Usually, companies and organizations are eager to increase their exposure and presence on the Internet, and generally take whatever steps are required to drive more clients and potential customers to their sites. The problem is that, given today’s Internet, an increased and well advertised presence can also lead to an increased potential for criminal infiltration, attack, and even extortion. Visibility works both ways; once your Web presence is well known, it’s also bound to attract “undesirable elements” who want to tear it down, deface it, or use it as a gateway to your internal systems.

An article posted on the ITsecurity Web site catalogs the biggest threats most companies will face as their Web presence grows. The best way to counteract some of them involves a serious, detailed review of your current practices, network architecture, and personnel. Yes, I said personnel. Your employees (or family members at home, for that matter) are probably the biggest vector for security breaches. They’re the folks who will reveal personal details to others without thinking about the consequences. They’ll use weak passwords, or will recycle the same passwords on multiple sites. They’ll surf the Web, inevitably happening across at least a few compromised sites that’ll track their activities and your IP addresses, which will lead identity thieves and hackers back to your network.

What will hackers steal once they gain access to your internal systems and confidential data? Sure, they’ll seek immediate financial gain if the opportunity presents itself. No thief would turn down an immediate payout, unless they decided it was more advantageous to lie low and wait for something better. And they might, since they might decide it’s far more profitable to use their new-found access to install spyware, keylogger software, or other malware on your systems instead. The long term profit potential of doing so is potentially far greater, depending on your business and the amount of traffic that traverses your network, than simply stealing data or destroying systems from within.

A good hacker could install packet-sniffing software, keystroke loggers, and other material that might go undetected for days, or even weeks. During that period they would have the ability to read and record user passwords, account numbers, sensitive communications, and the personal identification of hundreds of your employees.

Increasing your network presence is a great way to build a business, and the possibility of infiltration or other thievery shouldn’t prevent you from following that path. A reasoned assessment of the risks involved, plus a great deal of preventative work during design and deployment of your Web presence, will go a long way toward mitigating the risks. Web business is no longer a simple matter of hanging a few servers on a network and setting up a site; the risk management requirements are often far greater than those needed to design and manage the technical details.

How does your ISP stack up against the rest of the field? You might be surprised at the differences in user experience, speed, and overall satisfaction that are discovered during head-to-head evaluations conducted by various agencies. PC World posted an article on the “best and worst ISPs” that listed many large providers and their scores in various areas. Such surveys can be extremely useful for people who are in the process of selecting a new provider—presuming, of course, that they have a choice in the matter and aren’t limited to a single company based on geography. This particular article discusses everything from overall speed to customer and technical service; unsurprisingly, some companies did well in certain areas while failing miserably in others.

Something many people don’t seem to understand is that, in most cases, the speed rating a company advertises represents only the download rate users can expect at a given service level. The available upload speed is often significantly lower. For instance, a company might advertise a 6MB download data rate, but offer only 512KB or even 256KB upload services. This is perfectly acceptable for most users, since their primary use of the net involves the receipt of one-way Web traffic or online gaming data. However, anyone who hosts a Web service from their house (an activity that’s often not covered under standard user agreements) should also closely examine the upload speed available from their connection.

The survey also notes that cable and DSL are the heavyweight contenders these days, with other service types (fiber, dial-up, etc.) far behind in the overall distribution. Dial-up will soon be relegated to only those areas where no high speed service is available, as well as to traveling users who need to connect briefly in order to send and receive mail. It’s a dying medium, and deservedly so given the heavy data requirements of today’s user.
While speed is important, I also recommend that anyone looking at a service provider check into customer and technical support ratings before buying into a long term contract. I’ve had excellent experience with my current provider, and actually abandoned another service nearly three years ago due to their abysmal level of support. Their failures even included a rented modem that regularly rebooted itself due to what I was certain was a hardware problem (I could trigger the problem by moving the power connector). When I contacted the provider, they remotely tested the connection and said it was fine. I told them what I’d found, and the representative’s response was “if we can’t make it happen while we’re testing your connection, we won’t change anything.” This service (a cable company) also regularly died during any sort of bad weather; on one occasion an outage lasted over a day. Finally I switched to DSL via another provider; their service has been excellent overall with few outages and reliable hardware.

