Notice: Only variables should be assigned by reference in /var/www/html/wp-content/themes/hardpressed/content.php on line 10

Part of staying secure involves recognizing and rejecting bad advice

A couple of days ago, I came across a blog post by former Mozilla developer Robert O’Callahan that harshly criticized makers of antivirus software. “[I]t’s safe for me to say: antivirus software vendors are terrible; don’t buy antivirus software, and uininstall [sic] it if you already have it (except, on Windows, for Microsoft’s),” O’Callahan declared in his opening paragraph, going on to contend that many Internet security and antivirus suites don’t add value, are not themselves kept updated, and prevent the browsers and operating systems they’re supposed to protect from running smoothly.

By the time I got to the end of O’Callahan’s first paragraph, I was appalled. Urging people to avoid using or installing Internet security and antivirus solution is terrible advice. Left undefended, a typical Windows or Mac installation is susceptible to all kinds of threats, including viruses and ransomware. I make a point of telling my clients that having a best-in-class Internet security suite installed is one of the most important ways they can mitigate their risk.

Notice I said “best-in-class”. Contrary to what O’Callahan says in his post, not all antivirus and security products are created equal. Much of what’s available for sale or download would not earn my recommendation.

I advise clients that it’s not enough to just have any old Internet security product installed; it should be an application that independent testing has shown can actually offer a user valuable protection.

The two firms whose software has generally performed best in the the independent tests I’ve seen are Kaspersky and Bitdefender. I prefer Kaspersky’s Internet Security suite, and am a paying subscriber.

Kaspersky nowadays sells multi-computer subscriptions as part of a package deal for a reasonable price, which means you can get all your family’s computers protected by buying just one plan. Their suite includes a robust firewall and antivirus engine, plus some other extremely useful tools, including Safe Money, which can stop you from falling victim to phishing attacks.

The latest version of Kaspersky Internet Security for Windows has a killer feature that I absolutely love: it scans my Windows operating systems for outdated plugins and third-party applications and offers to update any it finds without my having to do anything.

I keep a lot of what I have installed updated with Ninite, but Ninite won’t update *all* the non-Microsoft software on my computer. Kaspersky is now flagging updates I can’t install through Ninite and allowing me to install them with a couple mouse clicks. I love that.

Kaspersky Internet Security is well-behaved and generally does not get in the way of my other applications. I do not use the Kaspersky add-on for Firefox because I already have NoScript, CookieSafe, RequestPolicy, Privacy Badger, uBlock Origin, HTTPS Everywhere installed. These add-ons collectively serve as my browser armor and help protect me as I surf on a daily basis. But I consider Kaspersky Internet Security essential, too.

In my own testing, the scanner and antivirus engine have done very well. If I mount a volume with malware specimens on a virtual machine Kaspersky is installed on, it will quickly notice the specimens and warn me that it’s found malicious objects that should be quarantined or deleted.

Kaspersky’s Alexey Malanov saw O’Callahan’s post too, and took issue with it here. His criticisms of O’Callahan’s criticisms are spot on, and worth reading.

“In 2016, Kaspersky Lab solutions repelled 758,044,650 attacks launched from online resources located all over the world,” Malanov notes. “Web antivirus components recognized 261,774,932 unique URLs as malicious and detected 69,277,289 unique malicious objects (scripts, exploits, executables, etc.). Encryptors targeted 1,445,434 computers of unique users. Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 2,871,965 devices.”

O’Callahan’s post includes a number of sweeping generalizations that are not backed up with any evidence, like this one:

AV products poison the software ecosystem because their invasive and poorly-implemented code makes it difficult for browser vendors and other developers to improve their own security.

Towards the end of his rant, O’Callahan does link to a 2012 post by Nicholas Nethercote criticizing McAfee (now owned by Intel) for getting in the way of Firefox. But he never calls out McAfee specifically in his own post.

I am not a McAfee fan either, and would not suggest anyone use their products. Fortunately, there are superior offerings available from firms like Kaspersky and Bitdefender that have earned “Outstanding” ratings in independent tests due to their effectiveness in thwarting threats.

