CryptoLocker and its progeny

For about the last year or so, there's been a class of malware running around that's become known as "CryptoLocker".  Since there's been another recent outbreak due to some compromised ad servers, I thought I'd address it.

What CryptoLockers do is install themselves on your computer and then encrypt your files, which is to say that it scrambles them in such a way that they can't be unscrambled without knowing a secret code.  You then find instructions on your computer on how to send a ransom to the people involved, usually using something untraceable like Bitcoin.

By the time that you're infected, it's too late to do anything about it.  If you've followed good practices, you have two lines of defense: the first is your antivirus, and the last is your backups. A good enough AV might not stop the initial infection, especially if you accidentally give it permission to install, but it should be able to remove the infection. That won't help your files, though, so for that you'll need to restore from backup.  You'll want to restore a file or two from before the infection, and keep stepping backward until you find ones that haven't been affected.  If you need help restoring earlier versions of files, look at the support for your software, but any reputable third party piece should be keeping multiple versions on hand.

If you haven't been maintaining a backup and/or don't have AV, you're going to be in some trouble.  The only thing that we've found in our practice that's capable of fully removing the most recent CryptoLocker after infection is RogueKiller.  If you don't have backups, or your backup isn't maintaining multiple versions, I have worse news: your files are probably gone.  You can try to pay the ransom, which at current writing usually runs around $350, but that's had mixed results; sometimes the attackers will decrypt the files, sometimes they ask for more money, sometimes there's simply no contact.  You'll have to weigh the possibility of getting the files back against the risk and the cost, and I can't help you with that.

I want to reiterate something I've said before: if you get infected by this, it is not your fault.  It is the fault of bad industry practices and people who care more about reducing their own liability than your protection.  It is the fault of malicious attackers exploiting the vulnerable.  There are ways you can protect yourself, if you are savvy enough, and if you've read enough of this blog and followed my advice you will probably bounce back from this.  But even if not, even if this is your first encounter, understand that a security regime that asks you to be an expert on your own safety in order to use the internet is badly broken. No one would suggest that if your car is stolen it's your fault for not knowing how car thieves work, but all too often with computer security we pretend that unsavvy users are the reason that there is cybercrime. No. Criminals and bad industry practices are the reason that there is so much cybercrime.

Let's talk passwords

I began this post weeks ago, but with the recent Heartbleed problems, it's even more timely and I feel like I need to finish this and get it out there.

Passwords have been an issue for some time, and they will continue to be more and more of an issue. There have now been a few large scale compromises--that we know about--and there will only be more as time goes by. I thought I'd bring this blog (at least briefly) out of retirement to talk about them.  I'm going to knock down some password myths, discuss how to build good ones, and give you some best practices, some good practices if you don't follow the best ones, and some okay practices.

First of all, passwords are terrible.  They're just an awful concept, but we use them because they're approximately the least-worst of several bad options.  Passwords are naturally easy to guess, and hard-to-guess passwords are necessarily hard to remember.  For good security, you need to use a different password everywhere, but the human mind doesn't work that way.  Passwords are a way that vendors, developers, and admins push the responsibility for security onto their users, because passwords are easier and cheaper to implement than actual, functional security measures.  One day, if it hasn't yet happened (it probably has, but you may not know), a password of yours is going to be compromised; know that when it happens, it is not your fault, but rather that the way the world is currently set up guarantees it over a long enough time window.  The best you can do is minimize the frequency and the impact of a compromised password.  This means using passwords that are:

  1. Hard to crack, but more importantly,
  2. Unique to the service you're using them on

If you don't read any further into this article, the best way for a layperson to do this is to use password management software. Password managers have their issues, but they are far better than your other options.  I personally use and love Lastpass, and know other people who swear by 1Password and Keepass, but the fact of using a password manager is more important than which you use.  Note that those are direct links, and there's no kickback involved for me in this (although I don't control the ads that show up on this site in the sidebar).

The reason to use a password manager is that it takes out of your hands the need to come up with a new password for each web site, something people are terrible at doing and so generally won't do.  Come up with a very strong password for the manager (we'll discuss those later), and then import almost all of your passwords into the password manager.  The exception is this: do not use the password manager to hold your primary email password. Come up with a separate (and again, strong) password for this service.  You'll be required to manage two passwords, but this means that an attacker that compromises your password manager doesn't have access to your email, and most services will allow you to reset or retrieve your password using your primary email address.  Likewise, someone who compromises your primary email password doesn't immediately get access to all of your other services, although you'll need to establish a new email address ASAP and start moving things.  What to do when a password is compromised will have to wait for another article, as this one is going to be long enough.

Going forward, you'll want to use the password manager to generate randomized passwords for everything you log into.  Your existing services will take some time, but for any new service, always use the manager rather than coming up with something manually.  Try to be disciplined about this: whenever you log into something, immediately change the password if you haven't already to something randomized.  The benefit of this is that when one of these services is compromised (as one of them will be), the attacker only gains access to that service.  When you reuse passwords, if someone compromises that password in one place they gain access to every place that you use it.

Now, some people are not going to use password managers, for various reasons.  Distrust of third parties, self-reliance, inability to install software on their work computers, all valid things.  In addition, some services can't be used with your manager, and you may not have access in the office.  Many people will require passwords that have not been generated via software.  We're going to go through a few things for you, and for those passwords that simply can't be stored in a password manager.

This is my personal method for coming up with a strong but memorable password.  I'm going to give you an example. DO NOT USE THE EXAMPLE PASSWORD. The example password is also not a password that I have used anywhere, but I encourage you to try it.

