Wednesday, August 31, 2022

A sure way to get yourself ignored

 Have you ever received an entire email that looks like this?

 If I can't get the critical content of your message in my preview screen, I won't give it 15 seconds of attention. When you put everything in an image, you're just out of luck. My reader won't display images without without my permission and I only give that permission when I know and trust the source of every attachment.*

 I get emails like this regularly (like multiples per day) from at least one national merchant. I also get 5-10 emails from media companies with subject lines like: "WEATHER UPDATE: we stayed under 100 degrees." Or from my doctors or insurance companies like: "Tips for boosting brain health." I also get transcribed voicemails of all the phone calls that I don't answer from spammers. (most of those are "I can't understand this" because they waited until the beep to "hang up on me.")

I can't block the senders because occasionally I want to get their email - like a receipt or confirmation.

My strategy is to just select everything from today, unselect the 2 or 3 real emails, and use a 1-click command to shuffle these off to another folder. The "IGNORE" folder collects 15-30 messages a day from 3-6 correspondents. Meanwhile my Inbox has a manageable 4-8 messages that I really want. Occasionally I have to go back to the IGNORE folder because I inadvertently grabbed one I needed. Periodically I trash everything but the last few days and start over.

Folks: save your marketing spam. I know where to find you when I need you.


* "Trust the source" means I may not look at the cute cat pictures from a technologically reliable friend and certainly not an ad from a dicey vendor. It may make me seem obsessive, but I send images and reading matter as attachments - with a note in text as to the file name and size so the recipient knows they're authentic. For recipients who don't know me (or mailing lists), I save the originals to an online sharing service such as Dropbox, MS OneDrive, or Google Drive, and send the link.

Saturday, July 11, 2020

A diagnostic tutorial

I got a call from a client with a networking issue. The ISP's tech had been in his office because he wasn’t getting the 200 Mbs he was paying for. (Incidentally, after the ISP left, he also had lost connectivity between his computer and the server.)

Naturally, the first thing I did was disconnect everything and plug my laptop directly into the modem. The ISP’s speed test reported 235 Mbs, so the problem isn’t there. Then I reconnected the router and rebooted first the modem, then the router. That gave me 67 Mbs. So, for the first time I looked closely at the equipment. The router was a Linksys Wireless G (manual © 2007, last firmware update 2012.) and the switch was a 16-port Linksys 10/100. Maybe that explains the inability to get full speed in the office. He was lucky there wasn’t a 10 Mbs device in the system.

After I explained the problem and the cost of the solution; I restored his network and rebooted everything in the correct sequence. Magically, he regained access to the server and network printers.

He asked if I’d be back in an hour to upgrade his system. I explained that in the current environment I’d probably have to order equipment. Then I’d configure the new network on my bench – with more features than just gigabit network ports. Unfortunately, my source didn’t have any compact 16-port gigabit switches, so I’ll have to shoehorn a 19” rackable switch into his closet and hope the wires are long enough.


Thursday, July 12, 2018

Stranded at the store

Stranded at the store

Oops ...

Do you have a fancy modern car that doesn’t even have a key? That pushbutton on the dash almost got me into trouble.

I took my wife to work one morning and when she got out, the car beeped at me. I peered at the flashing icon on the dash and it was in the shape of a red key. Immediately, I rolled down my window and called to my wife who fortunately hadn’t gotten across the plaza.

What happened was that on the way out the door at home I’d set my keys down to pick up something else. The car started with the “key” she had in her purse. Since I’d only put it in Park when she got out, it would continue to run without a key. But, when it got shut down, it wouldn’t start again for me.

Since I was planning to make a couple stops, I could have ben stranded far from my “key” at home or hers on the 13th floor.

Morals (workarounds) to the story:
• Always be sure you have your keys.
• Always lock the car doors. With my car, the driver’s-side door won’t unlock if the dongle is at the passenger door.
• Always turn the car off when a key owner is getting out.
• Don’t assume the alert on the dash is just the dog moving around without a seat belt.

How things work:   
    https://zaitech.com/downloads/PKES.pdf
    or https://pc3.org/news/programnotes/150611_PKES.pps


Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 4.0 US License. Permissions beyond the scope of this license may be available at https://zaitech.com/satellite/contacts.htm.
(cc) 2017- Bill Barnes - Disclaimer - Home Page - Blogs Home

Tuesday, February 13, 2018

What Is Bitcoin?

The first thing to know is that Bitcoin is not blockchain; even though both were released to the world concurrently by the pseudonymous “Satoshi Nakamoto” in 2009.

What is blockchain?

Visualize that using Windows requires certain hardware in the computer. However, that same hardware could, with minimal modification, run the Macintosh or Linux operating systems – or control a printing press or a heart-lung machine. Similarly, the blockchain infrastructure could replace a stock market or create a firearms registry that might satisfy all sides of the argument. 

In addition to monetary exchange; blockchain has been suggested as a ledger for contracts, ownership titles, artwork provenance; even identity documentation and voting. All of these uses are attracted by the ability to store encrypted, incorruptible data without a central depository.

And that is all I understand about blockchain. That statement is comparable to “all I know about carburetors.” I can tell you its value and where it’s likely to be used; but could not build or configure one. I do know to hire someone so immersed in the technology of blockchain that they can’t name the pope if I need one.

What is Bitcoin?

Bitcoin is a cryptocurrency that purports to allow the transfer of value potentially instantaneously and with anonymity. In reality, it has become a cross between trading stamps and tulip bulbs. It has no real value and is scarce, so it increases in price until the holders decide to take their profits or the bubble bursts merely from overinflation. As the price falls, the last buyers in try to rescue their value; accelerating the cascade as more and more people take a loss.

Where do bitcoin come from?

Bitcoin are mined by performing a computational task. The task is designed so that as more bitcoin are added to the global inventory, it takes greater computing power or time to create the next one.  In the beginning, they could be mined on typical desktop computers (I know of a person who installed the mining program on one computer and the next morning had 50 bitcoin. Had he used it immediately, that amount would have covered his Valentine’s dinner – if the wine weren’t too expensive.) Now it requires networks of special-purpose computers to create a single bitcoin. The electricity to power the computers and associated cooling costs more than their return in all but the least expensive energy markets. Meanwhile, the total number of bitcoin extant will never exceed a finite amount – about 21 million – no matter how many computers work at it.

How do you use your bitcoin?

Bitcoin are held in a wallet – an encrypted computer file – that you have to keep track of. Your “account” is a long random code with no connection to you other than that only you can decrypt the wallet. You send bitcoin to another person by using their anonymous account code. The clever point is that you can transfer a miniscule fraction of a bitcoin so; when they are “valued” at $10,000, you can still buy a donut for a reasonable price.