Users vote with their pocketbooks, and poor providers don’t retain customers. Ask AOL or MSN, both of which have had poor ratings for years and have consistently lost subscribers as a result. Internet service is becoming a utility, but often more choices are available in a given area than is the case with electricity or water. Shopping around and researching provider ratings is a very wise course of action.

Recently a Microsoft security director released a list of bugs patched and yet to be patched in both Vista and XP, and claimed that although Vista includes more un-patched defects they’re “less critical” than those found in XP. While I don’t have a list of the exact defects and their severity available, it’s interesting that (as an article on ITworld.com noted) “Microsoft has patched 12 out of 27 disclosed Vista vulnerabilities in the six months after it first shipped last November. During XP’s first six months, Microsoft’s security team patched 36 out of 39 known bugs.”

The whole process of bug confirmation and classification reminds me of the old Disraeli quote noting that “there are three kinds of lies: lies, damned lies, and statistics.” Having worked as a software developer, I’ve been put in the situation of classifying a bug according to its severity. It’s not easy, since much depends on the nature of the bug and its effect on the application as well as the system. Some bugs are easy: if it’s guaranteed to crash the machine or cause unrecoverable data loss, it’s severe. Others are more nuanced: what if a bug causes a serious application error, but fewer than 1% of all users are likely to encounter it? To that 1% it’s a severe problem, but it’s irrelevant to everyone else. If such a bug is added to the list of defects to be corrected, is its severity higher or lower than another bug that only causes a temporary hang, but is experienced by 50% of the user base? Triage, especially in the case of large applications or operating systems, can be a tough call. So it’s hard to say exactly how Microsoft has arrived at the determination that Vista’s current crop of bugs are “less critical” than those encountered by XP during the same period.
It’s also difficult to determine whether the “less critical” nature of the Vista defects is due to lower rates of adoption than were the case for XP over the same time period. As a source for the ITworld.com article also noted, “it will be more interesting to look at vulnerability statistics once Vista becomes more popular than XP, and the target of more hackers.” Another commented that Microsoft is not including defects related to third party software, such as the “thousands of exploitable ActiveX controls that… vendors include with a Windows system.”

Users don’t need to worry about just the OS, but also about applications and hooks that access components of the OS. While some third party vendors are extremely cognizant of security concerns and the overall effect of bugs on the user base, others are surely less circumspect. Freeware or shareware applications are especially vulnerable, since their vendors often have fewer resources to devote to extensive QA and regression testing prior to releasing new versions or updates. Happily, Windows has gotten somewhat better as of late in respect to isolation of user processes from kernel-level access, but such isolation is of little use if, for instance, users continue to make use of accounts possessing administrative access privileges.

Vista may be less vulnerable and more bug free than XP, or the statistics may simply be misleading. Keep your security software updated.

In a move that should be emulated by other PC vendors, Dell announced today that it would allow buyers to purchase systems that aren’t packed with “bloatware” - a common term for commercial applications, whether limited “trial” or demo-only packages, that come pre-installed on new PCs. It’s become a common practice to fill new machines with such applications, many of which are of no interest whatsoever to many users. Apparently, users on Dell’s blog site complained about receiving machines infested with dozens of applications that took up disk space and memory; they also required hours of work to remove successfully.

According to the article, “Buyers of Dimension desktops, Inspiron notebooks and XPS PCs can now click a field in Dell’s online order form that will block the installation of productivity software, ISP (Internet service provider) software, and photo and music software.” Some applications will continue to be installed, including Google toolbar, Adobe’s Acrobat Reader, and an antivirus package. All are excellent choices, as they’re actually useful to many users. Plus, the presence of an antivirus package should encourage more buyers to purchase a full license, which usually includes a year’s worth of automatic definition updates and patches.

The reason many PC vendors currently include photo manipulation and other software packages is simple: software companies pay these vendors to include their applications, in the hope that new users will opt to purchase a full license. This isn’t necessarily a bad idea, and it’s preferable in some ways to the older practice of including CD after CD of trial and demo software, most of which became fodder for landfills. However, many users already know which audio or video management software they want to use, and are unlikely to change vendors based on the presence of a different package on a newly purchased PC. In my experience, most users choose their software based on the applications they use at work or school (the latter is a significant reason for vendors offering massive discounts to schools and universities – they know they’re creating future customers by doing so). People who are used to Microsoft Office or Adobe Photoshop are unlikely to buy the WordPerfect suite or Corel Paint Shop Pro for use at home, unless they’re on a budget and have no other choice.