Step 1: come up with a nonsense word or phrase.  Not something random, like jkasdgkjashg.  We're going to use the brain's language capabilities to give us something both unique and memorable.  Phrases are particularly good, because they include punctuation and spaces.  Let's use "aggle mibble" (we'll be omitting the quotation marks).

See how easy that is to memorize? You've probably already got it down.  It's also not crackable using dictionary methods, because those aren't English words (If you google them, you'll find one is a Gaelic word and one is a name for a code library, but coming up with entirely unique nonsense words is not worth the time for this exercise).  It includes a space already, which means that to crack it with brute force will take orders of magnitude longer (check it against GRC's password haystacks, and you'll see the the single space takes the "massive cracking array scenario" from around 39 seconds to around 7 months).

Step 2: Strengthen your nonsense phrase with some capital letters, numbers and/or symbols. Use the old "change a letter to a number" chestnut, and starting with a cap, gives us Aggle Mibbl3.  Try this against the above cracker, and you'll see that our offline attack scenario is now in the centuries.  Now, look back at that password.  Isn't that much, much easier than the sorts of passwords you'd expect to be that strong?  We've used your brain's ability to handle language to reverse the normal scenario; this password is now very easy to remember and very hard to crack.

Optional step 3: Remember what I said about unique passwords?  Well, even if you're generating passwords with your own mind and not with a software tool, it's still possible to remember a unique password for every site and service.  I'll show you how.

Imagine you log on to, and are asked to create a strong password. You've already followed the process above, and now you'll remember Aggle Mibbl3 for the rest of your life.  Now, to make a unique password for this site is as simple as embedding the site itself somewhere in the password.  We could go with:

yourbank Aggle Mibbl3

or even better: Aggle Mibbl3

But better still is:

Aggle Mibbl3

Now you have a phenomenally strong, easy to remember password that is impossible to crack with a dictionary and virtually impossible with brute force.  It is also unique to this site, and therefore if compromised it won't automatically compromise everything else you log into.


 - Obviously, if this password is compromised, and a human looks at it, they'll probably recognize the pattern.  If that happens, they can attempt to use it against other sites, so if this is compromised you should still go through the process of resetting passwords anywhere you've used the same pattern.  However, if this is compromised programmatically, it is unlikely that an automatic password cracking implementation can recognize the pattern and reuse it, and that's the greatest danger.  Of course, if similar patterns become popular, they will begin to do so.

 - Some sites limit your password length.  These sites are very poorly implemented, but they likely include places you'll be absolutely required to log into, such as your bank.  There is nothing to be done here, and for these I highly recommend the password managers described above.

 - Similarly, some other poor site implementations omit certain symbols, like the spaces we used.  You can replace them with dashes, or dots, or anything else that you feel you can remember, but the fragmentation of password requirements is going to cause you problems.

Ultimately, the real fixes for this need to be on the industry side, but it will probably require a few more high-profile, internet-wide breakages before anything is done on a large scale.  The best you'll be able to do in the meantime is to protect yourself, and fixing your password usage is the first and most important step to doing so.

Happy internetting. I'm sure the more tech savvy of you are already poking holes in my reasoning, so feel free to do so in the comments.

What tablet should I buy?

Image © Copyright Keith Evans and licensed for reuse under this Creative Commons Licence.

This could probably have been more timely what with the Christmas season just ending, but I've been working on other projects.  I've been asked this a lot lately, for obvious reasons, and hopefully I'm addressing it soon enough to get to the post-Christmas crowd.

The first question is what platform you want.  The short answer is: buy the one whose platform matches your phone.  If you have an iPhone, buy an iPad.  If you have an Android phone, buy an Android tablet.  The reasoning here is that you're already invested in the app market for that platform, and many (not all) of your apps will be reusable.  Some developers want you to use different versions for different form factors, and so the phone versions won't transfer, but by and large you'll be able to make use of previous purchases.  You'll also understand the little idiosyncrasies of the system better.  Unless you have a specific function that you know only the other tablet has, this is the way to go.

The second question is the form factor.  A 7 inch tablet is highly portable, a 10 inch tablet is magazine-like and easier to consume content on.  If you don't think you have a preference, I would recommend the larger size.  There are more things that it is capable of, and it's closer to what developers are aiming for when they develop for tablets specifically. You should go with the smaller version if you're on a budget and don't need the size.  If you're on a budget but do need a large viewing space, consider buying refurbished.

If you are buying an iPad, you're done now.  The smaller form factor is the iPad Mini, and the larger is the plain ol' iPad.  The newest version of the latter has Apple's "Retina" display, but the older iPad 2 is still perfectly usable if you want to save a little money.

As far as Android, my specific recommendations as of this moment are the Nexus 7 from Google if you want a smaller tablet and the Note 10 from Samsung if you want a larger one.  This information changes quickly, but you're probably safe with anything that's called a Nexus, and Samsung is widely acknowledged to make very good hardware.

Things to avoid:

  • No-name generic Android tablets abound, but you won't save enough on the cost of the Nexus 7 to justify purchasing something cheaper.  They are generally locked to an older version of Android; most of these are on 2.3 or earlier, while Android has reached 4.2 as of this writing.
  • I think buying a 3G or 4G tablet is silly for most people, as the situations in which you'd use a tablet but won't be under wifi are extremely rare.  With a phone, sometimes you'll want to navigate in the car, or take phone calls or text messages while outside, but unless you're going to do a lot of tablet computing in the park you probably don't need the extra expense at the time of purchase, let alone the data plan.
  • The Surface, in my opinion.  It's an exciting prospect in a lot of ways, but buying the first generation of a new Microsoft product is almost always a mistake, and Windows 8 has some serious problems.