At the transfer is where blockchain kicks in. The transaction to decrease your holdings by 0.0001 bitcoin and increase the donut shop’s by the same amount is encrypted and recorded in the blockchain ledger. Then the new blockchain is duplicated in everyone’s account. While your true identities are unknown, the transaction can’t be erased or hidden from the record without collusion from many millions (>50%) of users to modify it.

What is bitcoin good for?

Originally it was expected to be a “currency franca” that could transcend units of value, time, distance, and borders. Consumers would carry their bitcoin in a wallet app to spend with a click at merchants. A few businesses and online sites did accept bitcoin. These were primarily local shops or online services and subscriptions; although some national chains attempted to honor it.

It also could be used to move money across jurisdictions for legitimate purposes such as remittances to families or refilling a student’s account. In theory; the speed, convenience, and transaction costs would be far more favorable than conventional wire transfers or transfer agents such as Western Union.

It’s also good for anonymous transfers and money laundering for good and evil uses. This is why it’s used by extortionists and merchants of illegal or illicit goods.

What’s wrong with bitcoin?

The difficulty of trying to establish bits as a conveyor of value is that there was no entity to define its value. When John Reed found his yellow rock in 1799, he may have thought it a pretty doorstop; but a jeweler from the big city told him what it was really worth. The value exists because there was a market where people would give you government-backed currency for your gold.

But bitcoin has no intrinsic value and no central bank sponsorship to establish a stable exchange rate. Like tulip bulbs, it’s worth whatever item of value someone will give you for it. This could be donuts (a barter trade) or dollars (a speculative offer).

If you don't like the value you're offered, you can always make jewelry from your gold or plant the bulbs and have a nice garden.

Since not everyone could mine the bitcoin they needed and merchants couldn’t pay their staff in the bitcoin they received, exchanges sprang up to sell and buy bitcoin for hard currencies. Unfortunately, these exchanges are unregulated by anyone and may be as reliable as the person with a card table outside the Dakar airport offering you francs for your dollars.

When you hear about bitcoin heists taking millions and millions of dollars’ worth of bitcoin it has actually been stolen from the exchanges. There’s no FDIC to regulate cryptocurrencies and indemnify coin holders. Once you turn your wallet over to an exchange to facilitate converting it back to dollars, any flaw in their system can put your money at risk. The blockchain has not been compromised and the security of your stash is dependent on the security of how you protect your wallet.

So, where does $16,000/bitcoin come from?

Bitcoin has been a speculative entity since its value passed $10. The exchange rate does not represent hyperinflation from too many coins chasing too little merchandise. Nor is it from scarcity of an item of value (although the quantity of bitcoin are finite) because it has no value beyond the market. Any price is merely the result of people buying now on the assumption they can sell for more later. But all bubbles burst … sometime.

---------

Resources:
https://en.wikipedia.org/wiki/Blockchain and other links at Wikipedia
https://pc3.org/bitcoins/
https://twit.tv/shows/security-now/episodes/643
Scientific American, January 2018

---------

Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 4.0 US License. Permissions beyond the scope of this license may be available at https://zaitech.com/satellite/contacts.htm.

 

Sunday, December 17, 2017

Ransomware hits close to home

Ransomware hits close to home

The county government got infected with ransomware. It can happen in the best of families; it’s just a matter of time before someone gets bit. If you haven’t paid attention because you didn’t know anyone who got it, here’s a quick primer:

What is ransomware?
It’s malware that holds your data hostage unless you pay the perpetrators for the instructions to retrieve it.

I’ve got the best antivirus money can buy. How did I get it?
Usually it is delivered as an attachment or link in a phishing email or web ad. If you click on it, it may request a helper or update to an app like Flash or JAVA. Click again and instead of the helper, it installs the worst class of malware a user will typically encounter.

You were suckered into installing it and you gave it permission to bypass the antivirus.

Then what happens?
It contacts Central Control which gives it a unique identity for you. Then it starts to encrypt all the content accessible to you. That’s all your media, pictures, documents, spreadsheets, emails, financial records, and more. When you look at a file listing; all the files are still there with the correct name, extension, and date. But when you try to open them, they show as “corrupted.” But if you create a new document, all your programs still work.

If you’re on a network at home or at work it will encrypt files shared from other computers too. Not only do you lose everything you’ve done, but your family or coworkers do too. Some versions may also install themselves on other computers or infect attached portable media to share the pain.
Not to worry, though. Every folder contains a text document telling you that your data are safe, it’s just been encrypted. Just send a certain amount of Bitcoin and they’ll give you complete instructions and the key to unlock all your data. Oh, and send the money by this fast-approaching deadline.

Surely I can find a fix online.
Sorry. Killing your data is one thing the programmers did right. It’s as lost as the $100 bill that blew out the window at 60 MPH.

So what do I do?
First of all … If you are aware that you made a mistake hitting the link and something is happening to your files; turn off your computer! Don’t wait for a shut-down, pull the plug! Also, shut down any other computers on your network in case they also got infected.

Now check your other computers. First, turn off your router so they are not connected to each other or the internet. Turn one computer on and check any folder you had network access to for evidence that its files are corrupted. Then do that for each of the other computers on your network. If they all appear clean, you can probably restart your network and the other computers. Do not restart your computer. Disconnect it from the network by pulling the network cable or changing the master password on your WiFi before you do anything else.

What about my computer?
Your concern is your data. Once infected with destructive or particularly malicious malware, the computer can never be trusted again until the disc is wiped and Windows is reinstalled from scratch.
Many computers have a feature accessed from the manufacturer’s boot options screen or a special button at start-up to return to the factory-original operating system installation. If you’re running Windows 10, you can download the Windows Media Creation Tool to portable media for a clean install.

You’ll have to reinstall your applications from their original install media and with their original activation keys.

Then just restore your data from your recent good backup. If your backup is a continuous update, it may include some corrupted files and the original source of the malware. For those files, you will have to restore from a previous backup.
Read more about backups at https://fromthehelpdesk.blogspot.nl/2017/12/about-backups.html.

Err…; I made a Windows backup when I bought the computer.
At this point you may want to call in professional help. Remember, there is a clock ticking before it’s too late to give in and pay up to the “kidnappers.”

If you shut down your computer before the encryption process got too far along, you may be able to live with the partial loss. But you want to determine if you lost any critical files. And to do that, you need to check the files without starting Windows.

Start your computer from a Linux Live DVD (or flash drive) which should be able to read the files off the Windows drive. If you’re only concerned with standard Office files (such as Word or Excel docx or xlsx), pdfs, pictures and media; the live DVD may be able to display a preview of the standard format. Otherwise, you will have to copy the data to a portable drive to another computer to test whether or not it is corrupted.

If you don’t have the software to check out your files handy on another computer, there may be cloud services that can read your files well enough to ensure they are intact. This might be the case if you use programs like Photoshop, Quicken, or even Microsoft Word. Start with the publisher’s website or OneDrive.com for Microsoft Office. Failing that, Google has apps for many file types and viewers for even more.

