Archive for the ‘Home Computer’ Category

Pennsylvania just enacted the Consumer Protection Against Computer Spyware Act. I appreciate that legislators are finally starting to take computer security seriously though this law may be more bark than bite.

Briefly, the law makes it a state crime for any “unauthorized user” to deceptively add software to your computer without your consent, prevent you from removing their software, changing your computer settings or hiding their own software. It’s a pretty good list of all the bad things that people were doing to our computers in 2008.

Unfortunately, the hackers have moved on and are using different tactics now. But I guess it never hurts to outlaw the old bad stuff. You might at least catch the stupid criminals who haven’t stayed with the times. The real problem, though, is that cybercrime is rarely investigated, much less prosecuted. If this law gets legitimately used a dozen times in the next five years, I’ll be surprised.

Which brings me to my real cause for concern – what are the ways this law could be twisted beyond its intended scope?

This law makes it illegal to change settings, modify bookmarks, impose a homepage, disable software, prevent your own software from being disabled and use techniques like keylogging. All those are bad things when done by an outsider but potentially legitimate tactics for law enforcement, your own company’s IT Security investigations or for your responsibilities as a parent.

On the plus side, PA did include wording that the person adding the software and making the modifications must be an unauthorized person. That’s a good thing. Other states have left that qualification out, making it ambiguous whether the company’s IT department could impose software restrictions on a company-owned computer. PA’s law provides a safe-harbor for the IT Security department as long as they are also authorized users on the user’s computer.

Here’s the rub, though. Several courts have passed down decisions (such as Tengart v LovingCare, US v Ziegler, US v Simons) that make it confusing when the computer is the user’s and when it is the company’s. Similar decisions have made it ambiguous whether a computer is owned by the parent or the child. (And it gets really complicated when you have two spouses going at it as in White v White.)

If the ownership and privacy right is at the company (or family) level, I don’t see a problem here. The IT department (or parent) is an authorized user by definition. One authorized user can still change settings or programs on the computer without the consent of the other authorized user(s). Whether it’s ethical or effective is another question but it would pretty clearly be legal under this law. On the other hand, if the employee (or child) has a “reasonable expectation of privacy” to the computer, then the IT department (or parent) might not be considered authorized under this law.

The fix is easy. PA did a pretty good job with this law – we don’t need to tamper with the law. You just need to make it crystal clear to every other user of the computer that you are the primary owner of the computer and that no other user can have any expectation of privacy that excludes you and your right to monitor. At the company level, you should have that in your written policy manual and probably on the login splash screen. At the family level, you need to insist on having a copy of all your children’s passwords (my one exception to the never share your password rule) and use parental controls. Exert your rights regularly both to reinforce everyone’s understanding of the rules and so that you can show that your actions were a part of your routine security practice, not for example retaliation.

That sounds pretty simple but I predict at least one lawsuit testing the expectation of privacy and complaining about actions that in the non-computer world would be considered nothing more than good parenting. Make sure that everyone knows that you are an authorized user, then you can monitor whenever you find it necessary and you can impose changes on your corporate computers whether or not the individual user likes them.

Disclaimer: I am not a lawyer. I don’t even play one on TV. This is a layman’s interpretation of the law. I like to think it’s an informed opinion but only that – an opinion. If you need specific legal advice, contact a qualified lawyer in your area.

I’ve joked before that Microsoft is evil. They’re easy to hate. My own opinion was equal parts rooting for the underdog (that is, anyone not MS), jealousy (why didn’t I think of that) and frustration at the low level of responsiveness that comes from any monopoly. I derided their security practices and settings while secretly acknowledging that writing good software is hard.

Well, a recent Wall Street Journal article changed the balance when they reported that Microsoft had the chance to completely reset the industry standards for privacy and deliberately choose not to. In early 2008 as they were planning for the Internet Explorer 8.0 browser, the product developers were building in tools and settings that would automatically defeat most common tracking tools unless a user deliberately switched to less private settings. Then marketing managers heard about the plan and, knowing just how much of their profits come from advertising, quashed the plan. The developers were forced to pull that code and changed the default setting back to the non-private mode. True, you can still make IE an almost safe browser if you know how but most people don’t have the skill or time to do so. Microsoft squandered a golden opportunity to take the moral high road and make the internet safer for all of us.