Post Office update

Google seems to have made some under-the-hood changes to Chrome that broke Post Office.  It's now updated and appears to be working again, but let me know if you're using it and have problems.

For those who don't know, Post Office is a Chrome extension that I wrote to help manage multiple email accounts.  There's a full description in the Chrome Store, but the gist is that it allows you to selectively send to email links via webmail rather than your computer's default mail client.  I have to maintain a large number of email addresses, which makes this useful for me.  It may or may not be useful for you, which is why it's available on the store.

In case you're curious, now has a GitHub where you can see open source code projects.  Currently, this only includes Post Office.

Why not Linux servers for small businesses?

I occasionally get asked why I don't use Linux more often for my clients. I've now spent about ten years as a networking consultant, six of that in the small-to-medium business space, which on the surface sounds like the ideal market for free-license software.  

This doesn't work for many reasons, which differ between desktop and server systems.  Today I'm breaking down the problems, as I see it, with Linux servers in the SMB market.

Time is money. Specifically, my time is expensive.  I work for companies that can't even close to afford to hire me full-time, and if they do have a "computer guy" on site, it's someone's nephew who kind of knows his way around a DOS prompt.  This divides the "computer work" into a few different categories:
  • High-level design and administration.  My bag.  This is fine under Linux, if not somewhat better in many cases.  It takes somewhat more time to build a Linux machine, but it probably takes less support over the lifetime of the device, so that's a wash. This is where the big savings is possible; Windows Server 2012 Standard licenses cost about the same as 7-10 hours of my time for a small business, depending on the number of employees.  Setting up a Linux network with a small number of servers takes longer than a Windows network (yes, it does), but not 7-10 hours longer per server, and you may save on support calls going forward.
  • Mid-level support. This is either done by someone moderately savvy, or by me walking someone through the steps involved.  This is a real drag under Linux, because the people I'm talking to aren't familiar with the interface, but it can be done and probably still works out better overall.
  • Day-to-day tasks. This is essentially impossible for end users to do on any version of Linux yet released without massive retraining.  In order for this to work, Linux needs to offer a desktop that is either as close as possible to Windows so that it looks familiar or is absolutely brain-dead to use. E.g., there's no real "desktop" unless you manually invoke it; you just log in and there are big buttons that say RESTART SERVER, RESTART X SERVICE, FIX PRINTERS (which clears the print queue), etc.
Application compatibility. This is big, and probably insurmountable without a giant push for more open-source software.  There are no good small business accounting packages on Linux (no, there aren't).  There are no truly solid ways of running Windows software, and if there were the vendors wouldn't support it.  Most small businesses are completely dependent on integrated accounting packages like Quickbooks or Peachtree.

That said, this is becoming less of a problem, as these services become hosted.  Most small businesses are now better off with hosted mail, and the fact that there's no Linux-based equivalent to Exchange/Outlook for mail/calendar/contacts matters much less.  These accounting systems are also going online, but as of yet the costs are prohibitive.  As they come down, more functionality can be pushed off site, and eventually most users will just use on-site servers for centralized account management and file sharing.  That's when small business Linux will become much more viable.

Packaged applications. Setting up a Windows server to host a dozen services is brain-dead simple and extremely fast.  No command-line work is necessary any more, everything is GUI- and wizard-based, and the defaults are almost always sufficient to get you 90% of the functionality you need.  Once I'm done designing a network, I can send a much more junior systems installer to handle the rest of it.  And Windows is only becoming better at this (although the UI in Server 2012 leaves something to be desired).

With Windows, one can set up services like DHCP, DNS, file sharing, centralized authentication, and even more advanced systems like VPN and a virtualization hypervisor with the push of a few buttons.  All of these things are available in Linux systems, and in many cases run better, faster, and with less intervention, but the setup goes from something essentially trivial to something requiring expert knowledge even for the most basic services.

Unfamiliarity. Linux just sounds scary to a lot of business owners (barring that small number of technophiles to whom it sounds great).  It's gotten branded as a geeks-only operating system that can't be used by mere mortals, which is a reputation that is only partly deserved, but it is partly deserved, primarily for the reasons outlined above.

None of these is insurmountable, but most Linux flavors don't even make the attempt.  Red Hat is doing very well in the enterprise space, and Ubuntu seems to be aiming at the desktop and tablet market rather than at small businesses.  There is a lot of room to compete with Microsoft in this space, in my opinion, but it can't be an afterthought.  Even a wizard-based GUI-installed flavor of Linux that sets up DHCP, DNS, and file-sharing would go a long way, although to be a real competitor it needs to have an easy-to-use counterpart to Active Directory, and that doesn't seem to be forthcoming.

All of that said, I do use Linux in my practice, but it's a relatively small part.  Linux is great when I've already got an Active Directory server in place and just want to set up a file server (although AD integration could be miles better than it is).  Linux handles certain services far better than Windows, like simple web servers, FTP servers, and firewall systems (although for the latter an appliance is usually the best choice).  And Linux is a great way to re-use dying hardware for non-critical applications.  Even with all of that, though, it's maybe one in ten clients for whom it makes sense, dollar-for-dollar, to set up a "free" OS.