When everything else fails.
You don’t have a backup. You copied the critical files and they’re gibberish. And, they’re critical enough that you’re willing to pull out your checkbook.

Except you can’t write the hackers a check. Most likely they will demand payment in bitcoin. Bitcoin is an invented “currency” that allows the recipient to be totally anonymous and untraceable. It also has no fixed value. During 2017 (so far) the price to acquire one bitcoin has gone from less than $900 to more than $16,000. That’s over an 18,000% increase. Don’t worry; the cost to get your data back has typically been under $1,000 unless you are a high-profile individual, big company, or government.

There’s still a chance you’ll pay up and get a “dead baby” back. Most hackers absolutely want everything to work properly or they would lose credibility and no one would bother paying them. Unfortunately, the effort to distribute the malware such that it works as intended often exceeds the skill of the criminal who sees it as a get-rich-quick scheme and you still won't get your data back after paying.

Monday, September 11, 2017

The Social Security Number must die.

The Social Security Number must die.

It’s been evident for years, but recent publicly disclosed hacks makes it even more obvious. The 80-year-old Social Security number is no longer appropriate as a special identification document.

When an important device to exclusively identify me is available to just about anyone, it is not an exclusive identifier. If anyone can “prove” that they are me; I can no longer prove my identity, nor disprove what they claim.

The government needs to assign everyone a new Federal Identity Number for use only by people who have a direct tax or Social Security relationship with you. The restriction should include stiff penalties for anyone else who possesses an Identity Number not assigned to them.

Most of the reasons we gave out our SSN a generation ago were never valid. Present technology allows us to prove to someone else that a fact (our identity) is true without revealing that fact to them. Disconnected databases and encryption could allow authorized entities to “use” the identity without possessing it.

Everyone else just needs to find a way to trust that I am me without demanding a common unique secret from me. Marketers and web trackers sure have succeeded.

---------
Update - (quite) a bit late

From:        my doctor’s office
Received:    12/28/2017  4:10 PM EST

Personal identity theft affects a large and growing number of seniors. People age 65 and older are increasingly the victims of this type of crime. This is why the Centers for Medicare and Medicaid Services (CMS) [ie: the federal government] have started a Fraud Prevention Initiative that removes Social Security numbers from Medicare Cards.

Starting April 2018, CMS will begin mailing new Medicare cards, which will include new Medicare numbers. The mailings will be staggered throughout the year, with completion expected by April 2019.

When you receive your new card, destroy your old card and begin using your new one. Present your new card to the office when you are checking in so our staff can enter your new number into our system and make a copy of the card.


---------

Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 4.0 US License. Permissions beyond the scope of this license may be available at https://zaitech.com/satellite/contacts.htm.
(cc) 2017- Bill Barnes - Disclaimer - Home Page -

Saturday, September 9, 2017

Wednesday, August 16, 2017

The deal about passwords

In August 2017, the National Institute of Standards and Technology (NIST) issued new recommendations on passwords that received significant play in the popular press.

The core of the reportage focused on two points:
• Scheduled change of a password should not be enforced.
• Passwords do not need to be complex if they are long.

That means you can use a password like “Now is the time for all good folk to come to the aid of their party.” instead of “Kk*Uw#eAsk ”. And you don’t have to change it ever.

But removing strict requirements does not mean you have to stop using them. The good practices you’ve already been following are still good.

Is a memorable phrase still memorable when you have a dozen of them for a dozen different sites? And is it really easier to enter 60 letters and spaces perfectly with your thumbs four or five times a day than 8-12 random characters?

Background

We must remember that NIST writes standards for government agencies. If organizations outside the government find their standards useful (such as the amount of coffee in a pound), they are free to adopt them. But NIST password recommendations apply primarily to large organizations whose users log into a small number of services with unique identities.

In reality, most consumers of this news need passwords primarily in the course of business, research, commerce, or social networking on the internet. In a family there may be some sites (such as mail accounts) where every member has their own identity and others (such as a magazine subscription) where they all share a logon. For an active family, the number of identities could add up to hundreds.

Still the best recommendations

The old security rules still apply:
1.    Identify whether a site needs high security or low security.
2.    Identify whether a site’s password needs to be memorable or can be looked up in a secured list as needed. There may be other special needs depending on the use.
3.    Use a unique password for every site that deserves any security.
4.    Every high security password needs high entropy.
5.    Humans are very poor at creating good randomization.
6.    The best practice is to use a well rated password manager.

The “Technology Interpreted”

The popular press, for the most part, are getting it right … as far as they go.

• Requiring ordinary users to change their password every 180 or 90 – or even 60! – days has always been a boneheaded policy. These may be often-used passwords that the users must remember. In that case, the new password is frequently a derivative of past passwords easily deduced from social engineering.

• Choosing a memorable sentence instead of complexity is merely trading the method to achieve the same level of entropy.

There’s that word again: “entropy.” In the context of stealing a password, the assumption is that the only way to crack a logon is by brute force. This is the measure that is given in the discussion of password haystacks (https://www.grc.com/haystack.htm). That is, try every possible combination of passwords from “a ”, “b ”, to “z ”, and then “aa ”, etc.

In fact, a brute force password crack starts with “123456 ”, “password ”, “12345678 ”, etc. It continues through a dictionary of words, sorted by their frequency of use from previous cracks. As the new guidelines and examples come into use, you can be sure the dictionaries will add combinations of words and common phrases to the list. Soon, “now is the time for all good men to come to the aid of their country ” will be in the test right after “monkey ”.

What we really need in passwords

Effective use of a password depends on who’s using it and the effort to enter it. A skilled typist on a full keyboard could enter a 15-word passphrase in 10 seconds. On a phone that same phrase could take excruciating minutes with every character and capitalization another opportunity for error. Worse, in most cases, characters are blacked out so there’s no way to discover and edit errors.

Some logons require a memorable password while others only need to be available for a look up. You want the code to abort the bomb on the tip of your thoughts. But you can trust your video device to remember your streaming account and only reenter the password when the power blinks.

It is critical that every high-value site have a unique, strong password. Ideally, low-value sites should also be unique. The reason not to share passwords is because sites have been known to be sloppy about protecting your password. If a blogging site loses its database and hackers see that John.Doe@doe.com has the password 1qaz2wsx (the #15 most common password for 2015 – where’d that come from?); they might also try those credentials at banks and stores.

Two-factor authentication is a system where you enter a second, one-time credential in addition to or in lieu of a password. The most common form of second factor is for a website to send a code to a previously verified text, email, or voice account. You then enter the code to proceed. If you choose to use two-factor regularly, the least secure method is to receive an SMS message on your phone. The best method is with a time-based system such as Google Authenticator.

Final recommendations

• Short or long, choose a password that is appropriate to what you’re protecting.
• Never reuse a password you’re actively using elsewhere.
• If you hear that a site has been hacked or otherwise think a password has been compromised – change it now.
• Use a well-rated password manager and take advantage of all its features.

