I fairly regularly get e-mails asking why I’m still recommending an “old style” router (802.11g standard) in my security e-book The Hacker’s Nightmare, even though routers boasting a faster/better/more modern standard (802.11n) have been available for quite some time.

It’s been on my to-do list to write an article explaining my reasons for this. However, I’ve just been saved the trouble by the appearance of an excellent article from the keyboard of PCMech writer Rich Menga.

Rich has summed up my own reasons very nicely, and I unreservedly recommend his article to you.

After trying a number of the new-fangled 802.11n routers, Rich has given them all the flick and ordered himself a Linksys WRT54GL — the very router I have long recommended and continue to recommend in The Hacker’s Nightmare.

While you can use it quite satisfactorily straight out of the box, the WRT54GL is very versatile in that it can be “flashed”, or loaded with, third-party firmware (similar to software). My personal third-party firmware favorites for upgrading the WRT54GL are DD-WRT and Tomato. Both are free, and applying either to the WRT54GL makes it a very hard act to beat for overall performance, reliability and versatility.

Of course, there is a lot more to the safe use of any router than just plugging it in, which is why The Hacker’s Nightmare contains extensive, plain language instructions on configuring and securing the WRT54GL.

So where to next?

• Amazon.com is a trusted and reliable supplier to the entire world, and you will find it hard to beat their prices. Click here for the WRT54GL at Amazon.com.

and…

• You can currently snap up a copy of The Hacker’s Nightmare at a 50% discount.

• Oh, and read Rich Menga’s article here.

PR: wait… I: wait… L: wait… LD: wait… I: wait… wait… Rank: wait… Traffic: wait… Price: wait… C: wait…

©2010 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

I recently received a question from a reader asking how thieves were apparently able to detect laptops out of view in locked cars, say either covered up or in the trunk (or “boot”, depending on where you live).

This is a topic that’s seen batted around for some time and has attained the status of urban myth, with its share of believers and disbelievers and little in the way of hard facts or proof.

It’s a question I started to look into some time back, but for one reason or another I got sidetracked and never followed through to a conclusion.

Having the question raised again prompts me to present what little I know and request input from anyone who may have definite knowledge, particularly from any technicians who have experience with the types of devices I’ll mention hearing.

I’ll start with what I consider to be the most unlikely method of laptop detection.

Inductive Amplifiers

Now this is just something I’ve pieced together from bits and pieces here and there, so in mentioning it all I’m trying to do is open the discussion. I’m definitely not suggesting this is possible or practical — because I simply don’t know — but frankly I doubt it.

Proponents of this “myth” claim that it is possible to detect the presence of a laptop computer using a device called an inductive amplifier.

There have been quite a few unsupported and unsubstantiated reports that police in Selangor, Malaysia caught thieves red-handed with one version of an inductive amplifier, called a Model 200EP Tone Probe, that particular device being manufactured by Tempo-Textron, but there are of course many others. [Note: I found the Tempo-Textron site to be out of service a lot. Sorry, but nothing I can do about it.]

Personally I’m more inclined to think that any thief in possession of an inductive amplifier would be using it to disable car alarms.

Battery Detectors

Another fairly common suggestion is that the presence of a laptop can be detected by use of a so-called “battery detector”. Various types of battery detectors do exist, but to my knowledge their effective range is very small, and there would be myriad problems using such a device to detect a laptop in a car. For one thing I would expect that the metal enclosure of a car boot would provide a very effective barrier, not to mention all the other power sources that are constantly active in a vehicle.

As to the electrical properties of a laptop, there is ALWAYS some power present, whether the laptop is shut down or not, even if you remove the main battery. On the computer’s motherboard is a small battery much like that which runs your electronic watch. For historical reasons it is generally referred to as a CMOS battery. At the very least this battery maintains the real time clock, and it may maintain other settings as well. I believe voltages range from 3 volts to 4.5 volts, depending on make/model/brand/etc. There may even be more than one such board-mounted power source.

But detecting a laptop in a motor vehicle with a battery detector? I’m sceptical.

Bluetooth Scanning

The more obvious danger is leaving your laptop on or in sleep mode, such that its Bluetooth capabilities (if any) are active. Bluetooth scanning will reveal not only the presence of a laptop or high-end phone, but also its make/model. And such identification opens up the possibility of “steal to order”, allowing high-end devices to be specifically targeted. There’s plenty of information available on Bluetooth detection so I won’t belabor the point further here. Anyone wishing to research this further could try some of these keywords:

• Bluetooth Scanning
• BlueBugging
• BlueJacking
• BlueSnarfing

I don’t think rehashing unsupported myths and suppositions serves any purpose, but if you have any definitive information on how laptops and/or high end mobile phones might be detected inside a locked car I’d certainly like to hear about it. Please use the comments box below…

©2010 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

As regular readers will be aware my blog topics tend to be somewhat diverse, but I strive to stick to subjects that will be of interest to at least a good percentage of my readers. So I’m excusing this departure from the technical on the basis that quite a few of my subscribers are in business for themselves.