If you’re not happy with your current Internet security suite, you should look into getting a better one as opposed to going unprotected, as O’Callahan unwisely recommends. Merely installing updates from Microsoft and Apple as soon as they’re available won’t protect you from ransomware, viruses, or phishing attacks. But a best-in-class Internet security suite can. Be sure that you have one installed on your computers and those of your loved ones.


Notice: Only variables should be assigned by reference in /var/www/html/wp-content/themes/hardpressed/content.php on line 10

One-on-one with Frank Abagnale, Jr. on identity theft, combating fraud, and staying safe online

Yesterday, I joined several hundred seniors at Microsoft for a captivating presentation by legendary security consultant Frank Abagnale, Jr., whose story was the basis for the hit movie Catch Me If You Can starring Leonardo DiCaprio. After the presentation, Frank generously made time to sit down with me for a one-on-one conversation about identity theft, combating fraud, and staying safe online. The following is a transcript of our conversation.

ANDREW VILLENEUVE: I really enjoyed your presentation.

FRANK ABAGNALE, JR.: Thanks.

ANDREW VILLENEUVE: Can you talk a little bit about medical identity theft? What are some of the trends we’re seeing that are really disruptive and harmful?

FRANK ABAGNALE, JR.: Medical identity theft is kind of a new trend we’re seeing, where people would actually go into a clinic or a hospital because they need medical treatment, but they have no insurance. So in doing so (filling out the application), they list my name, my Social Security number, my date of birth, my personal information, and basically end up having the service done, but my insurance company being billed (or me directly being billed) and I end up getting a bill saying that I had this treatment at this clinic.

What’s not easy to do is when you call and say That wasn’t me! I wasn’t in that clinic! You really almost have to prove that it wasn’t you.

We are protected under the Fair Credit Reporting Act for other types of identity, like your credit card and things like that. That does not cover medical identity theft, so some of these collection agencies do go after individuals, even though it wasn’t them that made that charge.

So we’re starting to see that trend now of people getting medical services using somebody else’s identity.

ANDREW VILLENEUVE: Is this an area where the law simply hasn’t caught up yet?

FRANK ABAGNALE, JR.: They’re going to have to change the laws to take away the liability from the consumer, so the consumer’s not held liable for treatment that you got using my name. Right now, that doesn’t exist. So, I can’t even see my medical records because now you’re on my medical records, and the HIPAA laws don’t allow me to see them, because then I’d see your medical records and treatment. So that’s kind of ridiculous. So I think they’re going to have to change some federal laws to address this issue of medical identity theft, which will become more and more of a problem.

ANDREW VILLENEUVE: Now, you work with the FBI, and have for a long time. And a lot of laws that need updating are federal laws. But of course, we have the fifty states, and they’re often called the laboratory of democracy. Do you have any specific advice for state-level policymakers? What are things that they can do to protect citizens against these cybercrimes and identity theft problems?

FRANK ABAGNALE, JR.: You know, I’ve worked with the FBI for four decades — for forty years — and I get to go out and speak. I spoke at the state attorneys general conference, both their summer workshops and their winter workshops. I had all fifty state attorneys general in front of me. I work directly with the U.S. Attorneys. I teach at the Academy, where we teach U.S. Attorneys. What I try to do is to correct things that are very obvious. Like taking Social Security numbers off of 1040s. Making a Selective Service card be put in an envelope, so people can’t read what you put on there — your Social Security number, your date of birth. Removing the Social Security number from a Medicare card. Changing it off the military ID card.

I’m a strong believer that the government needs to lead. Whether it’s federal, state, county, or city. The government should be saying, this is the proper way you handle this, and this is the proper way you implement this. Instead, the government is way behind. It’s American corporations and businesses who say, Well, this is a problem. We need to come up with a solution and fix it. It’s ridiculous that the government should be behind.

And the government fails to do a lot of things. It ends up it’s the taxpayer who loses, whether it be their identity, or they’re actually losing the taxpayers’ money through fraudulent activity that doesn’t really need to occur.