Microsoft escapes the top ten threat list

Microsoft's security team is killing it: Not one product on Kaspersky's top 10 vulnerabilities list - The Next Web: Microsoft products no longer feature among the Top 10 products with vulnerabilities. This is because the automatic updates mechanism has now been well developed in recent versions of Windows OS.
Although, arguably, it has more to do with how very terrible Adobe's products are.  Half of the top ten are Adobe products.  Frankly, internet safety would be in a much better place today if Adobe had never incorporated; the vast majority of the infected machines that I deal with were infected by compromised PDFs or Flash vulnerabilities.

Why Does Everyone Hate Windows 8? Should I Upgrade?

Why Does Everyone Hate Windows 8? Should I Upgrade?: Windows 8 is getting a bad rap from a lot of people, but it really does have a lot of good stuff going for it. After all, people hated XP when it came out, too. Here are some of the things people are complaining about, and why they probably don't matter.
Lifehacker has a significantly different view of Windows 8 than I do.  For one thing, I think that the argument that you shouldn't worry about the Start menu going missing because you can download third party tools to replace it is very weak.

Paypal pushing users into binding arbitration

You probably just received a notice from Paypal, and you probably didn't read it.  That's okay, I do these things so that you don't have to.  Paypal is binding any users who don't opt out through physical mail to internal arbitration without outside legal recourse.  They've done this before, but without the opt-out procedure it's proven legally thorny for them.

Paypal is, of course, notoriously difficult to deal with, and we'd all like to have legal recourse should it be necessary.  Here, from their agreement, is the opt-out method:
  1. You can choose to reject this Agreement to Arbitrate ("opt out") by mailing us a written opt-out notice ("Opt-Out Notice").  For new PayPal users, the Opt-Out Notice must be postmarked no later than 30 Days after the date you accept the User Agreement for the first time.  If you are already a current PayPal user and previously accepted the User Agreement prior to the introduction of this Agreement to Arbitrate, the Opt-Out Notice must be postmarked no later than December 1, 2012. You must mail the Opt-Out Notice to PayPal, Inc., Attn: Litigation Department, 2211 North First Street, San Jose, CA 95131.

    The Opt-Out Notice must state that you do not agree to this Agreement to Arbitrate and must include your name, address, phone number, and the email address(es) used to log in to the PayPal account(s) to which the opt-out applies. You must sign the Opt-Out Notice for it to be effective. This procedure is the only way you can opt out of the Agreement to Arbitrate. If you opt out of the Agreement to Arbitrate, all other parts of the User Agreement, including all other provisions of Section 14 (Disputes with PayPal), will continue to apply.  Opting out of this Agreement to Arbitrate has no effect on any previous, other, or future arbitration agreements that you may have with us.
If everything just went fuzzy on you and you woke up in another room after trying to read that, the gist of the gist is that you must send snail mail to Paypal by December 1 of this year indicating your intent to opt out, or thirty days after you first sign up if you are not a current Paypal user.  It has to include your name, address, phone number, and all email addresses you use with Paypal.  The letter must state your intent to opt out of the Agreement to Arbitrate, and probably should be labeled "Opt Out Notice" at the top.

Here are the requirements in easy-to-digest list form:

  • Labeled "Opt-Out Notice"
  • States that you opt out of the "Agreement to Arbitrate"
  • Signed
  • Sent through physical mail
  • Includes your:
    • Name
    • Address
    • Phone number
    • all email addresses used with Paypal
  • By December 1st 2012 OR thirty days after you sign up for new users
  • Send to:
PayPal, Inc
Attn: Litigation Department
2211 North First Street
San Jose, CA 95131
I strongly recommend that all readers do so as soon as possible.

Windows 8 preview: you will hate it

St Mary's Church, Brome: stained glass windows (8)
St Mary's Church, Brome: stained glass windows (8)
Image © Copyright Basher Eyre and licensed for reuse under this Creative Commons Licence.

This title sums up what I think will be the likely response to the newest operating system from Microsoft, but let me go over a few things:

The good:  There are a lot of changes under the hood:

On the same hardware (Lenovo T420, 8GB RAM, Core i5, SSD), for me, bootup/shutdown times have been much faster.  I get an hour more battery life, which is basically worth the upgrade in and of itself.

The interface is cleaner and the whole experience feels snappier.  Basically all programs that anyone would reasonably use have proven to be 100% compatible; the only things that I use that aren't get really deep into the operating system and do things that you're not really supposed to do but that I occasionally have need of.

Hot corners are implemented better than I've ever seen them before.  If you've ever accidentally moused into the corner of someone's Mac, you know that you can make the whole screen freak out in unexpected ways if you're not used to it.  Windows 8, by contrast, merely pops up an unobtrusive UI element that can be clicked to invoke something without taking over your entire visual field.  Which is good; they'd better be implemented well because you'll be using them a lot.

Skydrive is something whose time has come, and the MS implementation of cloud sync is far, far better than Apple's.  You also get 7GB of online storage for free, a number obviously aimed at tweaking Google's nose. If you're not yet using a cloud sync service, the integration here will gently push you on board, mostly without telling you, which probably sounds annoying but is honestly much better than a default-off option.  I frankly consider this sort of thing to be a social good; legions of unsavvy folks will cease to lose their important documents and pictures when they just start popping on to the cloud.  You still need a real backup solution, but this puts you halfway there.

