Continuing in the theme I’ve been following for the last couple of days, here’s a guide to security and privacy with web browsers. Like the guide I linked to yesterday, I’m not sure I agree with it 100%–I think saying never use Internet Explorer is too absolute–but I do agree with the overwhelming majority of it, and if everyone did all of this instead of what they’re doing now, we’d be in a much better state.
And, on a somewhat related note, here’s a rundown of what Windows 10 changes in the way of privacy, and some recommendations, but here’s a hint: You’re going to want to type privacy into your Windows search bar, pull up everything related, and start shutting stuff off. Use your discretion, but chances are there will be several things. If nothing else, there are things that are appropriate for a Windows tablet that aren’t appropriate for a desktop PC.
Let’s get back to privacy and safety in general, whatever OS you’re running. Here are some highlights.
Continue reading A guide for safe and private web browsing
There was a fair bit of talk last week about a study that compared security advice from security experts versus security advice from people who are at least somewhat interested but don’t live and breathe this stuff.
There were significant differences in the answers, and a lot of security professionals panned the non-expert advice. I don’t think the non-expert advice was necessarily bad. Mostly it was out of date.
Continue reading Five things security experts do vs. five things non-experts do
One of my college buddies (Hi Christian!) shared my previous post on Facebook, pointing out that I’m a long-suffering Royals fan in Cardinals country, and adding that what I said was balanced and dispassionate.
I’m normally anything but dispassionate. But in this case, it’s not a baseball matter–it’s a business matter, and neither my employer nor any past employer is involved, so it’s easy to be detached and dispassionate. I guess you can say my take on hacking has changed. I was going to say “evolved,” but “changed” is more dispassionate.
Continue reading Final thoughts on the Houston Astros’ database
Over the weekend I installed the All-in-One WP Security and Firewall plugin to fix another issue–more on that tomorrow–and I ended up breaking my site. Hopefully I fixed it to a better state than it started in.
The lesson, as with many security tools, is to proceed with caution.
Continue reading All-in-One WP Security and Firewall plugin can be spectacular, but be careful
Guy Wright’s piece titled Internet Security: We were worried about the wrong things is a bit old but it’s an important point. Security is a moving target. It’s always a moving target.
I disagree, however, with the assertion that SSL (and its successor, TLS) were a waste of time.
Continue reading Worried about the wrong things? It’s always the wrong thing.
So my buddy, we’ll call him Bob, runs Data Loss Prevention (DLP) for a big company. DLP is software that limits what you can do with sensitive information, in order to block it from going out of the company. The NSA wasn’t using DLP back when Ed Snowden was working for them; they probably are now.
Sometimes DLP blocks people from sending their own personal information. Doing so is their right–it’s their information–but from a security point of view, I’m really glad DLP kept them from e-mailing their entire life around in plaintext.
Continue reading Don’t e-mail yourself a list of all your passwords and bank account numbers to yourself from work
I was talking breaches last week when a very high-up joined the conversation in mid-stream.
“Start over, Dave.”
“OK. I’m talking about breaches.”
“I know what you’re talking about,” he said, knowingly and very clearly interested.
Continue reading You’re telling me someone gave a stranger his password?
This week, numerous celebrities, mostly female, had their Apple accounts hacked and intimate photos stolen and leaked. There are several things we all need to learn from this.
We don’t know yet exactly what happened, though I’ve heard several theories. One possibility is that the celebrities’ accounts were hacked recently. Another is that someone who’s been collecting these photos through various means was hacked.
The incident probably was inevitable, but it’s also entirely preventable. I can think of three things that led to it. While this discussion may seem purely academic, there are misconceptions many people, famous and not, have and need to get rid of.
Continue reading This week’s photo leak is a reminder of the need for good passwords
On Slashdot, a newcomer to the IT field asked a really good question: What do you do to avoid seeing things you’re not supposed to see?
Clearly, some people do it better than others, but it seems to me it’s a fact of life that eventually you will see things you’re not supposed to see. How you handle it is the bigger problem.
Continue reading IT personnel and knowing things they aren’t supposed to know
I’ve seen a lot of bad password advice lately. Guessing passwords is just too easy for a computer to do, especially as they get more and more powerful.
Formulas are bad, but unavoidable, so here’s what I recommend if you’re not going to use a password manager that creates completely random passwords: unverifiable (or difficult to verify) facts. Things like what house you lived in in 2001 and what you paid for it. Better yet, your favorite baseball card and what you paid for it. Or maybe the address and phone number of your favorite long-gone pizza or BBQ joint. Think along those lines.
T206Wagner$0.50 was a reasonably good password before I published it here (you paid 50 cents for one at a garage sale! Right?) only because it contains an unverifiable fact. I guarantee T206Wagner$1M (the value of the most valuable baseball card in existence) is in all the password lists these days.
This isn’t especially great advice, but there’s half a chance people will be willing to follow it, and it pretty much forces passwords to have a nice mix of character types and to be at least 12-16 characters long. I don’t think it forces enough non-alphanumeric characters, or a wide enough variety of them, but left to their own choice most people won’t put any of them in. It would become lousy advice if very many people chose to follow it, but I know few will, and most people will continue to use the weakest passwords a site allows, so it’s adequate for a while.
The most important thing is to make it personal. What I paid for favorite baseball cards is easy for me to remember. If you never collected baseball cards, think of something along those lines that’s easy for you to remember, with a spin that’s hard for someone else, computer or otherwise, to guess.