Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: security

  • Has your site been exploited or victimized?

    Nothing frosts my lizard more than someone saying ‘WordPress has been hacked!’ and I’ve finally decided it’s just a case of ignorance.

    I’ve been using WordPress since around the famous 2004 MovableType bait’n’switch, when they decided to go paywall. That was not what made me switch to WP. In fact, I had already installed a b2 site in order to allow anyone in my family post a story about my grandmother (and I should really put that back online one day…). It was a lot of little things that made me switch, and I don’t really regret my choice. MT is very useful, very cool and very impressive, but it wasn’t what I wanted or needed.

    Yesterday, Byrne Reese posted about how WordPress Won the Blog War. He’s a former Movable Type project manager, so I presume he knows what he’s talking about. As a former member of the MT community (under a non-Ipstenu handle) and current heavy user of WordPress, it’s very entertaining to hear a behind-the-scenes view of the ‘war.’ I never saw it as a war, and as anyone who knows me can attest, I’ve never been a rabid fanboi for one OS or another, one product or another, simply because of who makes it. I like my iPad, but if it doesn’t work for you, I’m more than happy to help you find an alternative. I believe in finding the product that works for you.

    What really caught my attention in the post were the comments. The very first had this gem by Matt Haughey:

    Now that they’ve won the battle, I think the biggest problem for WP now is two-fold: One is the constant threat of exploits with your own WP install. It’s crazy and like running Windows 95 without patches. Everyone I know with a self-hosted WP has been exploited in the last year or two and worries about it regularly.

    Two facts:
    1) My WordPress install has never been hacked in the 7 years I’ve had it.
    2) I do worry about it constantly.

    About a year ago, my server was hacked. Ironically it came three days after I’d posted about WordPress security. How was I hacked? Because I followed insecure practices. I’ve touted, for a while now, that security is a tripod:

    • The Web Host is responsible for making sure the server itself is up to date with the latest patches etc, and that the server is configured in a safe way.
    • Web-apps are responsible for not unleashing needless insecurities on the system.
    • The end-user: we pray to the Flying Spaghetti Monster that they’ve not done something to violate security out of ignorance.

    I was hacked because I violated security, which made my server open to attack, which thankfully resulted in my Web Host bailing me out (have I mentioned I love them?). I went to a website on a non-virus-protected PC (yes, Windows), I got what looked like a suspicious pop-up in IE from a site I knew and trusted, and while the pop-up was there, I opened an FTP (not secure FTP!) connection to my server. I seriously could not have been stupider. Thankfully it was easy to fix, and I have since turned off FTP (it’s SFTP or nothing). Actually I also wiped Windows XP off my computer, but previously it was required for my work.

    On Byrne’s post, Mark Jaquith (a WP developer) remarked this:

    I haven’t seen an up-to-date WordPress install get directly exploited in around five years. Seriously.

    I thought about this for a moment, and had to nod. This is true for me as well. Every WordPress install I’ve seen with problems has been due to the web-host or the end-user being insecure. Even when that end-user is me, I’ve yet to have WordPress itself hacked. This does not mean I think WordPress can’t be hacked, just that it’s actually a pretty secure little tool by itself.

    Then Mark went on to say this:

    All of the large scale instances of WordPress being compromised lately were because of web hosts who don’t prevent users on one account from accessing files on another account. In these cases, WordPress wasn’t exploited so much as it was victimized due to a lower level security issue on the server.

    He was far more succinct than I’ve been able to be on the matter, but I’ve touted for a long time that the problem is WordPress, but it’s not WordPress’s fault. Ask anyone in IT why Windows has more viruses than a Mac, and most of us will tell you it’s because Windows is more popular. More people use it, so more hackers/spammers/crackers target it. I wouldn’t say, in 2011, that Windows 7 is more vulnerable than OS X, but I would feel comfortable saying that it is targeted more.

    The answer is the same when I’m asked why WordPress gets so much spam. Because it’s used a lot! The more prevalent your product is (i.e. the more successful it is), the higher the likelihood is that some jerk with a kiddie script will try to attack it. This is just a fact of life, and I’m not going to get into how to solve it.

    What I feel we need to be aware of is the education of the user base for any product. My father once gave a memorable lecture I caught when I was about six or seven, about our expectations with computers and why AI was never going to be like we saw on Star Trek. “Ignore the man behind the curtain!” he said to the crowd. Back then, I had no idea what he meant. Today I realize that it was two-fold. On the one hand, we think ‘Automate everything! Make it all just work!’ That’s the magic box theory of computers. It all just works and we don’t have to do anything. The reality is that there is always a man behind the curtain, making the magic happen.

    The ‘two-fold’ meaning is that (1) we want everything to work perfectly without manual intervention, and that’s just not possible and (2) we don’t want to have to learn WHY it all works, just make it magically work.

    My savvy readers are, at this point, thinking “But if I don’t know why it works, how can I fix it?” To them I shrug and agree that you cannot be expected to fix anything you do not understand. Furthermore, the less you understand something, the more likely you are to inaccurately blame someone/something. Which brings us back to why I hate when people say ‘WordPress has been hacked!’ Actually, I hate it when they say anything has been hacked (Drupal, Joomla, WordPress, MovableType, etc etc etc).

    We have a few choices at this point. We can stop ignoring the man behind the curtain and learn how the levers work ourselves, or we can accept that we’re not clever enough and hire someone. Either way, we should always take the time to sort out what’s wrong. When my cat was, recently, in the kitty ER for bladder stones (she’s fine now), racking up a $1000+ bill for services, I wanted to know all about what caused them, why did the food work, etc etc. I’m not a vet. I would never make it through medical school (I don’t like blood). But I know how to use my brain. As my professor, Dr. Lauer, told me in high school, “We’re teaching you how to think, how to talk to adults while you’re a child, so you know how to be a person.”

    Teach people how to think. You’d never take your Mercedes Benz to Jiffy Lube for an overhaul, so why are you trusting a $5/month webhost without a phone number to support your business? You wouldn’t take your child to a back-alley doctor, so why are you hiring some guy with blink-tags on his site to fix your website? Use your brain. If your webhost tells you ‘Sorry, we can’t help you,’ then take your money someplace else. Website support should always include them taking backups at least every day (you may only get yesterday’s backups, but they should still have ’em). A good host will help you when you ask specific questions.

    My host (there’s a link on the top right) will answer the phone 24/7, they helped me craft a backup strategy, un-do the hack on my server, trace down what was using up so much CPU, beat mod_security into submission … the list goes on and on. My point here is not that you should use them (though if you do, tell them I sent you!), but that you should find a host who supports you to the level you need. The brunt of what you pay for hosting is an insurance policy. You’re paying them to bail you out when (yes, when) you need help, and if you’re only paying $5 a month, then you should only expect that level of return.

    Educate yourself, educate your host, but have realistic expectations.

  • Folder Permissions on Windows

    For what it’s worth, they fixed the copy problem and didn’t need my fix, but because it does work, here’s what the drama was.

    We’re moving 300 odd folders, all named for the group that uses them, from one server to another. For security, each folder has a windows domain group named ‘IPS-GROUP’ (not really, but you get the idea). Only that domain group has access to the folder. I got a call asking me to reset the permissions on them. Manually. I flipped out for about a minute and bitched on Twitter. Then I sat down to code.

    I used DOS because, due to another ongoing project, I’m probably the youngest person this familiar with it in my company. I knew I could do it in *nix pretty fast with a for loop, and I remembered a snippet of code I had out there for CACLs and I came up with this:

    REM List the folder names in C:\temp\TEST, one per line, into a text file
    dir/b C:\temp\TEST > C:\temp\tlalist.txt
    cd C:\temp\TEST
    REM For each name, add the group IPS-<name> with Full control; /E edits the
    REM existing ACL instead of replacing it (in a .bat file write %%a, not %a)
    for /F %a IN (C:\temp\tlalist.txt) DO CACLS %a /E /G IPS-%a:F

    So assuming that all your folders are in C:\Temp\TEST, what this does is make a list of all the folders, by name, and spits it into a file. Then you move to the directory and run the for loop, which says that for every line in the doc you made (each line is a folder name, remember), add the group IPS-foldername to the permissions with full rights. (You can choose whatever permissions you want. I suggest http://www.computerhope.com/cacls.htm as a resource.)

    Now, this ONLY worked because on my server, the folder name and the group names are mostly the same. A couple are not, but the script kicked this out:

    C:\temp\TEST>CACLS FOO /E /G IPS-FOO:F
    No mapping between account names and security IDs was done.

    That let me go back and manually fix the ten or so that failed.

    I hope this helps someone else down the line!

  • The Latest Malware Malfeasance

    I preface this with I really don’t have time to de-malware everyone’s site who emailed me, so please don’t ask for help right now, I’m not a freelancer for a reason and I’m booked till … Uh, August at this rate. So, no. I’m not going to be able to help you. I am going to post HOW to fix it, but if you need serious help after that, at the bottom are links of people to help you.

    If you find this helpful, great! There’s a donate link to the right on my site, but personally I feel it’s more important people get the right information!

    So you logged into your site and the admin side looked something like this:

    The odds are that you’ve been hacked by the latest malware. Malware is short for “malicious software” and basically it’s someone screwing with you. Why? Because they can. I’m not going to get into why, it doesn’t matter. What matters are two things:

    1. How can I fix it?
    2. How can I stop it from happening again?

    Before we go any further, though, go run the Sucuri Scan. That will tell you if you’ve really been hacked, or if it’s something else. For the rest of this post, I’m assuming you’ve been hacked.

    How can I fix it?
    Make a fresh backup of everything on your site. Download it all. Yes, it’s probably got the virus in it, but that’s okay. It won’t hurt your desktop. Also backup your database to your desktop computer. The hack doesn’t seem to have affected your database, but you should always make a good backup before you try this stuff. Make note of your theme name (and where you got it from), as well as all your plugins. You’ll need this in a moment.

    Put a copy of the following files/folders in a safe place, separate from the rest of your backup:

    /public_html/.htaccess
    /public_html/wp-config.php
    /public_html/wp-content/uploads (and ALL files and folders under this)

    Now, delete everything from public_html on your server. Yeah, everything. This is why I said make a backup, folks!

    Once the server is naked, change your passwords for FTP/SSH. If you’re using a non-Secure method of accessing your server, stop and get something like WinSCP or CyberDuck or anything that allows SECURE FTP access. SFTP should be the ONLY way you FTP to your site.

    Download, from WordPress.org, a new copy of the latest and greatest core WordPress files (at this posting, it’s 2.9.2, but 3.0 is in beta, so that may change shortly). Install from that, NOT from your site’s automated installer. You should be able to copy all the files up and then add those files I told you to put aside. Remember them? The .htaccess, the wp-config.php and the uploads folder all go back up.

    Under no circumstance should you upload anything else from your backup at this time! Also don’t bother visiting your site, it’ll look weird.

    Once your files are back, go to http://wordpress.org/extend/plugins/ and download all your plugins. One at a time.

    Repeat with your themes, going to http://wordpress.org/extend/themes/ or wherever you got your theme from in the first place.

    If you made your own theme, it’s a little harder, since you’ll need to go over every single PHP file in your theme and look for ‘weird’ code. Sucuri has a cleanup script, but pretty much open them all up, look for encoded information that will look something like this post from Sucuri. If you see that in a file, kill it with fire.

    Finally, go into your /public_html/cgi-bin folder. If there’s a file called php.ini in there, delete it. There may not be, so don’t worry about it too much if not.
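    The steps above (set the three items aside, wipe public_html, restore them over a fresh core, remove a stray cgi-bin/php.ini) as a shell script you can rehearse first. This is an added example written for this page, not code from the post; it assumes only the layout the post names (a public_html holding .htaccess, wp-config.php and wp-content/uploads), takes every path as an argument, and the self-check runs against a constructed throw-away tree so nothing touches a real server unless you point it at one.

```shell
#!/bin/sh
# Added example, not from the original post. Rehearses the "keep three things,
# delete everything, put them back over a clean core" procedure on a
# constructed tree. Paths are arguments; the real docroot is never assumed.

# set_aside DOCROOT SAFE: copy the three items the post says to keep into SAFE.
set_aside() {
    src="$1"; safe="$2"
    mkdir -p "$safe/wp-content"
    cp -p "$src/.htaccess" "$safe/.htaccess"
    cp -p "$src/wp-config.php" "$safe/wp-config.php"
    cp -pR "$src/wp-content/uploads" "$safe/wp-content/uploads"
}

# wipe_docroot DOCROOT: delete everything inside it (dotfiles included) but
# keep the directory itself so the web server's document root still exists.
# The "! -path ROOT -prune" form is portable where "-mindepth 1" is not.
wipe_docroot() {
    root="$1"
    find "$root" ! -path "$root" -prune -exec rm -rf {} +
}

# restore_kept DOCROOT CLEAN SAFE: lay down the freshly downloaded core from
# CLEAN, then put the kept items back, then drop any cgi-bin/php.ini.
restore_kept() {
    root="$1"; clean="$2"; safe="$3"
    cp -pR "$clean"/. "$root"/
    cp -p "$safe/.htaccess" "$root/.htaccess"
    cp -p "$safe/wp-config.php" "$root/wp-config.php"
    mkdir -p "$root/wp-content"
    cp -pR "$safe/wp-content/uploads" "$root/wp-content/uploads"
    rm -f "$root/cgi-bin/php.ini"
}

# count_leftovers DOCROOT CLEAN: number of files that are neither kept items
# nor present in the clean core. After a correct restore this prints 0.
count_leftovers() {
    root="$1"; clean="$2"
    (cd "$root" && find . -type f ! -path './wp-content/uploads/*' \
        ! -name .htaccess ! -name wp-config.php) |
    while IFS= read -r f; do
        [ -f "$clean/$f" ] || echo "$f"
    done | wc -l | tr -d ' '
}

# rehearse: build a constructed "hacked" docroot (one unexpected file in
# wp-includes and a cgi-bin/php.ini), a two-file clean core, run the
# procedure, and return 0 only if the kept items survived and nothing else did.
rehearse() {
    tmp=$(mktemp -d)
    root="$tmp/public_html"; safe="$tmp/safe"; clean="$tmp/clean-core"
    mkdir -p "$root/wp-content/uploads/2010" "$root/wp-includes" "$root/cgi-bin" \
             "$clean/wp-includes"
    printf 'RewriteEngine On\n' > "$root/.htaccess"
    printf "<?php define('DB_NAME', 'blog');\n" > "$root/wp-config.php"
    printf 'constructed-image-bytes\n' > "$root/wp-content/uploads/2010/photo.jpg"
    printf '<?php // constructed: stands in for a file that should not be here\n' \
        > "$root/wp-includes/unexpected.php"
    : > "$root/cgi-bin/php.ini"
    printf '<?php // constructed clean core\n' > "$clean/index.php"
    printf '<?php // constructed clean core\n' > "$clean/wp-includes/version.php"

    set_aside "$root" "$safe"
    wipe_docroot "$root"
    restore_kept "$root" "$clean" "$safe"

    ok=0
    [ -f "$root/wp-content/uploads/2010/photo.jpg" ] || ok=1
    [ -f "$root/.htaccess" ] || ok=1
    [ -f "$root/wp-config.php" ] || ok=1
    [ -f "$root/wp-includes/version.php" ] || ok=1
    [ -e "$root/wp-includes/unexpected.php" ] && ok=1
    [ -e "$root/cgi-bin/php.ini" ] && ok=1
    [ "$(count_leftovers "$root" "$clean")" = "0" ] || ok=1
    rm -rf "$tmp"
    return $ok
}

if rehearse; then
    echo "rehearsal passed: kept items are back, everything else is gone"
else
    echo "rehearsal FAILED"
fi
```

    Run it once as-is to see the rehearsal pass, then call the three functions against your own paths. The point of count_leftovers is the check the post implies but does not spell out: once the core is back, anything that is not a kept item and not in the download you just unpacked has no business being there.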

    How can I stop it from happening again?

    I’ve got some advice, but right now, if you’ve been told ‘Just upgrade WordPress’, well, that’s not enough. Yes, I know that GoDaddy was claiming for a LONG time that’s what you needed to do. I’m here to tell you this: GoDaddy is incorrect when they tell you ‘Just Upgrade.’

    That doesn’t mean you shouldn’t upgrade, in fact, you may note I said to get the latest and greatest WordPress version (again, 2.9.2 as I write this). That’s because it’s going to have every security fix they’ve come up with to date. It’s almost always best to use the latest version of software. For most of you, it’s always better.

    You may want to look into something like WordPress File Monitor, which emails you if files are changed. Just turn it off when you plan on making a lot of changes!
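    What a file monitor does under the hood is take a hash baseline of the clean site and compare against it later. The script below is an added example written for this page, not the File Monitor plugin’s code; it assumes sha256sum from GNU coreutils (on macOS/BSD substitute shasum -a 256), and the site it runs on is a constructed three-file tree.

```shell
#!/bin/sh
# Added example, not the File Monitor plugin's code: baseline-and-compare
# integrity checking. Assumes sha256sum (GNU coreutils). Paths containing a
# newline are not handled; paths with spaces are.

# write_baseline DIR -> one "hash  ./path" line per file, sorted by path.
write_baseline() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done)
}

# check_baseline DIR BASELINE -> prints ADDED / REMOVED / CHANGED lines.
# A sha256sum line is 64 hex digits, two spaces, then the path, so the path
# starts at column 67; taking it with substr() keeps spaces in names intact.
check_baseline() {
    dir="$1"; base="$2"
    now=$(mktemp)
    write_baseline "$dir" > "$now"
    awk -v base="$base" '
        { p = substr($0, 67) }
        FILENAME == base { old[p] = $1; next }
                         { cur[p] = $1 }
        END {
            for (p in cur) if (!(p in old)) print "ADDED   " p
            for (p in old) if (!(p in cur)) print "REMOVED " p
            for (p in cur) if ((p in old) && old[p] != cur[p]) print "CHANGED " p
        }' "$base" "$now" | LC_ALL=C sort
    rm -f "$now"
}

# demo: a constructed mini-site is baselined, then tampered with in the three
# ways the check can tell apart (edited, dropped in, deleted).
demo() {
    tmp=$(mktemp -d)
    site="$tmp/public_html"
    mkdir -p "$site/wp-includes"
    printf '<?php // constructed clean core\n' > "$site/index.php"
    printf '<?php // constructed clean core\n' > "$site/wp-includes/version.php"
    printf 'RewriteEngine On\n'                > "$site/.htaccess"
    write_baseline "$site" > "$tmp/baseline.txt"

    printf '<?php // edited after the baseline\n'   > "$site/index.php"            # CHANGED
    printf '<?php // appeared after the baseline\n' > "$site/wp-includes/extra.php" # ADDED
    rm "$site/.htaccess"                                                            # REMOVED

    check_baseline "$site" "$tmp/baseline.txt"
    rm -rf "$tmp"
}

demo
```

    In use you would run write_baseline right after the clean reinstall, keep baseline.txt somewhere outside the docroot, and run check_baseline from cron, mailing yourself whenever it prints anything; as the post says, expect noise while you are deliberately changing files.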

    By deleting your files, getting a secure FTP client and changing passwords, you’ve closed the biggest security hole: You. I hate to say it, but every time I’ve ever been hacked it’s been right after I opted not to follow security protocol that I know damn well. And here’s my protocol: Always use secure connections to your website when editing data or accessing sensitive areas.

    And that’s really simple. If I use cPanel or WebHost Manager, I connect via HTTPS, which is secure. If I use shell, I’m using SSH (secure!). If I’m FTPing, I’m using SFTP. You see the trend? I’m also only using software I know and trust. My browsers of choice are Chrome, Firefox and Safari. The last time I used IE 8, I got hacked. My SSH terminal is the Mac Terminal or PuTTY for Windows (which I only download from http://www.chiark.greenend.org.uk/~sgtatham/putty/ – there are other, fake, PuTTY sites). My FTP clients are (for Macintosh) Transmit and CyberDuck. For Windows… Well I actually don’t FTP much from Windows. I have been known to use WinSCP, but I’m not comfortable recommending it, as I haven’t had time to really look into its security. In addition, I don’t connect to my site’s back end from non-secure WiFi. That means I don’t go in on my laptop in StarBucks. Anyone can jimmy my connection!

    Now that you’re being secure, go talk to your web host. Tell them what happened. Since you have a backup of your files, you can even show them the hack! Any decent web host will sit up and pay attention. Sometimes they’ll be a bit shady, but pay attention. If they say ‘We’re going to look into this, but in the meantime, please upgrade and change passwords,’ then they’re okay. If they just say ‘Yeah, it’s your fault, upgrade,’ then you’re in trouble. When I was hacked, my host helped me sort out what it was, admonished me appropriately where I’d screwed up, and pointed out ‘Here’s when and where it happened.’ To which I said ‘Shoot! That was all on me!’ But they took the time to work with me.

    If you’re on GoDaddy, LEAVE. GoDaddy Doesn’t Give A Damn, or at least they’re acting like they don’t. A user found the code used to inject malware and it’s not a WordPress specific file. In fact, this annoyance is attacking multiple servers, multiple hosts, and multiple PHP based apps.

    Besides, Go Daddy is telling people to upgrade to fix the issue, but they’re running an old version of WordPress on http://community.godaddy.com (which is where they happen to be telling people to upgrade).

    It’s 2010, and apps like WordPress are here to stay. Mark Jaquith wrote a deft admonishment to web hosts, telling them to adapt:

    WordPress is the number one user-installed web app, and its growth is showing no signs of slowing. If you are a web host, and you don’t have a specific strategy for WordPress, you’re likely operating your service inefficiently, and may be opening yourself up to security issues. This is the year to adapt, or be left behind by nimbler upstarts.

    As a side note, GoDaddy has contacted Sucuri, saying they are looking into it, but they’ve taken weeks from when this issue first sprung, Athenaesque, into the spotlight. The full-grown goddess has a spear, guys. Pay attention. If they had said, from the get go, “Gosh, this is weird, we’re looking into it!” or asked for information, or not dismissed willing technical users, they might not be on my shit-list right now. As it stands, I cannot recommend them as a host.

    GoDaddy has a special contact form just for these security issues. If you were infected, use it.

    Me? I use LiquidWeb

    So you still need help?

    Ask your host for help. If they can’t (or won’t), try to get them to do a restore from backup. But some hosts are better than others about this.

    Your next step is to open your wallet:

    Those are three people I ‘know’ (as much as you can know anyone on the net). Plugged In is the only one who, up front, says she’ll remove malware, but the other two are savvy enough that I suspect they may as well. If not, they’ll tell me. Kim Woodbridge assured me that she does indeed remove malware (thanks, Kim!). And I’m fairly sure WP Turnkey might, but if not, based on his services listed, he can get you up on a new server that isn’t GoDaddy. Chip, of WP-Turnkey, also said he does this, so there you have it! Ask them, and please feel free to tell them ‘Ipstenu sent me!’

    And yes, these are going to cost you money. Well, running a website costs money. Welcome to the costs. I’ve paid out the nose to bail myself out of these situations before, which is why I’ve learned what to do. And even then, I pay a good host a lot of money a month to help when I’m in over my head.

  • Hack’n’Slash Security

    I was intending on a totally different post, but, well, this came up instead.

    Recently, WordPress, my preferred blogging software, has been under attack by both hackers and critics. There were actually three attacks that all got lumped into one, so I’ll try and break this down. If you’re of the ‘Too long! Didn’t Read!’ variety today, you can get by with knowing this: If your WordPress install is not secure and if your web host is not secure and if YOU do not follow security practices, then you will be hacked. Period. Security relies on you, your web host and your web apps all being sensible about the whole thing to be effective. Remember, it’s okay to ask for help!

    Also go read Hardening WordPress right now.

    Okay, so security.

    Back in February/March, there was a sudden influx of users complaining their sites had been hacked by inii.info, whereby the hack was to edit the wp-blog-header.php and change it so any time a search engine bot visited your site, it went to inii instead. This matters because search engine bots collect information about your site and use it to rank your website against all the other sites about a given topic. There was a second hack where a file named ... (yes, three periods) had even more redirect code in it. And it was heavily encoded so you couldn’t read it without decoding.

    The reason I call this a Media Temple hack was that it seemed to be prevalent on Media Temple installs. While at first people jumped the gun and said ‘It’s WordPress!’, Media Temple came out with a detailed Q&A about the matter, and the attack appeared to affect ALL webapps via compromised passwords. If Media Temple ever revealed what happened, I’m not aware of it, but it wasn’t just WordPress that was affected. They ended up changing DB passwords for every webapp, from Drupal to vBulletin.

    In early April, there was another rash of hacks, this time targeting Network Solutions. This time, it looked like a clear cut case of database changes. WordPress, like most PHP/SQL apps out there, uses a database to store all its information. In this instance, the database entry for the site’s URL was changed from (for example) https://ipstenu.org to an iframe link I’m not reproducing here.

    At the same time, there was a ‘Pharma’ hack, where links with ‘pharma’ in them were slipped into your site, in a rather genius fashion. Chris Pearson has a decent explanation on the matter, but I feel he’s barking at the wrong car for part of it.

    Chris and Media Temple and Network Solutions and a horde of people on Twitter and forums every where jumped up and said “AHA! It’s a WordPress hack!!!111!” Which … well, yes, but not exactly. As the very wise Andrea_r put it, there’s a difference between attacking WordPress installs and targeting WordPress installs.

    An analogy if you please. There’s a rash of break-ins in a small town. The houses that are broken into are all bungalows. People shout ‘Aha! It’s a problem with bungalows not being secure!’ The police look into the matter and find out that in every house broken into, the bathroom window was left open. Now, is this the fault of the builder, who designed bungalows to have a window people could fit in through or is this the fault of the residents who didn’t close and lock their windows?

    If you said ‘It’s a little of each!’ then thank you, you can stay after class and clean the erasers.

    Security depends on many things, but to the topic at hand, server security is a tripod, and relies primarily on these three legs:

    • The Web Host is responsible for making sure the server itself is up to date with the latest patches etc, and that the server is configured in a safe way.
    • Web-apps are responsible for not unleashing needless insecurities on the system.
    • The end-user: we pray to the Flying Spaghetti Monster that they’ve not done something to violate security out of ignorance.

    To understand how these hacks all worked, yes all of them, you have to look at the perfect storm. This is what had to happen in order for all these accounts to be compromised:

    1. Someone saved their wp-config.php file in a way that it was readable by the free world.
    2. Someone scanned for and found that file.
    3. The user was using their ID and Password, rather than creating a DB user just for the blog.
    4. That account had read access to other accounts on the same server.
    5. The malicious user used the account to scan for other wp-config.php files, even if they were saved securely and compromised their accounts/databases as well.

    That’s a lot of wrong on one box. With most webhosts, you’re on what’s called ‘Shared Hosting’, which means a whole mess of people are on the same server, each with their own ID and password. Much like when multiple people have IDs on a desktop PC, the inherent security of the server does not allow Joe to look at Jane’s files, unless she saves them in a public space. Alas, on a couple of sites, this was not the case. So Joe, who saved his wp-config.php file with 777, and used his server ID and password to access his database in that file, was compromised. And once the hacker had Joe’s information, he scanned the entire server and hurt everyone.

    Ouch.

    But wait, doesn’t that mean it’s WordPress’ fault for saving passwords in the wp-config.php file in a way a hacker can read them!? Well, yes, it’s certainly WordPress’ ‘fault’ but you have to realize that doing so is an accepted risk of most PHP/SQL webapps, in that for the SQL DB to be read, the password to that database must be kept in clear text (i.e. not encrypted). This is in the wp-config.php file.

    Okay, so it’s Joe’s fault for saving his file in a readable fashion? Somewhat. By having their wp-config.php file set so that anyone can read it (bad permissions – 777 for example), Joe put himself at risk. This IS NOT a flaw in web-app or the ISP, it’s just … well, ignorant (unless the ISP is forcing the file to be 777 to run WordPress, at which point it’s their fault, and yes, there’s an ISP that does that!). In addition, I know a lot of people who, instead of making a DB user for their blog, will put their server ID and password in that file, which means once it’s been read, ANYONE can log into that server as them. I suspect this is done from ignorance as well. By the way, your server ID and password is the same as your FTP user ID and password in most cases.

    Back to WordPress, shouldn’t they check for that? Maybe. But it’s not that easy, since there are a lot of different ‘acceptable’ security settings for that file, and it all depends on the server. Maybe one day WordPress will figure that out, but right now they tell you to make it secure.

    What about the web host? They are responsible for making sure that if Joe User sets his WP config file to 777 and puts his server ID/password in there, the worst he can do is shoot himself in the foot, because the server prevents him from reading anyone else’s user directory. Limit the destruction on a per-user basis. There are a lot of Shared Hosts out there with lax security policies, which makes this more prevalent than I’d like.

    Hopefully that made sense.

    All of these hacks seem to be looking for people with wp-config files that can be read, logging into the account as the user (or the database user), and either adding files that edit the database, editing the database, or both editing the database and adding the fake plugin files.

    Once your server is insecure, because of compromised IDs and Passwords, you have to go back to zero, reset ALL your passwords, scan your PC for viruses, and be careful. Remember, if they have your password, they can do everything you can do.
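    The first three legs of that ‘perfect storm’ (a wp-config.php anyone can read, and the server login reused as the database user) are things you can check on your own account before anyone else does. The script below is an added example written for this page, not anything the post or WordPress ships: it reads a wp-config.php, reports whether group or other can read it, and reports whether DB_USER matches the account that owns the file. It assumes a Unix host with ls, awk and sed; the two config files it checks are constructed, with placeholder passwords.

```shell
#!/bin/sh
# Added example, not from the post: audit a wp-config.php for the two
# self-inflicted conditions the post describes. Uses ls -ld for the mode and
# owner because stat(1) takes different flags on GNU and BSD.

# is_private FILE -> 0 if only the owner can read it, 1 if group or other can.
# In "-rw-r--r--" the group read bit is character 5 and other's is character 8.
is_private() {
    mode=$(ls -ld "$1" | awk '{ print $1 }')
    case "$mode" in
        ????r*|???????r*) return 1 ;;
    esac
    return 0
}

# config_value FILE KEY -> the value of define('KEY', 'value') in a PHP
# config file (single or double quotes, optional whitespace).
config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# audit_wp_config FILE -> prints each finding; returns the number of findings.
audit_wp_config() {
    f="$1"; findings=0
    owner=$(ls -ld "$f" | awk '{ print $3 }')
    if ! is_private "$f"; then
        echo "READABLE BY OTHERS: $f is $(ls -ld "$f" | awk '{ print $1 }'); chmod 600 it"
        findings=$((findings + 1))
    fi
    dbuser=$(config_value "$f" DB_USER)
    if [ -n "$dbuser" ] && [ "$dbuser" = "$owner" ]; then
        echo "SHARED LOGIN: DB_USER '$dbuser' is the account that owns $f; make a database-only user"
        findings=$((findings + 1))
    fi
    return $findings
}

# count_findings FILE -> prints the number of findings (wraps the return code
# so it can be used under "set -e").
count_findings() {
    n=0
    audit_wp_config "$1" >/dev/null || n=$?
    echo "$n"
}

# demo: "Joe" (world-readable, shell login reused) next to a sane config.
demo() {
    tmp=$(mktemp -d)
    me=$(id -un)
    printf "<?php\ndefine('DB_NAME', 'joeblog');\ndefine('DB_USER', '%s');\ndefine('DB_PASSWORD', 'placeholder-not-a-real-password');\n" "$me" \
        > "$tmp/joe-wp-config.php"
    chmod 777 "$tmp/joe-wp-config.php"
    printf "<?php\ndefine( \"DB_NAME\", \"janeblog\" );\ndefine( \"DB_USER\", \"janeblog_db\" );\ndefine( \"DB_PASSWORD\", \"placeholder-not-a-real-password\" );\n" \
        > "$tmp/jane-wp-config.php"
    chmod 600 "$tmp/jane-wp-config.php"
    for f in "$tmp/joe-wp-config.php" "$tmp/jane-wp-config.php"; do
        echo "== $f"
        audit_wp_config "$f" || true
        echo "findings: $(count_findings "$f")"
    done
    rm -rf "$tmp"
}

demo
```

    Point audit_wp_config at your own file; two findings is Joe, zero is where you want to be. It cannot tell you the fourth leg (whether the host lets one account read another’s directory), but if your own file is private and the database user is not your login, a neighbour’s mistake can no longer hand over your shell.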

    Good luck out there. Be smart, be secure, be safe.

    Edited to add…
    Also check out Mark’s well written post about how your security? Is your responsibility. Because dude, it SO is.

  • Are we getting smarter?

    A recent study said that 81% of computer users had changed their web surfing habits in order to avoid spyware and malware. My buddy, Beebear replied ‘And the other 19% are AOL users.’

    Taken at face value, that number seems to be a little too high. I agree that just about everyone I know has changed their browsing habits to avoid spyware. All the Mac users I know told me ‘I haven’t touched IE since OS 10.2.’ I suspect Ipstenit was a bit of a holdout, but when I upgraded her to OS 10.3, I took IE off her computer. She was a Netscape Fan, and never liked IE in the first place.

    The browser wars, though, really are a peculiar place. Here’s IE, the most prolific browser known to man (that works better if you say it in a booming ‘g-d’ voice), and it sucks donkey balls. The GUI is acceptable. It loads pages, it makes HTML look decent. What more could a person want? Well, let’s look at Safari, which is my Macintosh browser of choice.

    1. Spell Check.

    I have an already included spell check tool, so when I post my blog, I can right-click and correct typos. Also, the tool is tied into my system wide dictionary, so everything that uses it knows ‘Ipstenu’ and ‘blog’ are real words, thanks. There’s a tool called IE Spell that can do this for IE, but it’s not exactly the same. The Mac one can be set to remain on and it’ll underline in red squiggly lines the unknown/misspelled words. Just like Word. Hmm. And IE is missing this?

    2. Easy Searching

    I have a search field on my menu bar. I can type in ‘The life cycle of documentation,’ hit enter, and away I go. Google has a toolbar you can add in to IE and get this done, but again. It’s built in on the Mac.

    3. Tabbed browsing

    One window, six websites. Thank you and good night. Supposedly IE 7 will include this, but reading the IE blog off MSDN leads me to think it’ll be pretty basic. They suggest a couple of third party apps that can put tabbed browsing on IE 6, but one is $15 and the other is free but appears to be its own application (that is, a new browser).

    4. Popup Blocker

    I hate popups. I despise them with the fiery passion of a thousand burning nuns. Okay? Popups, popunders, and similar IN YOUR FACE advert scams piss me off. They need to die. Safari? Menu bar, Safari, Popup Blocker. Click, done. IE? Download something like Google’s toolbar and then you can have it.

    Of course, Microsoft sees all this and says ‘Look at how expandable our browser is!’ To a point they’re right. I like IE because you can add on to it. The problem is the items I want to add on should already be there. Microsoft’s fatal flaw right now is complacency. They assume that people who are using IE aren’t going to be buggered to change their habits and get a new browser.

    Microsoft needs to look at that 81%.

    And before you say Apples/Oranges about the Safari thing, with the exception of the spell check, Firefox does all that too. Firefox also has an easy to implement spell check, and yes, I use Firefox on my Windows PC, and IE only when I have to.

    Is Microsoft going to ‘lose’? Eventually, maybe, possibly. It’s hard to say. Do I care? Not as much as you might think. I love Macintosh because it works for me. It lets me work without muss or fuss and it lets me geek when I want to. That’s really all I want with a computer. I do like certain things about Windows. I like the squareness of it, sometimes. It’s obvious that my Windows Machine is to get the job done. But it’s John Wayne. My Macintosh is ‘How can I help you?’ Polite, well groomed, funny. It’s the Fab 5 from Queer Eye.

    Neither one is better than the other, any more than one cell phone is better than another. They all have different functions, and their form is best suited to the user. I think custom PCs should be the way to go, for the users. Make a PC the way someone wants to use it, and they know where to come for fish! I mean, they’ll be likely to come back.

    As for Apple? Well. I love them, I use them, and my Mac is my beloved. I prefer the way it handles pop-up alerts. I like being able to hide the geeky UNIX underpants and I like being able to access said panties. I don’t think it’s perfect. Apple’s making a push against Office, with Pages, but frankly after using Pages for a month, I’ve switched back to Word.

    The perfect world for me is an OS that can run anything I need (preferably made by Mac) and my resultant documents/output is compatible with everyone I need to work with.

    Hey, wait … I have that with my Macintosh.

  • Sed quis custodiet ipsos custodes?

    Who watches the people who watch what I do on my computer?

    Like many corporations these days, my office has instituted a ‘no internet for personal use, thank you’ policy, which has trickled down to no use of personal email. I won’t begin to snark about how I feel there, since frankly, I can see both sides of it and I know it’s a matter of me not liking it.

    I still spend a significant time on the net, but frankly, I’m looking up information about the desktop, security, etc. And if I get yelled at for it, well, I’ll have to ask what they mean by ‘for work only’ since I think I’m not causing much harm and I’m still ass kicking my projects.

    Who keeps an eye on the people who are monitoring my internet usage?

    Who keeps an eye on the people who monitor the databases where my personal information is kept?

    The other day, while venting about something stupid at my office, we talked about the latest security breach at a major company (Lexis-Nexis). Personal information was shared all over the place. Credit card information, you name it, it was hacked. And no one knew how much stuff was snagged or who was affected.

    Pause and do that golf clap as you say ‘… Well done!’

    I’m considered a mild paranoid (I don’t think everyone’s out to get me, but I keep abreast of the issues in personal privacy/security). I was asked if I was worried. No, no I’m not. Because I know for $8 or so, I can dig up the personal information, credit card history and rating, criminal records, drivers information, and a slew of other things. And yes, I did mean $8. That’s the second lowest rate I could find for paying a PI type website to snoop. I’m pretty sure if I asked at my local spy shop- excuse me, locksmith- I’d get a better and more secure rate.

    Don’t think for a second I’m going to give my credit card information to a website that specializes in, oh, selling information. That’s right up there with Tossed Salad Man and shooting my own ass. But. I also tossed the idea of becoming a licensed PI for Illinois just to have access to the cool tools I know Veronica Mars uses. Yes, it’s a TV show, shut it. I’m just saying it would be cool to be able to pull up that information when I wanted to. For a monthly fee.

    But that has its own problem. What if you, like this poor woman in Florida, had your Sheriff get your personal information from the DMV? Okay, so he could have gotten the information he wanted off of Google. Instead, he used a very legit tool for a squidgy reason. It’s not illegal per se, but maybe it should be.

    What’s to stop a bank teller from looking up a neighbor’s bank account? What stops Mrs. Landingham, my IRS person, from taking my personal information and ripping me off?

    Social conscience.

    And we all know how reliable that is.

    I’ve known for years that anyone who knows my name can find out a shit load about me. A stalker could find my address and phone number, regardless that the latter is unlisted. Hell, I own a domain, and I know exactly how easy a whois would be for anyone looking for me.

    Not that I was a hell of a lot safer pre-internet. A couple phone calls, a trip to the DMV, and bam. After all, it has to be legal for a Repo Man to, well, repo. So the information must be accessible. It’s only logic. Next go look at colleges. Every last stinking one I’ve been to uses your SSN as your student ID. Easy to remember for the student. Easy to tie into databases for the school. And when I got a bill? Damned if my SSN wasn’t printed right there on my bill. Everyone knows (or should) that tampering with mail is a federal offense, but let me walk you through how my mail was delivered on my high school campus.

    1. Mail is sent to a PO Box
    2. Mail is picked up by a teacher
    3. Mail is sorted into two piles ‘Teacher’ and ‘Student’
    4. Student mail is put in a box
    5. Student assigned to mail takes the box to our unlocked, public mail boxes and sorts
    6. Students pick up mail

    We’re trusting three key elements here: the guy at the PO Box, the Teacher who gets and/or sorts the mail, the student who ‘delivers’ the mail.

    Yeah, your personal information has never been secure. It’s just faster to find now.

    It’s weird, but I’m going to bring this around to the Pope, so hold on for a sec.

    Bruce Schneier wrote a great article about Hacking the Papal Election, in which he explains the ins and outs of how they vote. The short story is this: Hacking the Papal election is nigh impossible! The entire thing is manual, so no hanging chads or manipulated computers. Only the Cardinals are allowed in, and it’s not like you can play dress up and sneak in. You have to walk up, in front of everyone, to vote, and since the votes are counted twice and chucked if there are too many or too few, you can’t stuff the ballot. The only places where it might be easy to change votes are when the votes are counted the second time (the person could sleight of hand a vote, though given the dresses, I mean robes, they wear, it’s hard), or when a transcriber writes the vote for a Cardinal who’s unable to write. And if you get caught doing that you get excommunicated. So not worth it.

    I bring this up because it goes back to social conscience. Whatever you think about the Pope and Catholics, you can probably agree with me when I say that these Cardinals really want to do the best job they can. They’ve got so much shit thrown at them, from JPII being so damned popular to sex abuse and STDs, that they need to get some positive spin on them. In their case, it’s freakishly reliable that they’re going to do the best they can. Now, I do think there’s a lot of bullying, bribery, promises, etc. going on pre-vote, but I expect that. “If you vote for Cardinal Glick, I’ll tell everyone about the hooker you had in your room when we were just priests.” See, I’d totally do that shit, and you know they would too. I know the votes are secret, but you can’t expect me to believe people won’t try and persuade each other.

    How does this reflect on security and your personal information?

    It’s indirect, I admit, but follow this: Personal information which is compromised leads to identity theft, which can be used to commit voter fraud, which can re-elect George Bush, but which can’t be used to make an American the Pope.

    Yeah, you were worried about your money.

    Okay, look, here’s the real point of all this: You’re not safe. You never were and you’re really never gonna be. There are things you can do, starting with paying better goddamned attention. Get an email that looks iffy? Delete it. Buying stuff online? Make sure it’s from someone you can trust. Have a different password per site that you use in conjunction with your money. And be careful.

    You know that you can’t rely on the social conscience of others to not fuck you over, so all you can do is keep a close watch on what you do.

    After all, how is it any more secure to pay for your dinner with a credit card than it is to do so online? They take your card to a back room, run it through the card scan to make sure you can pay, and bring it back. Shit, they could photocopy it in that time, and they have an example of your signature!

    Which is why all my cards say ‘Ask for ID.’

    And people so rarely do.

    I don’t have the answers, but if this blog has scared you then I’ve done my job. Be aware.