I picked up an ASUS eee PC just under a year ago, and after running the Xandros distribution (albeit with hacks) for most of that time, I decided to explore other options. It took longer than anticipated to accomplish (my eee PC kept seeing my pendrive as a hard drive, so I couldn't pick it from the boot menu as I was expecting), but I finally managed to run/install the Ubuntu eee distro.
I wanted to set down my initial impressions while they were still fresh in my mind.
I was able to make a bootable Live USB key easily. There's a GUI tool that makes it a simple process-- no command line kung-fu required. The desktop interface is an elegant, highly functional compromise between a full desktop and a novice switchboard. The performance of the Live USB key was slow/disconcerting, but don't let that discourage you-- it runs faster after you install it on the internal SSD.
A word to the wise about the actual installation process: when I tried to install Ubuntu eee from within the session of Ubuntu, I got to step 5 and found the keyboard was unresponsive. This was a problem since step 5 required entering account information, like name, user id and password. I had to reboot from the USB key and pick the Install Ubuntu option from the default boot menu. Your mileage may vary.
Almost everything worked "out of the box" with the installation. It picked up the WiFi (Atheros adaptor) and easily handled my home wireless WPA2 encryption. After wrestling with Ubuntu on a G4 PowerPC iBook (with a Broadcom adapter), I was expecting trouble. The only obvious hardware-specific snafu was the webcamera (which had been DISABLED in the BIOS).
As far as software goes, I wound up receiving somewhere in the ballpark of 250 MB of updates. No glitches per se, but it had to do the updates in two stages/reboots in order to resolve some dependencies. The synaptic manager is more flexible and versatile than the software update interface found in the Xandros/eee PC distro.
It was a little bit of a rocky start, but the overall experience has been positive and continues to impress me.
A liberal arts grad on the Information Superhighway, stuck in a traffic jam at the intersections of Technology, Psychology and Security.
Saturday, November 29, 2008
Thursday, November 27, 2008
What's on your "Speed Dial?"
Opera was the first browser to introduce the whole "Speed Dial" feature, but it seems like everyone has been adding it to their repertoire recently-- Google Chrome, Firefox (with the help of a third party extension called Fast Dial).
But, let's be honest, the nine car garage doesn't impress anyone if it's empty-- it's what kind of cars you put in it
Here's what I do with my "Speed/Fast Dial" slots:
1) Google Bookmarks
2) my Linksys wireless access point (which I hope will soon be running Tomato firmware!)
3) Twitter
4) This blog/Blogger's Dashboard
5) Google Reader (RSS feed aggregator)
6) my Gmail
7) emusic/Netflix/Youtube
8) Unassigned
9) Unassigned
Enough about me; let's talk about you for a while. What links are on your Speed Dial page?
But, let's be honest, the nine car garage doesn't impress anyone if it's empty-- it's what kind of cars you put in it
Here's what I do with my "Speed/Fast Dial" slots:
1) Google Bookmarks
2) my Linksys wireless access point (which I hope will soon be running Tomato firmware!)
3) Twitter
4) This blog/Blogger's Dashboard
5) Google Reader (RSS feed aggregator)
6) my Gmail
7) emusic/Netflix/Youtube
8) Unassigned
9) Unassigned
Enough about me; let's talk about you for a while. What links are on your Speed Dial page?
Tuesday, November 25, 2008
Technical Neologisms?
If someone buys the latest/fanciest technology purely for status is a "fashionista," then what do we call someone who buys their tech on the criteria of reliability?
I'd like to suggest "functionista." ;)
I know, this post doesn't really fall into the security, technology or psychology realms-- but I couldn't resist the word play.
I'd like to suggest "functionista." ;)
I know, this post doesn't really fall into the security, technology or psychology realms-- but I couldn't resist the word play.
Monday, November 24, 2008
Jonah Chanticleer 公鸡: Google Maps and Google Docs
Almost a year ago, I wrote about making peace with Javascript and my success with the Google Maps/Docs tutorial. My karma being what it is, Google introduced a method that allows people to collaborate on a map, so my entire reason for learning how to power a Google map via a Google Docs spreadsheet became moot.
I've noticed a sudden spike in traffic to the old page about Google Maps/Docs (no idea why-- please feel free to enlighten me in the comments), so I figured I'd better save folks some time and frustration by providing a link to the collaboration piece I mentioned.
I've noticed a sudden spike in traffic to the old page about Google Maps/Docs (no idea why-- please feel free to enlighten me in the comments), so I figured I'd better save folks some time and frustration by providing a link to the collaboration piece I mentioned.