Not long after my earlier article on customer service, in which I pointed the finger somewhat accusingly at one particular company, I received an e-mail from a senior representative of that organization, requesting a telephone conversation.

Matt Meanchoff is Director of Global Support at Absolute Software Corporation, the company behind the “LoJack for Laptops” service that I castigated somewhat severely in this article for their lack of response to e-mail contacts.

I want to emphasize at the outset that Mr Meanchoff didn’t call to criticize my article or to offer excuses for the experience I had with his company. He wanted to explain what had happened and why, and he soon convinced me he was genuinely concerned to fix any problems that adversely impacted customer service.

This in my view is a commendable response and demonstrates a willingness to address problems of which they were unaware. After all, if we have problems with a company, what more can we wish for than that they listen and act?

Is your business making these mistakes?

Publishing an insight into our conversation could provide a timely lesson for other online businesses who are making similar customer service mistakes, possibly quite innocently and unknowingly.

Mr Meanchoff explained that the e-mail address I had used to contact his company was distributed into the company’s sales channel. He is adamant that his own area of responsibility, actual technical support of existing customers, has earned high praise from their customers. Mr Meanchoff came across as pleasant, credible, highly motivated and a believer in his company’s products and services, so I have no reason to doubt his claim in that regard.

He was quick to acknowledge that there was no excuse for the communications failures I had experienced, regardless of what internal department was responsible. He was obviously well aware that if prospects don’t become customers due to communications failures in the sales channel, then his support team never gets a chance to demonstrate their effectiveness.

Customer-friendly tips for every business

Speaking to Meanchoff I became convinced that Absolute Software wanted to address those shortcomings as soon as possible, and I made three suggestions which I believe should be implemented by any company doing business online:

• Turn off the sending of the “read receipts” in the e-mail client programs of all employees. This prevents your customers from receiving the obnoxious “deleted without being read” message. This is not disadvantageous to the customer so long as you also implement the next recommendation.

The actual location for this setting may vary according to your version of Microsoft Outlook, but a likely location is:
Tools –> Options –> Preferences –> Email Options –> Tracking Options
Then select either: “Never send a response” or “Ask me before sending a response”

• Set up an auto-responder to immediately notify a correspondent that their message has been received and that they will receive a reply within a certain time frame. Marketing experience dictates that a specific time-frame should be given. Simply stating “as soon as possible” is not really acceptable, and nor is a long time frame. If you can’t respond to customer inquiries within 24 hours then I suggest you need to take a long hard look at your support infrastructure. If you can do better than that then say so, but don’t promise a response within one hour if there is little likelihood you could always meet that commitment. And don’t just stop with an acknowledgment, go the extra yard. When someone fills out your online form to contact you they aren’t left with a copy of their own message to refer to at a later date. So have your auto-responder include a copy of their original message. Little things like that make a big difference. Oh, and be consistent. Australia’s largest ISP promises a one-day response on their contact web form, and the autoresponse e-mail says you’ll hear from them within two days!

• Finally, provide an escalation contact. Whenever I suggest this one to my clients the response is usually that they don’t want to publicly display an executive’s e-mail address because it will be abused. Well, yes, it probably will, but you don’t have to display it publicly. This information can be provided in the auto-responder message: “If you don’t hear from us within 12 hours or if you are not satisfied with our response please notify our customer service manager directly at escalation@company.com”.

So after speaking with Matt Meanchoff I’m satisfied that my unfortunate experience isn’t indicative of an uncaring corporate attitude, but due solely to weaknesses in the communications chain — weaknesses that they acknowledge and want to address now that they’re aware of them. Again, that’s a positive and commendable response.

Handling bad publicity

So what about those disparaging quotes from Amazon.com that I repeated in my earlier article?

I have no way of knowing whether or not those complaints were justified, but I’m obligated to repeat an example that Matt Meanchoff provided.

The “LoJack for Laptops” service relies on a stolen laptop being used again. Until the BIOS code is executed at system start-up no communications related to identification/recovery can take place. So if a laptop is stolen (say for malicious reasons rather than for use or profit) and dumped in a river, there is no possibility of recovery. Fortunately for the great majority of laptop owners most theft is for reuse or sale, ensuring that the machine will be switched on again and thus given the opportunity to communicate.

No matter the nature of your business or how great your product or how careful you are, you are always going to have an unhappy customer here and there. I’m sure you’ve heard the old saying that goes something like: “A satisfied customer tells one or two people; a dissatisfied customer tells everyone”. In other words, anger and frustration incite people to speak up, while the satisfied just go quietly about their business.

So if you have a genuinely good product and a lot of satisfied customers, you must take positive steps to counter the few noisy ones. People responsible for marketing and customer service need to be constantly on the lookout for comments about their product, whether good or bad. The good can often be used to your advantage, and the bad must be countered.