Personally, the trend toward pre-installed demo and trial software is one reason I still build my own PCs. I want to know exactly what’s on my machine, and I want full control over the use of memory and disk space. Savvy users are very particular about such details, and the presence of frequently intrusive and useless applications, not to mention a desktop polluted with unnecessary icons, is likely to chase away more users than it attracts. More PC manufacturers should give buyers the option to purchase machines uncluttered by annoying bloatware. Dell made the right decision; with luck, other vendors will follow suit.

While looking at new motherboards recently, I noticed more are offering hardware RAID controllers as standard. Intrigued, I decided to check into the current status of RAID on a home PC, and ran across an article that discusses its implications for the average home user. While the information in this article is valid, it’s also a bit misleading. Many factors must be considered before you implement RAID.

First, some concepts. RAID usually stands for Redundant Array of Independent Disks, though sometimes “Inexpensive” is favored by some proponents. As the article on PC World notes, several flavors of RAID are available on the market: 0, 1, 0+1, 5, and so forth; each is useful in a different context and may or may not provide higher disk performance than a single drive. The most basic level, RAID 0 or “striping,” involves the distribution of data across two or more disks. Data that would ordinarily be on one drive is distributed across all the drives in the RAID set. This does have the effect of increasing performance, though some minor penalty is incurred due to the slight overhead of the RAID hardware’s processing of requests (in my experience, software-based RAID isn’t worth the effort or hassle because it’s too processor intensive to have much of an effect on performance).

The article briefly states that RAID 0 actually decreases data security, but doesn’t go into any detail. The reason is that the loss of a single drive in the RAID set leaves the data striped across the drives in an unreadable state. Half of one file might be on the first disk, while the other half is on the second. If the second disk fails, you’ve lost half the file. Given that the RAID controller could have been alternating between drives while writing that file, the bits on the remaining drive are probably non contiguous and therefore completely unreadable. So while RAID 0 might help performance, you’re absolutely required to keep good, regular backups in case of a failure. Recovery of data from a blown array is difficult, if not impossible.

RAID 1, however, does provide increased data security since it involves 2 disks that store exactly the same data (it’s also known as “mirroring”). Whatever goes to the first drive in the RAID set also goes to the second, thus basically ensuring that no data loss occurs due to the failure of a single drive. RAID 1 doesn’t provide any performance boost though. It’s excellent for mission critical applications where data loss is totally unacceptable, but it’s not good for improving the performance of your games or video software. Also note that it means the mirror disk is solely used to retain copies of data from the primary – 2 40GB drives gives you only 40GB of usable storage (not 80!).

You can combine 0 and 1 to get 0+1 (”striping and mirroring”), which provides the best of both worlds. This requires a minimum of four hard disks, so the associated performance improvement may not be cost effective for the average home user. Likewise, RAID 5 requires a minimum of three disks, so it suffers from the same cost-related problem. And does your PC case contain enough free slots and power connectors to accommodate all the required drives?

RAID can be useful in some contexts, but you really need to think about it before investing a lot of time and money implementing a technology that might not provide much of a return. You might experience a better outcome by simply spreading your data across two or more standard disks!

It may come as a surprise to many readers, but many of us don’t really make use of the full capabilities available from our PC’s hardware. One of the reasons is that frequently the easiest way to upgrade an older machine involves the purchase of a completely new one - CPU, disk, monitor, etc - when all we really need is more memory or disk space. As I’ve said before, few people really exercise the CPU much, especially if they mainly use their system for Web and e-mail activities. This is one of the reasons I recommend that users look hard at their budget and usage profile before throwing down a big chunk of change on a new machine. Recently I doubled the disk space and memory in my primary PC for a grand total of about $150, or less than half the cost of a decent new system.

