Skip to content

Blog

Teaching Computer Security Basics

Over the past few years, I have ended up coming into contact with many computers belonging to individuals. My reason for doing so has varied, but usually I am helping them with something unrelated to security.

I found myself constantly saying the same things when I noticed bad security practices — “you really should update or remove Java”, “you need to actually stop clicking ‘Postpone’ and restart the computer some time”, “untick that box to install the toolbar” and so on.

Computer security is hard.

But, particularly when it comes to computers belonging to individuals, we have let the perfect become the enemy of the good. We have allowed anti-virus vendors to parrot messages about “total protection” instead of teaching sound principles and encouraging good practice.

Computer security, at least in this context, is in large part a human problem, not a technology problem.

So, a while ago, I had an idea to put together a really quick, 5-minute presentation that would encourage computer security principles that could dramatically lower the risk of individuals’ machines getting infected. I stripped it down to what I saw as the four most important principles (few enough that they might actually be remembered!):

  1. Keep software up-to-date — with emphasis on the importance of updates, despite the inconvenience, and mention the high-risk software titles du jour whose updates may not be entirely hands-off (Flash, Java, etc.).
  2. Keep up-to-date antivirus — with emphasis on such technology as the last line of defence, not ever a solution in and of itself.
  3. Install software from trusted sources — perhaps the most important principle that requires behaviour change, this is about getting people to feel confident enough to build a trust model for software and then make informed decisions about each and every installation they make.
  4. Be suspicious — in particular about communications that invite clicking on things and so on, including using alternative channels to verify legitimacy of things that look suspicious (e.g. never clicking unexplained links!)

I’ve not given this talk yet, but I’d like to. It feels that computer security on home PCs is, in general, so awful, that even a very basic set of ideas that are memorable enough to implement can probably make a significant difference to the health of our personal information infrastructure.

I would welcome feedback from others on these slides, as well as the idea.

I think it is quite important to keep it to five minutes, make it concise enough that it will be memorable and actionable, but I’m sure this idea can (and needs to) evolve and improve over time.

If you would like to use the slides, feel free to do so under the Creative Commons BY-NC-SA 2.0 licence. It would be great if many people could hear this message.

Valuing Corporate Values

Much is said about Google’s “don’t be evil” corporate motto. That is not what this post is about.

This is about corporate values — and a (rather smaller) company I have found myself appreciating because of their words and actions on the subject. This stuff can be easily overlooked when the market demands a rush to the lowest price, but to consumers like myself, it is possibly the most important thing.

This isn’t some murky sponsored post (although I do have an affiliate link at the bottom) — this is all genuine and from the heart.

Cloak

Cloak logo

I found out about Cloak through their co-branding with 1Password, my password manager of choice. They are a VPN service designed to give you a way to encrypt your traffic when you are connected to untrusted networks. Their service is technically brilliant, but what is more important than that is the honesty, openness and realism they have shown so far in their communications.

At first I felt a little apprehensive about their corporate values and how well they were upheld in practice. Their privacy policy was scant in detail — using claims along the lines of “we don’t store any of your data”, but with an exception of data that they’d need “to make sure you’re not sending out spam”.

Well, what does that mean?

» Read the rest of this post…

Horse

Horse (Path)

I have missed Instagram’s filters since it was gobbled up by Facebook — a change which meant I could not continue using it.

So, it is nice to have similar functionality in Path. The added bonus is that unlike in Instagram, your photo is not rescaled down to quite the same degree!

Above is a, hopefully tastefully subtle, use of Path’s filters in this photo of a horse in rural Dorset.

Telephone box

Telephone box

You just don’t see ’em anymore, especially not in full working order!

Restoring a Windows 8 Bootloader

Screenshot of the Hyper-V Manager on Windows 8

Microsoft’s Hyper-V is a really cool virtualisation technology I have been having fun exploring. You cannot run a Hyper-V Server on a Windows 7 host, however, so in order to run it, I installed Windows 7 and Windows Server 2008 R2 side-by-side, and used it in the latter.

All that has changed in the era of Windows 8, however, and you can run a Hyper-V Server on the client version of Windows 8, if it is Windows 8 Pro. Hooray!

So, to cut a long story short, post-upgrade, I felt I didn’t really need my separate Windows Server 2008 R2 partition for Hyper-V, so I deleted it and expanded the Windows 8 partition to fill the space. Only to find that Windows now wouldn’t boot. Oops.

I originally installed Windows 7 first, followed by Windows Server 2008 R2, following best practice to install newer operating systems after earlier ones. What had happened now, though, was that I had just wiped out the bootloader that was sitting happily on the Windows Server 2008 R2 partition.

» Read the rest of this post…

Cleaning up the IP.Board url4short mess

XDebug to the rescue…

The condensed, I-just-want-to-fix-my-site version:

On your server, try:

grep ‐ri \$mds /wherever/your/website/folder/is

to locate the injected code, and while file it resides in. You can then go into that file and remove it.

Also try re-caching all the skins and languages in the Admin Control Panel. Make sure all IP.Board updates and patches are applied to prevent the compromise happening again.

Reset your passwords and keys. Take measures to detect and continue detecting other infiltrations.

My friend Niall Brady dropped me an email, saying that some of the users of his Windows-Noob forums were reporting getting redirected to a spammy-looking site (url4short dot info) when clicking on search results to the site.