There are more notes on this topic. Download the document at:
https://zaitech.com/downloads/TheDealAboutPasswords_notes.pdf

---------

Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 4.0 US License. Permissions beyond the scope of this license may be available at https://zaitech.com/satellite/contacts.htm.
(cc) 2017- Bill Barnes - Disclaimer - Home Page -

Sunday, August 6, 2017

"Your connection is not secure"

A user asks …
« From time to time I update my notebook, Windows 10, with the usual Windows random updates and some others like Firefox and now I seem to be locked out of accessing most of my favorite sites by Firefox. I can get to them through Internet Explorer and Edge, but I don’t know how to move my favorites file over to either of those two browsers. Anyway, I want to correct my Firefox if I can. I have attached a print screen file to show you what I am getting. »


--- Techy alert – How we know a connection is secure ---
First, some background. More and more websites are available with https secure connections. This is good. At its most basic level it prevents anyone (such as your ISP or the government) between you and the website from seeing what you send out (a search on a touchy topic) or getting back (the newest unreleased tune or TV episode). This is desirable because it protects the privacy of good people as well as bad. It’s even better because when you’re communicating with financial, shopping, medical, legal, and other sites; the enhanced version of https verifies not only that no one can eavesdrop on your conversation, but that the owner of the website is who they claim to be.

Some browsers have announced that they will soon flag any non-https website as potentially risky. They also will scare you if some component, such as a picture, of a truly secure site is not delivered by https. This is a nuisance for many websites, such as my blog, that are not dealing in money matters or confidential information. Fortunately most servers are now able to install basic https with no cost and minimal skill.

When you connect to an https site, you receive a certificate from the site that is validated by a Certificate Authority. If the CA is not built in to your browser from when the browser was installed, you will get a message that the certificate is not recognized. The certificate also has to match specifics to the web page and have appropriate valid dates. For example, if the certificate is issued to website.com and you browsed to www.website.com, it may not be accepted. Similarly, if it expired yesterday, it may be appropriate but not valid.

Certificates also could be counterfeited, giving you confidence in your session while it’s being managed by a Man In The Middle. The MITM would typically involve malicious action starting at the first connection between you and the internet. For example, an ISP, a business, or a bogus “free WiFi” connection could be reading your session while the lock on your screen is for their own certificate. Protect against this potential privacy leakage by checking the certificate fingerprint you get against a known unspoofable fingerprint from GRC at https://www.grc.com/fingerprints.htm.

--- end Techy Alert – Back to your question ---

Funny thing about that. Welcome to nanny computing. Software from Windows to Notepad to my new car all want to tell you what to do and protect you from skinning your knees. Of course, the first thing they’re going to do is put squirrel guards up so you can’t climb any trees.

I had no problems getting into the website with Firefox 54.0.1 (32-bit) by typing the exact address you had. I also got to their secure (https) homepage by typing website.com in the address bar and hitting Enter. Try starting from that point and working your way to the signin screen. You may need to re-save your bookmark to the screen before signin because for many sites that is not a real web destination, but created on-the-fly for your environment.

By the way, if you click Advanced on the blocked page, you may be able to see why Firefox thinks this site is not good and decide to override their restriction. You want to override only if it shows a trivial error. I consider “trivial” to be something like a recently expired certificate if you trusted it previously or a slightly different domain name such as connecting to www.website.com and the cert is for website.com. Do not trust it if you’re looking for website.com and the cert is for a different extension like website.cn!

You can also double-check the cert fingerprint to protect from a Man In The Middle. Go to https://www.grc.com/fingerprints.htm and enter the exact address between “https://” and the next “/”. Read the details on the page to learn how to find the fingerprint from your session. Sadly Edge does not have an interface to show details of the certificate. Microsoft’s “solution” is to view the cert with Internet Explorer on the same computer. (Opera and Google Chrome use the same certificate store as Edge/IE so, if they say it’s OK, it’s OK in Edge.)

1a) All browsers have some means to export and import bookmarks (favorites), and possibly history and cookies, to and from a file. When you first install them, most browsers will also grab bookmarks directly from another browser in the same session without your needing to export them. Check your browser’s Help pages or your favorite search engine for instructions (always start at the publisher’s site before you go to third-party advisors).

However, most browser settings are user specific. If you’re moving to another computer or a different user on the same computer, you will have to go through the export to file process. Some browsers will sync their settings to other devices – if you’re willing to give a lot of personal information to the publisher.

1b)    While you’re playing with your browsers’ settings, go on and look through the privacy settings. In particular, enable Do Not Track (many browsers leave it off by default) and disable 3rd party cookies and allowing your browser to save passwords. Tracking and 3rd party cookies are just cowardly ways for browsers and websites to make money off you. Browsers have historically poor control over protecting stored passwords. Instead, opt to use a recommended password manager such as LastPass or PasswordSafe.

Open links:
Fingerprint    https://www.grc.com/fingerprints.htm
Me    https://technologyinterpreter.info
Last Pass    https://s.zaitech.com/SignupForLastPass
PasswordSafe    https://pwsafe.org/

---------

Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 4.0 US License. Permissions beyond the scope of this license may be available at https://zaitech.com/satellite/contacts.htm.
(cc) 2017- Bill Barnes - Disclaimer - Home Page - Blogs Home

Tuesday, May 16, 2017

The most basic protections


If you haven’t done so since details about the WannaCry ransomware attack started dominating the news cycle, go right now and verify that all your computers have their current software update. That’s not just the computer you’re sitting at, but the rest of your family’s computers, your office mates’, and especially the 10-year-old computer in the spare room that you use to download pictures off the old video camera.

Start with any updates for your operating system. Microsoft sends updates the second Tuesday of every month and occasionally a special update in between. These automatic updates frequently require an irritating computer reboot that comes just as you’re completing a critical project. Search for “Windows update” from the Windows search bar in or near the Start button to verify you're up-to-date. Do not use web search as those may include ads that may give you malicious results. Always install all important updates and any Microsoft Office, Defender, or Security Essentials updates that apply to you (you don’t need to install language packs or other unusual accessories).

Now check that your other software is up-to-date, starting with your web browsers and document viewers. Many programs include a “check for updates” link under the Help menu. Unfortunately, few notify you or install updates automatically. Some may even want to charge for an update or new version.

If you find that you have Java from Oracle installed, be sure it is up-to-date. If you find Flash or Shockwave from Adobe, uninstall it now. Flash has officially been declared obsolete and will be abandoned by Adobe. Any computer that still has it will be vulnerable far into the future.

Other details

If you leave your computer running all the time the Windows and antimalware updates will usually be installed automatically including automatically rebooting. But still verify the installation monthly.

