PC Security Top Five

Everyone seems to be doing top five and top ten lists these days, so I figured it's about time I presented one of my own. Here's my PC Security Top Five for home computers and home computer users:

1.  AVG antivirus. This is a best-of-breed antivirus program that is free for personal use. I've been using it for years.

2. Spybot Search & Destroy. Freeware. Anti-spyware/privacy protection. This is my main tool in the battle against spyware, and as of March 19, 2008, the program includes RootAlyzer anti-rootkit technology.

3. SpywareBlaster. Freeware. Blocks malware (see site for details). You need to update it periodically, but it's transparent otherwise.

4. Mvps.org HOSTS file. The HOSTS file can be used to block unwanted sites and mvps.org provides a constantly-updated list of sites to block. Complete details can be found by following the link. I've used it for more than five years and have never gotten infected by a bad site.

5. Security Now! podcast. Every week, Steve Gibson and Leo Laporte discuss security. If you're not listening, you're missing out on some of the best security advice out there. Tell 'em The Geek sent you!

Cheers!
The Geek

Geeks as cyber warriors?

Check out this article in my new IT Knowledge Exchange blog (a paying gig for a change!). Seems the Air Force (which I'm a veteran of) has set up a new Cyber Command division. I'm sure it'll be the geekiest place in the military.

Cheers!
The Geek

How to Write Down Your Passwords and Not Worry About Someone Stealing Them

I sometimes enjoy playing with codes and ciphers. In fact, a long time ago (eighth grade, 1966), I got my introduction to cryptography from a book aptly named Codes and Ciphers written by Alexander d'Agapeyeff. My friends and I had some good laughs getting caught passing encoded notes in class; the nun couldn't decipher them. Being an Edgar Allen Poe fan, I was fascinated by his story "The Gold Bug," which centers on the solution to a cipher that turns out to be a map to hidden pirate treasure. And then there's that bit with Ralphie, the hero in the classic holiday hit movie, A Christmas Story, where he anxiously awaits the arrival of his "Little Orphan Annie Secret Decoder Ring."

But I digress.

I know this isn't a new concept by any means, but the application of simple cryptographic principles can allow you to generate passwords using patterns that you can safely write down. One of the key elements of authentication is "something only you know" and you can use this to generate secure passwords with simple substitution and transposition ciphers. (WARNING: playing around with this stuff can be habit-forming!)

Let's take a simple example of a substitution cipher based on a date. This one uses two levels of secret "keys": 1. a clue or mnemonic for the date; 2. an abstraction of the encoding algorithm. We'll use Abe Lincoln's birthday in numeric form--02/12/1809--for our plaintext, leaving out the slashes, i.e., 02121809, which will result in a strong, eight character password. Now, for the first key, we can use "BDAbe." This immediately reveals the plaintext, but means little or nothing to anyone else. (NEVER use your own birthday, for obvious reasons.)

Next, we decide to use alternating shifted characters, beginning with the first character. So, for key two, we make an abstraction of that: %x#, for example. It doesn't matter what characters you use, only that they clearly represent shifted and lower-case characters; you could just as easily use AyT or !2@. The pattern of shift-lowercase-shift on the keyboard is what matters to you; the characters mean nothing else. Put the two keys together and you have this: BDAbe%x#. That's your cipher pattern, the "something only you know," with an added level of complexity: it's something only you know (the plaintext) and only you know what it means (the encoding pattern). Anyone who sees BDAbe%x# will have your keys, but it's likely they won't have a clue as to what to do with them. Write it down. Post it all over the place. Buy an ad in the newspaper. Tell everyone you know. Who cares? It isn't your password and only you know what it means; but, it looks like a password and serves as an effective deception.

Finally, we generate the actual password using our cipher pattern of alternating shifted and lowercase characters, so 02121809 becomes our ciphertext of )2!2!8)9: eight characters, each having one of 96 possible choices. In a brute force attack, a modern PC, capable of guessing 10 million passwords per second, would take 23 years to go through all possible combinations of an eight-character password with a 96 character selection space. Not too shabby, eh?

For website logins where high security isn't a concern, you can drop the "www." and use the rest of the URL as your plaintext. In this case, you only need to write down the password length and encoding pattern. Let's say I have a login on the site www.nytimes.com. I don't care if someone reads the news using my password, so tight security isn't a concern. I decide on a pattern of lowercase-shift-shift and decide to use a six-character password. The encoding pattern is x%^, so I can write that down as nytimes.com/x%^. Who's going to know what that means? The password would be nYTiME. At only six characters and despite being based on the URL itself, that password is still relatively secure: it would take a hacker 33 minutes to crack your password; he'd be able to set up his own account in less than 2 minutes. And why would anyone want to crack your password? NYTimes.com doesn't ask for any personal information other than your birth year and zip code, nothing that's worth anything to a criminal hacker.