ANDREW VILLENEUVE: Here in Washington — and also in Oregon, which is our neighbor — we do a lot of vote-by-mail. In fact, we’re almost exclusively vote by mail, and when people take their ballots to the post office, they’re supposed to sign the outside envelope. Their name is already on there, because it’s been printed; there’s a barcode, there’s their address. They’re supposed to sign to show that it’s them, and that signature has to match what’s on file with the elections officials. And that’s just going into the mailstream with their signature and their name on the outside of an envelope. Is that an insecure practice?

FRANK ABAGNALE, JR.: Yes. And see, that’s ridiculous. But even better than that is: I’m on Medicare, because I’m sixty-seven years old, but I don’t collect Social Security. So for that reason, they can’t take my Medicare payment — which is about four hundred dollars a month — out of my Social Security check. So they have to send me a bill every month.

And I have to pay it. When they send me the bill, CMS — Medicare — tells me, Put your Social Security number on the check stub under Memo.

I said, You’re out of your mind. Now, you’re asking me to write a check, and have all that information that’s on the check, and then give you my Social Security number on top of that, and put it on there? So if someone sees it, they don’t have to do anything. They just have to see it, and they have all the information about me.

So those are the kind of things that I mean are more common sense things that you could go in and easily fix, and they’re not doing. And even when you bring it to their attention, and say this is absurd, because this is what somebody could do with that, they don’t go in and fix it.

So it’s just ridiculous.

And I have to tell you — and I will email you this piece because it’s hard to believe — but a couple years ago, a woman in the State of [Oregon] applied for a state income tax [refund] and claimed that she earned $3.5 million, and that the state owed her $2.1 million. And the state actually sent her a refund on a card — on a debit card — for $2.1 million. The woman was using the card for several months, but she lost the card.

So then she called the state tax revenue office in [Oregon] and said, I lost my card, I need a new card. And when they [finally] did [look], auditors saw it and said, Whoa, how could this be this big a refund? And that’s how they caught her. And I had that case. Just absurd.

And those are the kind of things that go on all the day.

We arrested a doctor in Michigan who was a cancer doctor. He treated four hundred and thirty-eight patients who came to see him. Every patient, he told them they had cancer. They didn’t have cancer. He treated them with chemo and billed Medicare thirty-three million dollars. We finally caught him; a judge gave him forty-five years, just two months ago, in prison. These are the kind of things that go on all the time. Millions and billions of dollars. But again, there should be a mechanism in place to catch these things.

So when we talk about food stamps, which is done on a card, we look at a delicatessen in Brooklyn that two years ago, is taking two hundred thousand dollars in food stamps. Now it’s taking two million.

So then, when you go down there, it’s a twelve hundred square foot store. So what they’re doing is when you come in with your card, they say, How much you have on that card? Two hundred dollars? I’ll give you a hundred dollars cash for the card, and then I’ll let you buy the other hundred in whiskey and wine — which they’re not allowed to use — on the other part of the card.

These people are driving Rolls-Royces when we go arrest them. They’re driving Ferraris. They have two condominiums. But you wanted to say to the people administering the program, Didn’t it look a little suspicious that the guy went from $200,000 to two million? What is it? He’s got people lined around his building waiting to come in with their card?

I mean, it’s such obvious stuff that it’s absurd that it goes on.

So, how can you blame the criminal for taking advantage of it? And he realizes the government has all the money and the government’s easiest person to rob, whether it be state or federal, because they’re doing the least things to prevent it.

ANDREW VILLENEUVE: So, in other words, people go after the government, ’cause that’s where the money is.

FRANK ABAGNALE, JR.: The easy target. You know, the old Willie Sutton: Why do you rob banks? Because that’s where the money is. Why do you rob the government? Because that’s where the money is.

Plus, it’s easier than to try to rob a bank.

ANDREW VILLENEUVE: So, is the problem with people missing these obvious red flags that there isn’t enough accountability, or is it just that because public servants who work on the taxpayer’s dime are basically doing their jobs, but they’re they’re not costing a company money. It’s not that there’s profits at risk, but it’s the entire public at risk. Is that sort of like a socialization of risk that’s happening? Is that the problem?

FRANK ABAGNALE, JR.: Yeah, and you know, I hate to have to say that, because of my association to the government, but that’s how it is.