You cannot afford to ignore bad publicity and hope that it will just eventually fade away, because once published on the Internet it can always be found — days, months and even many years later. It will turn up in the search results of the very people you want to attract: targeted prospects who are searching specifically for what you offer.

Many professional Internet marketers retain inexpensive offshore contractors to continually search the Web for any mention of their product, their competition’s products, their marketing niche, and so on — anything they can use to give them a competitive edge or, if necessary, protect themselves from bad publicity. Mainstream businesses could learn a lot from the tactics employed by Internet marketers.

Absolute Software should have discovered those Amazon comments themselves when they were first posted. They would then have had the opportunity to contact the complainant’s directly and try to sort out their problems. At the very least they could request some of their many satisfied customers to post positive responses as a counter. This is well worth doing even if you have to offer your satisfied customers an incentive to do so. But if your customers aren’t prepared to speak up for you then they probably aren’t as “happy” as you’d like to believe!

Because the last thing a company wants is to have someone like me, having already had some bad experience, finding a site where 100% of the comments are disparaging. That just reinforces my original impression.

In contacting me, explaining the situation, acknowledging the shortcomings, Absolute Software has convinced me to take the next step and report on their recovery service and technology, something that, hopefully with their assistance, I’ll be doing in a future article.

So long as customer concerns — your concerns — are being addressed, I’m happy to investigate the practicalities of any product or service impartially.

Afterthought…

One last thing I just thought of.

While Absolute Software boasts a professional looking website with lots of resources available, one thing I wasn’t terribly impressed with was the fact that all the testimonials were apparently from law enforcement officers. Sure, it’s good to have people like that on side and saying so, but prospective users of the service will be looking for the experiences of actual existing customers. Law-enforcement is obviously going to have a different interaction with the company than will customers of the service.

I’m happy to report that what I missed the first time around was the Case Studies link.

What’s the difference between a case study and a testimonial? I suppose you could say that a testimonial is a customer experience told in the first person, whereas a case study is more likely to be a story told in the third person.

But regardless of the semantics, there are plenty of customer experience stories to be found — 41 of them in fact at the time of this writing. You can check out their case studies here.

Related articles:

• Is Customer Service Really the New Marketing?
• Ted Mininni: For Sale: Business Culture

©2010 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

A fairly common complaint around support forums is that one or more applications do not appear in Control Panel’s Add or Remove Programs list. The Add or Remove Programs feature is a much misunderstood application, hence these queries are rarely resolved satisfactorily in the ensuing forum discussions, and blame for the omission is often misplaced.

While superficially it might seem reasonable to blame the coding of an application which doesn’t have an Add or Remove Programs entry, there are in fact many possible reasons why the Add or Remove Programs list might not be complete, and the program itself is the least likely cause. Yes, the problem can lie with the individual application, but it can also lie with a mis-configuration of Windows itself, or even with an entirely different program which itself may appear to be unaffected.

I don’t propose this article to be an exhaustive treatment of this topic. My aim is simply to alert you to enough of the possibilities to give you the background to search out a solution appropriate to your particular circumstances. Hopefully this information will make that task much easier.

Let’s begin by looking at just how an application gets to appear in the Add or Remove Programs list to start with.

Contrary to popular belief, it’s not up to the developer to directly program his application to appear in the Add or Remove Programs list. An application’s appearance in the list is determined by Windows, which is supposed to create an entry for any Windows-compatible program that has an uninstall component. Thus all the developer has to do to qualify his application for inclusion in the Add or Remove Programs list is to provide an UNINSTALL.EXE (by whatever name), or a Windows-accessible uninstall routine within his program.

Windows will then add details of the application to a special “uninstall list” in the Windows Registry. The list is located at this Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Each entry under that key represents an individual program that will appear in the Add or Remove Programs list, and each entry has several values associated with it, the most important of which to this discussion are:

DisplayName: The name that is shown in the Add or Remove Programs list.

UninstallString: The program or routine that is used to uninstall the application.

All that will be made quite clear by simply viewing some of the entries for that Registry Key in Regedit.

USUAL WARNING
Messing with the Windows Registry
can cause severe headaches!

Manual editing of the Registry key may be appropriate under certain circumstances, such as when an application has been uninstalled but still appears in the Add or Remove Programs list. Deleting the appropriate entry under the Registry key will cause that program to disappear from the Add or Remove Programs list.

There is one particularly important point about this Registry key that you must know in order to fully understand the population of the Add or Remove Programs dialog. Here it is:

The list of programs maintained at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall is ONLY automatically updated when a program is installed in Windows or when a program is uninstalled from Windows. Otherwise…

WINDOWS DOES NOT PROVIDE ANY MECHANISM
TO REFRESH OR UPDATE THIS LIST!

So obviously, if an entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall is inappropriately edited or deleted, the Add or Remove Programs dialog will continue to reflect that error until it is manually rectified.

To illustrate just how complex the reasons behind missing entries in Add or Remove Programs can be, let’s look  at just one way that Windows intentionally hides certain program name entries from the Add or Remove Programs list.