So what are your alternatives? You actually have quite a few – so many that the choice can be intimidating. Some people rave about Google Chrome. I don’t have much experience with it but given Google’s documented approach to privacy in their other applications, I’m skeptical. Apple’s Safari has its champions. If you’re already a Mac user, it’s probably a good choice. Opera also has its fans. Opera first introduced many of the features that are now considered standard for browsers and have some of the best features for users who have visual or motor impairments. They have a lead in mobile software (smart phones, Nintendo, WII, etc) but have never really caught on for mainstream users.

My preference, though, remains Mozilla’s Firefox. It has more users than any of the others (after Microsoft) so it has more developers watching for and fixing bugs. And it’s an early and prominent player in the open-source movement, a cause that I believe deserves support. (By the way, that means it’s FREE! Really. No strings. These people do it because they think it’s right.)

That said, there are a couple of features you need to turn on in order to be properly secure even with Firefox. In particular, here are two add-ons I strongly recommend – Adblock Plus and NoScript. They take a little getting used to but are well worth it for the added security they bring. You also have to make some choices in the Firefox settings themselves. In particular, you need to choose your cookie settings. I don’t think it’s realistic to disable all cookies. Too many are used to remember login information and make the websites work. Under Tools/Options and the Privacy tab, check “Accept cookies from sites” but then change the Keep Until setting to “I close Firefox”. I also recommend checking the “Clear history when Firefox closes” button. Use the “Exceptions” button to permanently allow the common, reputable sites you visit such as Yahoo, Amazon, Google, etc.

Do all that and you’ll have a reasonably secure browser. And maybe someday the bureaucrats at Microsoft will realize that they are squandering a chance to be the good guys for a change.

… is an oxymoron. Read this WSJ article for more. Not much else to say except the obvious. When you sign up for a free service, you generally get what you paid for, especially in the area of privacy. Never post anything online that you’d be embarrassed to see on tomorrow’s front page.

This post is likely to be a bit of a rant. Hopefully, you will be able to learn something from my mistakes.

Several years ago, I was using a thumbdrive as my backup. It was plenty big enough and it was often more flexible to keep the originals on the thumbdrive, especially for the financials I was keeping for the local bee club. I might never know what computer would be handy but with that thumbdrive in my pocket, I always had access to the records.

As you might expect, the drive eventually went bad. All the data lost. (Root cause – pulling it out of the machine too many times without going through the correct shutdown procedure.) That was when I discovered that my manual backups weren’t as good as I’d thought. It’s way too easy to procrastinate. Before you know it, well, my last backup had been almost a year and a half earlier. I recreated some records but a lot of hard work was lost nonetheless.

I was angry and frustrated – mostly with myself. I resolved to never let this happen again. Spent over a grand on a dedicated backup drive that would back up not just my files (and the bee club’s) but also the rest of my family’s – other users on the same machine and other computers in the house as well. I had to set up my own mini-network, but if it prevented that heartache again it would be worth it.

Well, I never did get it completely set up right. The network was accessible but the automatic backup software never worked as advertised. Nevertheless, it was an easily accessible backup space and I was much more diligent about making manual backups. And the drive actually spreads the data over several disks so even if one disk goes bad, you pop in a replacement and the drive self-recovers, hopefully with no data lost. (Wikipedia has a good technical explanation of how it works.)

Over time, I began to rely on it as the primary storage for some kinds of files. (I’m seeing a pattern here.) And again, the backup drive failed. I’ve been working for several weeks now to get it restored. Naturally, the failure is not in one of the replacable drives but in the central chip that runs the whole box. The root cause again appears to be the cumulative effect of improper shutdowns, this time the result of power outages. (The service in our area is … not great.) This led to more than my share of frustrating, late-night calls to the drive maker’s Tech Support.