The forums run the Invision Power Board (IP.Board) software. There had been some reports of vBulletin boards being hit with this kind of spammy redirect, but fewer suggestions that this was an IPB problem. There had been a patch for a critical IPB issue released in December, but that had, obviously, been applied to the site as part of normal good practice.

Nevertheless, I was concerned. Clicking on a search engine result should definitely not be redirect somewhere other than the result page!

Without evidence that the issue was not limited to one machine, or one connection, however, it could not be ruled out that it was just malware on that visitor’s machine.

» Read the rest of this post…

Protecting your browsing with Certificate Patrol for Firefox

I read this BBC News story about mistakenly issued security certificates recently, which allowed the people with those certificates to impersonate any Google websites and intercept traffic to them. It struck me as quite significant that this particular story made it to &#8216mainstream’ tech reporting.

There is a more detailed, and perhaps more accurate, commentary on this attack on Freedom to Tinker. It perhaps may not have been ‘cyber criminals’ as the BBC reported it when I first viewed the story!

Anyway, given the attention to this issue, I thought it a good opportunity to review this kind of attack against SSL/TLS — the security system upon which we all now depend. More importantly, I wanted to show Certificate Patrol, an add-on for Firefox that would allow you to notice a suspicious change to an certificate and thwart this kind of attack.

The weaknesses inherent in having too many organisations that are able to issue security certificates for any domain are becoming more clear. While this kind of attack is extremely rare, at the moment, ‘at the moment’ is a very poor security response! Hopefully, more awareness of these limitations of the internet’s authentication infrastructure can help put pressure on browser vendors, website owners and CAs to make everyone more secure.

Raspberry Pi

Raspberry Pi logo

In other 2012 gadget acquisition news, I got my hands on a Raspberry Pi this year, too.

Raspberry Pi in box

Ordered in the summer, and only delivered last month, due to the high demand, it is something I have not yet had an opportunity to play with as much as I would have liked. The advantage of having to wait that long, however, has been a beefier 512 MB version of the device!

In the spirit of my recent iPad mini post, here are some first thoughts on the device:

  • It is amazing how much you can do on such a tiny and inexpensive device. With the Debian wheezy build that is the Pi’s default operating system, you have access to almost the same rich range of software packages on any other Debian system. I was able to install Nginx to serve up web pages at rapid speed, and I am quite sure it would be possible to completely replicate Van Patten Media’s Managed Hosting platform that I have spent much of the year working on, even on such a device!
  • It is unashamedly geeky. This will probably be enough to put off some people who have received a Pi, but perhaps who don᾿t have the support in place to best use it. It isn’t that difficult to get started, but you do need to be able to get the OS onto an SD card. For me, though, I like that opportunity that it gives you.
  • It legitimises the hobbyist again. This pleases me a lot. Many great things were achieved by (originally) hobbyist hackers; re-igniting that spirit has huge potential.

There is some irony in that the Pi is, in a number of ways, the polar opposite of the iPad — it is hobbyist rather than consumerist. The Pi gives you complete control but requires some fiddling, the iPad gives you little control but is so intuitive.

I leave this year much more satisfied about the state of computing because of these two devices.

Why? There is now opportunity for both consumer hardware, and hobbyist hardware, to co-exist and complement each other.

iPad mini

iPad mini

Ever since its initial release, the absence of an iPad, or indeed any kind of tablet device, from my computing devices was notable. After all, this was the ‘future’ — and I was just getting left behind, right?

Truthfully, the full-size iPad always felt to me to be difficult to justify. While significantly more portable than any laptop, the size difference between it and its clamshelled cousins did not feel big enough. I’d just want to reach for the laptop, right?

It seemed that all that changed with the iPad mini. I hadn’t anticipated it at all, but ‘merely’ making the device smaller suddenly made me see where it fits for me.

So, what does it do better than any other device? Why is it now justified?

  • It is hands down, the best (type of) device for ‘casual’ browsing. Whether for checking something quickly, or browsing around at the end of the day, it makes web browsing informal and comfortable in a way that sitting in front of a desktop or laptop just does not. Being physically smaller than a laptop makes it easier to do this.
  • It is that much easier to take with you. Yet unlike a phone, which will always have limited screen size (or else not fit into a pocket), it is big enough for ‘full’ websites, richer app experiences or even in my case, full-screen SSH connections!
  • Battery life and instant-on. It makes an immeasurable difference that it can just be left on, and is always ready to use. No need for chargers, mice and various other accessories.

Something about this smaller form factor suddenly made it click for me — perhaps even just made it feel less threatening to the role of my traditional computers! I am very happy indeed with my iPad mini. I had concerns about lack of a retina/HiDPI display, but I have found that in real-world usage, it is not a deal breaker. (My personal opinion is that the physically larger the device gets, the less that HiDPI actually matters.)

Consumer computing is changing. Whether ‘traditional’ PC people like me are ready or not.

International Mac Podcast #222

International Mac Podcast logo

It turns out that I have had an unintentional hiatus from podcasting for a number of months.

I’m glad, then, to have broken that with the release of Episode #222 of the International Mac Podcast“Bezos’ Bezels”.

We talked about the state of all things Apple and iOS, speculated wildly about the future of the processors we will find in our Macs and made mention of the titular Amazon CEO’s strategy as compared to Apple.

It is always great to be invited on by Stu and the team and I thank everyone for the great show!

You can listen to the show on this page, download the MP3 file directly and also subscribe in iTunes or via RSS.

I am available for other podcast engagements; I would particularly be interested to talk about Apple, Linux, web development or computer security. Please do get in touch!