General, Security, Privacy, Technical

A Hacker’s View of Passwords

Passwords You Say?

Passwords. The bastion of authentication. Defenders of data. Bane of those shadowy figures wearing hoods and ski masks in darkened basements whilst attacking your servers. Passwords protect your secrets, but how effective are they really?

Plenty of articles have been written on the shortcomings of passwords — mainly around complexity, reuse, expiry, and how these additional “controls” may not truly solve the problems inherent to passwords. I will touch on these, but in the spirit of education I felt a duty to provide context and to answer the inevitable question one hears when they enact some new policy or control in the security world: “Why?”

I will start by saying that, in my humble opinion, passwords are here to stay — in one form or another. “What about biometrics?” you may ask — to which I will reply with another question: “What happens when your fingerprint is stolen?”. You can easily change a password. You can’t (easily) change your fingerprints. What about the tokens used in two-factor authentication? Couldn’t we simply just use those instead? Yes we could, but they can be lost or stolen, and can be expensive relative to a password. Economically speaking, we would have to see executives, as a whole, start taking security a lot more seriously if that is to happen.

So, for now, let us say that passwords will be with us for the foreseeable future. Maybe I’m wrong and some new technology will supplant passwords as the de facto standard — but for now they are here and we have to deal with them.

Now, let us take a look at the current “state of the art” of passwords.

 

Passwords Currently

Password policy varies from organization to organization, but in general it seems to follow the lines of NIST SP 800-53’s example. Don’t know what NIST SP 800-53 is? Not to worry, it’s the US Federal Government’s catalogue of controls for “information systems” (aka: software systems, etc.).

In other words, it’s a list of things you need to do security-wise if you want to play ball with the US Feds. It’s good practice to do much of this if you are in the private industry as it’s a crazy world out there with crazy-hooded-masked-basement-dwellers around every corner.

So what does NIST SP… bla bla bla … say? It’s quite simple actually. It wants your passwords to:

  • Have a mix of upper-case letters, lower-case letters, numbers, and/or special characters (symbols and such) (Usually 3 of the 4)
  • Have a minimum password length (Usually 8+)
  • Not be the same as your last password (Some say “can’t be one of your last 10 passwords” or so)
  • Expire after some period of time (Usually 60 or 90 days)

Sound familiar?

NOTE: There are a few other requirements, but they don’t directly relate to password complexity so I’m leaving them out. If you really want to check it out, here’s the NIST SP 800-53 standard (pdf). It’s on page 253.

So what passwords fit these criteria?

  • Password123
  • Test1234
  • 12345678ABC!

Why is this important? Because adding complexity makes it hard to guess — in a way. What it actually does is make it hard to do what is called “brute-force”. That simply means to check every possible combination of values.

Time for some math. I promise it won’t be too much.
Let’s look at our criteria again:

  • Upper, lower, number, symbol
    • There are 26 upper-case letters (English alphabet)
    • There are 26 lower-case letters (English)
    • 10 numbers (0, 1, 2, 3, 4, 5, 6, 7, 8, 9)
    • 16 symbols (~!@#$%^&*()_+,.?) (Yes I know there can be more but I had to choose)
    • TOTAL = 26 + 26 + 10 + 16 = 78 possible “characters” for each position in the password
  • Minimum password length
    • Assume this is 8 (can be longer, set by policy)
  • Not the same as your last password(s)
    • Doesn’t affect complexity
  • Expires after 60 or 90 days
    • Will affect how long we have to crack the code!

With all this, we can calculate how many possibilities there are in this 8-character password:

78 x 78 x 78 x 78 x 78 x 78 x 78 x 78 = 78^8 = 1,370,114,370,683,136 possible passwords

That’s a lot! Even with some decent-powered computers this would take a long time to go through. But a hacker is smarter than that. They know that it’s not worth trying every combination — especially on a live system where an increase in traffic might get noticed.

So they think about how people choose their passwords instead.

 

A Hacker’s Approach to Passwords

Hackers aren’t going to brute-force the passwords. There are just too many possibilities. They are going to use their brains. They’re going to think about how you choose your passwords. They see the standards too! They know you have to change them. They know the complexity requirements. But they also know that it is hard to remember lots of passwords. They take advantage of this by:

  • Looking at “Common Password Lists” that are occasionally published
  • Looking at common themes:
    • 60-90 day password changes are around the time of Fall, Winter, Summer, and Spring
    • Fun Fact: ‘Fall’, ‘Winter’, ‘Spring’, and ‘Summer’ come up in passwords
  • Use of a year range — usually at the end of a word. For example: Winter2018
    • Or, if they know it, your birth year or date in different formats
  • Common substitutions of numbers for letters. For example: W1nter2018
  • General words with numbers at the end. For example: Test1234
  • Noticing that most passwords start with a capital letter and end with one or more numbers
  • Noticing that people use the same or similar passwords for other accounts
    • If another account gets hacked, they will look for published password dumps and try those

These are a lot of rules, but let’s take a look at just the “common password list” one.

If the list has 100,000 of the most used passwords, the hacker is expecting to have decent luck and will only have to try 100,000 times per user. That’s far better than the 1,370,114,370,683,136 possible passwords per user we calculated earlier.

Sadly, in many cases this is as far as the hacker has to go to get into a system. Common passwords are published as “common” for a reason. They are out there in numbers.

Let’s take a look at another few rules.

“Starts with a capital, ends with a number” (Ex: Testing1)

The hacker can brute-force using this rule to reduce the possibilities, but brute-forcing will always be their slowest option. They are more likely to use a pre-existing dictionary of words and apply this rule to those words. For example, let’s say that the hacker obtained a dictionary of the top 100,000 words in the English language that are 7 characters or more in length. Then they apply their rule to it:

“abashed” becomes Abashed1, Abashed2, Abashed3, Abashed4, Abashed5, Abashed6, Abashed7, Abashed8, Abashed9, Abashed0 and so on.

We add 10 words for every one word in the dictionary since we are adding a number to the end. If there are 100,000 words in the dictionary, this rule will have 1,000,000 possibilities.

This is a very effective method to guess passwords when a hacker has no other information to go by.

Seasons or Trends

Similar to the “dictionary” method above, except our list of words consists of only Winter, Fall, Summer, and Spring (or some other noticed trend). The hacker may try a variety of date ranges on the end to try and find old passwords too. For example:

Winter2015, Winter2016, Winter2017, Winter2018, Winter2019

This is quick and dirty, but sometimes works. This is an attack that may even be done manually (no scripts or automation). If a hacker sees a username and password portal, they may try these out (along with username:password combinations such as admin:admin, admin:<blank>, root:admin, etc.).

Fun fact: After the Equifax breach it was found that one of their servers had the admin:admin username and password combo. It works because it is still used. Hackers know.

NOTE: Hackers will also think about who they think you are. If your email is usmarine@marinemail.com, they might just passively try semperfi as the password (US Marine’s motto). Or batman. For some reason the password batman is always in password dumps. Odd. Or awesome. Not awesome. Choose better passwords.

Ultimately, the hacker is going to try and think of ways that people try and remember passwords — because those methods also make it easier to guess. So if the only good password is one that is hard to guess and it seems that our techniques to remember them are making things worse, what do we do?

I’m glad you asked.

 

How Can We Make Better Passwords

Password Managers

The examples above are guessable because they aren’t random. If you had a truly random password there would be no patterns and it would be hard to guess. The problem with this is that it would also be hard to remember. Enter the password manager.

The password manager … wait for it … manages passwords! Now you only have to remember one strong password and it will deal with the rest — better yet, add two-factor authentication for that added kick. +1 to awesome!

In addition to storing and managing your passwords securely, some password managers also give you the ability to auto-generate strong random passwords for you, enter them when needed, and update them when your password expires. Very nice indeed!

Don’t Use Predictable Patterns

If you can’t (or don’t want to) go down the password manager route, you can always just up your password-making game, but know this:

  • Common substitutions are almost as easy to guess as if they were just the normal character/letter
  • Don’t follow a predictable pattern such as a single word that starts with a capital letter, then followed by some numbers. You’re better than that.
  • Never use the seasons as part of your password — They are one of the first few passwords guessed
  • Know what the top passwords used are (they get published from password breaches) and make sure your passwords don’t follow any of those patterns
  • If your password expires, don’t make the new password the same as your old password just with a capital or number or other slight change
  • Where possible, use two-factor authentication (AKA: 2FA)

NOTE: Adding 2-factor authentication is good, but the solutions aren’t all equal: Getting a text is the weakest 2-factor authentication you can have. It is better than nothing, but not by much. You can buy a physical token but this has an added cost. It’s ultimately about economics… and how tinfoil-hatty you are.
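As an added illustration (not code from the article), the following Python carries through the 78^8 and “100,000 words × 10 digits” arithmetic from earlier and turns the predictable-pattern list above into a checker a defender could run against proposed passwords. The common-password set and the substitution table are small constructed samples, not a real published list.

```python
"""Worked example of the arithmetic and password patterns discussed above.
This is an added illustration, not code from the article: the common-password
sample and the substitution table are constructed for demonstration."""

import re

# Character classes exactly as the article counts them.
UPPER_CASE = 26
LOWER_CASE = 26
NUMBERS = 10
SYMBOLS = len("~!@#$%^&*()_+,.?")                      # the 16 the article chose
ALPHABET = UPPER_CASE + LOWER_CASE + NUMBERS + SYMBOLS  # 78


def keyspace(length: int = 8, alphabet: int = ALPHABET) -> int:
    """How many distinct passwords a full brute-force would have to cover."""
    return alphabet ** length


def rule_candidates(dictionary_size: int, suffix_choices: int = 10) -> int:
    """Candidates from 'capitalise a dictionary word, append one digit'."""
    return dictionary_size * suffix_choices


# Constructed stand-in for a published "common password" list (the real ones
# run to hundreds of thousands of entries).
COMMON_PASSWORDS = {
    "password123", "test1234", "12345678abc!", "batman", "semperfi", "admin",
}

# The seasonal words the article singles out.
SEASONS = {"winter", "spring", "summer", "fall"}

# Number/symbol-for-letter swaps; reversing them shows the plain word underneath.
UNLEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def split_suffix(password: str) -> tuple[str, str]:
    """Split 'W1nter2018!' into ('W1nter', '2018!'): word part, then trailing digits/symbols."""
    match = re.fullmatch(r"(.*?)(\d*[^A-Za-z0-9]*)", password)
    return match.group(1), match.group(2)


def predictable_patterns(password: str) -> list[str]:
    """Names of the guessable shapes the password matches; an empty list means none found."""
    found = []
    word, suffix = split_suffix(password)
    plain_word = word.lower().translate(UNLEET)
    substituted = plain_word != word.lower()
    digits_then_symbols = re.fullmatch(r"\d+[^A-Za-z0-9]*", suffix) is not None

    # 1. Straight hit on the common list, with or without substitutions.
    if password.lower() in COMMON_PASSWORDS or plain_word + suffix in COMMON_PASSWORDS:
        found.append("common-list")
    # 2. Season followed by a two- or four-digit year (Winter2018, W1nter19!).
    if plain_word in SEASONS and re.fullmatch(r"(19|20)?\d{2}[^A-Za-z0-9]*", suffix):
        found.append("season+year")
    # 3. One capitalised word followed by numbers (Testing1, Abashed7).
    if word[:1].isupper() and plain_word.isalpha() and digits_then_symbols:
        found.append("capital-word+digits")
    # 4. A dictionary-looking word only disguised by substitutions (b4tm4n).
    if substituted and plain_word.isalpha():
        found.append("leet-substitution")
    return found


def weak_passwords(candidates: list[str]) -> dict[str, list[str]]:
    """Map each flagged candidate to the patterns it matched."""
    return {pw: hits for pw in candidates if (hits := predictable_patterns(pw))}


if __name__ == "__main__":
    print(f"78^8 keyspace:        {keyspace():,}")
    print(f"100,000 words x rule: {rule_candidates(100_000):,}")
    sample = ["Password123", "Winter2018", "W1nter2018", "Testing1",
              "b4tm4n", "correct horse battery staple"]
    for pw, hits in weak_passwords(sample).items():
        print(f"{pw:32} {', '.join(hits)}")
```

A password manager’s generated output comes back with an empty list from this checker; the examples the article lists do not.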

Passphrases

There has been some discussion that points towards passphrases as a way forward. A passphrase is an entire phrase (as in multiple words) as opposed to a simple password (which is a single word). A passphrase will be longer and include multiple words that make simple dictionary methods fail. They will also be easier to remember.

 

Conclusion

It is my hope that in this journey through the darkened minds of hooded deviants you are able to think a little like them when you choose your next password. Don the tinfoil hat with pride. And know that your data is just a little bit safer because of it.

 

General, Programming

Software Development, Morality, ‘The Secret Life of Walter Mitty’, and Victor Frankenstein

For those who haven’t watched ‘The Secret Life of Walter Mitty’, I highly recommend a showing. It follows Walter Mitty, a daydreaming “negative asset manager” at LIFE magazine during its conversion to a fully-online offering. It truly is a visually stunning work.

The opening premise, LIFE magazine moving online and the inevitable downsizing and layoffs, struck a chord that has been, and is still, resonating: Is there a place for morality in software developers’ drive toward automation and efficiency?

One would be quite right in saying that the issue of ‘worker layoffs due to automation’ is not a new problem. History is full of examples. What piques my interest, however, is the generality of software automation. The immense reach of software naturally leads to an immense number of avenues for automation.

For example: I found myself talking with a colleague about the problems that they were having with some of their staff. When we finally distilled the problem down to its essence, we discovered that a great portion of his department was dedicated to the handling and sorting of files (originally electronic, then printed, then sorted and filed). I found myself flippantly stating that I could replace most of his department with a script.

My watching of ‘Walter Mitty’ sparked a wave of introspection, and a single question welled within me: If I could write a script that replaces an entire department, should I?

The script would increase the company’s efficiency through a significant reduction in cost. But why is efficiency so important that one would look for avenues to terminate the employment of others? Who benefits from it? Recently, it seems, the cost savings would not make its way to the remaining employees but would manifest as bonuses for an executive, or manager, or perhaps dividends for shareholders.

Is inefficiency really that bad? In this case a department is being employed to do work. They are doing the work satisfactorily. Their wages pay for local food, rent, and expenses. This provides a boon to the local economy. If the populace is scraping by financially they surely will not be purchasing cars, houses, or other ‘big ticket items’. Would this not stagnate the greater economy?

Would a 100%-efficient company have anyone working there?

My authorship of this script directly instigates the termination of those employees. The causative relationship is undeniable.

Such scenarios are drenched with hubris, as such mechanisms are en route to also replace developers. In this we are the architects of our own obsolescence and ultimate demise: Dr. Frankenstein would surely have words with us. It is pure arrogance to assume such devices would not also be applied towards our craft.

Some may argue that apparatuses are in place to mitigate such effects, or that the evolution of the market warrants the employee’s termination: ‘They have become obsolete and must retool to stay competitive’, or ‘that is what welfare is for’, or ‘universal basic income is the future for this very reason’. Such comments do not address my question, ‘If one could write a script to replace a large group of people’s jobs, should they?’, rather they address the symptom, or after-effects, of such a decision — The employees are terminated, now what?

Perhaps this is the issue?

At the risk of sounding defensive I must note that I am not one to resist change. Resistance to change in our particular field is a doomed prospect to say the least. But one must address the social and economic implications of their decisions. One must have a conscience.

I do not have an answer. The creation of software is a technical achievement, a work of art, a labor of love, and wildly creative. It behooves those who embark on such journeys to consider their implications. Perhaps it is our hubristic tendencies as developers, or our arrogance, that drives us to construct our own monsters. Dr. Frankenstein would surely have words with us.

 

General, Security, Privacy

History and its Uncanny Ability to Repeat Itself

The EFF has published a well-cited and informed article on why they view the current trend of dragnet surveillance to be thoroughly against the constitution of the U.S.

Even if you are not an American, this article touches on the ideals of many. It describes the context around why the Fourth Amendment was included and goes into specific detail as to who and why they thought it so important:

“Using ‘writs of assistance,’ the King authorized his agents to carry out wide ranging searches to anyone, anywhere, and anytime regardless of whether they were suspected of a crime. These ‘hated writs’ spurred colonists toward revolution and directly motivated James Madison’s crafting of the Fourth Amendment.”

I highly recommend reading the entire article: The NSA’s “General Warrants”: How the Founding Fathers Fought an 18th Century Version of the President’s Illegal Domestic Spying

 

General

The Value of a Secret

Suppose that, while teaching a class some engaging topic, I keep a secret from the class and only reveal it at the end of the term. This secret provides a sudden realization to the students that they can take into their next year — A real ‘Aha! moment’. I only ask them that they do not reveal the secret to any classes that haven’t taken the course yet so that they can have the same experience. This may work for a while, but inevitably one student, through malice or ignorance, will reveal the secret to someone they shouldn’t have. This then spreads throughout the whole student body until the experience for all future classes is ruined.

The value of a secret can be tied inherently to its secrecy. In the case above, revealing the secret leads to a realization and experience that would have been lost if the knowledge was simply given in a standard manner. We see this in varying degrees in many mediums.

Suspense films can rely on building a feeling without ‘revealing’. String along the audience and tease them with sudden glimpses — or was it? Sometimes the ‘secret’ is never actually revealed and the audience is left wondering what ‘it’ could have been — a lasting effect to be sure! Sometimes the ‘secret’ is revealed to the audience but not to the characters, and the audience is left to observe the resulting effect on the unknowing participants. All experiences in the case of suspense are tied directly to the disclosure or non-disclosure of a secret — and to whom.

Consider the explorer. In ages past an explorer set out into unknown lands or seas to make the ‘unknown’ known. Perhaps it was for knowledge, or perhaps it was for fame, but many died in pursuit of it. Today we can say the same about space. Our chosen few who lead our race in discovering one of the last great ‘unknowns’.

Our desire to discover what is not known is insatiable. We thrive on the pursuit. We revel in it.

Now, perhaps, you are wondering why the title of this article is ‘The Value of A Secret’ and not ‘Humans Love to Discover’. And my answer to you would be that it is important to set the stage for things that are yet to come.

Humans do love to discover — Even if it means that the discovery will reduce their enjoyment.

Let’s consider the magician. We can rest assured that the man standing on stage and pulling rabbits out of hats does not, for better or worse, have divine powers. He has honed his craft that is to be sure, but he is no wizard. He is an expert at deceiving. Our wonder stems from the curiosity welling within each person sitting in the faux-velvet seats that, at one time, may have doubled as a beer coaster. It is that curiosity that may also drive us to speculate on how the trick was done or to buy a ticket to see it again. The experience is in the deception. Once the secret is revealed the experience is ruined for all, and the poor magician who mastered his craft must now work ever harder and devious in his deceptions.

There can be value for those to whom the secret is not revealed — and never is. Secrets can be a source of awe and wonder. They can drive one to build a ship and cross vast oceans, throw caution to the wind and trek into unknown lands, and build a rocket and ride it to the moon.

For the explorer, who is driven by such experiences, there is irony in the fact that their very actions reduce the total number of things left to discover — no matter how little the contribution.

With the awe and inspiration that secrets can evoke it is important to note that some secrets are meant to be discovered and shared. What would have happened if Alexander Fleming did not discover penicillin and shared it with the world? What about the snake-oil salesmen and ‘men with powers’ who used their secrets not to entertain but to deceive many to their detriment. We would agree that it is important to expose frauds and predatory practices.

This is not to say that secrets should never be revealed but to explain that there is value in many secrets staying secrets. This value may be in the form of awe, wonder, suspense, entertainment, and inspiration just to name a few. Alas it is important to note that secrets also protect you.

How do you hide dissidents from oppressive governments without secrets? Just because one lives in a developed country does not make them immune to policy change and legislation. What about communication? How can you talk with the assurance that there isn’t anyone listening in to your conversation? Shouldn’t your bank information be kept secret from prying eyes?

Sometimes is it important to have secrets. Secrets that are hidden from everyone but the very few people you trust to hold them. If one of your trusted few ever reveals the secret they are removed from the privileged few.

Many governments in recent times should be removed from the privileged few.

General, Technical

Privacy: A How-To

Introduction

With the leak of classified NSA documents and their entailing revelations, Edward Snowden has become a household name. He single-handedly caused millions of people to rethink their electronic lives – and their assumptions of privacy. Now, those people (and businesses) are scrambling to find solutions to a problem they didn’t know existed, or chose to remain blissfully unaware of, a number of months ago.

There have been numerous blog posts and documents about enhancing your systems to increase privacy protection, and I thought that I would summarize many of them from the perspective of someone who works in the industry. The sections of this article are organized in order of complexity (and tinfoil hattiness). The easiest and most basic measures will be in section 1 while the most complex and restrictive measures will be in the last.

Before we begin, it is important to talk a bit about expected threats and mitigations. Mitigations are simply the measures you take to deal with a threat satisfactorily – Hopefully completely, but not always. A threat is anything that is considered an opponent to your security and privacy in this case. It is important to figure out what kind of threat you are dealing with and take the appropriate actions to mitigate it.

For example, mitigations that stop basic malware and bots from getting your information may not be as effective against, say, a skilled and motivated attacker – such as an NSA operative, or hacker, or cleverly-designed system.

It is unlikely, honestly, if they really wanted your information, that you could mitigate the NSA threat. The NSA is an enormous government agency that is well-funded and extremely motivated. They employ intelligent and educated people who do this for a living. The goal is to raise the difficulty in tracking you just enough to exceed the minimum effort level that their automated systems will take for granted. Automated systems include bots and malware, along with other classified technologies, that gather information automatically – with no human in the loop. These threats we can mitigate.

Now that we have that out of the way, let’s dive in.

[Disclaimer]: These suggestions are a combination of sources (listed at the end) and my own. As such, this information is not fully my original content and I did not create it. I am simply listing it here for your convenience. Sources are cited as to the origin of suggestions.

Section 1: Basic Measures

Tin Foil Hat Level: “I read an article once about privacy and it scared me. I need a list of things I may, or may not, do.”

Threats: Basic email scams, scraping bots, potential job prospects, your mom

Be careful about what websites you go to and what you download. This includes e-mails and popups. If you don’t know it don’t click it. Also, don’t post anything that you wouldn’t want exposed. There is an old saying: “Once it’s on the internet, it’s forever”. This includes social media websites. Even if their terms of use say that they won’t use it, what is to stop them from changing it later on?

Don’t post identifying information if you don’t have to. In fact, don’t provide any information that isn’t needed. So you want to sign up for a music website? Why do they require you to include your mother’s maiden name, age, location, phone number, and birthdate? This includes mobile apps!

Google yourself. See what comes up. Try Bing or other search engines. If something comes up that you don’t like, try to take it offline and add new content with the same keywords that you used to find the offending item. It takes time. There are professionals that do this.

And lastly, don’t share passwords and account information with anyone!

No, that prince from Nigeria doesn’t need your account info to deposit millions of cash. No, you won’t win a free trip to Hawaii if you click that link that goes to http://www.haha_i_got_you.com. No, you shouldn’t look at that attachment from a person you’ve never heard of before – from an email address you’ve never seen before. If the deal looks too good to be true, it almost always is. Sorry.

Now that wasn’t too hard! This works decently if your information isn’t on the internet already. Unfortunately, if you want to protect any information that is already online, this may not help.

Section 2: Novice Measures

Tin Foil Hat Level: “I read this article about privacy and the NSA and I need some help to protect my information! …Only if it’s not too intrusive though.”

Threats: most bots, scams, most malware, viruses, basic hacking attempts, account username/password attacks

OK, so you are already doing the basic measures but still don’t feel safe. Fair enough. There are lots of threats out there that can easily get past those mitigations if your information is already online. Let’s take it to the next level.

If you haven’t already, install antivirus software, malware protection, and cleaning tools.

For Windows, I use Spybot Search and Destroy 1.6.2 (or Malwarebytes), CCleaner, and Windows Security Essentials (or Windows Defender). Spybot does not prevent malware from getting on your computer; it simply removes it once it is on there. CCleaner cleans up your temporary files including cookies, etc. MS Security Essentials is an integrated system that “guards against viruses, spyware, and other malicious software. It provides real-time protection for your home or small business PCs”. Really, any antivirus software will be good, but you can look at reviews to see which one best suits your type of usage.

The key here is to layer. Defense in depth. MS Security Essentials may not get everything so you need Spybot or some other mitigation.

Update often. Honestly, you should be doing this already. This is a security tip, but security and privacy are inherently linked as preventing a breach in one helps prevent breaches in the other. This includes (for Windows) Windows Update and any software that you have installed (Java, Flash, browsers, etc).

Make sure you have a firewall. Windows has one built in. At least use that one.

Create strong passwords. Yeah the website asks for minimum 8 characters, but really, computers are wicked-fast. Brute-forcing passwords is getting easier. And there’s no reason not to make stronger passwords including longer strings of characters, numbers, capitals, etc. Also, stop using the same password for all of your accounts. If someone hacks one account, they get the keys to all accounts. Bad news.

Configure your browsers to delete history and cookies on close. This prevents a lot of cookies from hanging around after you’re done with them for no reason. While you’re at it, take a look at the security and privacy settings in your browser. Make sure that things are not being tracked and that add-ons can’t be installed without your consent.

Install a well-reputed security app on your smartphone. Malware for mobile devices is on the rise and you don’t want to get caught up in it.

Try to use HTTPS as much as possible (will show https://www.google.com instead of http://www.google.com), and learn what a certificate is, what it is used for in HTTPS, and why it is important. Avoid accepting less-than-reputable certificates.

Start reducing the amount of information you provide to social media sites such as Facebook, Twitter, Pinterest, Google Plus, etc. Does that information really need to be on there? Here’s a question: why is Facebook worth so much if it provides a free service? How about, why does Google give you so much for free (e-mail, documents, social media, etc.) without charging anything? Fun fact: Google is an advertising company. A note about Google: “You are not their customer, you are their product”.

Section 3: Intermediate Measures

Tin Foil Hat Level: “The NSA is out there and I need to protect myself!”

Threats: bots, scams, malware, viruses, hacking attempts, account username/password attacks, XSS, Session Hijacking

Start installing browser add-ons!

Install “HTTPS Everywhere”, which forces HTTPS sessions with all websites that you go to. What does this do? HTTPS is the protocol for secure communication over the internet. HTTPS ensures that attackers can’t listen in on your communications over the internet.

Install NoScript to your browser. NoScript will default-deny all scripts from running until you allow them. This can be very annoying at first, but once you have allowed the “elements” from the sites that you usually go to, it’s not that bad – Just make sure to check the icon if a movie isn’t playing or a page doesn’t load correctly. Also, you get to see what, exactly, is run behind the scenes on all of your favourite websites!

Install “AdBlock Plus” to your browser. This – you guessed it – blocks ads. Ads can be the vehicle that delivers malware. Don’t let them near you.

Install “Self-Destructing Cookies” to your browser. This add-on removes cookies as soon as they are not required.

Install the “Disconnect” add-on to your browser and to your phone. “Disconnect lets you visualize & block the invisible websites that track you”.

Install the “Better Privacy” add-on to your browser. “Remove or manage a new and uncommon kind of cookies, better known as LSO’s. The BetterPrivacy safeguard offers various ways to handle Flash-cookies set by Google, YouTube, Ebay and others…”

Your web browser is the window to the internet. It can be a benefit as well as a curse. These add-ons mitigate much of that “curse” aspect.

Section 4: Advanced and Restrictive Measures

Tin Foil Hat Level: “The NSA is just the tip of the iceberg, man! They’re watching everything! Nobody’s safe!!!”. Also, people compliment you on the size of your tinfoil hat. You are the tinfoil-hattiest!

Threats: bots, scams, malware, viruses, hacking attempts, account username/password attacks, XSS, session hijacking, motivated attackers, attackers who may be able to gain physical access to your computer

These measures will require technical skills, and they will restrict what you can do online significantly, but they will provide the best defense of your privacy in comparison to the previous measures suggested.

The Phone:

Install ‘Replicant’ or ‘CyanogenMod’ on your phone. These are replacement operating systems for your phone. They will give you far better control of what information is sent to ‘the outside’.

Install SecDroid (for Android). This app controls what apps can use the internet.

Use F-Droid instead of the Google Play Store. The goal is to avoid Google products.

Look into making a custom case/”glove” for your phone that blocks out electronic signals (http://killyourphone.com/)

Use Chromium (Open-source browser – is not Google Chrome), or Mozilla Firefox – with the add-ons suggested above.

The Computer:

Ditch Windows and Mac altogether. Go Linux: Ubuntu (a Linux operating system) is a great alternative. There may be a bit of a learning curve, but it is not as bad as you may think! There are plenty of distributions of Linux to suit your needs.

Encrypt your hard drive. Look into TrueCrypt or other similar tools (Linux’s built-in LUKS/dm-crypt is a good choice). Full-disk encryption ensures that, even if they get your physical computer, an attacker cannot read your files without your passphrase. Keep in mind that this protects data at rest only: a machine that is powered on and unlocked has already decrypted the disk, so shut it down (rather than just sleeping it) when it is out of your control. (Note: TrueCrypt development was abandoned in May 2014; VeraCrypt is the maintained fork.)

Look into using VPNs (Virtual Private Networks) such as those provided by “Private Internet Access” (PIA), and see if they are right for you. Remember that a VPN does not make you anonymous; it moves the trust from your ISP to the VPN provider, who can see everything your ISP used to see.

Look into Tor (“The Onion Router”) and the Tor Browser. See if it is right for you.

Use Chromium (Open-source browser – is not Google Chrome), or Mozilla Firefox – with the add-ons suggested above.

Wrapping It Up

Many of these suggestions are extreme, and the list is far from complete. They are simply a great place to start, no matter the size of your tinfoil hat.

I won’t judge.

Sources

Helpful hints about privacy from Microsoft: http://www.microsoft.com/security/online-privacy/prevent.aspx

What is information and internet privacy?: https://en.wikipedia.org/wiki/Information_privacy
and: https://en.wikipedia.org/wiki/Internet_privacy

Microsoft Security Essentials: http://windows.microsoft.com/en-CA/windows/security-essentials-download

Detailed discussion about advanced mitigations for privacy: http://www.reddit.com/r/privacy/comments/1x5c2r/rebuilding_my_privacy_from_the_ground_up_looking/

“HTTPS Everywhere” browser addon: https://www.eff.org/https-everywhere

Replicant: http://www.replicant.us/
and: https://en.wikipedia.org/wiki/Replicant_%28operating_system%29

CyanogenMod: http://www.cyanogenmod.org/

Ubuntu: http://www.ubuntu.com/

TrueCrypt: http://www.truecrypt.org/

Private Internet Access: https://www.privateinternetaccess.com/

SecDroid: https://play.google.com/store/apps/details?id=com.shadcat.secdroid&hl=en

F-Droid: https://f-droid.org/

The Onion Router (TOR): https://www.torproject.org/
and: https://www.torproject.org/projects/torbrowser.html.en

Thunderbird: https://www.mozilla.org/en-US/thunderbird/

Autistici: http://www.autistici.org/en/index.html


Showing Up

Richard Branson talks at length in his book “Like a Virgin” about various topics in the business world. He addresses issues brought up by aspiring entrepreneurs and seasoned veterans in their journey to provide great products and services.

One of the points Richard addresses is the importance of simply showing up. I remember reading that section and thinking that I would take this advice with a grain of salt. What if I am competing against some of the best in the world?

I was skeptical.

A few months passed and I received an email from a prominent financial institution; it detailed a contest where Canadian postsecondary students can submit an essay on what their vision of a responsible financial institution is.

I was intrigued.

I started thinking. I am not a financial institution expert, nor well-versed in what makes one responsible. All I could do was think of my own convictions. What did I think a responsible financial institution would look like? It ended up looking like a simple essay with a list of suggestions – and it was. I was certain that I would not win, but I felt strongly about it.

I am surrounded by smart people all day. I would wager that most of them are far smarter than me, but I was the only one who entered the contest. All of them said something similar when I asked them if they would enter the competition: there would be people far smarter than them who would write something and win.

I definitely had those same thoughts, but instead of giving up before I had even written a single word I figured that I would at least try. I showed up.

I wrote something that I felt strongly about. Why wouldn’t I show people?

I placed second in the Canada-wide contest.

New York Magazine published an article in February of 2011 that covered research on just this topic. The studies referenced identified links between children who were told they were “smart” and their likelihood of trying something that did not come naturally to them. In general they found that children who were constantly praised for their intelligence were more likely to quit when things didn’t come naturally.

I am extending this idea to include self-deprecating mentalities in adults who believe themselves to be intelligent.

Intelligent adults will assess the situation and gauge their ability to succeed based on their own perception of their capabilities. The difference between the study with the children and my extension into the adult realm is that the children actually try before their failure is realized. The adults encounter their difficulty before attempting anything. The result is the same. Both groups do not complete the attempt.

This brings further reinforcement to the saying “you are your own worst enemy.”

I suppose I should be grateful for that mentality, as it allows others, such as myself, to try and succeed. I cannot help but wonder, though, what breakthroughs might have happened if those people had actually tried.

Sources:

New York Magazine, How Not to Talk to Your Kids: The inverse power of praise, http://nymag.com/news/features/27840/

Like a Virgin: Secrets They Won’t Teach You In Business School, Richard Branson, http://www.virgin.com/richard-branson/books/like-a-virgin


“Smart”

When I tell someone that I am a Computer Scientist, and that I am working towards finishing my Master’s Degree in it, many of them remark on how “smart” I must be to achieve such a goal. I am taken aback by this response as I do not view myself as any more intelligent than they are. What, then, makes Computer Scientists fall into such an automatic assumption?

The answer may lie, not in the intelligence of the individuals, but in the way that they interact with their surroundings. Their world.

I am a Computer Scientist, but my skills do not fall solely within that realm. I am an avid baker. I surf and skateboard. I am mechanically inclined and can fix my own vehicles. I can play multiple instruments. I am known to write occasional prose and poetry. I read frequently – and in various topics. I keep up in current events. I have an extensive knowledge of movies and music. I play billiards at the competitive level. I am an amateur scotch taster.

The question is: why did I decide to develop these hobbies and skills? The answer, for me at least, is that I was curious. I started baking bread because I was curious how it would work out. I got quite good at it through trial and error. Now, I can bake a decent loaf or two with no trouble at all. I have even made artisan loaves at the request of friends. When I saw a YouTube video of someone playing the ukulele I thought that it would be fun to play. I went to the music store, bought a cheap ukulele, and started to play some basic tunes from online tutorials. Now I can play a variety of songs – which goes well with surfing.

Many Computer Scientists are just like me. It is unacceptable for them to “not know” what to do if they need to, say, sharpen a knife. They will go out and learn how to sharpen their own knives. If there is a problem, they try to fix it. If there is something they do not know, they try to learn about it so that, next time, they will know. We are constantly learning. This might be brought on by such a fast-paced field – where first-year textbooks can be outdated before the students graduate.

This trait is not limited to Computer Scientists. There are many who are driven to better themselves. Sure, it takes some grades to get into Computer Science, but it takes grades to get into many fields of study. The “smart” that seems to be automatically associated with Computer Science may derive from this need to better ourselves – and solve problems. This builds a large skill-set that helps us solve even more problems.

And solving problems is something that we are very good at doing. Maybe that is what “smart” is after all.