Tagged as
Google Docs,
Google Maps
Thursday, November 20, 2008
Phishing web sites
I see many phishing emails because of my job.
The conventional wisdom seems to be to treat phishing email as if it were spam. Just add it to the SPAM filter and forget about it. I don't get it. Spam is a commercial nuisance, but phishing is a deliberate, blatant attempt to defraud people. Blocking subsequent emails won't keep people from falling victim to the emails that already made it through-- nor will it keep other people outside of my workplace from being victimized.
I believe phishing deserves a separate and greater response. This is why I use Phishtank (at home), and am so aggressive (on the job) about reporting phishing emails to the security departments of various organizations that fraudsters like to impersonate. I want to see these phishing sites taken offline; I want to see the perpetrators pursued and brought to justice when possible.
Although I feel sorry for the people who fall for these phishing scams, the people I feel even more sympathy for are the ones who are just trying to run a web site . . . and then discover that someone has violated their server security, and is using their platform on the Internet to rip off and hurt other people.
It goes something like this:
The would-be fraudster finds a web server that he or she can compromise. Maybe they were able to sniff an FTP userid/password over a network connection because it was passed in the clear, or maybe the password was easy to guess or derive because it wasn't a very strong password. The precise method of compromise isn't important, because there's more than one way it can be done. The important point is, they have gained illicit access to the web server-- so they create a fraudulent paypal/bank/IRS website and bury it deep inside a subfolder where no one ever looks, like an images folder. Then they send out emails to large numbers of people with links back to that fraudulent web site, and wait to see how many people take the bait and enter their account information. The person who owns/runs the website in most cases has no idea what is taking place under their noses.
I got to speak with such a person this morning. Nice woman-- runs a small web site for her small school. She teaches kids how to design web sites. She had a vague, conceptual understanding of what phishing was, but I'd be highly surprised if she's received any training on server security. Even if she had, it's unlikely her IT group has given her read access to her FTP logs or uses any encryption with their file transfer protocols. There isn't enough time, resources or skilled people available, and the priorities are always elsewhere.
But here's the thing, people. If everyone shrugs their shoulders and says, "This isn't my problem," then the same stupid cycle is going to keep being perpetuated. And one day, the person who gets fooled and taken for a ride will be you.
The conventional wisdom seems to be to treat phishing email as if it were spam. Just add it to the SPAM filter and forget about it. I don't get it. Spam is a commercial nuisance, but phishing is a deliberate, blatant attempt to defraud people. Blocking subsequent emails won't keep people from falling victim to the emails that already made it through-- nor will it keep other people outside of my workplace from being victimized.
I believe phishing deserves a separate and greater response. This is why I use Phishtank (at home), and am so aggressive (on the job) about reporting phishing emails to the security departments of various organizations that fraudsters like to impersonate. I want to see these phishing sites taken offline; I want to see the perpetrators pursued and brought to justice when possible.
Although I feel sorry for the people who fall for these phishing scams, the people I feel even more sympathy for are the ones who are just trying to run a web site . . . and then discover that someone has violated their server security, and is using their platform on the Internet to rip off and hurt other people.
It goes something like this:
The would-be fraudster finds a web server that he or she can compromise. Maybe they were able to sniff an FTP userid/password over a network connection because it was passed in the clear, or maybe the password was easy to guess or derive because it wasn't a very strong password. The precise method of compromise isn't important, because there's more than one way it can be done. The important point is, they have gained illicit access to the web server-- so they create a fraudulent paypal/bank/IRS website and bury it deep inside a subfolder where no one ever looks, like an images folder. Then they send out emails to large numbers of people with links back to that fraudulent web site, and wait to see how many people take the bait and enter their account information. The person who owns/runs the website in most cases has no idea what is taking place under their noses.
I got to speak with such a person this morning. Nice woman-- runs a small web site for her small school. She teaches kids how to design web sites. She had a vague, conceptual understanding of what phishing was, but I'd be highly surprised if she's received any training on server security. Even if she had, it's unlikely her IT group has given her read access to her FTP logs or uses any encryption with their file transfer protocols. There isn't enough time, resources or skilled people available, and the priorities are always elsewhere.
But here's the thing, people. If everyone shrugs their shoulders and says, "This isn't my problem," then the same stupid cycle is going to keep being perpetuated. And one day, the person who gets fooled and taken for a ride will be you.