Although they may not be susceptible to this attack, don’t forget about the computers in your purse or pocket. Apple is pretty reliable at getting the latest software to i-devices as soon as it’s available. Android users aren’t as lucky since updates have to be mediated through Android, the device manufacturer, and then the carrier before they get to you. Apps may get updated frequently or never and can have less-than-desirable actions even when functioning as intended.

Many devices that users don’t think about as “computers” also need frequent updates. If you have a computer professional, they should be aware of the risks posed by equipment such as routers and WiFi. At home you may find that equipment such as DVRs, streaming media, security systems, and personal assistants also pose a risk to your personal information or the internet.

Thursday, April 13, 2017

Protecting your data in transit

Data In Transit – Data At Rest

I recently received this question from a user:


Question,
Especially given the new anti-privacy laws. Is there a way to encrypt your data to avoid it getting sold to the highest bidder. I already have everything on Google drive, for the most part. It makes it easy since I have so many computers where I do my work and I travel a lot, which increases the likelihood that I lose a laptop or tablet.

Someone mentioned a VPN. I have one for work. Is it worth getting a VPN for personal use to guard my privacy?


Here's my response:

First of all, congratulations on being aware of these issues.

Second question first:
Protecting your data in transit.

The world as of 1/1/17:

When you interact with websites over HTTPS (such as financial, shopping, legal, and more every day), your communications are encrypted both ways between your browser and the remote servers. The encryption is good (and evolves as the attacks grow more capable) such that anyone tapping the communication can’t read your credit card number. This is why some industries such as health care and legal, by their professional ethics rules, can use email only to alert you to go to your account on a secure portal to read any substantive communication.

The risk is if an untrusted party controls a segment of the communication pathway between you and your destination. This “Man In The Middle” can then feed you a bogus certificate that encrypts your data so he can read it as it goes by. The most common scenario for the MITM is to offer public WiFi in a situation that you should be expecting it. He could create his own hotspot named “coffeeshop” or “hotel” sitting at the next table or nearby room and induce you to use it rather than the authentic hotspot.

The world today:

Recent rumblings in Washington imply that any US internet provider (ISP) will be allowed to act as an MITM. Previously they have at least been on their honor to read and record only the information required to pass your communication on its way towards its destination. Now they may track the contents of your communication and sell what they learn about you to whatever market is interested in it. This can be particularly valuable, or noxious, depending on your viewpoint because they already have a lot of personal information about you such as your name, address, telephone, and creditworthiness and can attach that to your browsing details.

Even worse, they could attach to their terms of service that you must install their master certificate to your system so they can even look into your HTTPS communications. Presumably, you could opt out of this tracking for an additional cost.

This is where the VPN comes into play. When you install a VPN on your computer, you originally received their certificate through a reliable channel. By contrast, when you browse to an HTTPS site you receive a certificate on the fly and would have to examine it in detail every time to ensure its validity. Updated browsers will alert you if there seems to be a problem with the cert, but few people understand what the problem might be or how to validate it so they just accept it anyway.

Having made a verified connection to the VPN, you then send your data directly through an encrypted link to the VPN’s connection to the internet whence it continues to its destination. This method is comparable to handing a letter to the agent in the post office rather than clipping it to your door and hoping that the person who picks it up is a trusted mail carrier. (When you use a VPN to your office, the endpoint is the office network and you are able to function as though you were sitting at your desk in the office.)

The Opera browser includes the ability to connect directly to a VPN for all your browsing. (Enable it from the Settings menu in the Privacy & security section. You then turn it on or off and choose the location of the exit point from a button in the address bar.) This VPN only protects your data that is going through the Opera browser. If you use another browser, an email client, or other app such as messaging, file sharing, or media streaming; you are not protected.

To protect all your internet traffic you need to use a VPN that is installed in the operating system like any other program. You may set it to start at your computer’s boot up or turn it on whenever you are away from a trusted internet connection. If you have a company VPN you can probably access the internet through it and not need another installed VPN. (Be aware, though, that the company VPN, especially from a company computer, means they are a trusted MITM if you use it for personal communications. Even if they don’t decrypt all of your traffic [which is the case frequently to protect their computers and network from malware], they are still seeing your metadata such as that a large file was transmitted to their competitor.)

Using a VPN may impose a degradation of your communication speed or latency. This would be most noticeable when transferring large files or with real-time applications such as gaming, voice or video chat, or remote computing. Such issues should be less significant with a paid service. The only installed VPN I’m familiar with, which came highly recommended, is proXPN at https://proxpn.com.



Aren’t you glad I answered the easy question first?

Next comes …
Protecting your data at rest.

Monday, October 24, 2016

Protecting your data at rest


Data In Transit – Data At Rest

I recently received this question from a user:


Question,
Especially given the new anti-privacy laws. Is there a way to encrypt your data to avoid it getting sold to the highest bidder. I already have everything on Google drive, for the most part. It makes it easy since I have so many computers where I do my work and I travel a lot, which increases the likelihood that I lose a laptop or tablet.


Here's my response:

First of all, congratulations on being aware of these issues.

Protecting data at rest is not a matter of one or two simple responses: 


On your computer you may have financial and medical records, password lists, personal emails, and a decade of browsing history. While legitimate internet communication shouldn’t expose static data, your disc drive is a prime target of malware. You have installed “set and forget” technical protection in the form of antimalware software and think you’re protected. Modern operating systems are largely hardened already and user best practices are even more important. Once you click on a link, you’ve given whatever is attached to it permission to do whatever it might. Everyone who sits at the computer must develop the reflex to ask why are they opening an attachment or visiting a website and what are the risks?

Now you can trust that your data are safe once you turn off the computer and lock the door to your office. But that computer is a laptop sitting on the seat next to you on the train or in the coffee shop. Maybe your data aren’t even on the computer but conveniently shared and available “in the cloud.” Either way, some stranger may be able to walk by and pick it up from you.  

How do you protect this?

The answer is that your files should be encrypted whenever they are not in use. Unlike your HTTPS communications, this encryption is something that you must take responsibility for. It’s a nuisance, but it means every time you open a project or share a document you must use a password and appropriate procedures.

Fortunately this need not require entering a unique password constantly. Probably most of the files you handle daily don’t really need to be strongly protected against snooping. Most pictures and emails, even if they’re not public, may not represent a significant privacy or financial risk.

For what does need to be protected, files can be encrypted either individually or in bulk. Modern office suites offer an option to password protect a document as you save it. Compression utilities (“zip”) also can encrypt the files as they’re stored. Their encryption methods are now solid; unlike the password option in Microsoft Office 2003 (.doc files rather than the current .docx format) which could be opened without difficulty if you used another brand of editor.

For larger quantities of files you can use an encryption system like VeraCrypt to create an encrypted virtual disc or even to encrypt your entire computer. If you choose the virtual disc option; it creates a single file that, when you open it appears to the system like any other drive. When it’s closed the contents appear as total gibberish to anyone without the key. The encrypted file can be stored or transmitted without fear of loss of your data. While it can be stored in a shared cloud, it must be synchronized manually as most systems won’t recognize when it has been changed.