I wish I could say that it’s either my fault of the drive makers. But other than living in a better neighborhood with more stable power or spending way more than it’s worth on a power-cleaning box, I don’t know what I could have done differently. So I’d like to say it’s the drive maker’s fault. The brand, by the way, is TeraStation. I started this post ready to slam them for the failure. I remain more than a little frustrated with their technical support team, a few of whom tried to be helpful but several of whom came across as supercilious and condescending. In their defense, though, two of my colleages have had the same brand for years with no problems so far.

The story’s not over yet. I am still attempting to restore the backup drive. I can restore most, though not all of the data from other sources if necessary. The biggest lesson for me is that despite all the marketing hype, a RAID Array (that mechanism that distributes the data across several drives) is still one device and therefore a single point of failure. I still need a better backup routine…

My dentist was asking about his computer this evening. He’s been having some trouble that might indicate a virus or could just be a sign that the computer’s getting a bit old. Along the way, he talked about some add-ons that seem to have added themselves to his system and he wasn’t really sure what they were. Between the novocain and the drill, I’m sure my answer was completely incoherent so here is an attempt to better answer the questions “What is an add-on” and “Should I let it be added to my computer”.

First, what is an add-on? (Other names include plug-in, extension and sometimes theme. More on that later.) An add-on is an optional software component that, in theory, increases the functionality and/or usability of the original program. Most people learn about add-ons in the context of their internet browser, especially if you are a Firefox user. Add-ons can improve your computer’s security (by blocking scripts and ads), make certain actions easier (like viewing pictures or updating webpages), improve compatibility with other programs such as Java or QuickTime or just customize the look and feel of the computer.

Add-ons can also be malicious trojan horses, bringing along all sorts of viruses and vulnerabilities to your computer. If you find an add-on you like – and there are some good ones out there – be sure that you get it from a reliable source. If you’re looking for add-ons to Mozilla’s Firefox, for example, go to Tools/Add-ons and look for the Browse all add-ons link. That will take you directly to the official Mozilla site. Internet Explorer has a similar path.

Some add-ons can be very helpful. I really like NoScript and AdBlock for Firefox. Between the two of them, they make my browsing much safer.

Many add-ons are neutral from a security point of view – they may make your browsing experience better but they neither help nor hurt your computer’s security.

Some are downright dangerous – add-ons that include some hidden code that lets the author control your computer or that otherwise subvert your security. Those tend to get filtered out of the legitimately sponsored sites pretty quickly but they are a real danger in chat rooms and unmoderated forums.

And an unfortunate number of add-ons are offered with a good heart but either badly written or just don’t take into account all the possible configurations that are out there – and when used in combination with some other add-on or program, they create new vulnerabilities that didn’t exist before. I put all the Google and Yahoo Toolbar add-ons in this category – well-intentioned but fundamentally unsafe.

Add-ons also tend to go out of support fairly quickly. They are often written by volunteers, after all. Microsoft has a financial incentive to keep programmers pounding away, patching their products. If a hacker finds a hole in an add-on, it may or may not get fixed quickly.

If you find an add-on you like, read the reviews to see what other users say about it. See if anyone has had concerns about unexpected interactions or problems. See if it’s been updated recently and find a legitimate download site. Then back everything up on your computer before you install it.

On the other hand, if your computer “spontaneously” offers to install an add-on, the right answer is almost invariably to reject it. If it looks like it might be useful, go to a legitimate site and read the reviews, then decide for yourself.

When an add-on is primarily designed to change the look and feel – background colors, fonts, logos, maybe even layout and organization of buttons – but not to change the underlying function of the program, that’s usually called a “theme”. There are literally thousands of themes available including ones for just about every sports franchise imaginable. They are commonly available not merely for your browser but also for your phone and for many other computer applications such as Media Player. Themes are usually safer to load since they are not supposed to affect the program but be careful. Something advertised as merely a theme can still include malicious code. And a badly written theme can cover up functions you do need, like say, the undo button – it’s still there but you can’t reach it because some other button is in the way. Like other add-ons discussed above, only consider themes from reputable sources. If you’re not sure, stick with the default theme.