The bad: no Start button.  This is really going to mess with people. Navigation is all about hot corners, and getting to your applications now requires mousing to one corner or another depending whether you've got it pinned to the no-longer-named-Metro Start interface.  But notMetro isn't robust enough, so every time you go tere you will immediately click the "Desktop" tile to take yourself into real Windows, where you keep all your actual stuff.  No Start button also means no instant text launch, which my SSD-enabled self had come to depend on in 7.  As much as I hate to say it, Windows 8 could benefit from an early-XP style walkthrough of features, which it seems to lack.

The integration with social services, which should be under "the good", is instead half-hearted and Microsoft-focused. Background syncing is terrible, sloppy, and inconsistent, meaning that I'm generally better off going to the actual web app than waiting for the integrated "tile" to update.  The numbers of unread messages, tweets, etc. listed on the lock screen are always wrong.

The built-in mail app is terrible, and one of the few hideous things in the OS.  The only thing I should need to say is that you can't click-and-drag messages into folders. That's unforgivable.  For what it's worth, in the upcoming Office 2013 preview (spoiler alert) you'll find that's also gone high-contrast eye-bleaching white, so this seems to be a theme.

The built-in messaging notMetro app only integrates with MSN and Facebook, which is ridiculous and again unforgivable, especially as Google Talk uses a perfectly open platform and connecting to it is trivial.

The beautiful-but-irritating: notMetro is gorgeous, to my eyes.  I wish the tiles would work, because it's a much better method of catching and displaying all of your necessary information.  The presentation is lovely, if annoyingly tablet-focused, but the latter is almost certainly the right decision.

But it's different, and there's no clear indication of the ways that it's different.  It took me a couple of days to become comfortable navigating it, which means that I have clients who never will be.

I think this is probably purposeful, though.  The way to get people to adopt a new UX style is not to gradually change what they're used to; they'll fight you every step of the way.  The method that works is to go much too far, wait for the backlash, and then back off just enough that you seem like you're compromising.  Microsoft's partnership with Facebook is probably where they learned this technique.

Here is what will happen: Windows 8 will ship but with downgrade rights to Windows 7, at least for a year.  A few bleeding-edgers will purchase Windows 8 machines, and there will be an internet firestorm which will put everyone off of it.  Windows 7 adoption will actually accelerate, and folks will convince themselves that by downgrading they are sticking it to Microsoft.

Threeish years later, Microsoft will release Windows-whatever-9-or-something, with some moderate rollbacks to the UI changes, and it will be hailed the same way that Windows 7 was in the aftermath of Vista.  It will be rapidly adopted, especially as the Windows 7 downgrade window will have closed, and folks purchasing new machines will have to choose between 8 and 9-or-whatever.  The UX changes that Microsoft really wants implemented will become a fact of life.  Also, by this point tablet computing will have completely eclipsed desktop computing, so 9ow will make sense for the average user.  This may or may not give Microsoft a chance to dent the lead that iOS and Android will have in tablet computing by leveraging Office, which is the only truly dominant suit that Microsoft has left.

This sort of wandered out of the field of previewing and into Nostradamus, but still, you don't come here for the usual tech blog stuff, do you?

Which Android should I buy?

060.365 - March 1, 2010 (347 (Y2))

So you've read my previous post and decided to go the Android route.  You have a bewildering array of choices and want to know what to pick up.

Short answer: the newest thing in your category (phone, tablet, etc.) with "Nexus" in the name.  Currently, the Galaxy Nexus phone and the Nexus 7 tablet.

"Nexus" is the brand name that Google uses when they partner with a manufacturer to create a "reference" item, which showcases their newest operating system and updates.  Nexus devices are required to have basic Android without any vendor software laid over the interface; most other Android devices have some other user interface stuff thrown on top by the manufacturer to show off their coding skills and lock you into their system.  The problem with this eye candy is that it means lower compatibility with apps, slower updates (when Google releases a new Android patch, the manufacturer has to test the overlay stuff before releasing it), and possibly being locked out of some functions on your own phone.  For example, Verizon phones tend to want to force you into Verizon's own software rather than the free and frankly far better offerings from Google.

Nexus devices are also (often) available directly from Google, unlocked, so you needn't necessarily go through your carrier and sign a contract to get them.  You won't get the subsidies that you would for signing a new contract--no free phone, or even a $200 one--but Google Play tends to sell them rather more cheaply than you can get them elsewhere.

The reason to get something other than a Nexus device is if you have a hard requirement that they don't meet.  Some people absolutely require a physical keyboard from their phone, and no yet released Nexus has that.  Some want a larger tablet, and the Nexus 7 is an eponymous seven inches.  Sometimes a specialized device makes sense; I use a Kindle Fire instead of a Nexus 7 because I am fairly invested in Amazon's infrastructure, although I'm still tempted to switch and give the Fire to my fiancée.  The 7 is a nice device.

If you have special needs, then unfortunately for you, the playing field changes so rapidly that I can't give specific recommendations.  If you already have a cell provider and are looking for a new phone, check their selections for Android devices, and aim for something that is a little on the more expensive side if you can afford it.  It's not quite "you get what you pay for" due to the subsidies, but the free phones are usually out-of-date hardware and will start to feel very slow as Android gets updated to use and expect multiple cores, more RAM, etc.

Samsung's "Galaxy" series enjoys a good reputation (and indeed the "Galaxy Nexus" is one of the best choices currently available, as is the Galaxy S3).  Motorola and HTC have a more middling reputation.  Those people I know with LG devices have universally hated them.

