Breaches

Breaches

Not Beaches!  BReaches!

Ah yes, breaches.  Not really a much better movie, I’m afraid, yet we keep seeing it over and over.  Big splashy headlines touting eye-popping numbers, followed by unsolicited offers of credit monitoring from companies who are really, really hoping their arbitration clauses hold up.

They do seem to arrive in clusters, also.  The latest one-two punch is Marriott, then Quora.  Marriott managed to get hacked and then not detect it for four years, finally now disclosing that half a billion-with-a-B guest records were exposed.  Credit cards, passport info, all the good juicy stuff.

This revelation was followed-up last night by Quora revealing that “only” 100 million-with-an-M records were breached.  This email notification went out overnight and resulted in 150,000 people going, Dammit, my Quora account got hacked! and 99,850,000 people going, Wait… what?  I have a Quora account?

In any case, the odds are very good that you have been among the nine-or-ten digit totals of a few data breaches already.  Here are a few tips on how you can deal with this and get on with life

  1. Take the monitoring.  When they offer you credit monitoring free for a year or so, take it.  Can’t hurt.  Worth the price. But you probably won’t need it because of the other things you are going to do on this list, like…
  2. Freeze your credit.  Go to each of the major credit reporting agencies’ websites (EquifaxExperian, TransUnion) and follow their process for freezing your credit reports.  Yes, this will make impulsively opening new credit accounts more difficult.   Why do you say that like it’s a bad thing?
  3. Check your statements.  Look for any phony activity.  Your issuer will make good on anything you report as fraudulent on your credit cards if you report it promptly.  Don’t wait.  By the way: banks are not obligated the same way to make good on fraudulent activity on debit cards – even if you use them as a credit card at the point of sale.  So in general, don’t do that.  I only use my debit card in the bank’s ATMs.
  4. Check your credit report.  Like a lawyer, the credit report checking site you want is not on TV!  Ignore all the catchy jingles and flying pigs with smartphones, and go to the only non-scammy site out there: annualcreditreport.com
  5. Manage your passwords.  We’ve talked about it in the past: how your passwords need to be different at every site you log into.  If they got your Quora password, let that be all they got.  For those of you who are not already using a password manager, the best advice I have is this:  START USING A PASSWORD MANAGER RFN.  There are things sites can do to make a password-file data breach lower impact;  hashing and salting are not just cooking techniques!  But not every site does the right things, and not every site does the things right.  And it only takes one failure to give everyone a bad day.  So you have to protect yourself, and using complex passwords that are unique per site is how you do that.  And the only way to keep those passwords all straight is with a password manager.
  6. Enable Two-Factor Everywhere.  Two-factor authentication is becoming widely popular since the vast majority of sites are now able to leverage things like Google Authenticator apps on users’ smartphones.  This means that dedicated hardware tokens are no longer required, and the barrier to users adopting it for their own logins are as low as they can be now.  Be sure you use this wherever it’s available: it means the difference between a password compromise being annoying vs. Game Over.

If you can get yourself to where you are doing these six things, Breaches can be another movie that you just make fun of.

IT v Security

IT v Security

One of my best friends is an IT guy, with about the same amount of career experience as I have.  (We’re old, get it?)

When we get together, I notice that we each show the distinctive mindset of our specialties: he’s always thinking, How can I get this to work?  And I’m always thinking, How can I break this?

And yet, it was he who sent me this:

Don’t be put off by the length – the time will fly by
Uptime 3: Climate Change

Uptime 3: Climate Change

Data centers with thousands of computers in concentrated amounts of floor space do have to expend enormous amounts of energy keeping things cool.  Your home data center can almost entirely ignore this issue, except where your computers have to be enclosed.

Server Closet.  Or at least, a server IN A closet.

At some point, you will want some of your servers out of sight.  Any machine that provides some service via the network without being needed in front of you is a server.  Home aesthetics will at some point demand that the thing get out of sight.

Your computer’s case has one or more fans that circulate air through it for cooling.  The fan draws in room air, heats it some with heat generated by the components operating inside, and then ejects it back into the room.  A typical room is large enough to absorb this without moving the needle much on the overall room temperature, so the process can continue more or less indefinitely.

The problem you encounter when putting a computer into a closet is, soon after the door is closed the computer is drawing in and heating already rather-hot air, and the temperature in the closet starts rising.  Much over 95F/35C, and you’re going to start having components on your system board begin to behave erratically or fail.

So don’t let things in there get too hot.  Check if it’s heating up steadily in there, and open the door a bit if you have to.  If you can, add a vent at the bottom of the door, and an exhaust fan or two at the top.  If you get a couple of 180mm fans that are designed to be installed is computer cases, you can probably work out how to power them outside a case, and you will find that they are really, really quiet.

