Monday, March 22, 2010

Trust No One?

Just a little case study to show how being paranoid can pay off:

All this winter my screen saver was a lovable group of snowmen ice skating on a frozen pond.  The whole thing was 3D rendered and the younger kids loved it.

It is not, however, the best screen saver to have in March when the snow from our last big blizzard is still fresh in our minds and we can't wait for the unbearably hot global warming just because it means we don't have to shovel any more snow.

*ahem*

In any case, I got the snowmen screen saver from Apple's Downloads section, so I thought I'd head there to see if there was anything more Spring themed.

Apple's Downloads is a directory of both Freeware (no need to fork over cash for it ever) and Shareware (offered as a try-before-you-buy deal.  If you keep it you are expected to pay for it).  As a self-admitted cheapskate I'm specifically looking for freeware screen savers with a spring theme. Oh, this one looks good.



As you can see from the Download Details, this particular screen saver is Freeware, so I won't have to purchase it to use it.

Also, the company name is not Apple.  Apple.com is providing a link here but the screen saver has been created and provided by "7art-screensavers.com."

Oh well, that's not so bad, right?  After all, Apple is known for its ultra-strict policies on iPhone App approvals.  I'm certain they won't let any malicious company provide software on Apple's own domain ...

Wait, what's this?



Who in the world is Premier Opinion? Just looking through the user agreement that's popped up on my screen - before I've managed to install my screen saver, by the way - makes me cautious.  I really don't want anyone monitoring anything I do online, since that involves ... oh, you know ... banking, sending email to friends and family, student grades, and so on.

Let's see what a Google Search has to say about Premier Opinion:



Well, that's interesting.  The first link takes me directly to PremierOpinion.com - no surprise there, but most of the links following that are claiming that the company's distributing spyware.

If you see multiple people asking for help to get a program off their computer because they can't do it themselves, then perhaps you might not want to install it yourself.

To wrap up:

  • I encountered this software trying to install itself on my Mac, which is historically a more secure platform.

  • I found the software linked to from Apple's web site, arguably a place that should only include safe software.

  • I still almost installed spyware on my system.

  • If this isn't a case study for paying attention and not blindly trusting any one thing to protect me online, I don't know what is.


Thursday, March 18, 2010

Good Passwords: Make one and use it!

(Image from Wikimedia.org)

Passwords: Everyone online has them.  Many of us forget them.  Some of us never change them.  But you know what? It's about time to start!

I have students that even now think "qwerty" and "12345" are good passwords.  I have seen more than one adult use "password" as a password "To make things easier."

These are only good things if you want your account to be compromised, so I'm making this post to show a quick and easy way to make passwords that are simple enough to remember without being equally easy to guess.

  1. Start with a phrase or sentence - a long one, but one you can remember.
    Mr. Smith is the best teacher ever and he never, ever brags.
    -or-
    My house is on Maple Street and it has a blue mailbox.

  2. Keep only the first letter of each word.  (To be really sneaky keep only the last letter of each word.)  Good passwords will often have mixed cases (both upper and lower case letters) to make them appear even more random, so I kept the capitalization from the words Mr., My, Maple, and Street.
    Msitbteahneb
    -or-
    MhioMSaihabm

  3. The strongest passwords have both numbers and letters.  I will usually replace a few of the letters that look like certain numbers.  "1" could be "i" or "l."  "3" could be an "e." Of course "0" and "o" are so similar it goes without saying.  You don't have to replace all of your letters - a few here and there are enough.
    Ms1tbt3ahneb
    -or-
    Mhi0MSa1habm

  4. If you're someone who uses different passwords for different services (generally a good idea), you could even add the name of that service at the beginning or end of that string of almost random numbers or letters.  For this example I used Google Mail (or Gmail).
    Ms1tbt3ahnebgm
    -or-
    gmailMs1tbt3ahneb
    -or-
    gmMhi0MSa1habm
    -or-
    Mhi0MSa1habmgmail
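The four steps above, written out as a small script so you can see exactly what each one does to a phrase.  This is an added example, not code from the original post: the function names, the letter-to-digit map, and the rule "swap at most two look-alike letters, working from the right" are my own assumptions (the post leaves the choice of which letters to swap to the reader; this rule happens to reproduce the post's "Mhi0MSa1habm" for the Maple Street phrase).  It also refuses results that are too short or that collapse to one of the passwords the post calls out as horrible.

```python
"""Build a password from a memorable phrase, following the four steps above.

Added example, not code from the original post. The function names, the
digit map and the "at most N substitutions, taken from the right" rule are
assumptions of this example.
"""
import re

# Letters that look like digits, as listed in step 3.
DIGIT_LOOKALIKES = {"i": "1", "l": "1", "e": "3", "o": "0"}

# Passwords the post names as horrible; a result that reduces to one of
# these after the substitutions is rejected.
KNOWN_BAD = {"12345", "qwerty", "password"}


def initials(phrase: str, position: str = "first") -> str:
    """Steps 1 and 2: keep one letter per word, preserving that word's case.

    position="first" keeps the first letter of each word; position="last"
    keeps the last letter (the "really sneaky" variant from step 2).
    """
    words = re.findall(r"[A-Za-z]+", phrase)  # punctuation such as "Mr." becomes "Mr"
    if position == "first":
        return "".join(w[0] for w in words)
    if position == "last":
        return "".join(w[-1] for w in words)
    raise ValueError("position must be 'first' or 'last'")


def digitize(letters: str, max_subs: int = 2) -> str:
    """Step 3: swap a few look-alike letters for digits.

    Only lowercase letters are swapped, so the mixed case from step 2
    survives. Scanning from the right and stopping after max_subs swaps is
    an assumption of this example, not a rule from the post.
    """
    chars = list(letters)
    swapped = 0
    for idx in range(len(chars) - 1, -1, -1):
        if swapped >= max_subs:
            break
        if chars[idx] in DIGIT_LOOKALIKES:
            chars[idx] = DIGIT_LOOKALIKES[chars[idx]]
            swapped += 1
    return "".join(chars)


def tag_for_service(core: str, service: str, where: str = "suffix") -> str:
    """Step 4: attach a per-service tag so each site gets a different password."""
    return core + service if where == "suffix" else service + core


def build_password(phrase, service="", where="suffix", position="first", max_subs=2):
    """Run all four steps and refuse results that are obviously weak."""
    result = tag_for_service(digitize(initials(phrase, position), max_subs), service, where)
    if len(result) < 8 or result.lower() in KNOWN_BAD:
        raise ValueError("phrase is too short or reduces to a well-known bad password")
    return result


if __name__ == "__main__":
    phrase = "My house is on Maple Street and it has a blue mailbox."
    print(initials(phrase))                           # MhioMSaihabm
    print(digitize(initials(phrase)))                 # Mhi0MSa1habm
    print(build_password(phrase, "gm", "prefix"))     # gmMhi0MSa1habm
    print(build_password(phrase, "gmail", "suffix"))  # Mhi0MSa1habmgmail
```

Run it as-is to see the Maple Street phrase go through each step; pass a different phrase, `position="last"`, or a larger `max_subs` to see how the other variants the post mentions change the result.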


Oh, and a few extra tips:

  • Avoid writing your password down if you can help it.  If you know you have no chance of remembering it otherwise, keep it in a wallet or something else that you never leave unguarded.

  • Don't tell anyone your password. They may be your friend now, but what if you have a falling out?  What if they write it down, and someone else sees it because they weren't as careful as you were?

  • That goes double for the people running whatever the password is for! I don't need to ask a student for their password to log into their account.  Blizzard employees don't need your password to access your World of Warcraft account.  Hotmail, Gmail, eBay, MySpace, and Facebook employees have the same power - they will never ask for your password and if one of them does then they are lying about being an employee.

  • If a computer is in an unmonitored public location (like a public library), don't use any of your passwords.  There is a pretty good chance that those computers already have spyware on them.  Use them to check the news, weather, or how your favorite team did last night, but don't check your email.

Tuesday, March 16, 2010

What are you doing?

Today an email started floating around amongst various fellow employees of my school district.  It contained a link to a particular YouTube video along with the caption "This video needs to be shown to teachers!"

I thought it was worth tweeting, and apparently I think it's worth a blog post as well because here we are.



On the surface it's a very upbeat video.  "I can do this!"  "You can do this!"  The part that's left out is the part that belongs to the viewer.

Each of us brings to every new experience all of our baggage.  Our previous education, experiences, likes, dislikes, and so on all flavor how we react to something new.  This can make us more or less inclined to enjoy the new things we encounter.

Having grown up with the idea of a particular type of vampire, for example, I am less inclined to enjoy the concept of vampires introduced in a certain popular series of books and movies.  (I still maintain that Vampire + Sunlight = Charcoal.  Glitter is not in the equation.)

A student introduced to a certain author or story genre in an academic setting may become soured towards those things if they dislike that classroom environment.

A teacher may avoid technology integration in their classroom if the examples they see implemented are too complex to understand, require too much additional work to pull off, or (in a worst case scenario) involve someone getting punished in some way for implementing the integration incorrectly.

And I begin to get to my point.

When I was a traveling visual arts teacher, I enjoyed the fact that I was not only demonstrating easy ways to integrate the arts but also easy ways to integrate technology. Slideshows, DE Streaming, audio, video, document cameras, and more were thrown in whenever I could do it quickly and easily.  In some cases I - the itinerant - was using equipment that the teachers based in those buildings never touched, because they didn't know it was there or didn't think it would be better than the old way of doing things.

Now that I am in the same computer lab for the entire day I'm actually much more isolated than I was before, but I can still get a sense of what's going on.  Now, as before, I enter classrooms to see computers collecting dust or surrounded by enough books and boxes to make it obvious they haven't been used in a while.  I see SMART Boards and document cameras pushed aside in the corner of a room.  I see LCD projectors that have been used more often to show movies during indoor recess than to actively engage students in learning activities.

On the other hand, there are also plenty of teachers in my building that enjoy using their SMART Boards on a daily basis and are having their students use them, too.  There are teachers that encourage their students to use online resources both in and outside of the classroom.  There are teachers that frantically contact me when their LCD projectors are not working properly, because their lessons depend on them.  There are teachers coming to me and asking for advice on how to get their students blogging, how to create online quizzes, and how to have students submit assignments digitally.  And the number of teachers who are like this is growing.

Why?  Because the teachers in my building are sharing with each other.  They attend their collaborative planning meetings every week and talk about how useful these tools are, and the other teachers decide to give it a try for themselves.

No one day professional development session that I've seen will make as much of a difference as one impassioned person who likes to show off what they can do with these awesome tools on a frequent basis.  They are enough to get others to try it, and from there it spreads exponentially.

This is a far cry from a former principal of mine (whom I will not name) who attended a MICCA (now MSET) conference only to say "It's a shame we can't do any of that here."  (As someone who has presented at MICCA for years on what I'd been doing with my own classes I wondered what sessions she attended.)

So what are you doing?  Are you trying new things? Bragging about what works? Trying to fix what doesn't work?  Showing others how the costs of integration are far outweighed by the benefits?  If you're not letting others know how technology works for you, you're not doing enough to help the next generation.

We all bring our prior experiences with us.  At your next collaborative planning, bring some good ones.

Friday, March 12, 2010

Half of what you see...

A day or two ago I encountered this image via Twitter.  Take a moment to go over it, there will be a test afterward.



Looks like your standard "Macs are SOOO expensive compared to PCs are you getting what you're paying for?" ad, right?  A few things struck me when I saw this, but first let me lay down a ground rule:

I am NOT going to try to disprove that Macs cost more!

Sure, I can probably shop around to find a PC manufacturer that costs the same as or more than Mac hardware, but if I shop wisely then chances are I can walk out the door with a PC and more money in my pocket than if I get a Mac with the same specs. One can argue cost over time and yadda yadda yadda, but that is not the purpose of this post.

Now I know Macs don't come that cheap, particularly the towers (which tend to be more high end than the iMacs), but that number still seemed high to me so I thought I'd take a visit to Apple.com and see if I could recreate that total.

  • I avoided the Education store.  As a teacher I can get some nifty discounts, but for this test I felt that would be cheating.

  • Apple does not offer a 1.5 TB drive.  I went with a 2 TB drive instead.


Here are the parts I don't quite agree with.  To get the total they list...

  • I had to use the Apple RAM, which no Apple user in their right mind would do.  You can get the exact same RAM from places like Crucial.com for much less.

  • Ditto for the monitors.  You can get the same quality and size for a lot less if you go elsewhere.  Just do a Google search for "24" flat panel monitor."  Anything less than $900 will save you money.


Is the Apple option more expensive anyway?  Yes.  But the creator of this image played their cards right to make the price be as high as possible to emphasize their point.  I'm not blaming them for this - advertisers do this all the time.  It's our job as consumers to notice this and take it into account.

There's one last thing I'd like to point out.  Let's focus on a single line:

Why look at that!  Everyone knows Macs aren't upgradable!  This makes total and complete sense!

... or not.

If they had made this comparison with the iMac or any of the laptops, they would have had half a leg to stand on.  (You can upgrade the RAM and hard drives, but admittedly to conserve space the rest of the components are soldered together like they are in PC laptops.)

But they went high end, trying to show as powerful a pair of computers as they could.  Mac towers are just as modular as PC towers.  With the possible exception of the motherboard (I haven't messed with those for a few years) I can swap out the components in a Mac tower as much as I want.  There are plenty of bays for other drives, and I can even turn it into a RAID if I want.

Half of what you see ...

Is there some truth in the image?  Yes.  I did not display it to say it was 100% false.  But it is not 100% accurate.  It assumes those purchasing the Mac will make several bad decisions that I would not expect someone with the need for that much hardware to make.

It has enough truth in it to make people relax and accept the rest of it as fact as well.

Most advertisers do this.

Many people spreading hoaxes (see my last post about phishing) do this.

And it is our job, as consumers of information, to realize this before we react to what is handed to us.

Wednesday, March 10, 2010

Don't Be A Phish

This post has been brewing for a while. What's finally gotten me to write it down is the recent spread of compromised Twitter accounts. Teachers - DEN Stars and more - are falling for phishing scams because they don't recognize the warning signs.  If this post prevents just one person from having an account compromised, I will consider it worth writing.

Definition


Phishing involves tricking people into lowering their guard and giving up something.  It could be your Twitter account info or your online bank login.  Whatever it is, the phisher has conned you into doing something.

That's right, the people who do phishing scams are con artists.  Only instead of convincing your grandmother to invest your inheritance in a nonexistent company they're convincing hundreds (or thousands) of people to type their PayPal information into a site that looks just like PayPal ... only it isn't.  Phishing isn't one guy with a pole, hook, and a worm, it's a fleet of ships with nets that stretch for miles.

And once you get phished, in most cases you unwittingly join that fleet.  Compromised Twitter accounts send out messages to other people encouraging them to go to the same sites and enter the same information that doomed them.  The same behavior can be seen in email and even online video games like World of Warcraft.

Oh, and phishing is NOT hacking.  I've a friend or two that foam at the mouth when they hear the words used interchangeably, so this paragraph is for them.  In some cases I've heard it called "social hacking," which is at the same time a better and worse description of what's taking place.  There is no teenager with more piercings than a pincushion hanging out in his mom's basement typing zeroes and ones into a terminal to get into your Facebook account.  More likely it's someone with ties to organized crime thinking up emails that would convince your mother that her bank has asked her to log in and verify her identity.

Prevention


I've divided anti-phishing techniques into three categories: Hardware, Software, and Social.

Social

Biggest category first.  Get the best hardware and software together and someone can still convince my mother to disable all the safeguards and let in the troublemakers.  Sorry, Mom.  I love you, but it's true.

1. Trust nobody. Just because the email header says it's from your best friend does not mean they wrote it.  Just because your sister sent you a Direct Message in Twitter does not mean she found a picture of you that will require you to log into Twitter - again.  Email headers have been getting spoofed for years, and anyone who has been successfully phished will usually have their compromised account sending out the same message that tricked them to all their friends/followers/contacts.  When in doubt, contact them through another medium and ask them if they really sent you that message.

2. Look at links. PayPal's web address is "PayPal.com," not "PayPaI.com."  Look the same?  One ends in a lower case "L" while the other ends in an upper case "i."  You'll also find wider variations like "Paypal.ohcomeonyoucantrustusreally.com"  Replace PayPal with essentially any web based service you can possibly think of.  The more popular it is, the more likely someone out there has made a phishing scam for it.

Why does this matter?  If you go to the wrong address and enter your login and password, you're not actually logging in.  You're giving your information to the scammer.  Now they're logging in as you and doing whatever they want - usually by changing your password first.

3. If you can't find it after typing the site address in manually and logging in, then it isn't true either. This relates to #2.  I'm constantly getting emails telling me my PayPal account has been compromised and I need to click on a link in the email and verify my settings or I will lose everything oh no!  (Of course I don't have a PayPal account so I wasn't fazed by this at all, but plenty of others do.)  If you get an email like that for any service and you think it MIGHT be legitimate, type the web address in by hand.  In this example, I would go to PayPal.com and log in.  If I can't find the same notice on that site, then I just avoided getting phished.

4. If it sounds too good to be true, then it usually is.  You did not win the lottery in London.  (Protip: you have to buy a ticket first.)  No one in Nigeria wants you to help funnel money out of their country.  Blizzard is not giving out exclusive in-game mounts to select World of Warcraft players.  I've had people trying to scam me with each of these.  Report them if you have that option, delete and forget the messages if you don't.

5. Change your password - often.  This won't exactly prevent phishing but it's a good security tip nonetheless so I'm throwing it in here.  While you're at it, make it a password that's hard to guess.  "12345," "qwerty," the name or birthday of someone close to you, and (for the love of all that is holy please not this one) "password" are all horrible passwords and should never be used.
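Points 2 and 3 above boil down to one check: does the link actually land on the domain you would type in by hand?  Here is that check as a small script.  It is an added example, not code from the original post.  It extracts the host from a link, compares the part that matters (the last two labels, so "www.paypal.com" counts as "paypal.com") with the expected domain, and flags a host that only matches after look-alike characters are folded together (the "PayPaI.com" with a capital i trick) as a lookalike rather than a match.  The two-label rule and the confusable-character table are simplifications I assume here; the rule does not handle suffixes such as "co.uk", and the sample links are constructed for the demonstration.

```python
"""Classify a link as matching, look-alike, or the wrong domain entirely.

Added example, not code from the original post. The two-label "registrable
domain" rule and the CONFUSABLES table are assumptions of this example.
"""
from urllib.parse import urlsplit

# Characters commonly swapped for one another in look-alike host names:
# digit one / lowercase L / lowercase i / pipe, digit zero / letter o, 5 / s.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "5": "s"})


def registrable_domain(host: str) -> str:
    """Last two labels of a host, e.g. 'www.paypal.com' -> 'paypal.com'.

    Simplification: real public suffixes (co.uk, com.au, ...) need a suffix list.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(host: str) -> str:
    """Fold case and confusable characters so 'PayPaI.com' and 'paypal.com' collide."""
    return host.lower().translate(CONFUSABLES)


def classify_link(url: str, expected_domain: str) -> str:
    """Return 'matches', 'lookalike' or 'wrong domain' for one link."""
    if "//" not in url:            # allow bare "paypal.com/login" style links
        url = "http://" + url
    host = urlsplit(url).hostname or ""   # .hostname is already lowercased
    actual = registrable_domain(host)
    expected = expected_domain.lower()
    if actual == expected:
        return "matches"
    if skeleton(actual) == skeleton(expected):
        return "lookalike"
    return "wrong domain"


def classify_all(links, expected_domain: str) -> dict:
    """Classify a batch of links; handy for going through a suspicious email."""
    return {link: classify_link(link, expected_domain) for link in links}


if __name__ == "__main__":
    # Constructed sample links, mirroring the patterns described in point 2.
    sample = [
        "https://www.paypal.com/myaccount",
        "https://www.PayPaI.com/verify",
        "http://paypal.ohcomeonyoucantrustusreally.com/login",
        "paypal.com.example.test/reset",
    ]
    for link, verdict in classify_all(sample, "paypal.com").items():
        print(f"{verdict:13} {link}")
```

Only "matches" means the link goes where you would have typed; "lookalike" is the spoofed-character case and "wrong domain" is the long-subdomain case, and for either of those the post's advice in point 3 applies: close the message and type the real address yourself.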

Software

There really isn't any software that will 100% prevent you from getting phished.  There IS, however, software that will lessen the blow should you happen to get tricked.

1. Firefox.  If you're running a Windows based computer, there are some things you just have to use Internet Explorer for.  At work, I use IE to add networked printers to the computers in my building and install certain software packages.

For everything else, use Firefox.  It is more secure than Internet Explorer has ever been and when security holes ARE found they get fixed FAST.  I've heard some people tell me how slick Google's Chrome browser is, but it still doesn't compete with Firefox for security.

2. NoScript.  Firefox is awesome in part because it allows you to install different addons to give you different features that aren't available out of the box.  I'm not too crazy about installing every useful addon I find, but I simply LOVE NoScript.  In a nutshell, it blocks all javascript, java, cookies, flash, and anything else that can potentially be used to compromise your system.  You can add sites that you trust to NoScript's white list of allowed URLs to enable things from those domains on a permanent or temporary basis as you see fit, so sites broken by having their flash based content blocked won't stay broken if you really need to see that dancing monkey.

As an extra bonus: By its very nature, NoScript blocks the more annoying ads that you see on various web sites.

3. Antivirus.  Find a good one and keep it updated.  Do not install any "antivirus" that you see in a pop-up ad, as many of those are in fact spyware.

Also, only use ONE antivirus.  Antivirus programs have recognized each other as viruses in the past.  You don't want them trying to remove each other on you.

4. Anti-Spyware.  Same as antivirus, except spyware programs will often play nice with each other.  Get at least two and run scans frequently.  Many phishing sites will attempt to install keyloggers on your computer.  These particular spyware programs will remember everything you type (as in - your passwords) and send that information back home.  Countless people have been phished once and recovered just in time to have another account compromised because the first attempt opened up a back door.  A good anti-spyware program can help prevent that.  AVG is free and not bad, and Microsoft has released their own as well.

5. Another OS.  Most of the world may run on Windows, but that doesn't mean WE have to.  Linux and Mac OS X are both operating systems that are frequently ignored by people who write spyware and/or viruses.  Using them isn't a substitute for paying attention to the things under the "Social" section, but it DOES add an additional layer of protection.  Linux is often free and can run off of something as simple as a thumb drive, so if you're curious you may want to download a version and try it out with no risk whatsoever.  Currently Ubuntu is one of the more popular flavors of Linux - I have a whole post about that brewing for later.

Hardware

I saved this one for last because there's not a lot to it.  People have ignored these facets for years and still avoided phishing attempts.  That being said, I think both points in this section are at the very least worth consideration.

1. Get an authenticator.  These devices are not widely used yet, but they add a layer of complexity to logging in to services that most phishing scams have yet to take into account.  World of Warcraft - arguably one of the most popular video games ever - has been publicizing its authenticator for some time now.  Other services, like PayPal, are compatible with authenticators as well.  This episode of the Security Now podcast is a little dated, but offers a decent description of how they work.

2. Get a Mac.  I'm not going to set myself up for a fall by saying Macs are invincible.  Any time something is made to be foolproof someone goes and builds a better fool, after all.  However, as Macs are a much smaller portion of the market they tend to be overlooked by some aspects of phishing scams.  Spyware made to run on a Windows machine is not going to run on my Mac.  Does this make me safe?  No.  Does this make me safer than if I used a computer running Windows?  Potentially yes.

Security should not be your only incentive for getting a Mac, but if you're already thinking about it this is something that could be an additional point in Mac's favor.