One, it’s not their money. Two, nobody wants to take responsibility. No one really wants to do a whole lot about it, you know, whereas in a private company, you have people to answer to. There’s stockholders, or shareholders; there’s people that expect a profit.

In the government, there’s really nobody answering to anybody, so nobody’s really doing anything about it. And then, we impose some things, too, that make it difficult. In defense of the IRS, for example… they process a hundred and fifty-three million returns during the month of April.

Now, years ago, when you filed a paper return, and you said to the government, You owe me $2,100 back as a refund, they had eight weeks, ten weeks, to get you that refund. So during that time, they checked your W-2, they checked it across the state’s wage-earning files and so on, and they investigated your return. Now, the government says, you’re paying electronically, and you file electronically, [so] they tell the IRS, you need to pay these people within fifteen days.

Well, the IRS [worker] says, I can’t… I can’t look at, I can’t check all these things in fifteen days. I have millions and millions of returns.

So, again, Congress is mandating something they can’t physically do, and in the end, the criminal’s taking advantage of Congress doing that. Where, if you ask most Americans, Would you mind waiting a few more weeks for your return if you knew it was going to save the taxpayers billions of dollars from criminals getting the taxpayers’ money? They’d say, yes, but they don’t.

ANDREW VILLENEUVE: And that’s the kind and sort of question that has like a no-brainer answer, right?

FRANK ABAGNALE, JR.: Right. Exactly.

ANDREW VILLENEUVE: So, you know, you ask those questions, people will say yes, I’d like to be more secure. In fact, people are always talking about the liberty and privacy versus security trade-off. And people say they value security, but it seems like we’re less secure with everything moving online, but we don’t have a long-term plan for securing that data that we’re moving online.

FRANK ABAGNALE, JR.: No, and we, as ourselves, give away so much information, you know. We get on and tell our mother’s maiden names, our pet’s names, where we went on vacation, where we’re going on vacation. You know, what kind of car we drive, what places we like to go eat. And there are people who take that information, because they can build profiles. There’s so much they can do with it.

But the thing is, you can’t con a con man, and that’s because the con man is already thinking with a deceptive mind, and he already sees your scam coming at ’em. Most Americans are honest, and because they’re honest, they don’t have a deceptive mind. They’re not sitting there thinking about, well, what would someone do with that piece of information? What could they do with that? That’s why it’s so important to educate people, to give them the proper tools.

So, when I go out and speak at a lot of universities, I’m really surprised by the kids’ questions, because it’s more about their personal security than it is about How’d you like Leonardo DiCaprio playing you in the movie? It’s more about, how do I use Facebook safely? What is it okay to do online, and not okay to do? And so, you know, they’re concerned. But they want to know how: Where’s the information?

ANDREW VILLENEUVE: One of the things that has really bothered me over the years is I’ll get some sort of form or application that’ll ask me for my Social Security number. I’ve never felt comfortable giving that out. I don’t like giving it out, but they say they have to have it… and a lot of these companies collecting this information say they really need it. Is there any way for consumers and customers to stand up and say, no we don’t want to give you a Social Security number?

FRANK ABAGNALE, JR.: No, they don’t need it, because federal law says… on your hand, you can count how many times you’re required to provide your Social Security number by law. And that, you know, [includes] things [like] when you apply for credit, when you apply [for a job], your employer has the right to have your Social Security number for collecting taxes. The IRS… law enforcement can ask you for your Social Security number.

But when you go to the doctor’s office, the doctor really doesn’t need to have your Social Security number. The problem is, if you say to the doctor, I’m not giving it to you; I’m not giving you my Social Security number, the doctor’s going to go through your insurance company and ultimately get it from your insurance company, who does have your Social Security number.

So they find a way to get it anyway. But most of the time, you shouldn’t be offering to give it to people, and if somebody gets it, and you see really no reason for them to have it, then you should just tell them no. And a lot of times if you just stand firm, so no I’m not giving it to you, they’ll go around and do whatever they’re supposed to do anyway.

ANDREW VILLENEUVE: Right. If you’re filling out one of those forms that, let’s say, an independent contractor and so forth fills out… would you recommend that people get an EIN that’s separate from their SSN?

