Saturday, April 30, 2011

Password Too Simple - What to Do About It


Update June 15, 2013:
I stand by what I wrote here but please read as well my article "Passwords - The Latest".


Very recently a customer of mine asked me for help because a lot of obvious spam emails were sent from his Yahoo email account.

First we ensured that his computer was clean, that is, that there was no virus software or the like running. We found and removed a few remnants of malware that had apparently been removed earlier, but nothing showed up as currently running. I wanted to know more about where the emails truly came from, and with help from a tech forum we established Guam as the geographical source.

And with help from the forum I realized that I had failed to give my customer the most obvious advice, that is to change his Yahoo password. LK, I apologize again for this dumb failure. Once the customer had changed the password the emails stopped immediately.

This proved beyond a doubt that his password had been guessed. This in turn reminded me of questions about passwords that I constantly discuss with my customers.

Tonight I stumbled over an article titled "The Usability of Passwords" that discusses password usability and security in depth but in understandable form and language. The latter truly is a positive exception.

In the future I will base recommendations about passwords on this article; it is the first time that I have found anything written about passwords with respect to usability and security. Many other discussions in this area focus on technical aspects of security only and all too often ignore that a really secure password like 5rF#2kLn7@ simply is impossible to fully remember and type correctly.

Passwords are meant to secure and/or guarantee the privacy of our communications and data; correct? In this context I have to admit that the mention of Yahoo and/or Hotmail together with "privacy" always makes me cringe; "cringe" because I don't want to laugh derisively about a customer who uses Yahoo, Hotmail, MSN, Earthlink, Gmail or any other email service that leaves the mails on the ISP's servers.

Why do I cringe? Read this article about data mining on Yahoo and this one about privacy on Hotmail as examples.

If all the articles I linked to here are too much reading, that's fine. But please read and heed at least the article titled "The Usability of Passwords".

Thank you.
As usual I welcome comments and suggestions right here in the blog. Thank you in advance.


Tuesday, April 26, 2011

Words on Printing

Considering the enormous trouble and cost of printing associated with commonly offered ink-jet printers, here in condensed form is my take on the average bunch of low-cost ink-jet printers.

A few things to keep in mind:

  1. Printer manufacturers don't make money on the printer, they make oodles of money on the ink. Printer ink is said to be the most expensive liquid in the world with up to $35,000.- for a gallon.
  2. Most pictures printed on ink-jet printers will fade after only a few years.
  3. Printing pictures on ink-jet printers is extremely expensive because it uses lots of the expensive ink to have good coverage.
  4. Many ink-jet printers can print pictures only in one format, 4x6 for example.
  5. Printing pictures on ink-jet printers is mostly very slow.
  6. Dried out ink cartridges or clogged nozzles are a major problem for many ink-jet printers that are not being used regularly on a daily basis.

My recommendation for "normal" household usage is twofold:

  1. Photos:
    Edit the photo to be what you want it to look like (cropping, color correction and so on).
    Copy the file to a USB drive (at the time of writing $6.- and up at Walmart).
    Take the USB drive to Walmart, Walgreens, Sam's Club or the like and print your pictures on the machines there.
    Better quality and all in all much less money - but admittedly not quite as "convenient".
  2. Text:
    Drop the dream of color and print your text in black on white.
    Excellent quality b/w laser printers can be had at the time of writing from $60.- and up.

IMHO the biggest advantage of laser printers: They cannot dry out! And on top of that the cost per printed page is a fraction of what it is with ink-jet printers.

Thursday, April 21, 2011

ComboFix Or Not To ComboFix

Once more a question from a customer gives me a hopefully good idea for an article. This is what the customer wrote:

We had a family get-together last weekend, and during a computer conversation, our one son-in-law said he has this great anti virus software on his computer. This week he sent me the name, with instructions for downloading.

The name is ComboFix, on Bleeping Computer.com website.

I have Microsoft Security Essentials on my computer. Isn't this ComboFix just another piece of anti virus software? Why would I want two like programs running?

I have done nothing, and won't until I hear from you.

Here is my reply: (Begin quote)

[Customer's name],
Good question. Thank you and congratulations on the wise choice to ask first!

Yes, no doubt, Combofix is a good and VERY powerful program. In this power lie the pits waiting for a normal user to fall into.