Use Windows Explorer (WinKey+E) to locate the folder %System Root%\Windows\inf\. On most computers that will be c:\Windows\inf\. Within that folder locate the file SYSOC.INF and open it in Windows Notepad (or any other PLAIN TEXT editor — NOT a word processor).

Here’s what a small section of SYSOC.INF might look like:

Games=ocgen.dll,OcEntry,games.inf,HIDE,7
AccessUtil=ocgen.dll,OcEntry,accessor.inf,HIDE,7
CommApps=ocgen.dll,OcEntry,communic.inf,HIDE,7
MultiM=ocgen.dll,OcEntry,multimed.inf,HIDE,7
AccessOpt=ocgen.dll,OcEntry,optional.inf,HIDE,7
Pinball=ocgen.dll,OcEntry,pinball.inf,HIDE,7
MSWordPad=ocgen.dll,OcEntry,wordpad.inf,HIDE,7
ZoneGames=zoneoc.dll,ZoneSetupProc,igames.inf,,7

Those entries containing the word “HIDE” (case is not important) will be hidden from the Add or Remove Programs list. If editing any of these entries, remove only the word “HIDE” but leave the commas in place, as shown in the last line above. A system reboot is necessary before any changes will take effect.

It should be noted that I have also heard reports that changing the “HIDE” status of certain entries in SYSOC.INF will not always see that change reflected in the Add or Remove Programs dialog. I assume that’s because one of the many other reasons that entries may not appear in the list is also having an effect.

Another oddity sometimes encountered with the Add or Remove Programs dialog is that it can have a long gap of white space between one entry and the next. One program known to cause this is certain versions of AutoCAD. The operation of AutoCAD itself appears to be completely unaffected. I’ve also heard reports that the white space may appear after the AutoCAD entry in Add or Remove Programs, or it may appear after some other different and unrelated entry, even though AutoCAD is the cause. The reason for this odd behavior appears to be a negative icon number in a Registry entry related to AutoCAD. For example:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BIG_HEX_NUMBER_HERE}

Value Name: DisplayIcon

Value Type: REG_SZalue Data: C:\Program Files\AutoCAD LT 2000i\aclt.exe,-1

The solution to the problem is to change the “-1″ at the end of the Value Data line to “1″.

I must emphasize that this small “bug” in some versions of AutoCAD in no way affects the operation of the program itself. This example serves to illustrate that even the most expensive, upmarket, highly regarded professional applications can suffer these little quirks without any adverse reflection on the quality of the application itself. Perfection would be nice, but lack of perfection doesn’t necessarily equate to disaster or a substandard product.

Another completely different example of cause and effect…

Entries in the Add or Remove Programs list can also be affected by the Windows installation itself.

The Add or Remove Programs applet relies on the presence and correct formatting of 18 separate Registry keys. All of those keys must have been correctly set by registering the control program APPWIZ.CPL. While such registration should occur during Windows installation, it has been known to go wrong, and Registry entries could also have been affected by other subsequent events. Such events could include Registry mangling by a rogue application or some form of malware attack. If this possibility is the cause of any problem with the Add or Remove Programs list, it may help to try registering APPWIZ.CPL manually. Here’s how:

1. Click Start, click Run.
2. Type this three-letter command into the “Open” text field: CMD
3. Click the OK button.
4. At the prompt, type: REGSVR32 APPWIZ.CPL
5. Press the Enter key.

All being well APPWIZ.CPL should be re-registered and all 18 relevant Registry keys correctly entered and formatted in the Windows Registry.

Following many such discussions in technical and support forums over a long period of time leads me to the observation that, more often than not, computer users tend to jump in and lay the blame for a missing entry in Add or Remove Programs on the particular application itself, which in fact is probably the least likely reason. I can’t think of any good reason why a responsible developer would risk drawing criticism by trying to intentionally prevent their application from appearing in the Add or Remove Programs list, especially if they provide an uninstall option anyway. It just doesn’t make sense.

There is a lesson here that I’ve alluded to many times in the past:

Be wary of laying blame in relation to complex Windows problems. Not only may you be unjustly denigrating a blameless application, but you also risk trumpeting your own lack of knowledge as well. It’s very easy to make a fool of yourself by going off half-cocked.

Well, hopefully that gives you a useful glimpse into the complexities of the Add or Remove Programs applet, and perhaps some ideas on how to rectify related problems you may encounter.

©2010 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

TOPIC #1: Video Problems

Well I really owe y’all an apology. I’ve been so busy with the new membership site that I hadn’t logged in to the blog administration for a while, so I didn’t know all those comments were awaiting approval.

And as a result of that omission I wasn’t alerted to the fact that the video wasn’t displaying.

The reason for that remains a mystery. I certainly wouldn’t completely exclude the possibility of an error on our part, but I’m inclined to think there was a glitch in YouTube.