FRANK ABAGNALE, JR.: Yes, absolutely. I always use a federal tax ID number, even when I was just me, and I was self-employed. I wasn’t going to go around giving everybody my Social Security number. So I have to have that if I’m going to pay you and send you a 1099 [and the other party says] I need your Social Security number. I just gave him a federal tax ID number, and that’s what you should do. If I was that independent contractor, that plumber, that business, I would never be giving them a DBA [doing business as]. I would never be giving them my Social Security number. I would just be giving a federal tax ID number.

ANDREW VILLENEUVE: And people can easily get those.

FRANK ABAGNALE, JR.: Yeah, it’s not difficult. You just apply for it, and they give you a number, and that’s the end of it. Yeah, it’s not difficult to do.

ANDREW VILLENEUVE: President Obama recently announced he was creating a U.S. Digital service to try to get some of the really talented folks who have maybe been working in the private sector to lend their energy, their talents, and their expertise of the public sector. Is that something we need to do to better combat identity theft and improve cybersecurity?

FRANK ABAGNALE, JR.: Yeah, because I don’t think we have the people, the manpower, or the brain power in Washington, D.C. to do that. I think this is where you need to go out and get outside help, because a lot of those people don’t have the knowledge or the experience or the background or the training to deal with a lot of those problems. So I don’t think there’s anything wrong with the government going outside the government and getting the people that know how to fix these problems and get them to come in… and at least ask advice on how to go about fixing these problems.

The only thing I would say: If these people come in, and they give you good advice, and you know it’s good advice, then implement it! Don’t just listen to them and then walk away and [go back to] business as usual. Otherwise, you’re wasting more money.

ANDREW VILLENEUVE: One last question. A lot of people I know are people who make lots of active use of social media. They’re on social media all the time: Twitter, Facebook. What are two or three common best practices you recommend to strengthen people’s social identity?

FRANK ABAGNALE, JR.: It’s real simple. One: Don’t put a straightforward photograph of yourself on Facebook. [Two]: Don’t state where you were born on Facebook, or your date of birth. [Three]: Don’t make statements that you don’t want someone to read that you said.

So, if you’re an eighteen-year-old and you make racial slurs, someone’s going to read those racial slurs five years from now when they go to give you a job, and that could hinder you getting that job. Or putting a picture of you that was a picture of you nude on a beach with a bunch of drug paraphernalia all over your body, knowing that some employer down the road may look at that, and that’s going to be held against you.

So just be [aware]. Realize that everything you write, someone’s going to read besides the people you want to read it, and that it’s all retrievable. So you’ve just got to be careful, again, not to be giving away things. Stop and think: Do I really want to put that out on social media where someone may see that, later on, down the road, four or five years from now.

ANDREW VILLENEUVE: Right. So you have to think long-term.

FRANK ABAGNALE, JR.: Long term. Absolutely.

ANDREW VILLENEUVE: Thank you very much.

FRANK ABAGNALE, JR.: Thank you, Andrew. It was a pleasure.


Notice: Only variables should be assigned by reference in /var/www/html/wp-content/themes/hardpressed/content.php on line 10

How *not* to patch a security vulnerability

If you’re a vendor… don’t do what Fiat Chrysler did:

Fiat Chrysler has started distributing a software patch for millions of vehicles, via a USB stick sent in the post.

In July, two hackers revealed they had been able to take control of a Jeep Cherokee via its internet-connected entertainment system.

The car firm has been criticised by security experts who say posting a USB stick is “not a good idea”.

It’s hard to believe a company as Fiat Chrysler could be this boneheaded about security. But somehow, this ridiculous plan to send USB sticks out to Jeep Cherokee owners got greenlit. Some 1.4 million Jeeps are said to be affected by the aforementioned vulnerability, which is a lot of vehicles.

Fiat is making a bad problem much worse, as Pete Bassill explains:

“This is not a good idea. Now they’re out there, letters like this will be easy to imitate,” said Pete Bassill, chief executive of UK firm Hedgehog Security.

“Attackers could send out fake USB sticks and go fishing for victims. It’s the equivalent of email users clicking a malicious link or opening a bad attachment.

