Minimal Security Part 2 – Going All In

Something interesting hit me a few days ago. I was using Google when I noticed the feature “Web History”. Basically, it’s all about saving your web history to Google so that you can access it at a later time. I’m sure that’s an awesome feature, but I was instantly struck by a big “No No No…”, which led to this post.

Most of the people reading this are Google users. I’m a big time Google fan. To be honest, I’m having a hard time trying to remember how I was able to browse the Internet effectively before Google. Their search engine is excellent, the notebook is handy, the online office productivity suite is not so bad either, gMail leaves a bit to wish for but it’s innovative and useful, Google Maps and Google Earth fill the voids left since geography class, and there’s of course Google Video and YouTube, not to mention Google Groups. It’s fancy, that’s for sure.

What’s even better is that you have one single login for all these services. Or, is it? If we just let our thoughts run wild here for a bit, we realize that with one unique key (john.doe@gmail.com) we can access a person’s e-mail account. The same unique key now gives us access to John’s Internet history, so we know what web pages he has browsed. John’s spreadsheets and word processor documents are also available using the same identical key, linking them to the previously accessed Internet history as well as e-mail communications. Basically, you have got one key that unlocks a truckload of data about yourself, and you’re putting all this information in the hands of Google.

The “Evil Villain” problem (a.k.a Big Brother Symptom)

Please note that this scenario is not based on the information holder being evil, but rather on the information being present along with the tools to access it. Still, I’m gonna go “all in” here in honor of the post title. Just remember that what I’m writing here is not fact; it’s merely a mind play to help you think in a way that’s a bit more aware. In my opinion, there is a difference between awareness and paranoia, and when it comes to this topic I’m just being aware of the risks.

Now, imagine if Google was not at all formed in a garage back in 1998 by two college kids. Google was formed by two agents from the CIA, and it’s been government funded ever since. After a slow start it’s now become more or less every man’s online office. All the information you store, as well as your browsing habits and your e-mail/IM communications, is accessible to you, but also to the people that are in control of the country’s intelligence agency. It might be a bit far-fetched, and as I said it’s not based on any facts, but it still leaves one huge question unanswered: Who is really in control of your data?

What this all boils down to is trust. When you link information like this, it’s all about trust. The same question is valid for Yahoo, MSN, and all the other major actors who offer a “one size fits all” solution with e-mail, instant messaging, and a huge bundle of other Internet-related services. If you don’t trust the website, look for alternatives or register using incomplete details. Your online bookmarking site, for example, perhaps doesn’t need to know your full name or your address, while your favorite e-commerce site doesn’t really need to know if you’re married or single.

Sure, the purpose may be purely statistical, but don’t give a web site that you don’t trust any information that you would not give a stranger on the street. This is also related to the next scenario, which I’ve decided to call…

Data-leak

…which is a pretty wide term. Leaking of data can be either intentional or unintentional, but either way it can compromise security or cause harm. Doing a simple Google search on the topic renders a number of hits, such as “AT&T online store hacked for credit card info”, “Steam Hacked, Credit Card Numbers Taken”, and “T.J. Maxx hack exposes consumer data”.

Credit card data is probably the most sensitive information that could be leaked. The cards themselves are based on more or less ancient technology (the magnetic stripe) and lack proper security. But other information may be just as sensitive. Perhaps you wouldn’t like people to go over your web searches, history, or e-mail even if you have got nothing to hide.

An intentional data leak is, for example, having your e-mail address listed in plain text on your profile page for anyone to see. I won’t cover this too closely, since you’re probably already aware of this risk. You usually browse around on, for example, a social networking website before registering, so you know what to expect. The unintentional leak is more important, as is knowing what’s at risk.

Hacking Google!

You know that co-worker that just seems to totally hate you? The guy that goes through your trash can in order to find something to report to your boss? Imagine if that co-worker managed to figure out your Google account details. Within a minute he would have in his hand every search you’ve ever made, which could be very compromising when taken out of context. He would also, as previously mentioned, have access to your browsing history and your e-mail.

Your single key, which is there only to simplify things for you, has now opened up the entire vault of your private life to someone that should not have access to it. With one single authentication token he can now access every little piece of information there is about your “online life”. Not really a nice scenario.

What to do then?

I covered passwords and online personas in the last post, so read that if you haven’t already. Personally, I don’t use Google or Yahoo for all my online business. I use Yahoo’s web based e-mail, I use Google’s web search, and I have a totally different user account at YouTube. None of the three sites share the same authentication data.

As always, this is a matter of trust. Who do you trust? I’ve chosen to trust my OpenID providers (I currently use two different providers), and I’ve chosen to trust Yahoo to keep my e-mail safe.

Who you trust is up to you. Just remember to think twice before sacrificing integrity or security for convenience.

A final note

I have made sure to write this throughout the article, but it can’t be stressed enough that Google is not an evil CIA corporation that’s trying to steal your identity. This article just used Google as an example, and you can safely go on using it without worrying. This article is not about Google or any other online service provider, but rather about awareness. This is also valid for Yahoo, YouTube or any other name mentioned here.

Mainstream Minimalism – The Big Hoax

It’s not an infrequent event for me to have long, tiring arguments with others over the true meaning of minimalism. And coming from me, you could call that odd. I used to be what I now call a “mainstream minimalist” – that is, one who sacrificed usability in the name of minimalism. And boy was I dumb! I’m not trying to indirectly say everyone who does that is dumb, or that everyone who “custo’s” their computer is dumb (as I’ve seen the word being flung around here and there without much thought). I had auto-hide taskbars. I had auto-hide systrays. I had visual styles which had auto-hide buttons. I was crippling myself and I didn’t know it.

Usability? Give me a break.

But, you say, how can this NOT be usability? You’re used to it, so you can use it just as much as you can use a desktop that is uncustomized. Simply put, it’s not logical. Would it be logical to auto-hide the wheels on your car? Or auto-hide door-knobs? Or remove them altogether?! I think not. How about this. We all drive miniature cars with no pedals, just a handbrake, and call it minimalism. After all, handbraking continuously at certain intervals would reduce the speed of the car, and who needs big, bulky seats anyway? Let’s have antique cardboard boxes!

Look ma, Art Nouveau!

I believe screenshots should not be Van Goghs, or Rembrandts. Screenshots are just that – shots of your desktop screen, just as it is, with 5 billion visual styles or not. I just don’t buy into this whole “let’s artsify your desktop” thing. It’s just not me. But if you can do it without sacrificing your time, resources, and usability, you’ve hit the spot.

I’m fine with nitpicking over 3dc and bbstyle colors. That’s great. But when it comes to arguing about how many “un-custo’d” icons you have (MAN I hate that term), or how your Firefox looks bad because you show all the buttons, or how your Miranda looks horrible because you have icons showing: GIVE ME A BREAK. That is NOT minimalism. Minimalism means keeping the essentials without sacrificing usability. It does NOT mean h4xx0ring your computer by reshacking every application on earth with a matching icon. That’s not only pointless, it’s damaging. Perhaps I should have minimal-guru post about the dangers of reshacking applications. I admit, I’ve done it before, and I still have reshacked applications in my system. But reshacking is one thing – wasting hours on end on fixing what ain’t broken is another. I’ve heard many people comment on others’ screenshots, “Oh, if only all *nix’s looked like that…” Good job, pick operating systems by how they look. No thank you.

Lol…

And I’ve also heard people claim their desktops stripped of all essentials are “usable.” It just doesn’t make sense. That miniature car is NOT usable; you can’t get in the door, much less find the handle. Why why why why WHY would you want a desktop stripped of all essentials in the first place? I’ve seen people bashed for not “customizing” their desktop enough. Apparently it’s a sin to have default icons, or a wallpaper that doesn’t necessarily match the current style, etc… It’s just amusing to see the big cheeses of the so-called “customization community” think of themselves higher than everyone else, as far as “customization” is concerned. I believe the term is used way too much, and it shouldn’t be. Get a life. Customization is fine for them, but I really don’t take it well when they start ranting and raving about other, “lesser” screenshots. At most, it’s amusing. So please, stop the madness. If you still haven’t given in to the so-called minimalism rage, don’t. You’ll never get out of it, or if you’re lucky and you do, you’ll have battle scars for life.

Minimal comparisons: Trillian vs Miranda

Welcome to the first Minimal Comparison, where we compare two common applications (usually one proprietary, one open source) and give you each one’s pros and cons. First up, Trillian vs Miranda – two very popular instant messengers, Trillian being proprietary (and shareware), and Miranda being open source (and freeware).

Trillian

Trillian has been around for quite a while. Its main pros include:

  • The obvious, multiple protocols
  • Skinability
  • Lots of eye candy (iconic options dialog, etc)
  • Tabbed chat containers
  • User friendly

Let’s go through each one of these. First, multiple protocols. While Trillian does support AIM, Yahoo!, MSN, ICQ, and IRC, it could do a lot better. The fastest growing protocol today is Jabber, which is also what Google Talk uses. Most modern messaging clients, such as Gaim (now Pidgin), Miranda, etc., have support for Jabber – but unfortunately only Trillian Pro supports it.

Second, skinability. Trillian does have some great skins, but it is a bit annoying that it doesn’t integrate into your environment. There is no option to force it to use Windows colors, or even to disable skinning.

Third, eye candy. Sure, eye candy is fine, but really, too much of it is just unnecessary bulk. I was a hardcore Trillian user until I found Miranda. One of the most annoying features IMO was the options interface. I’ve never been fond of huge iconic control panels in several categories. Oh well, probably all a matter of opinion.

Fourth we have tabbed chat containers. Probably unnecessary to mention, since most modern instant messengers today have them. Trillian’s tab functionality could be a lot better though, and a lot more flexible, like Miranda.

Another “feature” you should be aware of is that Trillian 4 hogs about 10 MB more RAM (this is plugin-less) than Miranda with several plugins loaded. ’nuff said. ;-)

Miranda

I’ve been using Miranda ever since I left Trillian, without fail. I have never thought once about switching to Pidgin, or the like. Nothing can beat Miranda’s functionality without sacrificing speed and usability. Let’s talk about a few of the many features that Miranda boasts:

  • Extremely fast
  • Support for Jabber
  • Developed constantly and rapidly (no need to wait years for another release)
  • Extremely customizable
  • Lightweight

Don’t take my word for it that Miranda is faster than Trillian. Try it yourself. And don’t let the default look scare you away. I was also intimidated by it when I first got it, but as soon as I found out I was in complete control, I was hooked. If you’re a first time user, here are a few plugins that are essential:

  • Scriver – minimal, tabbed chat module with only the essentials, but it certainly can look good, too.
  • Clist Nicer – as the title suggests, it’s a much nicer contact list, and much less bulky than Clist Modern. Clist Modern is fine if you prefer eye candy and 5 billion buttons. :-)
  • IEView + SmileyAdd – not necessary, but they add a nice kick to the look and feel. IEView actually lets you use HTML and CSS to customize your message log any way you want (or just download a pre-made style!), and SmileyAdd lets you have smilies.

One of my favorite features of Clist Nicer (IIRC, Clist Modern also has this functionality) is the ability to float frames. Frames are essentially the individual components that make up your contact list. For example, you could have your My Contacts frame float and remain title-less, so you have a handy little bar in an unobtrusive area of the screen that keeps your contacts at your fingertips. Not only that, you can download other frames from the addons site, such as My Details, which gives you that Trillian-like panel at the top of your contact list for quick access to status and nick changes, and more.

All in all, Miranda clearly wins in all areas – speed, functionality, and good looks. Got questions? Feel free to ask here, or at #miranda. :-D

Minimal Security Part 1 – It doesn’t have to be hard

Welcome to the first part of Minimal Security. In this series of articles I’m gonna give you some pointers on how to make your system more secure, and also hopefully show that it is no rocket science – it’s just a matter of thinking one step ahead! So, let’s get started!

Passwords – What are they?

A password is basically an authentication token, something that is used to identify you and give you access to something, for example your system, your e-mail, or your Internet banking web page. Normally this token consists of not only a password, but also a user name (or your e-mail address).

So, passwords are secure, right? Well, they can be. Passwords are mostly compromised because they are easy to guess or too simple, or through social engineering and irresponsible users. For example, having the password “fluffy”, after your dog, is probably not a good idea. Neither is your phone number, girlfriend’s name, birth date etcetera. I think you get the idea here.

So what is a safe password then? Well, for the passwords I use, I tend to settle for no less than 10 characters. They also consist of both uppercase and lowercase letters as well as numbers, and no words that can be found in a dictionary. The easiest way to make the “fluffy” password a little bit more secure is to add something else to it, for example “fluf13fy”. Your dog’s name has now been split in two parts and had a number added somewhere in the middle, and obviously it’s not that easy to guess any more.

You can also use a third party application to keep track of your user name and password, like for example PasswordSafe, which is also able to generate random passwords for you. Your credentials are saved in an encrypted file protected by a master password, and in order to log in to, say, a website you just enter your user name, double-click the entry in PasswordSafe, and paste it in the password box. When you close PasswordSafe, the clipboard is automatically wiped.
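The two preceding paragraphs state a password policy (at least 10 characters, upper and lower case, digits, no dictionary words) and mention random generation by a password manager. The following Python is an added example written for this page, not code from the post or from PasswordSafe: it checks a password against that policy, generates one the way a manager does (from the OS CSPRNG), and compares the guess space of a random password with the “split a word and insert digits” trick. The word list is constructed for the example; a real check would load a full dictionary file.

```python
import math
import re
import secrets
import string

MIN_LENGTH = 10  # the post's floor: "no less than 10 characters"
ALPHABET = string.ascii_letters + string.digits  # upper, lower, digits

# Constructed word list standing in for a real dictionary; a deployment
# would load something like /usr/share/dict/words instead (assumption).
DICTIONARY = {"fluffy", "password", "summer", "dragon", "welcome", "monkey"}


def contains_dictionary_word(password: str, dictionary=DICTIONARY) -> bool:
    """True if a dictionary word appears in the password as typed, or after
    the digits/symbols wedged into it are removed ('fluf13fy' -> 'fluffy')."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]", "", lowered)
    return any(len(w) >= 4 and (w in lowered or w in stripped) for w in dictionary)


def check_policy(password: str) -> list[str]:
    """Return the rules from the post that the password breaks (empty = OK)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if contains_dictionary_word(password):
        failures.append("built from a dictionary word")
    return failures


def generate_password(length: int = 12) -> str:
    """What a manager like PasswordSafe does for you: draw from the OS CSPRNG
    and retry until the result also satisfies the policy above."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate):
            return candidate


def random_password_bits(length: int) -> float:
    """Guess space of a uniformly random password over ALPHABET, in bits."""
    return length * math.log2(len(ALPHABET))


def word_plus_digits_bits(dictionary_size: int, word_length: int, digits: int) -> float:
    """Guess space of the 'split a word and insert digits' trick, in bits:
    one word, one insertion point, and a run of digits."""
    return math.log2(dictionary_size * (word_length + 1) * 10 ** digits)


if __name__ == "__main__":
    for pw in ["fluffy", "fluf13fy", generate_password(12)]:
        print(f"{pw!r:18} {check_policy(pw) or 'passes'}")
    print(f"random 12-char: {random_password_bits(12):.1f} bits")
    print(f"word + 2 digits (100k-word dictionary): "
          f"{word_plus_digits_bits(100_000, 6, 2):.1f} bits")
```

Run as a script, it shows that “fluf13fy” still fails the post’s own no-dictionary-word rule once the digits are stripped, while a 12-character random password passes every rule.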

Irresponsible users

I mentioned social engineering and irresponsible users earlier. These two go hand in hand, and both of them are actually related to the huge number of credit card and Internet banking frauds lately. Your password should never ever be shared with anyone else. The banks explicitly state this in their security information etcetera, and yet people still hand out this information to “bank employees” over the phone in order to sort out some complications with their checking account. Here comes another part I mentioned: think one step ahead. The bank will never need your password. The bank runs the system. If they need to access your details, they can do so without your password.

The same goes for e-mails received from “the bank” with the proper bank logotype etcetera, with an attachment said to be “anti-virus software” or similar. You can be pretty certain that your bank will never ever send you an anti-virus program, or any other program for that matter, via e-mail.

It is just as irresponsible to hand your password over to your friend, your family etc. As a general rule of thumb, don’t give your password to anyone you would not trust with your keys and your wallet.

Saved Passwords

Saved passwords are excellent. I admit that I use them too. You know, that fancy box that pops up when you log on to a web site; “Would you like Firefox to remember this password”. It’s an awesome feature, but these passwords are saved and made accessible to anybody that is using your computer, and not only to you. The simple remedy to this problem is to enable the master password. In Firefox, this can be done in the options dialog in the tab “Security”. Check the box “Use a master password”, and use the command button next to it to change the master password. The next time Firefox feels an urge to auto fill a login box with your user name and password, it will prompt you for your master password (if you haven’t entered it during the session, that is).

Your saved passwords are now available to you, and only you.

Security on your Workstation

All operating systems based on the 2000/XP kernel have got a pretty sophisticated security layer running under the hood. This security layer, or subsystem, validates every request made and ensures that you have access to the object or the function that is requested. These credentials are validated during the login, and are then used every time a file is accessed or another file system or registry operation is taking place.

It also offers the excellent ability to lock the workstation, either by hitting Ctrl-Alt-Delete and selecting “Lock Workstation” (for this to work, you have to disable “Fast user switching” in the control panel), by hitting Win-L (if you’re using Windows Explorer) or by hitting Win-Space (if you’re using bbLean). Screen savers can also be set to prompt you for your password before allowing you access to your system after the screen saver has closed. This is an excellent feature to keep nosy people away from your system, protecting your sensitive data and making sure things are still the way you left them when you return.

If you are using NTFS as your file system, you can also encrypt your files in order to make sure that they are safe from curious eyes and nosy people. To protect a file or a folder, right-click it and select “Properties”. Then click “Advanced” on the first property page, and check the box next to “Encrypt”. This file (or folder) is now a little bit more secure if your hard drive would ever be lost or compromised.

You can also use virtual encrypted drives to protect your sensitive data. The best one I have found so far is TrueCrypt, which is also open source and 100% free. It works by creating a file on your hard drive of a specific size, and then “mounting” this file as a virtual drive. You could for example create a 2 GB virtual drive as C:\myfiles.tc and have it appear as D: when the password has been properly entered. This file is in turn protected by strong encryption based on your password and an optional key file (for example an image, an MP3 file, or just a random text file stored on your hard drive or on a USB memory stick).

Virtual Identities

Wow. That’s a fancy word for sure. What is a virtual identity then? Basically, a virtual identity is something that identifies you in the virtual world. Very often this is associated with your e-mail address or similar information, for example your Yahoo username “johndoe123”, which has a corresponding e-mail address “johndoe123@yahoo.com”. The same is valid for MSN Messenger, where your virtual identity actually is your e-mail address.

Here in Sweden it has become more or less of a trend to have fancy web pages where you can win stuff, such as a plasma television or the latest cellphone, if you just recruit enough people to the website. Basically, the one who gets the most friends to sign up will win the grand prize.

Who wants to enter all their friends’ e-mail addresses? Nobody. Instead they offer a box that allows the web page to sign in to your messenger account and automatically inform your friends of the ongoing competition. I am not 100% certain, but I am pretty sure that there are no grand prizes in the end. At least not for the users. The thing is that when you share your virtual identity like this, you are first and foremost sharing your password with a third party that you don’t really trust. This is bad. But what’s even worse is that you are also exposing your friends’ virtual identities to the website. These sites mostly harvest e-mail addresses, which are then sold to spam networks, and what you end up with in the end is not a new fancy big screen television, but instead a flooded inbox. Once again, think one step ahead.

Summary

Security doesn’t have to be hard. It just requires you to think a little extra, just like you do when you swipe your credit card in the store and are about to enter your PIN code. You won’t pound in those magical 4 digits with someone looking over your shoulder, or in a terminal that’s been glued together, with a clerk looking more than suspicious. Yet, most people think it’s okay to recommend contests to their friends by giving up their user names and passwords. And honestly, isn’t your IM password the same as the one for your e-mail? And for your computer?

Think one step further.

double trouble

Two desktops. Each 1 day apart. Trying to decide which one I like better.

  1. sshot-2007-07-21-13-17-05.png
  2. sshot-2007-07-22-14-30-34.png

m-Run updated

Wildcards, multiple file opening, and more. :-)

Grab the latest one here.

unplugged

sshot-2007-07-12-15-03-48.png

m-Run v2.0

Earlier version posted at LostInTheBox.

m-Run is a minimal runbox replacement written in AU3 (AutoIt3).

Screenshot:

sshot-2007-07-12-13-27-55.png

Download

SOAM: Minimal Neatness

Ah yes, another noccy-tation! This time they’re cursors, quite minimal ones. You can’t go wrong when they look a lot like XFree cursors! There are 2 versions, black and white. Download them today!

V pwn.

Yes we do. Please join me in welcoming minimalguru to the lolminimal team… of one person, until now.

You may better know him as noccy, famous for his tools such as WebWidget and Minimal Neatness cursors, and now, taking over bbClean development at lostinthebox. He’ll hopefully help with some editing and posting articles.