When the video was posted it was originally set to Private while we checked it out, then reset to “Share your video with the world”. But it appears that either it didn’t reset to Public, or it subsequently reset to Private again later.

I’ve changed it again to Public, so here’s hoping. Please drop back one post and try viewing the video again. If you still have problems try viewing it on YouTube by clicking here.

TOPIC #2: Affiliates and the New Membership Site

Since I announced in an earlier article the impending demise of The Hacker’s Nightmare e-book I have received several contacts from people concerned about the loss of an affiliate program.

For those readers not familiar with the concept, in Internet terms an affiliate is someone who has built a list of contacts to whom they promote various products and services.

Legitimate affiliates are NOT spammers. People on an affiliate marketer’s list have expressed an interest in the marketer’s area of interest and have given their permission to receive newsletters, announcements, promotions, etc from the marketer. An ethical and reliable affiliate marketer can be a very useful source of information on new products/services, interesting events and other up-to-date information.

In return for their efforts affiliate marketers receive a commission from the manufacturer or publisher of products they promote.

Of course, as with everything else, there are both ethical, principled affiliate marketers and there are self-serving cads who won’t hesitate to recommend complete rubbish if there’s a buck in it for them. Smart affiliate marketers know only too well that their future success depends on their reputation for honesty and integrity, so they won’t hesitate to call a dog a dog if that’s what it is.

Now, from my perspective, affiliate marketers can play a very important part in the success of the upcoming CAOS members’ site. An affiliate marketer with a large list of people who trust his recommendations can spread the word faster and more effectively even then paid advertising.

Although I know that we’ll be providing a valuable quality service that is needed by a lot of people, obviously it can only be of value to those people who know about it, thus getting the word “out there” is extremely important.

So believe me, I fully appreciate the value of affiliates and I’m not taking the affiliate issue lightly.

The conflict exists because of my insistence that membership be affordable by absolutely anyone. And I mean REALLY affordable, like the cost of a couple of coffees per week! I still haven’t figured out exactly what it has to be in dollar terms to cover my costs, but as I promised in a previous article, the only shock will be just how low it is.

Anyway, getting to the point, I’ve thought long and hard about this and I believe I can satisfy everyone after all.

There WILL be an affiliate program, but…

It will apply to every member rather than just to semi-/professional affiliate marketers. There are still some details to be worked out, but here’s what I’m thinking…

• Every registered member will be eligible for a small cash incentive for every person they refer who in turn becomes a member. Considering the extremely low price point, this should be such an easy “sell” that it would be more like doing your friends a favor than convincing them of anything.

• You’ll receive your commission every month so long as both you and your referral maintains membership.

• I’d like to work it so that as few as three referrals would be enough to cover your own monthly membership. Anything above that we’ll send to you in cash each month — say via PayPal. I’m hoping that just having their own membership covered will be attractive to those members who have no real interest in becoming serious affiliates.

• Professional affiliates accustomed to commissions in the dozens up to hundreds of dollars will, in one respect, be disappointed. However, the ridiculously low membership fee should mean (a) practically zero buyer resistance if you’re targeting the right market, and (b) an extremely low cancellation rate. I’m not suggesting you will be able to order a new Porsche, but paying the registration and fuel shouldn’t require much effort.

What do YOU think?

For or against? Foresee any problems? Questions? Recommendations?

The new membership site is intended to be for its members, not for me, so it’s important that it meets your wants, needs and desires. I KNOW you will be delighted with the content and services inside the membership area, but there are other aspects to be considered also.

So please don’t be shy — use the comment box below to give me your thoughts.

©2010 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

This article is a slightly edited extract (Chapter 29: Passwords I—Choosing & Using) from Bill Hely’s security e-book The Hacker’s Nightmare. The contents are Copyright © 2004-2009 Bill Hely and all rights are reserved.

-oOOo-

In order to access private data on a protected system you are usually required to enter a Username and a Password. This is a necessary precaution to verify to the system that you are a person with legitimate rights to access that data.

While the importance of Passwords - and the importance of treating them with respect and circumspection – should be self evident, the important points are ignored so often that some repetition is warranted.

Here are the most important things to remember about Passwords:

1. Do not tell your passwords to anyone. If you are asked by someone to reveal your password, say NO. There is simply no reason. The only person who might have the “right” to access your account using your own private credentials is an accredited System Administrator. If someone tells you he is an Administrator and needs to know your credentials, be very sure that you are absolutely certain you know who you are talking to. Take your guidance from the policies of online banking services: No one at their end knows your password; no one at their end can even look up your password; and no legitimate representative of an online banking service will ever ask you for your password. If a System Administrator really needs to access your account it’s a simple matter for him to change your password, log in, do what he needs to do, and advise you of the new password.
2. Don’t write your password down on a Post-It note and stick it to your monitor, or anywhere else in your workspace. If you really need to write it down, put the note into your purse or wallet, but never anywhere on or near the computer. And don’t write on the note “My computer password”! There are plenty of ways to disguise what the note is about.
3. Don’t save a password file on your computer in any sort of readable file. If you have a lot of passwords and can’t remember them all, write them down (see point 2 above). If you really want to save them in a file, use some secure form of encryption. Best of all, use a secure password manager such as RoboForm.