Note: however you route your network cables in and out of the closet, be sure the door is not pinching them every time it opens or closes.  Eventually, a conductor in there will break and you will get to 1) do a really “fun” troubleshooting session, then 2) shop for a new network cable. 

Another thing you will want to avoid during the heating season is letting the air get too dry.  If that happens, you will have a tendency to build up static electric charge on yourself as you move around.  You can potentially zap your computers when you touch them, damaging random expensive things inside them. 

If you can add humidity to your environment, do so.  Get the relative humidity to about 50%, give or take 10%.  But (and this is important!) do NOT use a misting humidifier, one that sprays droplets into the air to evaporate there.  Be sure to use a humidifier that evaporates the water inside it, so the vapor that comes out is pure water.  If your humidifier sends droplets of tap water into the air, when the water evaporates, it will let the salts and minerals dissolved in it float down to the surfaces in the room, forming a fine white dust that you will see everywhere.  This dust has the potential to short out connections on printed circuit boards, causing all kinds of very expensive havoc.

Also don’t let the wiring in your server closet get away from you.  Like this guy did.

There are worse than this.  See /r/cablegore

Uptime 2: The Power

Uptime 2: The Power

Your home is your data center.

Maybe this sounds like a stretch but, unless you live a very low-tech existence (like this guy, perhaps?), this is how we all live now in the 21st century.  Oh sure, you are not going to have to have raised floor to accommodate miles of wiring, or forty tons of lead-acid batteries for power leveling, or gigantic Liebert chillers for cooling down hundreds of servers.  Still, it would be a good idea to give some thought to how your environment can be more comfortable for the dozens of computing devices that make modern life tick.  We don’t necessarily have to keep our homes to the strict environmental standards of large data centers.  Still, it pays not to subject our computing devices to too much environmental stress. 

Consider power. If a device works from a battery, which you recharge when you can, then it will be less sensitive to fluctuations in the power that comes out of your wall sockets. But devices that work straight off your line power can be quite sensitive to spikes or sags. Even if they take the power through a transformer (“wall wart”) it probably offers little or no protection from spikes that can damage the equipment.

Batteries directly power the large data centers, while being continuously recharged from line power or generator 

You won’t have a large roomful of batteries through which to pass all your electricity, providing an absolute filter against voltage sags and spikes. But for any of your digital devices that run on AC power out of a wall plug, you need to consider how to condition the power they get.  Though there are many options, the ones I want you to consider are a good surge suppressor and a UPS. 

Surge suppressors are best for:

  • Devices that have some internal battery capacity, e.g. laptops
  • Devices that will not lose data if the power drops — at least, no data that you care about

Not all surge suppressors do much in the way of suppressing potentially damaging surges.  Some are no more than power strips with a marketing makeover.  I use sites like The Wirecutter to figure out which ones are worth my attention.

For devices that have much more severe consequences when the power drops, you should be looking at a UPS.  A UPS is a teeny-tiny version of that roomful of batteries you see above: the line power keeps a battery inside the UPS charged, and that battery is what actually sends power to your equipment.  Consider a UPS for:

  • Desktop computers
  • Servers
  • DVRs
  • Networking equipment – cable or DSL modems, firewalls, switches, WiFi access.

UPS’s are sized in “VA” which means volt-amps.  Think of a VA as a unit of current to be supplied.  The more VA you have, the longer power will last after a utility failure.  But the larger the device(s) being powered, the faster it draws down VA from the UPS, so the less time you get. You can use a larger UPS to get more time or to power more devices.  Remember, for a desktop computer, you’re going to want to power the display, and any attached external hard drives as well.

I typically use a UPS between 750-1000 VA for a desktop computer.  This gives me enough time to finish up what I am doing, or at least get to a decent stopping point before I run out of juice.  If I can shut down my computer on my own terms during a power outage, I count that a win.  But in case you are not home, be sure every desktop and server is using the critical feature of most UPS’s: to connect a data cable and run a small background app that gracefully shuts down the system when the UPS informs it that the batteries are almost drained.  Otherwise, all you will have done by hooking up the UPS is delayed the sudden power failure by a couple of hours.

Another trick I have enjoyed during a few thunder-stormy evenings is using a smaller UPS (maybe around 500-600 VA) to power all my network gear.  The network stuff is less demanding and so lasts longer.  The result is, after two hours with no power from the utility, my server and desktop are dark.  But my iPad and my phone are happily using the WiFi to fetch email, check social media and even watch a little Netflix if I want.  I can even use that UPS to recharge my mobile devices as needed.

