Researchers at the University of California, Berkeley tested several popular web-based password managers and found serious vulnerabilities.
Although it’s a good idea to use password management software, any web-based service is going to be a tempting target for nefarious persons, since discovering one password will typically open a treasure trove of additional passwords.
We recommend using an offline password manager like Bruce Schneier’s Password Safe or Password Corral.
The search engine DuckDuckGo has received a lot of attention because of its attitude towards user privacy. Unlike Google, DuckDuckGo doesn’t store your search queries. Their motto is ‘The search engine that doesn’t track you.’
Not everyone cares whether their online activities are tracked. But for those who do, DuckDuckGo’s Fix Tracking! page is an excellent source of information. Once you’ve selected your web browser, you’ll be presented with a list of tools and techniques that can help to reduce the amount of tracking that is done when you use that browser.
The Fix Tracking! page also contains a section describing Common Tracking Methods. Recommended reading.
Brian Krebs runs an excellent security blog called Krebs on Security.
One particularly useful post on Brian’s blog is Tools for a Safer PC, in which he presents his recommendations for securing your PC against various threats. There are numerous similar lists on the web, but this is one of the best, and I have no qualms at all in recommending it.
The formerly excellent free OSI service provided by Secunia has been discontinued. I used the OSI service because it was an easy way to check for vulnerable software on any Windows computer.
Recently, OSI stopped working, and Secunia chose to retire the service rather than fix it. There’s probably more to their decision, but they’re not saying, at least not publicly. The OSI web site says only “We have discontinued the Secunia Online Software Inspector (OSI).” and recommends alternatives.
The primary alternative to OSI offered by Secunia is the “Personal Software Inspector”. As with OSI, PSI was developed in Java and requires Java to run. Unlike OSI, however, PSI runs as an application outside the context of your web browser. This has at least one advantage, in that there’s now one less reason to leave Java enabled in your web browser.
Unlike OSI, which was a strictly on-demand service, PSI by default sets itself up to start with Windows, checking for vulnerable software and updating it automatically. I’m not a fan of automatic updates: I want to be in control of what gets updated and when. Fortunately, PSI can be configured to only notify you of software that can be updated. You can also configure it NOT to start with Windows, but there are some additional steps you’ll need to take if you want to use PSI strictly on-demand.
PSI installs two services: Secunia PSI Agent and Secunia Update Agent. These services are configured to start automatically with Windows. If you want to run PSI on-demand only, you’ll need to change the Startup Type for both of these services from Automatic to Manual. When you run PSI, it will start both of these services. When you close PSI, it will stop the Secunia PSI Agent service, but leave the Secunia Update Agent running (it appears as sua.exe in the Windows process list). You’ll have to stop it manually.
Once PSI is running, it presents a list of installed software, along with status and options for each. We recommend changing the display to ‘Detailed View’ – click ‘Settings’ at the bottom of the PSI screen and enable that setting. While you’re there, you can also disable ‘Start on boot’ and select ‘Update handling: Notify’. For each application listed, the Status column shows the most obvious options, including ‘Download’ and ‘Update’. Right-clicking the entry for an application will show a context menu that allows you to see additional details about available updates, or choose to ignore updates for that application.
Warning: PSI seems to start scanning your computer before it presents any part of its user interface. That means you have to act quickly the first time you run it, if you want to configure it for on-demand scans only. Hopefully now that OSI users are migrating to PSI, Secunia will listen to their requests and make PSI more friendly to people who prefer the on-demand approach.
Additional information on setting up and using Secunia’s PSI can be found on this site’s ‘Scan for vulnerable software‘ page.
I don’t have a smartphone. I’ve fiddled with them, and I use one for app development. But the mobile device I actually use for day-to-day phone communication is an ancient Nokia 2610b.
I’ve never had any issues with call quality, or any other problems with this phone. It lets me download media from arbitrary web locations and use any sound file as a ring or other tone. It’s sturdy; I literally use it as a beer bottle opener. Of course it doesn’t have a full keyboard, and the buttons are tiny, but I’m no rapid-fire texter anyway. The display is very basic, but it works for me.
I’ve been tempted on many occasions to buy a smartphone. The coolness factor alone has almost triumphed, but so far I’ve resisted its lure. Sure, smartphones can do lots of cool stuff, and I have no doubt that if I owned one, I’d spend a lot of time playing with it. But in the end, the only features I would really use are the phone, contacts, text messages (including alerts from Google Calendar), and occasionally the timer and alarm.
Until today, I thought I might end up using the 2610b until it died (which is unlikely), the battery stopped holding a charge (original battery is still going strong), or somehow it was no longer supported by my carrier (also unlikely).
What changed my mind? Microsoft released a mobile version of Remote Desktop. That’s the software I use to remotely control the Windows PCs I administer. I use it to administer the media computer downstairs, and the server next to me. I use it to manage client computers in this and other cities. And I use it to access my main PC when I’m elsewhere. It’s indispensable. And now it runs on Android and iPhone devices.
This changes everything: now I have a valid reason to buy a smartphone. But I’ll continue to resist as long as I can.
This month’s ‘Ouch!’ newsletter from SANS covers password managers. A password manager is a small program that stores all of your passwords, in an encrypted form. When you forget a password, you only need to remember the password manager’s password to access your collection.
I’ve been using the freeware Password Corral for years and recommend it.
I’ve tried a lot of different broadband speed tests. Up until the last year or two, they usually agreed fairly closely when measuring my connection. Recently, the reported speeds have been much more diverse.
Why do the results vary so much? Is there a truly accurate test out there?
It turns out that most of the speed tests offered by Internet Service Providers (ISPs) are actually using the same Flash-based test, provided by a company called Ookla. I’ve read that Flash-based tests are all currently unreliable due to technical limitations in the current versions of Flash. Here’s an excerpt from the TestMy.net web site:
There is buffering between the application and the browser and throughput bursting due to CPU usage. Flash based tests need to make adjustments for this… rough estimate adjustments of up to 40 percent. How can the test be accurate if it’s being adjusted by 30-40% to offset an unknown variable.
Emphasizing this problem with Flash-based tests is my recent experience with very slow speeds from my provider, Shaw. Shaw’s own test showed results that match exactly what I’m paying for: 25 Mbps down; 2.5 Mbps up. This made no sense, since even basic web surfing was painfully slow. I reported the problem; Shaw eventually found the cause and fixed it. Everything went back to normal: web surfing was extremely fast again. But what did Shaw’s Flash-based test show? The same results as when speeds were clearly slow.
So I started looking specifically for non-Flash tests. I’ve found two HTML5-based tests that seem to be much more reliable and accurate than the Flash-based tests: SpeedOf.Me and TestMy.net. Both of these tests avoid the problems inherent in Flash-based tests. Both also offer additional features, such as comparisons with previous tests and other test results in your region and from your ISP, and graphs that show previous test results.
But my overall favourite is SpeedOf.Me, because it comes closest to showing the actual speeds I’m experiencing at any given time.
Here’s a list of the speed tests I’ve looked at:
Even before Windows 8 was released, you could find third party tools for resurrecting the missing Start menu. New software from Stardock goes even further in eliminating inexplicable Windows 8 behavior.
It’s called ModernMix, and its most notable feature brings back the ability to show applications in multiple windows concurrently. Apparently much of the underlying functionality was there in Windows 8 all along, and ModernMix just makes it possible to access the hidden goodies.
I knew eventually the world would hammer the Windows 8 mess into something usable. Attaboy, Stardock. ModernMix is currently priced at $4.99.
boot13