OK, so what about choosing the actual password itself?

If I had to make a rough guess, I’d say that 99.9% of the world’s computer-using population would immediately – and without any thoughtful consideration at all – choose exactly the sort of password they should not be choosing.

When creating a password, you should never choose a word or phrase that others could easily guess. Don’t use the name of your spouse, your cat, your street, or the manufacturer of your computer or monitor. In  fact, don’t use any meaningful word from the dictionary – they are easy prey for a hacker’s dictionary attack.

The best password is a long, random string of mixed case characters, numbers and punctuation marks.

If you really need something easy to remember, take parts of words and combine them into something that you can still speak, but that make no sense. Then attach a few numbers to complicate matters further.

What makes a good password?

In answering this question I think it helps to understand what makes a bad password. It’s been found that the worst of the most frequently used passwords are:

god	fred
password	master
111111	boss
The name of your organization, department, unit, etc.
The names of spouses, boyfriend or girlfriend, pets.
Anything to do with your address-home or work.

All of the above (and variations on them) are obvious and easy to guess or track down. That makes them, from a security standpoint, just plain stupid. Yet they are used by literally tens of thousands, if not millions, of people on a daily basis.

So what makes a good password? Three prime considerations are:

Things that are not dictionary words (in any language).

That do not repeat characters.

That are long enough to make it hard to watch or attack using ‘brute force’.

Now I admit that while those are standard recommendations, those few pointers don’t help all that much, because it’s still difficult to understand what you should choose. After all, you still have to be able to remember the password.

The trick is to pick the right mixture of words/characters that make it impossible for someone else to guess or to discover by research. This is where the password system itself (i.e. the password field that you are required to fill in) may not help as much as it should.

Ideally a password field should accept up to 40 characters, and acceptable characters should be anything you can find on the keyboard. In practice you may not use all 40, but if you need to use a top quality password at least you have the option to do so. The problem is that all too often you’ll encounter password fields that stipulate “6 to 8 characters in length, no punctuation or characters other than letters or numerals”.

You need to pick something you feel comfortable typing, and which uses at the very least 8 characters – a character being anything on the keyboard, including all the non-alpha-numerics if permitted. The trick is to pick a couple of words you do know, preferably not related to each other, and add a few special characters to them so they are no longer dictionary words. Here are a few examples:

• Table!house*
• Knight(soil)
• Dem0n**manager
• TheWarOf1775
• TailThe****donkey
• N0thing failslike succe$$

The last is a common quotation (attributed to journalist Gerald Nachman) which is not usually a good idea, but it’s still hard to guess or attack, especially if you don’t know where the spaces are, or where letters have been replaced with other characters. An “o” can become a zero, for example, and the “$” sign is an obvious replacement for the letter “s”.

Passwords need to be changed from time to time and choosing a frequency also requires a little thought.

A password that protects something vital needs to be changed often, but you need to be able to remember it. Having a long, convoluted password generally means you don’t need to change it so often. So if you can cope with the typing, pick a long password and it can endure longer.

Unfortunately, as stated above, many systems impose a very short maximum length for a password field. This is regrettable and anti-security. A six-character password of upper case letters is a few seconds work for an experienced attacker with the right tools. Even using all possible characters, a length of six isn’t the job of many hours.

The inclusion of punctuation and other non-alpha-numeric characters makes an attackers job exponentially more difficult. In July 2003 a group of Swiss researchers published a paper on a method they developed for “speed cracking” Windows passwords. One thing that emerged from their work was that the inclusion of punctuation characters in passwords significantly increases the difficulty of cracking them.

Now, as I said earlier: You still have to be able to remember the password. The tips above should give you some ideas on how to construct a non-dictionary password that is easily remembered. That’s a practical approach for passwords in stand-alone programs.

For password-protected websites there is an infinitely better way, and I don’t mean using the same password or two for all occasions!

Earlier I recommended the installation of the utility program RoboForm, which has an excellent password generator. Here’s an example of a secure 32-character password generated with just a couple of mouse clicks (the figure below shows how it was generated – note how configurable RoboForm’s password generation is, allowing you to preset the maximum length and include or omit certain types of characters).

53^t5rouhhUnJK66zW%dBgua4S!oNVr6

On first sighting a really secure password like that, your reaction will probably be something like “Oh my goodness! How would I ever remember that?” The answer is…

You don’t have to!

As explained earlier, RoboForm is, among other things, a password manager. It remembers your passwords and the Web pages they are associated with, and offers them up as needed. The passwords that RoboForm “remembers” are protected by a single master password, which is the only one you have to remember yourself.

In the interests of your own security you must develop a healthy respect for the importance of passwords.