Uptime

Uptime

Every one of us has a data center to care for.  Not everyone takes it as seriously as some do.

The mouseover text for this one reads:

The weird sense of duty really good sysadmins have can border on the sociopathic, but it’s nice to know that it stands between the forces of darkness and your cat blog’s servers.

Point being, what’s trivial to you or me is not so trivial to someone.  And if that someone is a member of your household then you need to take it seriously, if for no other reason than shalom bayit

Think about the things a data center does to create a fundamentally good environment for the computers it houses: climate control, power protection, redundancy, fire protection, physical security.  

But Kahomono, I hear you saying, my house is not a data center!  Oh no?  Let’s talk about a job I had a few years ago.  OK, quite a few years.  But still: we were opening a new data center for a major NYC bank.  We had three computer rooms: the Mainframe room had 8 IBM 390s.  The Time-Sharing room had 4 Honeywell DPS-8s.  And the Mini room had about a dozen computers of various makes: Data General, Pr1me, Tandem, Digital.  There were also a handful of IBM PCs floating around, with which nobody was very impressed.  So let’s round up and say that this “Data Center” — and it was surely that — had about 30 computers housed in it.

How many computers in your home now?  Do you even know?  I can say that in a typical home housing a family of four, you probably have… more than in my 1980’s era data center.  40?  Maybe close to 50?  Consider that your phones and tablets, your set-top boxes, DVRs, gaming consoles, “smart home” controllers and endpoints, not to mention every “smart” appliance you connected to your poor overtaxed WiFi, are all computers at least as powerful and capable as that VAX in our Mini room back in the day.  So if you only counted your desktops and laptop computers, you missed the mark by around 90%, is my guess.

And every one of those computers is capable of violating at least one tenet of information security.  (Remember CIA?) 

  • Confidentiality: it could leak information about you and your activities that you would rather it didn’t.  
  • Integrity: It could damage or alter information it holds, making it less useful or even harmful to you
  • Availability: you could lose information you don’t want to lose.  Think emails, tax returns, photos, music collections, movies, saved game progress.

So what do you do about it that doesn’t turn you into that guy in the cartoon above?  More on that to come.

this post originally appeared on Kahomono – It Means Lucky. 

Digital Assistants

Digital Assistants

AKA permanent spyware

You must assume: if they can hear you ever, they can hear you always.

Amazon is offering bedside units with cameras.  What could possibly go wrong?

In 1984, Orwell speculated the state would force us all to have in-home surveillance.  We did George one better and went out and bought our own voluntarily.  From Smart TVs to Alexa: I know of no way to consider these things safe to have in your home.  My advice is to throw them all in the giant disk-drive shredder.

April Fool?

April Fool?

It’s an established fact that any headline in the form of a yes/no question can safely be answered, “no.”  And so it is with today’s post, as you will see.

One of the things we humans have to watch out for is, who can use data we generate almost unconsciously.  We have to be careful about the data that flows from our fitness devices, smartphones, home gadgets and web browsers.  The web browser is a hotbed of information about you on many levels, but today we are going to focus on one of the most fundamental.  It’s something we can think of as the absolute rawest version of your browsing history: your DNS data.

DNS stands for Domain Name System.  Simply defined, DNS is the Internet utility that turns server names into numeric addresses the Internet can use to get your requests to the right place.  So to read this post you entered a request for “safer-computing.com” and it was DNS who knew that means 45.79.69.96.  Therefore your web browser’s request for this page was routed to that Internet address, and from there, this content was returned to you.  If you had to manually look up a similar address for every website you wished to visit, I am going to guess you would not use the web very much.  Or at all.  I would surely not.

Now you may have a browser function for “Private” or “Incognito” browsing.  So if you wanted to hide the fact that you read a certain website, you would invoke that function, then read your “taboo” site, then close it out.  You would trust (or maybe you verified) that once you close that session, no record of your forbidden activity is preserved.  And that might indeed be true – but only so far as the computer on which you did this browsing is concerned.  In order to get the content at all, your computer had to send in a DNS request for the site you wanted to read, which had to be interpreted and executed.  Which means your ISP had access to the request and can build from that a very intricate history of your browsing habit.

Not only that, but the ISP may decide to do more than watch.  (They are going to have to have the numeric addresses in any case, so the list of sites is not really the main issue here.)  But ISPs have been seen to use their built-in DNS to hijack some requests and outright deny others.  The so-called “Great Firewall of China” is in large part, a corrupt DNS.  ISPs in “free” countries have been observed injecting ads and altering web pages, especially those of competing services.  The current FCC, in the USA, is unlikely to provide any relief.