“There should be a method for validating the authenticity of the USB stick to verify it has really come from Fiat Chrysler before it is plugged in.”

He said that using a device like this had wider implications.

“Hackers will be able to pull the data off the USB stick and reverse-engineer it. They’ll get an insight into how these cars receive their software updates and may even find new vulnerabilities they can exploit,” he told the BBC.

Fiat did issue a voluntary recall, allowing owners to bring affected vehicles into dealerships to get their firmware upgraded. They should have left it at that — if pushing out updates over the air wasn’t possible. Perhaps Fiat went with USB sticks thinking it would be an inexpensive way to help their customers update their vehicles’ firmware. But in the long term, I imagine it’s going to be more expensive, because of the can of worms they’ve opened for themselves.


Notice: Only variables should be assigned by reference in /var/www/html/wp-content/themes/hardpressed/content.php on line 10

Ad-blocking is good from both a security and privacy standpoint

Every now and I then, I come across a story which reaffirms my long-held belief that ad-blocking is good from both a security and privacy standpoint. That happened again recently when I saw this article in The Register:

Online advertising has become an increasingly potent threat to end-user security on the internet. More hackers than ever are targeting the internet’s money engine, using it as a powerful attack vector to hide exploits and compromise huge numbers of victims.

Malvertising, as poisoned ads are known, is as deadly as it is diverse. Hackers are able to poison advertisements with the world’s most capable exploit kits, then pay to have it served on a large number of prominent websites. Up to half of users exposed to the very worst forms of malvertising fall victim, yet tracking the attacks is often tricky. Advertisements are dynamic and served only to certain users, on certain websites, in certain conditions, making attacks difficult to study.

As the article goes on to explain, malvertising has simply exploded in recent years, and is now an extremely serious problem. But unfortunately, big players in the web advertising business aren’t doing enough to combat it:

The industry’s top malvertising experts are unanimous: For all intents and purposes, advertising companies have no idea who is buying their ads, and they make what amounts to no attempt to understand their customers. In an industry that moves fast and operates on tight margins, whitelisting and security checks seem costly and unwanted speed bumps.

The two biggest online advertising organisations, Google and Yahoo!, did not respond to a request by Vulture South for comment after initially flagging interest in interviews.

What can users do to protect themselves from malvertising? The answer is simple: Block ads and block JavaScript from executing by default.

There are ad-blockers available for all major browsers, notably AdBlock Plus, which has extensions for Internet Explorer, Firefox, Safari, and Chrome/Chromium. All the major browsers also contain controls that are capable of turning off JavaScript execution, but since most of us want sites to trust to be able to run scripts (for example, I want to allow JavaScript to execute my own domain and my credit union’s domain), it’s better to install a tool like NoScript, which allows JavaScript to be selectively turned on for trusted sites. (NoScript has 2 million users and maintains an average review of five stars. It’s well-deserved).

Using these and other tools (like HTTPS Everywhere, RequestPolicy, Better Privacy, and Cookie Controller) can greatly improve our security and privacy as users. The tools I’ve mentioned essentially act as browser armor, and can safeguard against all sorts of threats on the Web, not just malvertising. We all stumble into bad neighborhoods on the Internet from time to time, often by accident. Having browser armor in place greatly minimizes the risk of harm to our computers. Prevention, as they say, is the best cure of all.

I’ve heard some people make the argument that ad-blocking is unethical. I disagree. I believe that as users, we all have the right to decide what content we want to come into our homes and workplaces through our personal computers, tablets, and smartphones. That means having the freedom to block JavaScript, cookies, cross-site requests, ads, images, or anything else. We all ought to be able to control our own computing and decide how the Internet connectivity we pay for gets used.

This is especially important in the context of mobile Internet access, because most of us are on plans with fixed data allotments.

I understand the economics of publishing and content creation, and I agree we need to support artists and writers. The best way to do that, though, is to purchase a subscription to a favorite publication, or put money in a site’s tip jar.


