What was the name of your first pet?
What is your mother's maiden name?
What was your high school mascot?
What was your first car?
If these questions creep you out a bit when signing up for yet another website user account, consider this: you don't have to use real answers.
The computers you log in to are just comparing strings of characters stored when you signed up with what you type in when challenged - they only know what you tell them, and they don't know if the answers are "correct" or not. The idea, of course, is that using these questions that don't require anything more than your memory makes for a foolproof password recovery/verification device. But with increasing concerns about identity theft, hacking, etc. you may worry about giving up answers to yet another set of personal questions for this convenience. If that's the case, then don't do it!
Instead, use any string of characters you want. High school mascot? Uh3zy$!98. First car? 6%bo88#5. Use the same or different values for each question, it's up to you. Best practice would be to use different strings of characters to answer these questions across all the websites you visit, keeping careful track of each set as you go.
It will take some effort, but if you get uncomfortable every time you render up still more true answers to personal questions, give yourself some peace of mind and give this a try.
Monday, July 13, 2015
Saturday, May 16, 2015
Help IT Help You
For some reason, most people have some aversion to speaking "computerese". I suppose they are afraid of saying something that is somehow embarrassing, or sounding too much like an actual Nerd. But we all use computers. Every day. Most of us use more than one, not even counting smart phones, tablets and the like.
So, when you encounter an error, or "glitch" or whatever you want to call it, you may need to ask for some help. Here are a few things you can do to get your problem resolved quickly (making YOU happy) by giving your tech support peeps enough info to figure out what's wrong without spending a ton of time going back and forth (making THEM happy).
1. Be specific in describing the problem. If you are interacting with an application that generates an error message, copy it EXACTLY as it appears. Telling your IT support staff that you got an "error message" but you don't know anything more than that does little good. I can't count the number of times I have had someone tell me they received an error message, but failed to read it and don't remember anything at all about what it said. Those messages are (or should be, depending on the author) fairly descriptive. Be as specific and detailed as you can, and you will be helping get your problem resolved MUCH faster.
2. Take a picture. If you can take a screenshot and send it to your support team, definitely do that. Windows 7 and later have a built-in screen grab utility called Snipping Tool that you can find under Accessories. Use it to capture part or all of your screen, and copy and paste that image into an e-mail to your support folks. Aren't sure how to do this? Use your phone to take a picture of the screen. Seriously. They will appreciate it!
3. Can you reproduce the problem? Yes? Good! If you can tell the support team a set of steps that they can take to cause the problem to appear again, that will go a long way toward getting a quick resolution. Write the steps down, like you are making a recipe. "Opened application, clicked on File, Print. Attached error message appeared." Even if you aren't exactly sure what caused the problem, jot down as much as you can.
I know this sounds simple, and hopefully most of us are following these guidelines when seeking support. The good news is computer application errors are far less frequent than they once were. But they still happen. By using the information provided by the operating system and application developers, you will likely get that frustrating problem resolved much more quickly and efficiently. And who doesn't want that?
Saturday, April 04, 2015
Build Yourself a Better Radio Experience
Sunday Night Live
I grew up in the Indianapolis area in the 80's, and local radio was a big part of my life. WNAP "The Buzzard" was one of the most popular FM stations in central Indiana, but my favorite was WFBQ "Q95". When I was in high school, Q95 experimented with a show for a couple of years called Sunday Night Live. The show was hosted by Steve Church, and later by Jay Baker, and was a very different, very cool type of talk show. The show would often feature fringe topics such as backmasking, local ghost stories like The Screaming Bridge or The House of Blue Lights, cryptozoology, conspiracy theories, urban legends, etc. It started at 10:00 pm, and was perfect for listening in the dark.
Great Show, Small Audience
There was usually a topic-specific guest, and the audience could sometimes call in with questions or stories. Callers that didn't have something relevant to say would be shut down, for being in violation of The Law of Conservation of Radio Energy (i.e. don't waste precious air time with nonsense). For me, for a while, this was "appointment radio" - something I looked forward to hearing to sort of close out the week. I didn't give it much thought at the time, but Sunday Night Live probably had a pretty small audience. It was air time nobody else wanted or would pay for, because of the low likelihood of listeners. The guys that put the show together could do what they wanted, without fear of losing the time slot or advertisers. That freedom to be different was what made it special, and what made it impossible to air during times when larger audiences were possible.
Enter the Podcast
My drive to work has always been 20-30 minutes each way. After many years of being stuck with whatever was on the radio or CD player while in the car, I got started with listening to Podcasts early on. I started with an original Audible Player with a cassette adapter, then iPod Nano, then various smart phones, and so on. In the past couple of years, I have grown more fond of a core set of quality shows, and instead of listening to morning drive time radio (which seems to be 50% advertising for local car dealers), I have put together my own custom mix of great shows. Thanks to the Internet's Long Tail, these shows can exist and be successful despite not having big audiences or high-dollar advertisers. Like everything else on the Internet, the sheer number, variety and quality of Podcasts has grown at what seems like an exponential rate. Today, it's so easy for smart, creative people with something interesting to say to create their own show (and at minimal cost) that the essence of what I loved about that old late night radio show still lives on. If you haven't built yourself a better commute/workout/whenever listening experience with Podcasts, you are missing out on a great opportunity! Here are a few tips to get you started.
Getting Started
Choose a Player. You don't need a smartphone. An old iPod or MP3 player will work. Your desktop computer will work. Your player and manager don't have to be the same device. If you have an old iPod Nano for example, you can use iTunes to load it up with Podcasts before going on a run.
Choose a Podcast Manager. Whichever device you choose as your player, you will need an application to manage your subscriptions, take care of downloading files, etc. If you are using a smartphone, there are a number of apps available to help. If you are using an iPod or iPhone, iTunes works nicely as a Podcast manager.
- On my Android phones, I love the DoggCatcher app. I tried a bunch before I found it, and haven't looked at a different one since. The author has been actively honing his product for years, and I can't begin to recall the number of updates I've received with only a $4.99 initial investment.
- For iPhone, iPod, or iPad users, here's how to get started with native Apple solutions, and here's what the folks at Lifehacker have to say about the best Podcast manager for iPhone.
Choose some Podcasts. The Podcast format is really best for great storytelling, documentary-style programs, and interviews. Here are a few lists to help you get started. There is also a nice one built-in to DoggCatcher.
- Podgallery.org - Nice visual compendium of popular Podcasts, with recommendations.
- Stitcher's List - Top 100 most popular Podcasts accessed via the Stitcher app.
- ITunes Store - for Apple users, access a curated list of Podcasts from around the world.
- Radiotopia - Some of the best story-driven shows out there. Definitely check out some (or all) of the shows that are part of this collective. There is a great crowd funding story behind Radiotopia, demonstrative of the surge of interest in quality, off-beat programming.
Some Favorites
- This American Life - great non-fiction storytelling on a wide range of interesting topics. The Podcast is typically an uncensored version of the very popular NPR radio show.
- Radio Lab - sometimes science-focused, but not always. Still going strong after several years, its original editing style set the standard for many other radio shows that followed.
- 99% Invisible - 99% Invisible is a tiny radio show about design, architecture & the 99% invisible activity that shapes our world. Give it a try, it's really, really good!
- Dan Carlin's Hardcore History - Each episode or series examines an important era of human history in detail. Dan is a great storyteller, breathing new life into what you may have found to be dull and boring material back in history class.
- Freakonomics Radio - Produced and hosted by Stephen Dubner and Freak-wently featuring his co-author, economics professor Steven Levitt, this show explores "the hidden side of everything". If you like their books, you will like this one, too.
Finishing Touches
Invest a little time in configuring your chosen Podcast manager application. You can generally set the number of episodes to keep on your device, what to do after you've listened to an episode (e.g. automatically delete), how often to check for new episodes, etc. It will take a little experimentation and patience to get things set exactly how you like them. As you learn about new Podcasts to check out, and perhaps decide some you have tried really aren't for you, you'll need to make changes to your configuration.
If you do it right, you'll end up with the equivalent of your own unique, private "radio" station - one with shows that genuinely interest you - refreshed automatically, available anywhere, ready to start, stop and rewind whenever you want.
Show the Love
Although some of these shows are beginning to gain enough popularity to secure sponsors, they really need our help to get off the ground and build the followings needed to attract sponsor interest. Donate what you can to support the ones you like. Like I mentioned in Cable Cutters: 18 Months Later, it feels good to pay for just what you are using. You might feel like that morning drive time radio is free, but the time wasted listening to ads is really how you are paying for it. So trade in that wasted time for some great stories, learn something new, and pitch in a few bucks to show your support.
How do you listen? What are your favorites?
Sunday, November 02, 2014
A Word About Passwords
This piece is intended to help the reader understand some basics about how website password security should be implemented. It's just a bit technical I suppose, but don't let that turn you off. Read on if you want a better understanding of how easy it is to do passwords right, and how consumers just don't have a way of knowing who deserves an A and who deserves an F when it comes to this critical element of cyber security.
From time to time, we see headlines about massive data breaches, in which millions (recently over 1 billion) sets of user credentials have been stolen by cyber criminals. Scary stuff, right?
Most people don't realize that what happens behind the scenes, the actual security practices employed by the software architects and engineers, can vary widely in their efficacy. So having your credentials stolen from a poorly managed site is a potentially much worse thing than one that does things the "right" way. There really aren't any laws, or even a widely accepted seal of approval for sites that employ best practices in this area. This fact should be even more scary than the data breach headlines, but it takes a minute or two to fully understand, and thus doesn't get much airplay.
False Sense of Security
Some sites require complex character combinations for passwords, while others don't seem to care. Have you ever wondered why some sites have very specific requirements on length, or the inclusion of special characters, and others don't? There is a general feeling that an interactive red=weak, green=good! indicator as you type means you are dealing with a firm that takes security seriously, and that you have less to fear than with sites which don't take such care. But, that's not necessarily true. Here's why.
1. If the site is actually storing the password you enter, that's bad! And there's really no way for you to know that unless they tell you.
2. Despite many, many warnings, a lot of people still use the same password for multiple sites. Maybe even for ALL business they transact on the web. For these folks, having their password stolen from one site could be a BIG problem.
If passwords were handled properly by all web developers, you could literally use the same password everywhere without fear of it being stolen by cyber-criminals breaking into this or that website's database. Yes, really. How? See "The Right Way..." below.
What about https:// and that lock icon?
Most of us know that SSL (https:) and its associated lock icon (and green bar, sometimes) are things you should look for when logging in to a website. Secure Sockets Layer (SSL) provides encryption between your computer and the server it's communicating with, and it provides third-party identity verification for the website's operator. That's it - it does not have anything to do with how your credentials are stored on the other side of the connection. Don't assume everything is secure just because you see https in the URL.
The Right Way: Never Store a Password in the First Place
The right thing for the website developer to do is convert your password using a mathematical function (hash) that acts as a sort of one-way scrambler. I'm calling it a "scrambler" here, but unlike a random scramble it always yields the same result for a given string of characters, and, without getting into the math, a hashed value cannot be reversed to determine your password. That repeatability is what makes it really useful: once set, the code running the website simply uses the same one-way scrambler every time you log in, and compares the value with what is stored for your account. If they match, you get in. And NOBODY (including people who work on that site) can know what you are using for a password.
Example: "password", when run through a typical scrambling (hash) function, yields:
5f4dcc3b5aa765d61d8327deb882cf99.
There are a number of commonly used hashing functions these days. Unfortunately there are also pre-compiled lists of common words that have already been hashed. They are called Rainbow Tables. Click the link I inserted on the hashed value above and you'll see that someone has already figured that one out.
The solution for a developer is pretty simple, just tack on some extra random stuff to the user's password before running it through the hash function, and keep that "extra stuff" secret. This is called a "salt", and thus a "salted hash".
Let's try again, using "password" plus a made-up salt value of "4d^yy8@2zqnde$3" appended on the end. We get: 061398b4d8ba7374aa11d61272360572, which doesn't show up in a Rainbow Table and cannot be reverse-engineered. Use a different salt value and you get a different result. Try for yourself here, it's fun!
If you are still following along here, you see now that as long as sites all use different salt (aka secret key) values, and only store the result of the hashing function, you really could be perfectly safe using the same password everywhere without worrying when the next cyber-breach takes place.
But again, it's really up to the folks who design the software that powers a particular website as to how they choose to implement password security.
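The two steps above, worked through in code as an added example (not code from the original post): the unsalted hash of "password" that the post quotes, a constructed stand-in for a Rainbow Table that finds it, and the same password stored salted so the table finds nothing. The record format, the PBKDF2 choice and the per-user random salt are this example's assumptions, not the post's.

```python
"""Added example, not code from the original post: reproduces the post's
unsalted hash of "password", shows how a precomputed lookup table (a tiny
constructed stand-in for a Rainbow Table) recovers it, and stores the same
password as a salted hash that the table cannot match."""
import hashlib
import hmac
import os
from typing import Optional


def plain_md5(password: str) -> str:
    """Unsalted MD5, the kind of value the post quotes for "password"."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a Rainbow Table: a handful of common words,
# each pre-hashed without salt. A real table holds billions of entries.
COMMON_WORDS = ["password", "letmein", "123456", "qwerty"]
LOOKUP_TABLE = {plain_md5(word): word for word in COMMON_WORDS}


def table_lookup(stored_hash: str) -> Optional[str]:
    """Return the word that hashes to stored_hash, or None if not in the table."""
    return LOOKUP_TABLE.get(stored_hash)


# Record format assumed here: "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>".
# As in the post, the salt is combined with the password before hashing.
# Standard practice differs from the post in one detail: the salt is random
# per user and stored in the clear beside the hash (a site-wide secret value
# added on top is usually called a "pepper"). PBKDF2 replaces MD5 because it
# is deliberately slow, which makes every guess expensive.
ITERATIONS = 100_000


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Hash password with a fresh 16-byte random salt (or the one given)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-run the same one-way function and compare, as the login code would."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def stored_digest(record: str) -> str:
    """The hash portion of a record, i.e. what a stolen database would reveal."""
    return record.split("$")[-1]


if __name__ == "__main__":
    unsalted = plain_md5("password")
    print("unsalted MD5:", unsalted, "-> table says:", table_lookup(unsalted))
    alice = make_record("password")
    bob = make_record("password")  # same password, different random salt
    print("alice:", alice)
    print("bob:  ", bob)
    print("same stored hash?", stored_digest(alice) == stored_digest(bob))
    print("table lookup on salted hash:", table_lookup(stored_digest(alice)))
    print("login alice/password:", verify("password", alice))
    print("login alice/Password:", verify("Password", alice))
```

Because each user gets a different salt, two accounts with the same password store different hashes, so one precomputed table no longer covers a whole database.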
Bottom Line
Bottom Line #1: Since you don't know if the websites you use are handling passwords correctly, you really, really need to use different ones for each site.
Bottom Line #2: If you manage this function in your company and don't know how this is done, you should find out immediately. Storing actual passwords is not a good practice, and should never be done unless there is some super-good reason.