This said, there are also ways to extend the capability of your existing machine by playing around with certain hardware settings, as well as graphics drivers and other toys. You’ve probably heard of “overclocking,” which involves changing BIOS settings on your motherboard to fool it into thinking your CPU is faster than its rated speed; it’s a fairly common activity among tweakers and tinkerers and can (note: “can”) produce a significant speed increase. By way of warning, it can also make your PC unstable and could even damage the hardware.

There’s a good article on basic tweaking that you might want to read before trying it on your machine, and you should also be aware that it may not help at all if you’re not already significantly using the CPU for heavy graphics, games, or video. The act of overclocking can add to the heat load inside your machine’s case, so extra fans and sensors (not to mention one of those fancy liquid cooling systems) might be a good idea. I know of some guys who ran old 486 machines up to several times their rated speeds; they actually stuffed the motherboard into a freezer to keep it cool enough for the tests. I don’t suggest this unless you really know what you’re doing!

Another great area for tweaking involves graphics drivers. Recently I ran into the Omega Drivers web site and downloaded the software for my video cards. I didn’t see much improvement on my desktop system until I ran a video-intensive game, which performed much more smoothly using the Omega drivers. My laptop was another story - it now uses a significantly faster video refresh rate, and even graphics intensive applications like Second Life run smoothly on it. I’ve experienced no instability, crash issues, or other problems using these drivers, and they didn’t cost a penny, except for a donation to support the developer’s efforts.

Tweaking can be time consuming, and the return on investment can be either significant or next to nothing. It all depends on the hardware, the OS version, and a bit of luck. Just remember that some tweaks (like overclocking) can void your warranty or even render a system unusable, so be careful and keep track of what you’ve changed. The scientific method is your friend!

A concept called the “reasonable person principle” states that, given a set of requirements, everyone will be reasonable and adhere to the common goals of the community. This may be the case in certain situations (i.e. when well educated professionals are involved and are aware of the reasons behind the requirements), but it often fails miserably when computer security is entrusted to legions of users who often have little understanding of the whys and wherefores of security rules.

This problem is noted in an article on ZDnet, where various “security sins” are mentioned. The basic failure of user managed security involves a lack of training and understanding of the overall problem, as well as the human tendency toward laziness. People generally despise password management for instance, and commonly use one (less than adequate) common password for all their accounts. This failing can be mitigated somewhat by forcing the use of more complex, longer password strings, but this very policy can actually worsen security if taken to excess.

I once worked for the US Military. The rules stated that user passwords had to be a minimum of 10 characters in length; they also mandated the use of system generated, nonsense-word password keys (like “bq7rt3b45w”). User terminals were often festooned with Post-It notes denoting each user’s randomized password. The military’s policy actually resulted in seriously compromised security. Left to their own devices, users of that era would have chosen their first name, spouse’s name, or home town (password dictionaries didn’t yet exist). These are just as insecure, and easier to guess.

Likewise, the article discusses the two way nature of data traffic and its relationship to the mentality that the worst threats lie outside the organization. Much of today’s security is focused on intrusion prevention and the detection of inbound data containing hazardous materials (spam, viruses, malware). However the worst security threats often originate within an organization, frequently in the form of disgruntled, dishonest, or just plain clueless employees who violate standards by transporting sensitive data outside the firewall or disable security software installed on their workstations.

I’ve personally seen cases where employees have e-mailed sensitive documents to their external ISP accounts so they could work later from home. These people didn’t understand that email isn’t secure and is simple to intercept. A consulting client (a medical doctor running a research study) recently told me I was wrong about mail being insecure. He said that it was secure at his facility since each user had to insert a key card into their personal workstation in order to gain access. I explained that this wasn’t the concern - the real issue involved exposure of unencrypted data while it was in flight between his client and the recipients (who were outside his facility, in Europe!) and vice versa. He had no idea email traveled in this manner.

The object lesson is that users don’t understand security, and you shouldn’t leave enforcement in their hands. Don’t presume people will be reasonable in this situation. Basically, they want to accomplish their work with as little effort as possible, and security constraints add effort to any task. Self-policing users will almost invariably take the easiest path, and in doing so will compromise security. This is an area where top-down, mandatory policies are your best friend. Users will grumble, but grumbling is preferable to a high profile hacking incident.