So the smart course of action is, in my opinion, to move away from the ISP-provided DNS.  And I have used a bunch.  OpenDNS was lovely until it was bought by Cisco and started shedding features and performance.  For a while, therefore, I have been using Google’s 8.8.8.8 service.  Not bad, not great.  Google gets to spy on my web browsing habits — but they do that anyway, so I’m no worse off.

Then, yesterday, on April Fools’ Day (!), Cloudflare announced a new DNS service.  The address of their main server is 1.1.1.1.  Four 1s, they said, so of course they simply had to announce it on 4/1.  They promise not to retain logs or any identifying information, so there is nothing to resell or exploit.  If they breach that promise, it will come out.  For now, the service is touted as “Privacy-First.”  And oh yeah, it’s very fast.  15 milliseconds is considered a pretty good response time for DNS.  The North American results I have seen for this have it returning responses in under 5ms.

So for now… my DNS setting is number 1! 1! 1! 1!

And no, it was not an April Fool.  The habit of tech companies to announce fake services they think will get a laugh… all it gets is an eye-roll.

The Wirecutter on 3-2-1 Backups

The Wirecutter on 3-2-1 Backups

3-2-1 is the watchword for how to do backups.  3 copies, on at least 2 different media, and 1 offsite.  I have written about this a lot, as I consider it the most basic of security basics.

If your data is backed up offsite, ransomware can’t get to it, fire and flood can’t get to it.

Now The Wirecutter has thrown its backup hat into the ring.  They might have a few (million) more readers than I do, so I will go ahead and link to them.

I am not a huge fan of their cloud pick, Backblaze.  I have tried it and found it to be unacceptably slow.  But it’s probably the easiest to use for the non-technical user, so my disagreement is little more than a quibble.

I am currently backing up with Duplicati and then syncing my backups to pCloud.  Duplicati is awesome but I can tell you: when it comes to ease of use, it’s no Backblaze!  If you just read that and felt like you were going to enjoy that challenge, I say, go for it.

pCloud is just as easy to use as Backblaze, but it does not offer anything like as much functionality as Backblaze.  But it’s comparable in price, and if you can handle Duplicati, pCloud won’t even make you break a sweat.

Anyway, here’s the TL;DR:  Make. Your. Damn. Backups!

Whose Net? Our Net!

Whose Net? Our Net!

On Dec 14 the FCC carried out its corporate masters’ plan to gut net neutrality, responding to millions of astroturfed “comments” from dead people, etc.

This action made the work of the Electronic Frontier Foundation all the more critical.

On Feb 7, one of the EFF’s key founders, John Perry Barlow, passed away.  Some remembrances: Cory Doctorow, EFF, Kevin Kelly.

This was a very, very great loss for freedom… freedom of the mind that only a chaotic and open Internet can guarantee.  It was a great loss for humanity as well.

Kottke shared Barlow’s rule for being an adult.  I think it’s worth reproducing here.  Read them and aspire.

1. Be patient. No matter what.
2. Don’t badmouth: Assign responsibility, not blame. Say nothing of another you wouldn’t say to him.
3. Never assume the motives of others are, to them, less noble than yours are to you.
4. Expand your sense of the possible.
5. Don’t trouble yourself with matters you truly cannot change.
6. Expect no more of anyone than you can deliver yourself.
7. Tolerate ambiguity.
8. Laugh at yourself frequently.
9. Concern yourself with what is right rather than who is right.
10. Never forget that, no matter how certain, you might be wrong.
11. Give up blood sports.
12. Remember that your life belongs to others as well. Don’t risk it frivolously.
13. Never lie to anyone for any reason. (Lies of omission are sometimes exempt.)
14. Learn the needs of those around you and respect them.
15. Avoid the pursuit of happiness. Seek to define your mission and pursue that.
16. Reduce your use of the first personal pronoun.
17. Praise at least as often as you disparage.
18. Admit your errors freely and soon.
19. Become less suspicious of joy.
20. Understand humility.
21. Remember that love forgives everything.
22. Foster dignity.
23. Live memorably.
24. Love yourself.
25. Endure.

I like the dynamic tension between some of them.  For example, 4 and 5, or 9 and 10.

I feel a responsibility to continue on what he started for us.  You can help: donate to the EFF, the Freedom of the Press Foundation, and other causes that speak to you and that will help us hold the line against creeping corporatist fascism.

The Internet is the greatest opportunity humanity has had yet to avoid the tragedy of the commons – let’s not blow it.

Rest in Peace