The example above is the sort of password you should be using to protect your on-line banking access (within the limits of the constraints they enforce as to character types and length), wireless router and the like.

Unfortunately RoboForm can only manage the passwords for web browsers, not separate, stand-alone programs installed on your PC. For stand-alone programs I urge you to consider the password creation techniques discussed earlier. They result in word and character combinations that are far from obvious, yet are easy to remember.

But for Internet password management look no further than RoboForm. It’s an incredibly useful application with so many uses. For example, it can also remember a lot of information about you, store it securely in password-protected “profiles”, and use that information to automatically fill in all manner of web-forms, an onerous task at times. If you haven’t already installed RoboForm, do so now. It really is a must-have  application that you’ll never regret installing.

-oOOo-

©2010 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

When you’re blocked from visiting a known-good website, it could be your own system being over-protective.

Some protective applications use a special Windows file called ‘hosts’ to intentionally prevent the computer user from browsing to certain Web sites. This is achieved by inserting a special command line into the Hosts file that specifies that if any attempt is made to browse to a nominated Web address (e.g. BadHacker.com), the browser should be redirected to another URL or simply fail. Such a command when placed into the hosts file might look like this:

127.0.0.1 clickbank.net # This is a comment.

That line of script simply means that any attempt to browse to ClickBank.net should be redirected to the IP address 127.0.0.1. Optionally, any random comment can be placed after a hash sign.

127.0.0.1 is the standard IP address used for a “loopback network connection”, which basically means that if you try to connect to the IP address 127.0.0.1 you are immediately looped back to your own computer. In other words, the browsing request goes nowhere.

Some applications that use this ban-list technique will write literally thousands of “prohibited” URL entries to the Hosts file. Many people swear by this technique to protect them from malicious websites, but I have two problems with it:

1. Very, very few average computer users are aware of it and are thus understandably confused and frustrated when they fail to connect to a website that they know exists and with which their friends and associates experience no problem.
2. Who decides on the selection criteria for determining which URLs should be included in the “prohibited” list? The desirability of avoiding certain sites is clear-cut; if a site is well known as a source of malware or obnoxious content then its inclusion is clearly justified. But there are certain Web sites often included in these large ban-lists that are, to my mind, impossible to justify with any degree of logic or common-sense.

One site often included in these “ban” lists is ClickBank.com. Here is some information about ClickBank from their own website:

ClickBank is the world’s largest online retailer for those engaged in developing, selling and promoting digitally downloaded products and services. They process in the vicinity of 25,000 transactions daily from around the world and have 110,000 active affiliates. The company functions as a virtual business network facilitating the interactions and transactions between buyers, sellers and affiliates while providing guaranteed tracking of sales, state-of-the-art fraud protection and a totally secure platform.

The vast majority of the copies of my popular security e-book The Hacker’s Nightmare have been sold using ClickBank as the payment processor since 2004.

The problem regarding whether an inclusion is justified or not stems from the fact that most of these “ban” lists are compiled by hard-core geeks, a class of Internet user often associated with an anti-commerce stance. One provider of such a list, hosts-file.net, justifies the banning of ClickBank (which it classifies as an “FSA” site) as follows:

FSA – sites engaged in the selling or distribution of bogus or fraudulent applications. This classification is assigned to site’s being used for the distribution of ‘rogue’ security or other such applications, for example: SpyHunter, SpyFalcon, SpywareQuake, AdwareAlert, etc.

So apparently the list compilers want ClickBank to assume responsibility for thoroughly vetting all 35,000+ products offered through its marketplace. Whether you think that’s reasonable or not is besides the point. ClickBank is not itself a harmful site, and the most significant effect of its inclusion on such lists is to cause confusion and frustration to many computer users, and a completely unnecessary flood of support e-mails and phone calls as they try to get to the bottom of the problem.

In defending this position I’ve been accused in at least one discussion forum of calling the layer of protection offered by these lists as “silly”. That is not, nor has it ever been, my opinion. The judicious use of the Hosts file to protect computer users from known malicious websites is both valid and useful. But what is silly and harmful is the inclusion of websites like ClickBank which are clearly not malicious in any way. If you are going to use one of these lists you must at all times remain conscious of the fact that it is in play, so you know that a close inspection of the Hosts file should be your first action in the event of failure to contact a known-good website.

In a standard Windows installation the hosts file can be found in this location:

C:\WINDOWS\system32\drivers\etc

It is a plain text file simply called hosts and has no extension to the filename.

©2010 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

This is an edited reprint of an article I first published over a year ago, but it addresses a concern of which Windows users need to be constantly reminded.

Since the first edition of my security book “The Hacker’s Nightmare“ was released in 2003, it has always carried a 100% satisfaction guarantee.

Yet in all that time we have received a negligible number of requests for refunds –- no more than a handful in five years. As anyone familiar with the marketing of information products online will know, that’s an extraordinary statistic, and one of which I’m very proud. It’s a clear indication of the value of the book and the information it contains.