Short: Batteries

Getting the most possible life out of your electronic devices' batteries is a lot easier than it used to be.  The old nickel-cadmium, or NiCad, batteries used to work best if they were periodically completely discharged and then charged back up to full.  That's not the case with modern battery architectures, like the Li-ion (lithium ion) batteries that are currently used almost exclusively in smart phones and laptops.  Those actually operate at their best when they are allowed to charge fully; they'll manage their own internal charge and cut over to AC power when full.

The one exception is when you have a device that you plan to turn off, but keep around for a very long time, like multiple years. In that case, the battery is best discharged to the halfway point and then removed from the electronic device.  Ideally, it should also be cold-stored in a fridge or freezer, too.  This is not the treatment to give your laptop or your smartphone, but if you are a collector or if you have a bunch of spare batteries this is the best way to treat them.

Wait, what's going on tomorrow?

You're probably hearing about "DNS changer", a worm/virus that is getting a lot of hype right now because of something the FBI is doing tomorrow.  I'm going to break this down for you, but first a quick lesson.

DNS stands for "Domain Name Service", and it is the way that computers find each other.  You see, computers don't work with human readable names, so in order for your computer to find the servers at, say,, or, your computer takes the address that you type (or that you're linked to) and then looks it up against a table of numbers.  First, it checks its own database to see if it's got a recent record of that site.  If it doesn't, it contacts your "DNS server", to see if that server has a record.  If that server doesn't, it sends the request on up the chain until it gets to the internet's "root DNS servers", which are central servers that maintain the address list for the whole internet.  What it gets back is a numerical address, which it then uses to send and receive information.

You can actually see these addresses, if you'd like.  If you are comfortable opening a command prompt on a PC or a terminal window on Mac/Linux, you can use the command nslookup to find the number associated with a domain, e.g., nslookup, which will give you a list of numbers because Google uses many servers.  One of those is, and if you follow that link or type it into an address bar, you'll see it takes you right to Google's main site.

What the "DNS changer" worm does is point your computer at servers that give you bad info, and then use that to control your web browsing.

Or rather, that's what it did, until some time last year, when the FBI seized those addresses and pointed them at servers they control.  Now, rather than telling people who were infected about it, or just shutting down their internet access, they let these people browse the web normally.  This is potentially a serious breach of privacy, as the FBI now knows every web site those people have been to in the past year, but it does mean that internet commerce was unaffected.

Tomorrow, however, they're shutting down this network.  If you're infected, you'll be redirected to an FBI site instead of being allowed to use the web normally until you've cleaned up your computer.

You're probably not infected by this.  All recent antivirus and antimalware programs are capable of catching and removing this thing.  If you are, you're still pretty safe, although your browsing prior to the FBI seizure was compromised and everything since has been recorded.  You'll know tomorrow.  If you'd like to check ahead of time, head here to check for infection, and follow the steps given for cleanup if you're infected.  Otherwise, just wait a day and you'll find out.

Edit:  the previous link used to go to a different spot, a server in the US, but it looks like there may be an attack currently launched against that site.  The updated link goes to a server in Canada, which seems unaffected.

This isn't much to worry about, but I do recommend everyone install something like Malwarebytes just to check their machines periodically, in addition to an antivirus program.

I think I have a virus. How do I know? What do I do?

First, if you're seeing any suspicious behavior, immediately stop using your computer normally.  Close any open programs.  Don't sign in to anything, and definitely don't use the web to buy anything.

If you're still able to browse the web properly, and you're on a PC, go to and download their software. The program will be called mbam-setup-<a number>.exe, where <a number> is the current version of the software.  If the file you're downloading doesn't begin with "mbam", you've either got the wrong file or your web browser is being redirected, and in that case we'll come back to you.

If Malwarebytes installs correctly, go ahead and update it and then open the program.

Don't bother with the trial of the full version, and start a quick scan.  Now, go make a snack while that runs.

If it comes up completely clean, I'm astonished; it will almost always find at least some tracking cookies that web sites use to follow your behavior.  Whatever it does find, it's generally safe to allow it to clean up. WARNING, sometimes a virus has so badly infected your system that cleaning it up will break your installation.  In this case, you will have to reinstall Windows and all of your software, but it is likely that you would have had to do so anyway.

When Malwarebytes is done with the cleanup, it will probably ask you to restart your computer.  If it doesn't, go ahead and restart it anyway.  Now, run a second scan with Malwarebytes and also with your antivirus program. If and only if these scans also come up clean can you consider it safe to use your computer again.  Install system updates immediately, and keep installing them going forward.  If they don't come up clean, allow them to do whatever cleanup they recommend, and also download Microsoft's own removal tool.

If, and only if, after running these three tools--Malwarebytes, your antivirus scanner, and Microsoft's tool--your computer still seems infected, you should download and run ComboFix.  This is a big, bad removal tool that is capable of ripping some really nasty viruses out by their rootkits.  It is also capable of completely ruining your operating system in ways that the previous tools can only dream of.  But if you have a virus infection, you are done using that computer until it's clean.  Then, install any system updates that are available, and keep installing them going forward.

After Combofix runs, scan again with the three previous tools.  If they come up clean, you're in good shape.  If they don't, you need to decide whether you have any data on your computer that you haven't backed up or stored elsewhere.  If you're properly backed up, and you have the CDs to install any software that you didn't download, wipe and reinstall your computer using the instructions that should have come with it.  If you're not backed up, shame on you; your punishment is that you're done with this blog post and now you have to hunt down a computer professional to attempt further cleanup.  We've gone as far as I can take you.