Just read the first few paragraphs of the instructions "How to use ComboFix" on Bleepingcomputer.com (this is the only legitimate web site to download this program from).
I have added red color to the important parts that your son-in-law IMHO might not fully understand in all consequences.

ComboFix is a program, created by sUBs, that scans your computer for known malware, and when found, attempts to clean these infections automatically. In addition to being able to remove a large amount of the most common and current malware, ComboFix also displays a report that can be used by trained helpers to remove malware that is not automatically removed by the program.
. . .
You should not run ComboFix unless you are specifically asked to by a helper.
Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.
. . . .
Please note that this guide is the only authorized guide for the use of ComboFix . . . . It is also understood that the use of ComboFix is done at your own risk.
Let me summarize:
  1. It can detect but sometimes NOT automatically remove some malicious software.
  2. You run it at your own risk if you use it on your own.
  3. The information it displays is for trained people, NOT for the casual home user!
  4. If you run into problems there is NOBODY who might be able and willing to help you!

If your son-in-law is a trained helper then he does well; if he is a "normal" self-taught user he will create problems for himself down the road.

Since you asked, here is my advice to you:

Don't touch it!

Again, thanks for asking this question. This is so intriguing that I might make an article for my blog out of this.

(End quote)

And now a few additional remarks:

Some things I did not mention in my reply:

Microsoft Security Essentials (MSE) is a full-fledged antivirus program that is always running and continuously monitoring ALL file operations (and much more) during normal operations of the computer.

ComboFix is an on-demand scanner that DOES NOT RUN continuously scanning file operations.

Just having ComboFix sitting on the computer and occasionally running it can IN NO WAY be compared, let alone equated, to the workings of a "real" antivirus program. It is beyond my understanding how someone can assume that to be sufficient protection.

ComboFix gets updated fairly often, but it has NO provisions at all to dynamically download new virus definitions or the like when it is being run. You would have to download it every time you want to run it just to have the latest and greatest version. That is a far cry from a dependably self-updating program like MSE.

The people that maintain BleepingComputer.com know what they are doing; I have depended for many years on their evaluations and advice. To ignore the clear warnings and instructions in the short quotes above IMHO is blatantly foolish and ignorant. Dear unknown son-in-law, I apologize for possibly hurting your feelings but that's how I see it.

Tuesday, April 19, 2011

Phishing Revealed In Detail

Here is an outstanding article on how to spot a phishing email. Although taken from real life, this example naturally does not cover exactly what you may encounter. But the principal method to spot phishing emails is always the same: simply be observant and use common sense.

Yes, I know, the problem with common sense is that it is not all that common . . .

I suggest you stop reading when you reach the header line "The Attachment" unless you want to learn the geeky stuff. This has several reasons:

  1. When you already suspect an email to be phony, then still downloading an attachment would be outright dumb and suicidal. Pardon my French.
  2. I REALLY don't want you to even try to download a suspect attachment! Way too many virus infections happen this way.
  3. After the discussion of the attachment it very quickly gets very technical.

Thursday, April 7, 2011

How A Rogue Program Gets On Your Computer

Folks, this is really important because sooner rather than later your computer will get nailed! If you don't know what to look out for, here is an excellent example to learn from.

I am a (paying!) subscriber of the Windows Secrets newsletter. The latest issue begins with an article on LizaMoon, the newest mass threat from the internet. The article begins with these words:

A nasty piece of malware known as LizaMoon has hijacked links on millions of websites in the past weeks, including some normally safe iTunes and Google links.

The author describes in detail what happened and that he had to deliberately co-operate four times(!) for the real infection with that rogue program to take hold on his computer.

I highly recommend the article to all who read this!

If you want to know how to avoid LizaMoon (or other rogue programs) when it shows up on your computer, reading the above-mentioned article is a must!

Now that you know how to spot this sort of thing, you want to know how to combat it? Firstly, know how to close this kind of program window without giving it a chance to interpret your action as an invitation. This kind of infection needs your cooperation and at least one click on the "wrong" link or button. Please read this article here in this blog for more information. One of several methods to "kill" these attacks is detailed after the heading "How do I stop the attack that just started?" towards the end of the article.