Yesterday’s discussion of security sins elicited more thoughts about password management. This topic is probably more confusing and misunderstood than any other security topic. So let’s do a deeper dive into password management practices, as well as the whole rationale behind the things in the first place.

First, some background. Security involves two basic concepts that are often misunderstood by the public, and even by some security professionals: authentication and authorization. The first, authentication, is “who you are.” When you flash your driver’s license, employee badge, or other ID, your photo and physical characteristics are used to confirm who you claim to be, i.e. that you really are John Smith. Authorization is “what you’re allowed to do.” Generally the two go hand in hand: if you have a valid driver’s license, it means you’re legally permitted to operate a car. That same license does not, however, give you authorization to operate an aircraft. Your corporate ID may give you general access to the company’s facilities, but you may not have authorization to enter the data center or employee records facility. Authentication may, or may not, equal authorization.

In computing, authentication usually involves logging into a system using an ID and password. Sometimes, in higher security environments, physical key cards are used in conjunction with or as a replacement for passwords. However the objective is the same: logging in as user John_Smith with the proper password or key card is how the system determines who you are. If someone has stolen or guessed your password, they can impersonate you. In real world terms, they’ve stolen your employee ID or driver’s license and have altered it in a manner that convinces others they’re the real John Smith. (As a side note, think about the last sentence in terms of identity theft…)

Once authenticated, someone can take advantage of the authorization level you’ve been given for a particular system. If they’ve managed to convince a Windows system they’re the real Administrator, they get to do anything – they can add and remove programs, read and write any file, format disk drives, change system settings, and so forth. If they’ve gained access to a less privileged account (i.e. one with a lower authorization level) they will have limited access that prohibits certain activities, such as formatting drives or accessing all files.

The above scenario should tell you two things: first, the Administrator account or the root account on a UNIX/Linux system should always have a password. It should be a particularly strong (difficult to guess) sequence, since this is the most highly privileged/authorized account and it wields ultimate power over the entire system. Second, you shouldn’t use this account for everyday activities; instead, you should create standard user accounts with fewer privileges. Administrative accounts should be reserved for use only when their special powers are required. (As a side note, the use of a single account for all activities on a system, especially if multiple users are involved, seriously impairs a third dimension of security: accountability.)

Passwords are no joke, and must be taken seriously. Their importance can be more clearly perceived when changes in Windows password handling over the last decade are considered. Windows started off with no authorization at all. NT introduced basic login ID/password management, but Windows 95 and 98 used an “optional” methodology that was easy to circumvent. Windows 2000 forced the use of accounts and passwords, XP strengthened the authentication subsystem even further, and Vista introduced even more changes to make user accounts more secure. All these alterations were responses to increasing requirements for better authorization and authentication management. Why? As more systems became connected to the Internet, especially via “always on” links like cable and DSL, they became increasingly vulnerable to attack. Also, corporate security standards became more stringent as computing resources became increasingly important and were used to retain massive amounts of sensitive data.

We’ll discuss details of password selection rules, dictionaries, history tracking, and other criteria in Part 2 of this series.

A concept called the “reasonable person principle” states that, given a set of requirements, everyone will be reasonable and adhere to the common goals of the community. This may be the case in certain situations (i.e. when well educated professionals are involved and are aware of the reasons behind the requirements), but it often fails miserably when computer security is entrusted to legions of users who often have little understanding of the whys and wherefores of security rules.

This problem is noted in an article on ZDnet, where various “security sins” are mentioned. The basic failure of user managed security involves a lack of training and understanding of the overall problem, as well as the human tendency toward laziness. People generally despise password management for instance, and commonly use one (less than adequate) common password for all their accounts. This failing can be mitigated somewhat by forcing the use of more complex, longer password strings, but this very policy can actually worsen security if taken to excess.

I once worked for the US Military. The rules stated that user passwords had to be a minimum of 10 characters in length; they also mandated the use of system generated, nonsense-word password keys (like “bq7rt3b45w”). User terminals were often festooned with Post-It notes denoting each user’s randomized password. The military’s policy actually resulted in seriously compromised security. Left to their own devices, users of that era would have chosen their first name, spouse’s name, or home town (password dictionaries didn’t yet exist). These are just as insecure, and easier to guess.

