Feb 19

Many of us in the IT field find it very difficult to actually “go away” on vacation.  Whether we’re connected by beepers, EDGE/EVDO wireless cards, PDAs or any other type of neural connection to the mainframe, we’re always at the beck and call of the computers — I mean users.  It’s the time of year again when I take my annual trip to Florida.  This year it’s to see the grandparents (who no longer travel) and to visit the Florida Keys.  I always enjoy traveling to the warm weather this time of year even if it was 66°F yesterday in Philadelphia.

The only downside is a lack of connectivity to the outside world.  I know what most of you will tell me, “Disconnect, unplug, turn it off!”  Well, that’s easier said than done.  Being in a global company without a very large global IT staff means that I’m on call almost all the time.  Whether they call about a line down, a network break-in or a simple “this system isn’t running properly”, I’m on call.  Work wouldn’t say that I was on call as I won’t have the pager that week (note: I don’t carry a beeper, I forward it to my cell phone) but I will be.  I’ll have with me my Blackberry 8820 (which I can’t go anywhere without), my HP/Compaq 2510p laptop and a wireless EDGE aircard from AT&T.  This should be enough to keep me connected, especially if I find a wifi signal near where I’ll be staying.  In between swimming with the dolphins, going snorkeling on the reef and tanning/studying on the beach, I’ll check up online and see where everything is at.  A quick VPN login and browse of the systems will make me feel much better…  And I know my girlfriend will love for me to do it as well.

I ask you — How do you disconnect?  Do you cut it out cold turkey on vacation?  Do you sneak a peek at your email, check up on work or throw a couple of Tweets out while lounging on the beach?  I know I’ll try to stay offline but it never seems to work for me.

Feb 18

I’ve been a long-time believer in the need to encrypt your data but the question has always been, at what cost? Do I slow my access to the data down? Do I store it on a separate hardware-encrypted device? Can I recover the data if something becomes corrupt? These are all important questions to ask oneself when deciding on the level of protection for your data. TrueCrypt has won a new place on my shelf of security tools.

TrueCrypt has been one of the most intriguing programs I have used over the past few years. It can create encrypted containers to store data in that can be auto-mounted as drives during Windows logon, it’s cross-platform, it allows encryption of full partitions and, most recently in v5, it added full system encryption (including the Windows system partition). It does this in a seemingly easy but secure way.

Feb 17

We all live in the same world (well, most of us anyway) and we all have 20 different passwords at any given time. Some sites/services don’t allow more than 8 characters, others require at least 9, some allow special characters and others don’t. It’s a nightmare trying to figure out a password scheme that works everywhere and lets you use the same one across the board… And then there is the ever-present problem that using the same password everywhere means if one is compromised, they all are. What to do? A password manager might be the answer.

There have historically been three main options for managing passwords with regard to the computer. First there was memory (not the RAM kind). That worked well for 1-3 passwords. Then there was pencil and paper. This was a fail-safe method that had no security, could get lost or thrown out and eventually got dirty if you erased it too many times. Finally there was the computer. Using programs like KeePass and RoboForm, users could record their passwords in an encrypted, recoverable store that never got dirty from too many eraser marks on a piece of paper. It seemed like all the issues were solved, but then the internet came and blew it all up.

How many times are you at one of your 15 computers and that one doesn’t have your KeePass database? You either have to guess/reset your password for that specific service (and then remember to update it later in your password management software) or you have to get to the computer that the password was stored on. On top of that, you might not even have your computer available. Maybe it was stolen, lost or MIA (in transit with that pesky airline luggage). What can you do then? Recently a couple of new services have popped up that allow secure password management online — accessible from almost any computer. PassPack and Clipperz are both startups that are trying to fix the need for remembering too many passwords and other pertinent information. While you can check out PassPack’s “unbiased” comparison chart and blog entry to compare the two services, I’m just writing about PassPack today.

PassPack uses client-side (JavaScript) encryption to protect your information.  You set up an account on their servers that stores your encrypted data; a passphrase called your “packing key” is used to encrypt your information (AES) in the browser, so the server only ever holds ciphertext.  While there are trust issues that have to be overcome when storing your information almost anywhere, the guys (and girls) at PassPack have been open and honest about what they’re doing and how they’re doing it.

In addition to offering its users an online storage area (currently limited to 32k) for their information, PassPack has also unveiled some pretty neat features.  Their “1 Click” logon allows a user to add a bookmarklet to their browser, go to a page that they have saved credentials for and, with a single click (get it?), log into the site.  It uses JavaScript laid over the actual site and doesn’t use the clipboard to log the user in.  Pretty neat, huh?

Some of the new features that they’re coming out with are even more impressive.  The ability to share certain passwords securely with other users will be a big help if they want to break into the commercial/small business area.  Having the ability to share a password with a colleague on a temporary basis without emailing it to them or sending it to them via mail or the dreaded fax machine would greatly increase productivity as well as security (if they build it right, the end user would never even have to see the password with 1 Click logon).

While PassPack has a long way to go before they’re accepted by most users, or better yet the corporate environment, they’re on the right track.  The possibilities are endless with the configuration that they have so far.  Maybe encrypted document storage, better offline support or secure transmission of information (like encrypted email) that cannot be broken by anyone (I know, a far-off wish).  What do you think?  Would you store your passwords online?  If they were encrypted?  What would a company have to do to prove to you that they were honest and could do what they said they could do?

Feb 13

So I needed to write a speech on what net neutrality is and give a 5-10 minute presentation following my outline. Let me know what you think.

Feb 01

The trouble with websites attempting to help users with their “browsing” issues is that sometimes they don’t get the whole picture.  Take this relatively new site Bux.to.  They offer an interesting albeit strange service that enables users to earn $0.01 per page that they look at for at least 30 seconds.  Using advertising dollars (and more), they can help these website viewers earn an “unlimited” amount of money.  Honestly I don’t know that I’d spend my time doing it but that’s not what this post is about.

I was reading through their FAQ page and came across an interesting question.  It said, “I can’t see any ads!”  A simple enough problem that I’m sure many of us would complain about to any website (that is, if we didn’t actually want to see the website content).  But their answer is what scares me: “If you see no ad links on the “Surf Ads” page but you DO see stats on the right hand side then you need to disable all antivirus and antispyware/adware programs.”  Now, I don’t know about anyone else but I would be wary of any website that tells its users to disable ALL antivirus and antispyware/adware programs.

At my company we make sure that these programs are running on users’ machines at all times, but I’m sure that this isn’t the case for many organizations or home users.  I ask the security industry, what can we do to protect users from following these types of directions?  We can educate users on good and bad websites to visit and on protecting themselves by not opening email from people they don’t know, but how do we go about telling users not to trust some of the information on legitimate websites that they use each and every day?  This is not the first time I’ve read or heard something like this on the web, it’s just the first time I’m writing about it.  Thoughts anyone?  Or is this just another example of Darwin’s Law?