Even of those few we’ve refunded, the majority have obviously been “scammers” if that’s the right word. A thief is a thief, whether virtual or real-world. Anyway, it’s easy to pick the thief; he buys your product and within a few minutes (just enough time to download it) he claims a refund, usually directly from the payment processor, ClickBank or Paypal. OK, we know there are dishonest people out there – that’s life.

The other few “refundees” usually offer (unasked) a good reason and even appear apologetic for making a claim. These we are happy to refund and I never give them another thought. One gentleman telephoned from the UK to Australia to say he couldn’t follow the directions and could he have a refund because it was all a bit beyond him. Turned out he was a raw beginner who had just bought an Apple Mac. No wonder it was all “double Dutch” to him – wrong Operating System!

No refund request is ever denied, but once in a while a “reason” given for requesting a refund irks me for days after.

So what’s all this got to do with security?

Steady on. I’m getting to it.

A while back one of my assistants processed a refund request for a lady who gave this reason:

“The reason I’m not satisfied with it is because most of the recommendations entail buying software to protect my computer and frankly I am not in a position to spend any more money than I already have on my computer.”

Now, first up, that’s a misleading claim for several reasons.

Many of the techniques and tools I recommend – and describe in considerable detail – are completely free.

In some cases there are free versions of commercial software that I class as “adequate”, but give reasons why the full commercial version would be a better choice. Ultimately that choice is up to the reader.

Finally, there are cases where I flatly declare and avow that a specific item of commercial software is mandatory and that the alternatives – free or cheaper or whatever – are not worthy of consideration, and I give detailed and substantiated reasons why. But even in these few cases the cost is never significant.

Then there is the educational value. It has been proven on many occasions, in many different businesses, that just reading “The Hacker’s Nightmare“, and taking no actual action, will leave the average computer user better educated, better prepared, more aware and safer for the experience.

How come? Well, you see…

The first line of defense against many Internet-borne threats is THE HUMAN BRAIN!!! And just reading through “The Hacker’s Nightmare“ will imbue an awareness that the average reader did not possess beforehand.

Mind you, “read only” is certainly not what I recommend. Far from it. But sometimes that’s the only course open to some people.

For example, at least two police forces that I know of use “The Hacker’s Nightmare“ to educate officers in the basics that will better equip them for taking complaints on computer crime. Obviously the officers are “discouraged” from implementing preventive measures on their force’s network! In an organization that’s the responsibility of the IT support person.

Similarly, several companies have purchased multi-user licenses for “The Hacker’s Nightmare“ and make its reading a mandatory condition of employment for all staff.

Most organizations have an “IT person” responsible for configurations and installations, and general staff are (wisely) forbidden from engaging in such activities themselves.

Yet smart management is awake to the fact that computer and Internet security is as much a mindset as it is a course of action. By insisting that all employees read “The Hacker’s Nightmare“ they are taking that extra educational step that can make all the difference to their organizations overall level of data security.

In other words, action without education is a half-assed approach.

And finally…

If you’ve got this great book that will tell you in plain language how to “do security stuff”, why do you need any other programs at all?

Good question. Here’s why:

There’s a lot of “stuff” missing from Windows, and there is a lot of “stuff” in it that the average user would be better off without.

There are also software components included in Windows that don’t do a very good job; the built-in software firewall is a good example.

Each of those situations is either the source of security holes or the reason we need to add extra functionality to Windows. We do that by the judicious inclusion of 3rd party programs. Unfortunately just “tweaking” what’s already there won’t come close to securing a system against even the common threats.

So what’s YOUR position on buying a computer, with Windows pre-installed, and not spending just a little bit extra on safeguarding it? One consequence that’s almost guaranteed is that the first serious malware incursion you suffer will cost you a lot more than “The Hacker’s Nightmare“ and a few protective utilities.

But if you’re still one of the reluctant crowd, here’s a little eye-opener for you. Try a Google search for the terms:

honeypot, computer or PC, and minutes

Here’s a ready-made link for you:

http://www.google.com.au/search?q=honeypot+PC%7Ccomputer+minutes

Scary, huh?

Still want to go it alone?

©2010 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

Yep, it’s “Patch Tuesday” again…

And this is your monthly reminder that Microsoft has just released its latest batch of software patches & updates.

Regardless of what browser you prefer to use on a day-to-day basis, you should use Internet Explorer to find and apply patches & updates.

Use the Internet Explorer
menu option:
Tools -> Windows Update

IGNORE PATCHES & UPDATES AT YOUR PERIL

©2010 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.

This is your monthly reminder that Microsoft has just released its latest batch of software patches & updates.

Regardless of what browser you prefer to use on a day-to-day basis, you should use Internet Explorer to find and apply patches & updates.

Use the Internet Explorer menu option:
Tools -> Windows Update

IGNORE PATCHES & UPDATES AT YOUR PERIL

©2010 Bill Hely's "Computer & Online Security" Blog. All Rights Reserved.