Likewise, the article discusses the two way nature of data traffic and its relationship to the mentality that the worst threats lie outside the organization. Much of today’s security is focused on intrusion prevention and the detection of inbound data containing hazardous materials (spam, viruses, malware). However the worst security threats often originate within an organization, frequently in the form of disgruntled, dishonest, or just plain clueless employees who violate standards by transporting sensitive data outside the firewall or disable security software installed on their workstations.

I’ve personally seen cases where employees have e-mailed sensitive documents to their external ISP accounts so they could work later from home. These people didn’t understand that email isn’t secure and is simple to intercept. A consulting client (a medical doctor running a research study) recently told me I was wrong about mail being insecure. He said that it was secure at his facility since each user had to insert a key card into their personal workstation in order to gain access. I explained that this wasn’t the concern – the real issue involved exposure of unencrypted data while it was in flight between his client and the recipients (who were outside his facility, in Europe!) and vice versa. He had no idea email traveled in this manner.

The object lesson is that users don’t understand security, and you shouldn’t leave enforcement in their hands. Don’t presume people will be reasonable in this situation. Basically, they want to accomplish their work with as little effort as possible, and security constraints add effort to any task. Self-policing users will almost invariably take the easiest path, and in doing so will compromise security. This is an area where top-down, mandatory policies are your best friend. Users will grumble, but grumbling is preferable to a high profile hacking incident.

Today Apple announced that Safari, its own entry in the browser wars, is currently undergoing Beta testing on Windows.

I’ll repeat that. Apple’s browser now runs under Windows.

This is pretty significant, since it’s one of very few cases I can think of where an application moved from Mac to Windows (usually it’s the other way around - certain multimedia applications, like Photoshop, started life on the Mac). It’s also another case, I’ll suggest, of Apple facing reality and moving to implement more mainstream technology. For years, Macs were the “outsider” platform in regard to desktop computing - PCs and Windows were seen by Mac aficionados as “computing for the masses” while the Mac was a cut above. Apple produced its own hardware, designed its own bus, and stayed aloof while IBM opened the PC architecture to the world. The ISA bus, and later EISA and PCI, became ubiquitous and therefore inexpensive. PCs used cheaper disks based on the IDE, EIDE, and then the ATA subsystem while Macs continued to use faster but more expensive SCSI drives. And sales continued to plummet.

Then, suddenly, a few years ago Apple adopted PCI and began moving toward other components used by PCs. Now their browser will run under Windows. Do we sense a trend here? I’m not sure yet, but it’ll be interesting to watch the progression over the next few years. Apple’s commercials still attempt to maintain its counterculture image, portraying a dowdy business-only PC in comparison with the hip Mac, but the difference is now largely confined to the OS and presentation layer. Under the covers, there’s no longer that much separating the two.

There are no reviews of Safari on Windows yet, but Apple’s site claims it’s blazingly fast (1.6 times faster than Firefox 2.0 running Javascript, and more than twice as fast as IE 7 when performing the same task) and contains a full suite of security-related features designed to mollify Web users who are understandably twitchy about accidental disclosure of personal data. The Web site containing a link to the new browser also trumpets features like easy bookmarks, pop-up blocking, tabbed browsing, autofill for online forms, RSS support, and a number of other features that…IE and Firefox already have. I haven’t seen the claimed “elegant user interface” or other features yet since I haven’t tested the Beta release, but various sites are promising to release side-by-side comparison data fairly soon. Stay tuned.

One potentially cool new feature is something Apple calls “SnapBack.” It’s designed to help users who have gone astray from their original intent after searching for some term. According to the release information, “SnapBack lets you instantly snap back to your original search results or to the top level of any website, even after you’ve browsed down a few levels.” This means you’re no longer stuck hitting the “Back” button repeatedly in order to navigate back to your original query - potentially a very useful thing in contexts where you’ve lost your way or been sidetracked when doing research.

As a result of this announcement, we now have another browser entering the user acceptance wars. The heavyweights are IE and Firefox, with everyone else fairly far back in the crowd. Will Safari make inroads into the Windows market? I’m not sure yet. I like Firefox and use it whenever possible, but I’ll download Safari and give it a whirl.