Tagged as
Psychology,
security
Tuesday, November 18, 2008
Windows XP SP2 and WPA2 AES
Like many people, I read this item at Lifehacker about how a PhD candidate found a way to compromise WPA2 security and switched my wireless router's settings from TKIP+AES to AES alone. Everything seemed to work fine afterwards, so I scratched it off my To Do list and went about my business.
A few days later, I discovered my work laptop (Win XP SP2) would no longer connect to my home wireless setup. It would still connect to WiFi connections in other locations, though.
It took two days to make the connection between the wireless router setting change and the delayed isolation of my work laptop-- but I confirmed my hypothesis tonight by returning my router's encryption settings back to TKIP+AES, and the Windows laptop automatically connected almost immediately. I turn the setting back to AES only, and it loses the connection.
I'm sure there's a hotfix/patch from Microsoft to address this issue, but the policy for getting Windows Updates on workplace computers is bewilderingly confusing and slow. For example, our web browser standard is and continues to be Internet Explorer 6-- which makes for marvelous conversations with third-party vendors. So the question is, should I manually invoke Windows Update on my work computer and get God only knows how many patches, fixes and updates, and potentially risk introducing new issues, or should I just leave my router on the less secure of the two settings?
Discuss amongst yourselves. ;)
A few days later, I discovered my work laptop (Win XP SP2) would no longer connect to my home wireless setup. It would still connect to WiFi connections in other locations, though.
It took two days to make the connection between the wireless router setting change and the delayed isolation of my work laptop-- but I confirmed my hypothesis tonight by returning my router's encryption settings back to TKIP+AES, and the Windows laptop automatically connected almost immediately. I turn the setting back to AES only, and it loses the connection.
I'm sure there's a hotfix/patch from Microsoft to address this issue, but the policy for getting Windows Updates on workplace computers is bewilderingly confusing and slow. For example, our web browser standard is and continues to be Internet Explorer 6-- which makes for marvelous conversations with third-party vendors. So the question is, should I manually invoke Windows Update on my work computer and get God only knows how many patches, fixes and updates, and potentially risk introducing new issues, or should I just leave my router on the less secure of the two settings?
Discuss amongst yourselves. ;)
Sunday, November 9, 2008
Security, from a different angle?
When people talk about security and technology today, we usually assume they mean controlling who can see information. There are people who are entrusted with access to that information, and then there are people who are not. The type of information varies-- it could be financial, medical, academic, but the overall point is that access to the information should be restricted.
All that is true, but it leaves out a piece.
Suppose you and eleven other people all have access to the same information. Any one of you can read or change that data at any time. One day, you log in and find a subset of the information has been reverted back to a point six months ago in time. You don't know which of the eleven other people who had access made the change, you don't know why they made it or even if the change was intentional or (more likely) accidental.
All you know is that you didn't do it, and it happened further back in time than your backup plan will allow you to restore.
The sad truth is that there are some threats to data security "inside" your organization. It might be an incompetent server admin who accidentally overwrites your files with old data during a backup/restore operation. It might be a malicious co-worker who is pissed off because they got passed up for a promotion and they want to make someone else on the team look bad. It might even be a scenario beyond our collective ability to imagine (i.e. the technology visionary in your office decided it was time to do some spring cleaning in their home folder on the network-- except they were in the wrong folder.)
There's a myth about security-- that you can build a bullet-proof solution and nothing bad will ever happen to your information. The question we should be asking is not "What will we do IF something happens to our data?" It should be "What will we do WHEN something happens to our data?"
Timely awareness is key to an effective response. You wouldn't wait til tomorrow to treat a gunshot wound. You shouldn't wait 24 hours to deal with a situation involving the corruption of your data. You need to be made aware of changes on an almost daily basis. In some cases, this is as easy as turning on auditing processes in your server's operating system.
In some cases, like a shared FTP directory on a remote web server, it becomes harder. But harder doesn't make it any less necessary. I'm working on a solution, involving WebDrive and WinDiff, that will let me get a recursive list of all the files and folders on our web server on a daily basis, dump them into a text file, and then compare it with the list from the previous day so I can see the deltas. I'm sure there are probably better tools out there for the task-- ones that lend themselves to more scripting and automation, for example, but for the time being, I need to get this up and running with the tools I have rather than waste days trying to learn new tools and figure out how to get them working.