If your computer isn't behaving well enough to let you download the Malwarebytes file, especially if it won't boot at all, shut it down and find, borrow, or beg for another computer.  Download the Kaspersky Rescue CD, and either burn it to a disk or make a USB key using the instructions that they give you.  Boot your computer from that CD/USB, and follow the instructions that you see.  Once that's done, attempt to boot into the operating system again; if you're successful, follow the steps above starting from the Malwarebytes download.  If it doesn't boot after the rescue CD, you're also stuck reinstalling the operating system or finding a computer professional, as above.

On a Mac, you should run a scan with your antivirus program (or install Sophos if you don't yet have one, shame on you), and also install any system updates available, which will close security holes as well as run the Flashback and Mac Defender removal tools, which will clean up the best known problem pieces.  Because Mac malware is a relatively smaller problem, sophisticated removal tools like Malwarebytes don't really exist yet.

Likewise, Linux does not yet have similar easy-to-use tools, but it's much less likely to get infected.  You should still be using an antivirus program, though, and can run a scan with that.  If you suspect an infection on your Linux machine has gotten through your antivirus, you'll probably be stuck manually tracking down the infection or reinstalling.

If you're not seeing suspicious behavior, you may still be infected--a well written virus can sit in the background and do whatever its tasks are without letting you know.  It's worth your while to tell your antivirus program to scan periodically, as well as to install Malwarebytes as above and run a manual scan with that every month or so.  Passive antivirus that runs in the background only offers so much protection.

Maker breakdown: Toshiba

This will probably end up a series on each PC maker, giving an overview of why one should or should not buy their products.  I wanted to address Toshiba first, because they are the most controversial of my recommendations-or-lack-thereof in the previous post.

First, I have to eat a little crow: Toshiba's reliability numbers have gotten a lot better since I was a Toshiba warranty technician.  As in, second place in the world in consumer reliability surveys.  HP has fallen all the way to last place, which doesn't surprise me.  So your Toshiba laptop is less likely to fail than almost any other out there, even an Apple.

If it does fail, though, I have some bad news for you.  Toshiba's warranty is one of the worst in the business, and they will generally require you to ship the device back for service.  They have no service time requirement built in, and no on-site service options like some Dells or Lenovos.

That said, ASUS is apparently considering purchasing Toshiba.  It was remiss of me not to mention ASUS previously, but I didn't want to throw out too many options.  They make excellent products, and are particularly known for their netbooks and nettops, as well as their internal components for build-your-own machines.  They have an excellent reputation.

All-in-all, Toshiba should be upgraded from "don't buy", as I said previously, to "buy only if you particularly like their designs, or a given machine is an excellent deal".  If they do merge with ASUS, that should go up to "buy".  That's been in the works for a couple of years now, though, and may be a no-go.

MySQL Password Auth broken

MySQL Vulnerability Allows Attackers to Bypass Password Verification | PCWorld Business Center

This is a little outside of the mission of this blog, but it's sort of huge and I know some of my readers run their own web servers:

the code that compares the cryptographic hash of a user-inputted password to the hash stored in the database for a particular account will sometimes allow authentication even if the supplied password is incorrect.
Simply put, MySQL on affected systems isn't and can't be password protected without an update.  Patch things up right now.

What new computer should I buy? - June 2012

Image licensed under Creative Commons from Viewology

I get this one a lot, and it's hard to address because it's a moving target.  Computer hardware updates so rapidly that anything I post here is going to be horribly dated in six months.  So, I suppose the answer is to make this an ongoing series and update it every so often.  With the new Macbook update, this is a good time to start.

First, PC vs. Mac: buy whichever one you like better.  Seriously the two operating systems have never been more similar, and a Mac can run PC apps easily via Parallels or Fusion--and there aren't any killer Mac apps that your PC is missing.  Yes, there's Linux, too, and we'll get to that later*.

If you don't have a preference, buy what you're used to, which will probably be a PC.  If you've never used a computer before, ask the person who's reading this to you what they prefer, and go with that; there are no serious operating system features in either that are worth more than working with something familiar, and what your nearest technically-oriented person knows.

If your needs are very light, you can get away with a "netbook", which is a small, inexpensive laptop without a lot of power.  All you can really do with these is email and web surfing, and maybe light word processing, but the tiny keyboards can make that difficult.  These will run between a few hundred and a thousand dollars, and only really exist for PCs; the Macbook Air is the closest that Macs get, and it's really a lightweight, fully-functional laptop, and has a cost commensurate with that.

If you're looking for a Mac, this will be easy, because there are only a handful of models to choose from.  The Mac Mini is the entry-level Mac desktop that works with your existing keyboard/mouse/monitor, and is astonishingly small.  The iMac is their more standard desktop all-in-one (and the only exception to my later advice about all-in-one machines).  The Macbook line is for notebooks, and most will be happy with the Macbook Air, the less expensive and lighter version; the Macbook Pro is for those with greater needs and greater cash.  The Mac Pro is the full-size desktop and only really necessary for professionals who have need of really impressive hardware to work on.

For a PC, we'll need to choose a make first, and I can only really recommend either Dell or Lenovo these days.  Sony makes some nicely designed hardware, but they install a bunch of extra software on top, and the cost is unjustified.  HP used to be a nice place to find hardware, but if you haven't heard the stories they've gone badly downhill in the last few years.  Look at the two linked above, and compare prices, and you'll end up with something respectable.