Notice: Only variables should be assigned by reference in /var/www/html/wp-content/themes/hardpressed/content.php on line 10

Tips for crafting a strong password for your Wi-Fi network

Recently I had an opportunity to evaluate the latest incarnation of Actiontec’s MI424WR (GigE) router, a workhorse designed for use with FiOS service offered by Verizon and Frontier Communications. While navigating through the administration console of the router, I noticed that the security settings page now incorporates a long list of useful tips on crafting a strong Wi-Fi password. (WPA2 is also now the default security protocol, which is great, because WPA and WEP are flawed and easier to compromise). Here are the tips I found, which concur with the guidance I offer to clients:

User Guidance on Password Selection

Your wireless network security depends on having a good password. A good password contains Sixteen (16) or more letters or numbers, with each letter or digit chosen at random. This initial password shipped with your router is an example of a good password. The initial password is printed on the serial number sticker under the router. The Letters in the password are case sensitive and the initial password provided on your router is in Upper Case
If you wish to change your wireless password, try to pick a password similar to your router’s initial password. You must include at least one letter and at least one number in your password. It is recommended that the password should be at least sixteen letters and numbers, with no spaces or special symbols. However, you can shorten the password at your own risk. At a minimum there has to be 8 characters and a maximum of 63 can be used.

Here are some suggestions to help you choose the safe password:

  • The password should be 8 to 63 ASCII characters long, and it is highly recommended to use 16 or more.
  • Characters that are upper case. ASCII is categorized as Alpha and Numeric characters.
  • DO choose each letter or digit at random. Try one-finger typing with your eyes closed.
  • DO use a longer password, and write it down somewhere safe. A short password is easier to remember, but also much easier for attackers to guess. It is OK to let your PC save your wireless password so you don’t have to remember it.
  • DO NOT use anything directly related to you, such as your street address, phone number or car license plate.
  • DO NOT use the name of any person or place in your password. The attackers know all the common names.
  • DO NOT use any word from the dictionary. The attackers have dictionaries, too.
  • DO NOT use a phrase or sentence. Once an attacker learns any portion of the phrase or sentence, the rest is easily guessed.

This is great advice. I often find when asking for the Wi-Fi password at a particular location that it is just a couple of words, the telephone number of the establishment, or the address (spelled out).

A secure password should not include any personally identifiable information. Birthdates, license plates, phone numbers, addresses, Social Security numbers, and other sensitive data should never be used in any password, ever. Length is good. Random characters are good. Mixed-case letters are good. Punctuation, if allowed, is great. Here is an example of a weak, bad Wi-Fi password:

555-567-8095

The following, courtesy of the Strong Password Generator, would be a strong Wi-Fi password:

Ay#{$.}n7 s$Q~sM*;.}73*CS

It’s easier to remember as ALPHA yankee # { $ . } november 7 [space] sierra $ QUEBEC ~ sierra MIKE * ; . } 7 3 * CHARLIE SIERRA

Do yourself, your family, and your business (if you have one) a favor and set a strong Wi-Fi password, using the WPA2 protocol. You’ll be glad you did.


Notice: Only variables should be assigned by reference in /var/www/html/wp-content/themes/hardpressed/content.php on line 10

Open for business!

Today marks the launch of andrewvilleneuve.com, my new business website. I’ve decided to become a security consultant, specializing in WordPress security, because it’s plain to me that there are a lot of individuals, businesses, nonprofits, and groups out there who need someone to be able to advise and assist them with locking up their websites and implementing best practices.

I’ve always been a believer in the mantra, do what you love… and I love helping people stay safe. More and more societal interaction and commerce is taking place in the digital realm, and while that presents opportunities for collaboration and networking that weren’t possible before, it also comes with downsides.

We are not doing enough to protect and safeguard our digital domains, perhaps because the Internet is still a new medium and changing rapidly. However, there are parallels between cyberspace and the physcial space we inhabit. For example, a website is analogous to a house, usernames and passwords are like keys, and emails are analogous to sensitive documents carried around in a briefcase.

Most of us would never leave our home unlocked and unprotected… we take reasonable precautions to guard against theft of our personal property and real estate. A website is no different than a house. It needs to be cared for, looked after, maintained, adequately secured.