If this works the way I believe it will, I'll be able to see what files have been deleted, added or modified in the previous 24 hours. If I start seeing a spike in activity ("hmm, that's weird, someone deleted 300+ files yesterday . . . ") I can start investigating it right away, rather than finding out about it too late.
All that is true, but it leaves out a piece.
Suppose you and eleven other people all have access to the same information. Any one of you can read or change that data at any time. One day, you log in and find a subset of the information has been reverted back to a point six months ago in time. You don't know which of the eleven other people who had access made the change, you don't know why they made it or even if the change was intentional or (more likely) accidental.
All you know is that you didn't do it, and it happened further back in time than your backup plan will allow you to restore.
The sad truth is that there are some threats to data security "inside" your organization. It might be an incompetent server admin who accidentally overwrites your files with old data during a backup/restore operation. It might be a malicious co-worker who is pissed off because they got passed up for a promotion and they want to make someone else on the team look bad. It might even be a scenario beyond our collective ability to imagine (i.e. the technology visionary in your office decided it was time to do some spring cleaning in their home folder on the network-- except they were in the wrong folder.)
There's a myth about security-- that you can build a bullet-proof solution and nothing bad will ever happen to your information. The question we should be asking is not "What will we do IF something happens to our data?" It should be "What will we do WHEN something happens to our data?"
Timely awareness is key to an effective response. You wouldn't wait til tomorrow to treat a gunshot wound. You shouldn't wait 24 hours to deal with a situation involving the corruption of your data. You need to be made aware of changes on an almost daily basis. In some cases, this is as easy as turning on auditing processes in your server's operating system.
In some cases, like a shared FTP directory on a remote web server, it becomes harder. But harder doesn't make it any less necessary. I'm working on a solution, involving WebDrive and WinDiff, that will let me get a recursive list of all the files and folders on our web server on a daily basis, dump them into a text file, and then compare it with the list from the previous day so I can see the deltas. I'm sure there are probably better tools out there for the task-- ones that lend themselves to more scripting and automation, for example, but for the time being, I need to get this up and running with the tools I have rather than waste days trying to learn new tools and figure out how to get them working.
If this works the way I believe it will, I'll be able to see what files have been deleted, added or modified in the previous 24 hours. If I start seeing a spike in activity ("hmm, that's weird, someone deleted 300+ files yesterday . . . ") I can start investigating it right away, rather than finding out about it too late.
Sunday, November 2, 2008
Micro Center - Combination Notebook Lock
Micro Center - Combination Notebook Lock: "A physical and visual deterrent to theft, easy to use and extremely portable."
More like horrible mess and nightmare. One night a week, I have to leave my laptop at the office over night so it can perform an auto-scheduled backup of my web sites. I worry someone's going to "help themselves" to it-- we've had a bit of a problem with that lately. Personally, I blame the dreadful economy. So I bought this product, figuring my laptop would be less prone to vanish if it was tethered to my desk.
First, it says it works with any computer that has a VGA port. Sadly, it should read "works with any computer that has a VGA port with attaching screws." My ASUS eeePC has a VGA port, but no attaching screws, so this product wouldn't work for it.
Second, it's a pain in the ass to use. Directions are better than average, but the complete operation (setting the combination, locking the lock, unlocking the lock) is not intuitive. Do this, press this button, do that, press this other button sideways-- AUUGHH!
Third, when I used it, and tried to unlock/unscrew this cable from my work laptop's VGA port, it literally would not unscrew and pulled the attaching screw off from the side of my VGA port instead.
Trust me, it's not worth the hassle or the money.
More like horrible mess and nightmare. One night a week, I have to leave my laptop at the office over night so it can perform an auto-scheduled backup of my web sites. I worry someone's going to "help themselves" to it-- we've had a bit of a problem with that lately. Personally, I blame the dreadful economy. So I bought this product, figuring my laptop would be less prone to vanish if it was tethered to my desk.
First, it says it works with any computer that has a VGA port. Sadly, it should read "works with any computer that has a VGA port with attaching screws." My ASUS eeePC has a VGA port, but no attaching screws, so this product wouldn't work for it.
Second, it's a pain in the ass to use. Directions are better than average, but the complete operation (setting the combination, locking the lock, unlocking the lock) is not intuitive. Do this, press this button, do that, press this other button sideways-- AUUGHH!
Third, when I used it, and tried to unlock/unscrew this cable from my work laptop's VGA port, it literally would not unscrew and pulled the attaching screw off from the side of my VGA port instead.
Trust me, it's not worth the hassle or the money.
Subscribe to:
Posts (Atom)