But you want universal access of your data in the cloud.
 
 Again, weigh the nuisance factor of file or folder encryption with the value of its contents. Most “name-brand” cloud providers probably offer reasonable security by requiring a sign-in to your account. Hopefully they also use encrypted transmission while it's in transit. The bigger risk is when you give a collaborator access to modify a document that is synchronized back to your computer. In that case, you have given someone permission to put any file they want on your computer without your intervention. This could represent the ultimate phishing attack if you’re not alert to it.

What if someone doesn't have to break in to see your data?

If you synchronized individual files, the cloud provider has your data and all the meta details associated with it. Unless you've encrypted the individual files with a password, they also have access to that content. Maybe their terms of service promise they won't actually read the files, how will they react if someone comes in claiming to be "with the government" and asks for your data? If their data center is in the same jurisdiction as you they have to satisfy a subpoena; and may respond to an unjustified request.

You can make your cloud storage secure from this loss by using the same practices you use for data on your own laptop. You would have to download and upload the files every time you use them to ensure the protection is always in force. Collaboration also would be problematic unless you were all working with the shared files in a homogeneous environment such as Microsoft Office365.

Hacked over Russian hackers?

OPINION

Are you upset that Russian hackers – possibly operating under the influence of, or even directed by, their government – got into the Democratic Party’s email system?

I’m not.

I’m upset that anyone was able to get into the system as easily as they did.

Any high interest operation such as a major election is going to attract the attention of hackers trying to break in for any of a multitude of reasons. Just as Willie Sutton is going to rob banks, political adversaries or those seeking financial gain will take any advantage they can against their opponents.

It is the responsibility of the people with valuable information to protect it themselves. Once an organization reaches a size, a level of notoriety or importance, or economic or political significance; they must take advantage of professional security experience. An individual who gets hacked may have some losses but won’t necessarily suffer serious economic or reputational disaster. A large business may be able to expend the resources to clean up after they’ve learned their lessons. But the entities in the middle, from a 10-person office to a national volunteer organization could be damaged beyond recovery.

What should a high profile organization like a political party do?

If I were consulting them, the first thing I’d do is sequester the devices and accounts from everyone with a recognizable name. Then I would issue them devices that are known free of any malware and without the most attacked apps. These would route all online activity through the office via VPN where it is protected from interception and filtered. Similarly, their email and messaging will go through a single system with advanced safeguards and appropriate passwords. Finally, social networking will all be posted by public relations personnel. Although there can be accounts in the principals’ names and they may submit posts; they will be vetted and edited, if necessary.

Finally, everyone will attend a class in protecting themselves against attacks from phishing to ransomware and all the online lures. This is because a slip of the finger by anyone from the top dog to the intern – and even the IT staff – can open the entire organization to an attack.

Browsers churn disc drives

A researcher discovered that browsers might churn disc drives - to the extent of writing gigabytes of redundant data per day.

Steve Gibson, using Sysinternals tools discovered that the Firefox web browser was rewriting a snapshot of its current contents to the default disc every 15 seconds. If you habitually leave your browser with many tabs open all the time, this could amount to a huge amount of data over the course of the day. Also, if you are leaving tabs open, it's writing the same data every time. (Gibson admits to keeping hundreds of tabs open.)

While writing unnecessary redundant data to the disc may have had a minor impact on overall computer performance a decade ago; this could seriously degrade the life of modern Solid State Drives.

All chip-based memory devices from a $5 flash drive to the industrial-grade system storage in servers can have information written to a given cell a only finite number of times before the reliability starts to deteriorate. Under normal use, the SSD that helps your laptop run cooler and have a longer battery life will probably outlive your desire for a faster computer or larger screen. But there is no need to put this extraordinary stress on the system and reduce its life by possibly as much as half.

SSDs are also appearing in higher-end consumer and business desktop computers or are being retrofitted by hobbyists. End-market devices marketed at a lower price point may be even more prone to early failure under this load. They might have a lower redundancy and not be able to survive as many write cycles as those sold for use in internet servers.

A similar issue of heavy disc usage also exists in Google's Chrome browser. Hopefully publicity will encourage the browser publishers to revise this procedure. Unfortunately, not being a security issue, it probably will not get a high priority for correction.

Gibson has determined a tweak to Firefox that allows the user to reduce the churn that is excerpted at http://bloghd.zaitech.com/extras/BrowsersChurnDisc.pdf. Or listen to the podcast at https://twit.tv/shows/security-now/episodes/582 (you can jump forward to about 1:05).


Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 3.0 US License. Permissions beyond the scope of this license may be available at http://zaitech.com/satellite/contacts.htm.
(cc) 2016- Bill Barnes - Disclaimer - Home Page - Blogs Home

Friday, September 23, 2016

How to steal an election

Please read my article on how difficult it is actually to significantly change the outcome of a major election.

Download it here: http://zaitech.com/downloads/HowToStealAnElection_pub-wm.pdf


Wednesday, September 7, 2016

Heat

A spinning hard drive (HDD) is often the greatest source of heat in your computer. My custom-built computer has five (5!) HDDs in the case. While one is a different model, they are all 1 TB drives with similar specs.

I happened to be running with the case open recently and touched one of the drives. It was HOT! After installing Crystal Disk Info (http://crystalmark.info/download/index-e.html), I discovered a couple of my HDDs had internal temperatures of 47° and 59°! (That’s 116°F and 138°F).

I moved one HDD to the empty DVD bay so that none would be sandwiched between two others. Then, with the case open, both showed running temperatures of 44° (111°F). Whether it was adjacent to another or completely in the open, both drives showed the same internal temperatures.

When I put the covers on the case, the temperatures came down another 6° to 38° (100°F). You may think having the case wide open to the air conditioned room would be good for component temperatures. Being enclosed allows the fans to pull outside air over the drives and other critical components, cooling them more efficiently.

While I was at it, I pulled out my wife’s computer which is almost 10 years old – and runs fine. However, when I opened the case the cavity and heat sink fins had an incredible amount of dust. I hit it with the compressor (I can’t afford enough canned air to keep my computers clean) and reconnected the computer after straightening out the spaghetti bowl of cables that built up under her desk.

Monday, September 5, 2016

A useful utility

How many keyboards and screens do you have on your desk?

Here's a utility (skip down) to help tame a tangle, but first, the history.

Many hobbyists, power users, and business people find it necessary to work on more than one computer at a time. Lots of people have multiple monitors, but this applies if you have a complete additional computer and monitor at your workstation.

I have long used a KVM (keyboard-video-mouse switch) to use two computers with a single set of desktop components. In the mid-1990s the keyboard would not reliably switch so I kept a second keyboard connected. Unfortunately, I often forgot to move to the alternate keyboard and would type a command to "computer A" that actually had a deleterious effect on "computer B".

