Comments

Episode-740- Technology and Identity Security with Jim Miller — 26 Comments

  1. @Jack,

    Follow up on the Education topic. At the end you mentioned that kids are being taught to regurgitate information. True, but (to get a bit political for a moment) I think in many cases it is worse than that. They are trained to MINDLESSLY regurgitate CERTAIN information. For example, global warming (stopping there to avoid can-of-worm-itis).

    Teaching kids to learn on their own is the LAST thing that certain people want–that makes them much harder to control/sell to/manipulate/vote-buy/etc.

    It’s a real shame.

  2. Some additional security tips from a prepping nerd….

    – If you’re not a gamer, and just use your computer for surfing the web, checking mail, or doing something with video or pictures, have a look at Linux (for example Ubuntu). Most hackers target Windows and Mac OS right now and leave Linux alone most of the time. Linux is inherently more secure anyway.

    – Always have multiple backups of your important data. Keep one backup nearby, stash the other one away from your home, in case it burns down :-).

    – You can plug in memory sticks or cards you found, but use a dedicated machine for that. Don’t throw out your old PC, but reformat it, don’t hook it up to the network, and you’re ready to go.

    – To make a secure password that you can remember, pick a word or something else you can remember and add some padding to the start and/or end of the password. For example “…..::::://///peanut\\\\\:::::…..” is incredibly safe and easy to remember.

    – Don’t surf to any website with privacy-sensitive information when you’re on a public WiFi connection, unless you can access that information via HTTPS.

    If you’re interested in computer security, also check out the ‘Security Now’ podcast of the TWiT network over at http://www.twit.tv/sn, great podcast as well!

  3. Great interview. Awesome tips for the everyday person on being extra careful when dealing with the internet. We should all be more protective of our info. Security is only as good as your personal practices.

  4. Biggest threat: “Providing too much information”

    I would expand on that and say that people need to reset their own “normalcy” bias. It’s not normal for companies to ask for tons of info so you can buy something. In general when someone asks you something, you should pause before answering and mentally require justification for the question or request.

    Passwords:
    I’ll contradict Rick on this point. What makes more sense (mathematically) than having special characters, numbers, etc. is a long passphrase that is easy to remember. It’s a lot harder to crack mathematically and makes more sense in that it’s easier to remember. This is a common mistake in the IS industry, imo. A lot of systems may have limitations on pw lengths so that’s a consideration also…

    • I meant to say “contradict Jim….” not sure why I typed Rick…must’ve had something going on when I wrote that.

  5. There’s a saying I like to use all the time.

    “Locks only keep honest people honest.”
    meaning, if someone wants something badly enough, they will get it eventually regardless of how expensive and fancy the lock is. The definition of “lock” can be used loosely, i.e., passwords, but the point of the sentence stays the same.

    Well… if your password is really good, and you’ve got your stuff encrypted with it, and of course you are aware of any malware that might be sniffing your keyboard when you type in the password, you’re able to create a pretty darn good lock. Remember that with each single character you add to your password you double the time the attacker needs to brute-force your password. More and more cases keep popping up where law enforcement can’t access data from confiscated computers because it has been encrypted.

    For those who don’t know yet: A great (free) piece of software to encrypt your files easily is TrueCrypt.

  7. Live CD + no hard drive = malicious mobile code cries.

    Kinda off topic: I had my computer searched when I entered the USA a few years ago. They wanted me to turn it on so that they could browse my hard drive (was funny, there being no hard drive installed, just RAM). All that there was on the screen was a blinking cursor – the officer looked at the screen, pushed the enter button a couple of times, then gave me back the computer. Geez.

  8. Jack – great show as it touches on an area of most people’s lives that is vulnerable to attack. One important thing people can do is have multiple browsers on their computer, whether they are Firefox, Safari, or Chrome (which I use). The main reason for multiple browsers is to allow you to access the internet if your normal browser is compromised. This happened to my wife a few months ago, and I was able to use Safari to download the fix for the malware and get her IE working again.

  9. I know I am going to be the grumpy guy, but I can’t help it. The guest was not an expert– he didn’t know what he was talking about.

    Fortunately, the advice was targeted at non-technical users, and was for the most part sound. However, as someone who actually knows this stuff it was obvious the guy was dangerously ignorant. He would be an immediate no-hire if this had been an interview.

    The only correction to the advice I would make is that the advice on passwords was horrible. Most of the other advice was good for non-technical users even if it did bug me as a security guy. (I have spent the last 10 years doing security and incident response for Microsoft and a couple of three-letter agencies.)

    • @Joe from the Bay Area, actually I think you are completely full of shit personally and don’t appreciate you attacking a guest and acting like an asshole trying to infer that you are better than others.

      1. OF Fing COURSE this was for non technical users, Jim and I both could certainly talk above everyone’s head but what good would that do? If you are a highly technical user well you don’t need this advice and you already know what to do.

      2. You don’t come off as grumpy you come off like a bitter asshole.

      3. The advice on passwords is not horrible

      Now go back to making life miserable for the people whose network you run. You remind me of an asshole I fired my first week into a COO position.

    • Your comment isn’t helpful unless you say why the advice is bad and can offer an alternative. I work in IT with a variety of skill levels and don’t see any of this as bad. If he didn’t know what he was talking about, how come you only had one correction? All this being said, this is basic info. It is what most people need. If you get too technical, you lose them and they do nothing. Your level of knowledge may be higher, but you can’t communicate effectively to transmit anything of value.

  10. Very Insightful stuff. You want to be a hard target. Don’t make it easy for them to get your information. I am not sure of where to go to keep up with the trends of what criminals are doing.

    Also I want to take the word Hacker back. I think a Hacker is a guy who does things a different way. Hacking code together, getting things to work. A thinker, an innovator. Taking an old computer apart and taking components to reuse them in a new way is a hacker. Writing code that does something good for them is a hacker. I watched a documentary called “Hackers Are People Too”, a 43-minute watch for free on YouTube. Or Google it. I can post a link if need be. Writing code or a DIY project and sharing it on the internet is hacking at its best.

    A hacker becomes a criminal when they start breaking the law to hurt people and take advantage of others. When a person uses their hacker skills to hurt others and break laws this is now just a criminal.

    • @Lew,

      I am with you on the hacker thing and in fact I am for taking the term black hat back too. Seems I go back a bit further than Jim in the tech world; I remember when black hat meant “elite”. I asked him about it but he didn’t seem to know that.

      The same happened in the SEO field: black hat SEOs are the people like me that learned to manipulate the Google algorithms and own the engines. We were not breaking the law in any shape or form. 4 years into it we were branded as “black hats” and accused of doing many things we had quit doing 2-3 years earlier when it stopped working. We were attacked for building links in Wikipedia but it was fricken Google that made a link there worth 20 times (not an exaggeration) a link on any other credible site.

      They said we abused hub pages, PR Web and dozens of other content sites but Google were the dumbasses that gave them an unfair advantage. Etc, etc, etc. All the crap SEO black hats are branded with are things that haven’t worked in a decade. Hell, I am behind the curve now myself, I don’t have time to play with algorithm updates any more, I just make great content, but I can tell you that SEO is what got TSP off the ground. If you google survival podcast I own 5 of the top 10, I am not just number one. There is a reason.

      I broke no laws and harmed no one in doing that and frankly survival podcast got only 12 searches a month when I started so this is me owning the market I created, yet the techniques are branded black hat in a very bad way by people that are too damn stupid to even know what the techniques really are or why they work. Then they go sell SEO to customers and say proudly “we only use white techniques”, well, yeah, because that is all they know how to do.

      In the beginning in SEO it was the same: a black hat wasn’t considered a Viagra spammer, he/she was an elite marketer that understood what others did not. We have a lot of problems with words being ruined by ignorance. Just recently on TSP we have seen the following words being ruined:

      depression vs. recession
      black hat
      hacker
      unschooling
      sovereign citizen
      organic

      Another word that has been ruined is psychosomatic; people think that means a person isn’t really sick, it is just all in their head. Fricken Hollywood at work there. Psychosomatic means “mind body”, meaning the mind and the body both contribute to something, which is true about most illnesses, though pharmacology doesn’t want to admit that. All in your head is psychogenic; some think this doesn’t matter but ruining the word makes honest discussion difficult.

    • @Jack, we do need to take back words and not let the media put them in a negative light. I would like to learn more about SEO (search engine optimization). Your 5 Minutes with Jack podcast was a good intro to SEO. It is silly that you would become an outcast for doing your job in a better way. “Come on, let me show you a better way”. Maybe we all need a little more humility. Humility is a good thing to have.

      I am not sure how we can shed light on subjects without sounding like a jerk (you don’t want to be the “know it all”). I think TSP is doing a great job of putting a positive light on survival. TV shows are being made that will be about “how crazy survivalists are”, but I think it will do some good to get people thinking. I think some people will never accept survival as a lifestyle and the TV show will only strengthen their thinking. A better way is growing a garden. Some people just do not think logically. Story: I told someone about copy canning and they said “well, that would cost a lot.”

  11. The best hackers are the Amish. Trust me – Google: “Amish Hacker” (I mean, what’s not to like about “Amish Electricity” or pneumatic power).

  12. @Joe from the bay area,

    You are grumpy. Jack tries to keep a positive spin on his show. An ad hominem attack on a show guest is neither positive nor helpful in any way. Jack is no dummy and wouldn’t have someone on the show that didn’t know their stuff. As a Chief Information Officer for over 20 years, I believe that Jack and the guest tailored the show content for the intended audience not three-letter agencies.

    If you truly have the vast experience and knowledge that you claim, we would all be better off if you shared some of it. If you do not want to share, then please listen to my wise Mother’s advice, “If you don’t have something nice or constructive to say, keep it to yourself.”

    • I’m a CISSP as well. I’ve done IDS/IPS, intrusion detection and analysis at one of the more complex data outsourcing companies in the world. Jack should be able to figure it out if he knows my location. I doubt MS’s network has shit on what I’ve done.

      I thought Jim’s advice was reasonable for the audience. I think his password advice is outdated. The idea of having special characters is, frankly, one of those that has taken on a life of its own in the IS industry. If you can, a long pass phrase is mo’ better, period. Some systems won’t support long passwords. In those cases, special characters, upper/lowers/numbers, etc is second best.

      Joe was being a dick.
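Comments 2, 4, 6 and 12 above argue about what actually makes a password strong: length, character classes, or a passphrase. The following Python is an added example (mine, not code from the podcast or any commenter) that puts numbers on the debate. It computes keyspace in bits for a uniformly random string, for a random multi-word passphrase, for the "dictionary word plus symbol padding" scheme from comment 2 under the assumption that the attacker knows the scheme, and what a naive strength meter would report for that same padded string. The guessing rate, dictionary size and number of padding patterns are assumed figures for illustration only.

```python
"""Keyspace arithmetic for the password debate above (added example, not
code from the podcast or its commenters).  All figures are illustrative."""
import math
import string

SYMBOLS = set(string.punctuation)              # 32 printable ASCII symbols (space excluded)
FULL_ALPHABET = 26 + 26 + 10 + len(SYMBOLS)    # 94


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string.  Each extra character multiplies
    the keyspace by alphabet_size, i.e. adds log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` words drawn at random from a list of `wordlist_size`
    words (7776 is the size of a Diceware-style list)."""
    return words * math.log2(wordlist_size)


def naive_charset_bits(password: str) -> float:
    """What a typical strength meter reports: it assumes every character was
    chosen at random from the union of the character classes present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return len(password) * math.log2(size) if size else 0.0


def padded_word_bits(dictionary_size: int, padding_patterns: int) -> float:
    """Scheme-aware estimate for 'dictionary word + symbol padding' when the
    attacker knows the scheme (assumed) and guesses word and pattern separately."""
    return math.log2(dictionary_size) + math.log2(padding_patterns)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole keyspace at a given offline guessing rate."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(guesses_per_second: float = 1e10) -> dict:
    """Side-by-side estimates.  1e10 guesses/s is an assumed rate for an
    offline attack on a fast hash; the 100k-word dictionary and 1000 padding
    patterns are assumptions too."""
    padded = r".....::::://///peanut\\\\\:::::....."   # ASCII version of comment 2's example
    cases = {
        "8 random chars, 94-symbol alphabet": random_string_bits(8, FULL_ALPHABET),
        "12 random lowercase letters": random_string_bits(12, 26),
        "5-word Diceware passphrase": passphrase_bits(5, 7776),
        "padded word, naive meter": naive_charset_bits(padded),
        "padded word, attacker knows scheme": padded_word_bits(100_000, 1_000),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:38s} {bits:6.1f} bits  ~{years:.3g} years")
```

Two things the arithmetic makes visible: one extra character drawn from a 94-symbol alphabet multiplies the keyspace by 94, not by 2, so length is worth far more than the "doubling" rule of thumb suggests; and a padded dictionary word scores very high on a naive meter while collapsing to a few dozen bits once the attacker models the scheme, which is what a real cracking rule set does.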

  13. Computer security is about layers, but that being said usability is first, security second, otherwise it’s just a pain in the arse.

    I’d never install McAfee or Norton as they’re nearly as bad as a virus, reporting data back to their companies, slowing down your PC and making it hard to remove every last bit of them if you want to remove them. Kaspersky is a solid AV and does not seem to slow down a computer much.

    Easy steps to securing yourself.
    1. Install an antivirus and firewall package.
    2. Update your software.
    3. Use a router/AP and switch WPA2 on.
    4. Don’t give out personal data, unless it’s a trusted source.

    If someone is going to get your details, it is more likely going to be from compromising a website/online shop you use. People go for big targets with lots of information; the only time people go after one person is if you have happened to piss them off.

    When your PC gets compromised it is not targeted at you, it is targeted at anyone that has gone to a given site. Everyone that gets infected is someone who doesn’t update and doesn’t run an antivirus/firewall, although 0-days are possible.

    If you have a memory stick, use TrueCrypt, it’s free.

    http://exoticliability.libsyn.com/ is the only podcast I know on computer security that tells it how it is.

  14. I wanted to expound on what Jasper touched on with TrueCrypt (+1 to Jasper for mentioning it first!)

    I use this encryption tool to make encrypted containers to store my information on any of my drives, or USB flash drives. This is a fairly normal concept. EXCEPT TrueCrypt also lets you name these files whatever you want, like JoesAdic.jpg, and it also lets you choose a “keyfile” (ANY other file that you specify) if you want to add a layer of security to your password setup. In other words, the perp would have to find your TrueCrypt container, know your password, AND know / have access to your keyfile!

    Also, another tool that TrueCrypt has is that it lets you encrypt YOUR ENTIRE HARD DRIVE! When you log in, you enter a password (just after the “black screen” portion (BIOS) of the boot-up cycle) to decrypt the hard drive for use. You can even edit the password prompt to say something like “no OS found” so the person logging into your computer thinks it’s broken!

    Adding these layers of encryption to your data can protect you from computer theft, as well as data theft. If your hard drive is encrypted AND your critical data is in an encrypted container, then you’re safe from both offline and online attacks (for the most part). You may even have “plausible deniability” for when you need to cross the border back into the US:
    http://www.truecrypt.org/docs/?s=plausible-deniability
    http://www.cba.org/cba/practicelink/tayp/laptopborder.aspx

    *Note: these are the thoughts of a computer super genius, and as such are above reproach from mere mortals, muwahaha!!!

    No really, I do work in IT, so I have a little knowledge about that stuff…
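To make the "password AND keyfile" point in comment 14 concrete, here is an added Python example. It is my illustration of the two-factor principle, not TrueCrypt's code; TrueCrypt's actual keyfile processing is different and is not reproduced here. The container key is derived from both the passphrase and a digest of the keyfile with PBKDF2, and an HMAC header stored with the container lets a wrong passphrase, a missing keyfile, or a keyfile altered by a single byte be rejected before any decryption is attempted. The salt, the sample keyfile bytes, the passphrase and the iteration count are constructed for the demo.

```python
"""Two-factor key derivation: passphrase AND keyfile (added example; an
illustration of the principle, not TrueCrypt's own keyfile algorithm)."""
import hashlib
import hmac
from typing import Optional

ITERATIONS = 100_000                    # PBKDF2 work factor; raise for real use
HEADER_LABEL = b"container-header-v1"   # fixed label the header tag is computed over


def keyfile_digest(keyfile_bytes: bytes) -> bytes:
    """Compress the keyfile to a fixed-size value so it can be mixed in
    regardless of its size; any single-byte change alters the digest."""
    return hashlib.sha256(keyfile_bytes).digest()


def derive_key(passphrase: str, keyfile_bytes: Optional[bytes], salt: bytes) -> bytes:
    """Stretch passphrase (+ keyfile digest, if one is supplied) into a 256-bit key."""
    material = passphrase.encode("utf-8")
    if keyfile_bytes is not None:
        material += keyfile_digest(keyfile_bytes)
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS, dklen=32)


def make_header(key: bytes) -> bytes:
    """Tag stored alongside the container; lets a wrong key be detected."""
    return hmac.new(key, HEADER_LABEL, "sha256").digest()


def try_open(passphrase: str, keyfile_bytes: Optional[bytes],
             salt: bytes, header: bytes) -> bool:
    """Constant-time check that this passphrase/keyfile pair reproduces the header."""
    candidate = make_header(derive_key(passphrase, keyfile_bytes, salt))
    return hmac.compare_digest(candidate, header)


# Constructed demo inputs.  A real salt comes from os.urandom(16).
SALT = bytes(range(16))
KEYFILE = b"\xff\xd8\xff\xe0" + b"holiday-photo" * 8     # innocuous-looking blob
PASSPHRASE = "correct horse battery staple"
HEADER = make_header(derive_key(PASSPHRASE, KEYFILE, SALT))


def demo() -> dict:
    """Which attempts open the container?"""
    return {
        "right passphrase + right keyfile": try_open(PASSPHRASE, KEYFILE, SALT, HEADER),
        "right passphrase, no keyfile": try_open(PASSPHRASE, None, SALT, HEADER),
        "right passphrase, keyfile tampered": try_open(PASSPHRASE, KEYFILE + b"\x00", SALT, HEADER),
        "wrong passphrase + right keyfile": try_open("Correct horse battery staple", KEYFILE, SALT, HEADER),
    }


if __name__ == "__main__":
    for attempt, opened in demo().items():
        print(f"{attempt:38s} -> {'opened' if opened else 'rejected'}")
```

The keyfile only adds strength if the attacker cannot obtain it: a file that sits unencrypted on the same laptop, or a well-known image, contributes nothing once the machine is seized, so keep it on separate media or treat it as a convenience rather than a second secret.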

  15. Listened to this today, and had to note that one afternoon I was sitting in a Starbucks waiting for someone and in the 15 minutes I was there, I listened to someone talking (face to face) to their accountant or lawyer or something like that, and they had to call a bank for them, and I got their account number, their address, their mother’s maiden name, and a bunch of other incidental stuff. And that was all not trying, and needless to say, no criminal intent.

  16. Agree on truecrypt – it’s good software.

    I disagree about “free software being worth what you pay for it” and the recommendation that you run one of the big boys’ antivirus software.

    Microsoft (!) has a product called Security Essentials that is free, keeps itself up to date, and (like Norton and McAfee) is able to keep the nasties off of a machine. http://www.microsoft.com/en-us/security_essentials/default.aspx

    I’d also highly recommend MalwareBytes as a way to recover from an infesta

  17. Jack,
    As I listened to your show on computer and identity security last night, I realized I got suckered… I gave out info I shouldn’t have. I quickly called the bank, who these guys were supposedly representing, and confirmed that it was a fraud. I put an alert in with the bank… Then I signed up for lifelock because I didn’t know what else to do. I also called the 3 credit agencies to report the fraud (Equifax, Experian and Transunion).

    The one thing your show didn’t cover that I’d sure appreciate right now is this: What do you do once you realize you’ve been had? I’ve done everything I can think of…

    Any other recommendations would be appreciated…

    Feeling like a doofus,
    Clinton

  18. @Mark
    I would be a little more concerned about Kaspersky products. Though they may not be as much of a CPU hog, they have some issues. How many times has that company been hacked? Also if you look at their wider “internet security” products, you will find they make your firewall weaker than the built-in Windows default firewall, especially when you are on public or company networks. (http://myitpath.blogspot.com/2010/10/personal-firewalls.html)

    As a few extra tips for everyone

    1) when you are setting up accounts on any service’s website and they ask you password reset questions, Lie. Don’t end up like Sarah Palin.

    2) Never use the same password for your primary email account as you use anywhere else. Most services ask you for the address, so if that site is compromised, or your email is compromised…everything can be compromised.

    3) Find the unnecessary services that run on your machine and shut them down. This gets a bit more technical, but will increase the performance of your system and greatly reduce your attack surface. If your machine is for personal use only, a lot of services that run by default won’t be relevant for you (such as netlogon, remote registry, computer browser, server, etc). You can google “disabling windows services for personal computers” to get examples per Windows OS. For Linux machines, some installations set you up with a lot of server services by default like email servers, web servers, etc. Shut down anything extra that you don’t need.
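Tip 3 above is the attack-surface point. The following Python is an added example, not anything from the comment or the podcast, covering the Linux half of it: it parses the output of `ss -tlnp` (listening TCP sockets with their owning processes), separates services bound only to loopback from those exposed on every interface, and prints `systemctl` commands for the exposed ones you did not intend to run. The sample `ss` output is constructed, the process-to-unit map is an assumed mapping to be adjusted for your distribution, and the "expected" set is an assumption (a personal machine that deliberately exposes only SSH).

```python
"""Triage listening services from `ss -tlnp` output (added example; the sample
output below is constructed, not captured from a real host)."""
import re
from dataclasses import dataclass
from typing import List, Set

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=900,fd=7))
LISTEN  0       511     *:80                 *:*                users:(("nginx",pid=1200,fd=6),("nginx",pid=1199,fd=6))
LISTEN  0       100     [::]:25              [::]:*             users:(("master",pid=1300,fd=13))
LISTEN  0       50      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1400,fd=21))
"""

ALL_INTERFACES = {"0.0.0.0", "*", "[::]", "::"}
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
# Assumed process-name -> systemd unit map; verify with `systemctl status <pid>` on your distro.
UNIT_FOR_PROCESS = {"sshd": "ssh", "cupsd": "cups", "nginx": "nginx",
                    "master": "postfix", "mysqld": "mysql"}
EXPECTED_EXPOSED = {"sshd"}    # assumption: the only service meant to face the network
PROCESS_RE = re.compile(r'\("([^"]+)"')


@dataclass
class Listener:
    addr: str
    port: int
    process: str
    scope: str        # "all" (every interface), "loopback", or "specific"


def classify(addr: str) -> str:
    """Bind scope of a local address as printed by ss."""
    if addr in ALL_INTERFACES:
        return "all"
    if addr in LOOPBACK:
        return "loopback"
    return "specific"


def parse_ss(output: str) -> List[Listener]:
    """Parse `ss -tlnp` lines; skips the header and anything not in LISTEN state."""
    listeners = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")      # handles "[::]:25" and "*:80"
        match = PROCESS_RE.search(parts[5]) if len(parts) > 5 else None
        process = match.group(1) if match else "?"
        listeners.append(Listener(addr, int(port), process, classify(addr)))
    return listeners


def triage(listeners: List[Listener], expected: Set[str] = EXPECTED_EXPOSED) -> List[str]:
    """Suggest disabling services exposed on all interfaces that were not expected.
    Loopback-only listeners are not reachable from the network and are left alone."""
    suggestions, seen = [], set()
    for l in listeners:
        if l.scope != "all" or l.process in expected or l.process in seen:
            continue
        seen.add(l.process)
        unit = UNIT_FOR_PROCESS.get(l.process, l.process)
        suggestions.append(
            f"systemctl disable --now {unit}   # {l.process} listening on {l.addr}:{l.port}")
    return suggestions


if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS_OUTPUT)
    for l in found:
        print(f"{l.scope:9s} {l.addr:>10s}:{l.port:<5d} {l.process}")
    print("\n".join(triage(found)))
```

Run the real thing with `ss -tlnp | python3 triage.py` after changing the script to read `sys.stdin`; the loopback-only entries (CUPS, MySQL in the sample) are the ones you can leave alone, while anything on `0.0.0.0`, `*` or `[::]` that you did not set up on purpose is reachable from the network and is a candidate for `systemctl disable --now`.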