

Timing is critical. If a site upgrades to a new version after you change your password, you have to change your password again. That’s why some experts are saying to wait, and others are saying change right now.

Here’s a list of sites that are affected or potentially affected. My recommendation: change your password on any site this list marks as affected. Hint: Yahoo, Google, and Facebook are on the list. If at any point in the near future you get e-mail from them saying you need to change your password, change it again.

To clarify: Changing your password right now won’t hurt, but it might not be enough either. To be safe, you may end up changing some passwords twice, so be ready for it.

Another clarification: If you’re using 2-factor authentication, don’t bother changing the password. An attacker has to catch the password after it’s been sent, but if you’re using 2-factor, you’re not sending the password (you’re sending other stuff, and that stuff changes to prevent replay attacks), so you’re good.