I now have 3 monitors on my desk. My primary computer has dual screens and the third is connected to a secondary computer so I can continue to work while monitoring a process - or watching Netflix.

Start reading again ...

I used to use a KVM to control the secondary computer - ignoring the video component. Then I discovered a free utility from Microsoft Garage. This is a group that thinks up neat stuff and makes it work - at least sorta. But the powers decide it's not commercial or of broad interest and they abandon the project. But they make the program available - without any promises of support, updates, or even that it will function as described.

I'm using Microsoft's Mouse without Borders* to control my secondary computer. It allows the mouse and keyboard to move seamlessly across up to 4 computers, each with their own monitor. Move your mouse and instantly you're controlling a different computer. Slide back and you're on the original. Even the clipboard comes across more smoothly than it does for many remote control programs.

One of its quirks is that it doesn't reliably reconnect after a reboot. You still might need a KVM or extra keyboard for that twice a month that you have to reboot your computers.

LINKS 
Full links are offered so you can examine the URL to ensure there is no hidden misdirection.

Mouse without Borders: https://www.microsoft.com/en-us/download/details.aspx?id=35460 

Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 3.0 US License. Permissions beyond the scope of this license may be available at http://zaitech.com/satellite/contacts.htm.
(cc) 2016- Bill Barnes - Disclaimer - Home Page - Blogs Home

Friday, July 15, 2016

Planning for 2020

Windows 7? ... Windows 8.1? ... Windows 10?
Planning for 2020


Note: these comments may be irrelevant after July 29, 2016.

Are you like me? I'm very happy with Windows 7 which I've been using for 6-8 years and my computer is tweaked just like I like it. This custom-built computer has adequate power for now and is easily upgradable. But  Microsoft is definitely going to kill Win 7 in four years while I hope this computer will still be going strong. At that time, I'll have to upgrade to the newest version of Windows for which Microsoft may want to charge me $249 by then.

By July 29 - I should have started sooner - I will upgrade "this" computer to Windows 10 for free. Then I'll revert and go back to using Win7 until it can't walk any more. However, any time in the future I'll have a free Win10 license ready to run.

There are two ways I could do this "upgrade on new installation" or "upgrade, archive, and revert." I'll use the first method, "upgrade." If you have an OEM Windows without install or restore media, you may have to use the second, more complex method.

METHOD 1 - A clean install

My plan is to install Win7 on a new hard drive in this box and allow it to get upgraded. Since I'm no fan of dual boot - and am not sure I could dual boot the same DVD key - I'll disconnect my current C: drive and repeat the basic process I performed 2 years ago. Once Win 10 is installed, I'll take the new drive out and return to my running machine. Occasionally I'll swap back to Win10 to get updates and verify the installation.

Since this is a generic computer and I have a retail copy of Win7 on DVD, it shouldn't be significantly different from what would happen if I had a drive failure. At this writing, I have installed Win7 on a new drive, but am missing a few drivers. I'm looking into a utility to extract the running drivers from the running installation which happens to be on the same hardware. There's also the issue that a reinstallation of Win7 will require over 200 updates and can take a week to complete. There is a means to shortcut that problem by manually installing just a few updates.

METHOD 2 - Upgrade and revert

If you don't have your original distribution media or find it difficult to temporarily replace your primary boot drive, you will need to upgrade the way Microsoft expects most people to. This will require multiple backups, one or more large capacity external drives, and a lot of interactive patience.

Start with a complete data backup to reliable media. Don't forget any settings and customizations you've made to your applications and your password database. Also backup your email and account details and passwords if not included in your data folders. This protects your data in case something goes terribly wrong.

Then do a full system image of your Win7 boot drive. There are multiple programs that can do this; most of the ones with comprehensible interfaces you will need to pay for. This allows you to get back to where you started if the upgrade and revert processes fail.

Now allow the Win10 upgrade to install and use it for a while so it has a chance to stabilize. After you're comfortable that everything is working and no data or applications have been lost or corrupted, create an image of Windows 10.

Within 30 days of the upgrade you can revert back to your previous operating system. Theoretically you have a perpetual license to reinstall Win10 on this computer at any time in the future - even if you've made minor changes like adding memory or replacing a hard drive. I don't know how either process works or will work. If anything fails, you've still got your image backups to get back to where you started.


Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 3.0 US License. Permissions beyond the scope of this license may be available at http://zaitech.com/satellite/contacts.htm.
(cc) 2016- Bill Barnes - Disclaimer - Home Page - Blogs Home

Sunday, June 5, 2016

A second thought on upgrading to Windows 10

(1)

If you seriously want to get Windows 10 for free on your computer, you might want to get started by mid-July, 2016. When I went to upgrade my newest brand-name laptop from its factory-installed Win 8, I had to fight with it for several weeks. Here are things to consider:
  • If you are happily running Windows 7 or 8.1; consider keeping it. Microsoft will continue to support them for another 3-1/2 years and you won't have to worry about missing drivers or other quirks.
  • Will your computer take the upgrade smoothly? In my experience, what Microsoft considers "adequate" hardware has always been very optimistic. It was very happy to install Win10 on my netbook with 1 GB RAM and a 1 GHz Atom CPU. I am telling my clients they need a minimum of 4 GB RAM and a 64-bit multi-core CPU. (2)
  • Is your computer at all old or non-standard? Even if the hardware is capable, your manufacturer may not provide 64-bit or Win10-compatible drivers for components more than 2 or 3 years old. The same goes double for any non-factory components you've added or peripherals like printers or scanners.
  • Perform a full-system image backup to facilitate a roll-back should you have any problems. Even better, clone your hard drive to a new one and upgrade the disc that hasn't already got several years usage on it. Then your old drive is your backup.
  • Get the resources from Microsoft to install Win10 from a DVD or USB; even if you intend to allow the automatic upgrade. (3)
  • Verify you can boot from your external media. I found the Secure Boot feature of new computers would not allow me to do so. These two steps alone took me a week to complete.
  • Back up your data again. (4)
  • Finally say "OK" to the nag you've been getting for months. I recommend you choose the "download now, install later" option to ensure a clean, continuous download. The entire package is 3-6 GB.
Bill Barnes


Notes:
(1) Share these notes here: http://fromthehelpdesk.blogspot.com/2016/06/a-second-thought-on-upgrading-to.html
(2) Find this information in Control Panel > System. If you have 32-bit Win7, but a new computer; the app at https://www.grc.com/securable.htm will determine your CPU's capability.
(3) https://www.microsoft.com/en-us/software-download/windows10/.
(4) Naturally, I recommend you buy Carbonite backup software from me: http://goo.gl/CXqBsB.