Out of the box, WordPress is simply not secure. It’s like a brand new house that is structurally complete, with plumbing and electrical systems installed, but without improvements that would make it more secure, like a reinforced door, a guard dog, dowels in the sliding doors, or an alarm system. WordPress can be made, secure, though, and a top objective of my practice will be helping clients lock up their WordPress sites so they can greatly reduce the likelihood of being compromised.

I’m looking forward to beginning this journey and seeing where it takes me. If you’re interested in hiring me, please don’t hesitate to get in touch.


Notice: Only variables should be assigned by reference in /var/www/html/wp-content/themes/hardpressed/content.php on line 10

Force Kubuntu to let you install new login themes

Problem: You’re tired of the default Kubuntu login theme and want to install a new one. But when you try to add new themes by going to System Settings > Login Screen (under the category System Administration) > Theme, nothing happens.

Cause: A flaw in KDE

Solution: Open Konsole and type:

kdesudo kcmshell4 kdm

This will open the Login Screen module, but as root. Now try installing a login theme. You should be able to see the newly installed theme in the list once you install, and be able to specify it as the default.


Notice: Only variables should be assigned by reference in /var/www/html/wp-content/themes/hardpressed/content.php on line 10

Help Thunderbird display emoticons in messages sent from Microsoft Outlook

Problem: Mozilla Thunderbird (running on a GNU/Linux machine) doesn’t display emoticons in messages that were sent using Microsoft Outlook. Instead, emoticons appear as the letter “J”.

Cause: Microsoft’s lack of concern for web and email standards

Solution: Install the “Wingdings” font so that Thunderbird can actually render the emoticons. On the latest versions of Ubuntu, this is as simple as clicking on the wingding.ttf file and then clicking Install. You can get Wingdings from your Windows computer. Just go to C:WindowsFonts and look for wingding.ttf. It should be near the end. Copy this file to your GNU/Linux machine and install it. Next time you start Thunderbird, you should be able to see emoticons in any message sent by a friend using Microsoft Outlook.


Notice: Only variables should be assigned by reference in /var/www/html/wp-content/themes/hardpressed/content.php on line 10

What to do when GParted crashes on your Live CD

Problem: GParted crashes while starting up when launched from the Ubuntu 10.10 Maverick Meerkat Live CD, or from a Maverick USB installation. Restarting the computer and beginning another live session fails to help matters.

Solution: There’s actually a pretty simple solution for this very annoying problem: Upgrade GParted. A user dealing with this problem could, of course, fall back on an older Live CD with an older version of GParted. But older versions may run into “unknown errors” if a newer version of GParted has been used to configure a drive. Furthermore, it makes sense to just grab the latest and greatest version.

If you’re running Maverick on a USB stick, just open a terminal and type:

sudo apt-get install gparted

Ubuntu will upgrade GParted. Next time you try to start it, it should come up okay and not crash.

If you’re running a live session from a CD or DVD, use the disc to make a USB stick that can save data. Then upgrade GParted using the command above.


Notice: Only variables should be assigned by reference in /var/www/html/wp-content/themes/hardpressed/content.php on line 10

What to do when Flash audio stops working on Ubuntu/Kubuntu

The situation: You’re trying to watch a Flash movie in Firefox and you can see video just fine, but the audio is stuttering like a broken record, making it impossible to hear the sound. Audio does not stutter in non-Flash applications. You have the latest version of Flash from the Ubuntu repositories.

What’s going on? This appears to be a bug that many Ubuntu/Kubuntu users are experiencing. It looks like it’s a glitch with Flash. Messing around with your sound architecture is unlikely to help matters, so don’t do that.

Solution: There is a fairly simple workaround. Go to Tools > Add-ons. Select “Plugins”. Disable your Flash plugin. Restart Firefox. Then, go back to Add-ons and enable the plugin. Try playing a Flash video again and see if the audio works. Repeat this workaround if the problem occurs again.

In some (but not all) other browsers, this problem can be alleviated by simply restarting the browser.

Comment: If you’ve found this post, I hope the above troubleshooting advice helps. I can’t wait for the day when proprietary software is no longer required to view video on the Web. Flash sucks. The advent of HTML5 will hopefully make Flash problems irrelevant and a thing of the past.