Now for the really perishable information: for a Mac or a PC (laptop or desktop), you'll want at least 4GB of RAM for just basic computer use, 8GB for basic video gaming and more serious usage.  12GB-16GB if you want something that really screams.  RAM (random access memory) governs how large a program you can have running, and how many can run at once.  The operating system itself (whichever it is) will use around 1-2GB; whatever is left after that is available to programs.

If you're buying a Windows PC, make sure you get 64-bit Windows 7.

Macs and Intel-based PCs should have a Core i3 or better--ideally an i5 or (for something really powerful) an i7.  AMD-based PCs should have something preceded by A4, A6, or A8.

A "hard disk drive" (HDD) will have a lot of space, but a "solid state disk" or SSD is going to perform much better.  If you can live with the more limited storage, the latter is very much recommended, but check your storage needs first, and see how much your current machine is using.

Some things to avoid:

  • Acer or Toshiba hardware.  These manufacturers use bottom-shelf parts and have the worst warranty support in the business.  They're always about 10% cheaper than the equivalent elsewhere, but you should buy an HP before either of these.
  • All-in-one machines, unless they're iMacs.  These marry the most perishable piece of equipment in your setup--the computer itself--with the one that best retains its value, the monitor.  It means that, when it comes time to upgrade, you'll be throwing out the screen with the rest of the computer.  iMacs are the exception, not because this doesn't apply, but because Macs on the whole retain their value better and use more reliable hardware.
  • Building your own PC, because while you used to be able to save money doing this, that's no longer the case.  Manufacturers move so much volume these days that they get enormous economy-of-scale discounts, and the labor component of building a PC is minuscule--for someone who builds PCs all day.  You can expect a couple of hours of putting things together and installing your operating system, and even then you will have spent more on parts than buying something prebuilt.
* Linux, if you don't know, is a free operating system, one that comes in many different versions.  The most popular are variants of Debian Linux, in particular Ubuntu.  You can save some money by going this route, but there are some big caveats.  You won't be able to (easily, before the Linux folks start shouting about Wine) use your Windows programs, so you'll be stuck learning new software.  Linux is more rare and thus harder to find someone to support.  And Linux is largely locked out of Netflix, which is probably the single biggest barrier to entry out there.  If and only if none of that worries you, a Linux machine can be a great choice.  You can usually get away with older, less-powerful hardware, which can save you some money as well.  Both Lenovo and Dell have stopped selling pre-built new Linux machines, but the Dell Outlet sells older, refurbished machines that would suit Linux well, and installation has never been easier; you can download Ubuntu directly or order CDs and DVDs. 

Routers and firewalls

Wall Of Flame
What is a "router" or "firewall router" and do I need one?
Short answer: yes, you need one.  Go buy one, follow the instructions that came with it, and set it up.  You shouldn't have to touch it again, except perhaps to occasionally reset it.

Longer answer: a modern router is really (at least) two things together: a device which routs internet traffic to one or more devices on your network, and a "firewall", which prevents incoming access.  Most routers also include a "switch", which connects several devices together, and many are also wireless and allow laptops and other devices to connect to your network with their wireless radios.

Let's take these separately:

Routing takes your network traffic and checks whether it is local or internet traffic.  Local traffic is routed directly to the other machines in your "local area network" (LAN).  Internet traffic is forwarded through the router to the internet.  This allows your network to treat the two types of traffic differently.  Unless you're doing something sophisticated, like hosting a game server, this should all be transparent to you.

A firewall is a very important security measure, and no one should be connecting a computer to the internet without one.  It prevents any incoming connections you haven't asked for from reaching your machine; so, if you browse a web page, that page can come back to your computer, but someone trying to log in remotely doesn't get through. Your PC or Mac should have a firewall built-in, unless you're using a Windows version prior to XP's service pack 2, in which case you should install that right now.  That built-in firewall is a good thing, but much better than that is to have a firewall between all of your traffic and the internet.  Both are important; nothing is foolproof, and even having a firewall in your router won't prevent one of your computers from getting infected all the time.  Those built-in firewalls will protect you to some extent when that happens.

The switch aspect isn't really anything you need to worry about, but it's what lets local network traffic get from machine to machine if you need to.  It's also transparent if it's working correctly.

The wireless access is an optional feature that makes your wireless router also a wireless access point.  If it's included, it will have its own setup instructions.  Wireless devices have gotten super cheap these days, and home users who aren't running something like their own home media server don't need an expensive one.  As long as you're buying new off the shelf, it will be fast enough that you won't notice the difference between wired and wireless access; modern wireless devices are able to move data much more quickly than your cable modem, so they'll never be the bottleneck.

If you're looking for a home router, Belkin and Linksys (which is now part of Cisco) make good ones.  For business use, because your data is more valuable you want something with capabilities that I haven't discussed here.  SonicWALL makes an excellent business-class product that, when properly configured, meets HIPAA and other security requirements.

Google accounts targeted

Google Online Security Blog: Security warnings for suspected state-sponsored attacks: Today, we’re taking that a step further for a subset of our users, who we believe may be the target of state-sponsored attacks. You can see what this new warning looks like here:
Google is rolling out a warning to a subset of its users whose accounts have been targeted by state-sponsored hackers.  The link above goes over what to do if you're seeing the warning; only those who see a message about it when logging into Gmail or other Google services are thought to be affected.  Even if you're not seeing it, it's a good time to invest in setting up two-factor authentication for Google accounts, which I highly recommend.  It's minimally difficult to use once it's set up, and makes your Google account almost rock-solid against hacking attempts.

As always, if you're using the same password for other accounts, you need to change all of those passwords.