I encourage you to come up with your own method of applying this to your passwords, and of course, I welcome your comments and questions.

Cheers!
The Geek

Have a question? It can be about anything from cooking to science, whatever you're interested in: Click here to Ask the Geek! Kenny "The Geek" Harthun has been playing with geeky stuff since 1965. He's a former research scientist, currently works as a Microsoft Certified Systems Engineer at Connective Computing, Inc. and loves to learn about anything and everything.

Update 2008: How to make a bootable thumb drive virus scanner for NTFS

The original article and subsequent updates requires a change of procedure. Avira, who acquired NTFS4DOS, apparently changed the installation procedure and included a new program to create a bootable floppy disk. If you use the program floppywz.exe to install NTFS4DOS to your thumb drive, you end up with a 1.44 MB thumb drive and cannot install F-prot.

DO NOT run floppywz.exe, but navigate to the installation directory: by default, C:\Program Files\Avira\NTFS4DOS and simply copy the NTFS4DOS to your thumb drive. Copy F-prot and then boot to your thumb drive. You'll no longer see a startup menu, but just a DOS prompt. At the prompt, type "ntfs4dos" without the quotes and hit enter. Then, you can run F-prot.

Here's the last update prior to this one: http://askthegeek.kennyhart.com/2007/03/update-how-to-make-bootable-thumb-drive_20.html

Cheers!
The Geek

Technorati tags: antivirus, ntfs4dos, ask the geek, thumb drive, f-prot

The Zonbu Laptop - Hassle-free, Affordable, Secure

Having recently had the pleasure of interviewing Zonbu's CEO, Mr. Gregoire Gentil, and also having had the pleasure of testing the laptop, I have to say I'm impressed by both the business model and the product. But my being impressed is just one opinion; what are others saying about Zonbu? Rather than my writing my own review, I present  a random sampling of quotes from email and other reviews along with my comments.

Mr. Zonbu says: "The company has consistently delivered new releases, fixing bugs, enhancing the system and updating the key software packages. None of the updates have broken anything on my system and Zonbu has listened to the public feedback and made changes and adjustments to continue to improve and refine the overall experience for the end-user. I was skeptical about their ability to keep up the pace and handle things smoothly, but so far they have exceeded my high expectations...If you don’t want the hassle, let Zonbu take care of it for you."

Yep, it's completely hassle-free and mostly automatic for even the most novice user.

John Biggs of crunchgear.com says: "The Zonbu notebook costs $279 with a 2-year $14.95/month subscription to Zonbu’s update and storage service. This, clearly, is Zonbu’s real MO. They offer unlimited support and upgrades along with 50GB of Amazon S3-based storage. If you opt out of all of the support, you pay $479 for a fairly basic laptop.

"Here’s the rub, kids. With the service pack you’re paying $637.80 for a Linux laptop."

The key words here are "unlimited support and upgrades along with 50GB of Amazon S3-based storage." Most people don't have a clue how to back up and secure their PCs, much less do upgrades. Geek Squad will give you "Basic Security" for $229. With Zonbu, you plug it in, it works, it's secure and you never have to worry about it. As long as you're under the subscription plan, if the unit breaks, they ship you a brand-new one. That says "affordable" to me.

Arsgeek.com says: "On turning it on, you’ll see the typical Zonbu startup screen where various icons light up to show you what phase of the boot process it’s in. After about a minute or so I was on the desktop. Zonbu, no matter what else they may have going for them certainly have great wallpapers. The desktop is crisp and clean, with a few icons in the upper left and a few items in the taskbar on the bottom.

"I was immediately greeted with a network connection wizard which walked me through getting online using my home wireless connection. It was painless and in a minute I was happily online. I logged in with my email and password and I was ready to play!"

I had the same experience on first boot. Even a novice could get on line quickly, in my opinion.

Security? I can compromise your PC in just a few minutes at some of the sites I know of. I have been unable to compromise either the Zonbu desktop unit or the laptop.

The Zonbu laptop isn't necessarily for Geeks to use, but it will certainly lower the amount of free tech support you have to give to your friends, neighbors, mom and girlfriend who all own Windows PCs.

Cheers!
The Geek

Technorati tags: Zonbu, laptop, linux, secure computing, hassle-free computing, affordable