Friday, May 27, 2016

Quotes without comment (Windows 10 edition)

Some stories that were recommended for me to read/view:

On Friday I received:

https://channel9.msdn.com/Shows/TechNet+Radio/TNR1655?wt.mc_id=DX_840368&MC=MSAzure&MC=CloudPlat&MC=Windows&MC=EntMobile&MC=SecSys


But on Thursday I had already gotten a link to:

https://www.thurrott.com/windows/windows-10/67367/upgradegate-microsofts-upgrade-deceptions-undermining-windows-10?NL=WIN-01&Issue=WIN-01_20160526_WIN-01_114&sfvc4enews=42&cl=article_2_2

(These screenshots are linked to the documents. Click on them for the “full” story.
Open links are below to verify source. For the safest surfing, read the destination [// domain.com/] and copy the link into your browser.)

Microsoft:
https://channel9.msdn.com/Shows/TechNet+Radio/TNR1655?wt.mc_id=DX_840368&MC=MSAzure&MC=CloudPlat&MC=Windows&MC=EntMobile&MC=SecSys

Thurrott:
https://www.thurrott.com/windows/windows-10/67367/upgradegate-microsofts-upgrade-deceptions-undermining-windows-10?NL=WIN-01&Issue=WIN-01_20160526_WIN-01_114&sfvc4enews=42&cl=article_2_2

Tuesday, May 10, 2016

Microsoft will not call you

Pardon the redundant warning ...

I hope this reminder falls in the same category as “buckle your seatbelt” and just reinforces the diligence you already take to treat every offer from a stranger with a grain of salt. My saying it now was inspired by a warning in a WindowsSecrets (1) that there is a current rash of this type of scam.

Microsoft will not call you offering to fix a problem you didn’t know you had. (Neither will Dell, Google, Facebook, the IRS, or anyone else.)

If you get an unsolicited call, email, or popup on your screen  referring to some critical issue that you must use their assistance to repair right now – it’s likely to be a scam!

  • Do not click anywhere inside a popup.
  • Do not install anything that you didn’t go looking for.
  • Do not ever give anyone you don’t know access to your computer or your money.

The exception to these rules might be if you can’t open any of your files and the only thing you can see is a message that you need to send some anonymous entity money – usually via Bitcoin. This is a ransomware infection and it is probably real! In this case, immediately unplug your computer and contact your computer professional. Most likely, you are toast. The only solution is to pay up or start over with your backup data. Also, unfortunately, if you delay or attempt to get around this on your own, you run the risk of even corrupting the good backups you do have.
(2)

Actually, some people may legitimately initiate the call such as to inquire or warn about an atypical credit card charge. If they ask you for privileged information such as an account or Social Security number, you are perfectly right to make them identify themselves. The best thing is to for them to be able to give you a piece of non-public information such as the first digits of a Social Security or credit card. For more ways to verify a caller, see the tips in "Should I Open This Email" (July 2012). If you independently have a contact number for them such as the support number on a the back of a credit card or 911 if they claim to be police; hang up and call them back. do not trust a callback number they give you.

Feel free to share this with all your friends and relatives who have a computer or telephone and use the internet.

-------------
(1)
Here’s the open link for WindowsSecrets, because you never click to go to unknown websites from a link you might not trust: http://windowssecrets.com/newsletter/better-localcloud-management-for-big-data-sets/

And a couple weeks later Windows Secrets alerts us to a "support" scam directed against Dell owners:
Support scam alert for Dell users: http://windowssecrets.com/field-notes/tech-support-scams-take-a-disturbing-turn/ (note: this is a 2-part article; scroll down past "Windows 10 ..." to read the report on the new scam). 
   
(2) Which is where I make my pitch for you to buy your Carbonite automatic, online backup service from me:
http://partners.carbonite.com/thetechnologyinterpreter


Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 3.0 US License. Permissions beyond the scope of this license may be available at http://zaitech.com/satellite/contacts.htm.
(cc) 2016- Bill Barnes - Disclaimer - Home Page - Blogs Home

Friday, April 29, 2016

Lost passwords

Lost WiFi passwords

Q. How can I find the WiFi password on my router?

If you know the login information to configure your router, just connect to it as an administrator and go to the Wireless > Security section.(1) The password should display there.

If you have a device that already connects to that router, you may be able to extract the password from it. Windows 7 (and XP) will display the plaintext password under Manage wireless networks in the Network and Sharing section. Some Android devices will also show the plaintext saved password.

If you’ve moved past Windows 7(2) (even as an upgrade), the password is not shown in the interface. It still is available as plaintext if you know where to look in the system. The easiest way to do that is with a utility; which I have recently done.

I usually document my research well, but can’t find exactly what I looked at or why this time. There may be a hint in my caveats, below(3). I thought my original impetus was an article in WindowsSecrets, but can’t find it now. You may be able to search for Key Finders on their site.

I did look at Magical Jelly Bean (https://www.magicaljellybean.com/wifi-password-revealer/) and NirSoft (http://nirsoft.net/password_recovery_tools.html) and eventually used a keyfinder program from Magical Jelly Bean to recover WiFi passwords on a Win10 computer. Both sites had been vetted and recommended … somewhere. A colleague frequently uses Magical Jelly Bean.

The program quickly displayed a list of almost 3 dozen sites I had connected to in the past with this computer with SSID, password, and some technical information. I captured it as a screenshot, blacked out my sites, and printed it to carry with my laptop. Yes, this exposes passwords for many friends and relatives to anyone who steals my bag. But there is no connection between my papers and my friends so all the thief can do is drive around the country looking for the SSID.

It is as important to protect your WiFi password as any other. You may not mind someone using your bandwidth, but anyone connected to your network (either WiFi or wired) could invade any computer on your system – and “computer” includes your phones, game devices, and connected appliances (like a thermostat or light controller) as well. Then any data or settings on them could be vulnerable to attack by stealing the data or malicious destruction. And one of those computers you don’t think of as such is more likely susceptible to becoming a gateway from the outside for bad guys to do even more harm.

---------

Notes and resources:

(1)     If you don't know the login for your router, you can return it to the default settings by pressing a recessed button with a pin. Then you must completely reconfigure all of your settings. Of course, if you don't know the login, you may have never changed the default settings. See my article for tips on critical settings to customize.

(2)     If you’ve got anything with Windows 7 (or XP) that connects with WiFi, you can display the password for each network directly in Windows. With Windows 7, find it at:
Control Panel\Network and Internet\Manage Wireless Networks – Get there from
Network and Sharing Center > Manage wireless networks (on left sidebar) > Security tab

(3)     As always, when researching and downloading non-commercial resources, ALWAYS be careful exactly where you click. (I sometimes use a sacrificial computer* to do my research and downloading.) I have a note with my saved passwords that this program tries to co-install a couple of unrelated programs that will return money to the publisher. For more information on using “free” software, see my post at http://TechnologyInterpreter.info (May 2016).

Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 3.0 US License. Permissions beyond the scope of this license may be available at http://zaitech.com/satellite/contacts.htm.
(cc) 2016- Bill Barnes - Disclaimer - Home Page - Blogs Home

Pages