Yearly Archives: 2008

After reading a story earlier today, I thought it may be a good time to look at SSL.  This is the stuff I teach about (the basic introduction into it at least, when I am teaching web students for their certifications).  This is (close to) the answer I give my mom when she asks if buying things over the web is safe (actually – I explain it in easier to understand terms).  And, it’s important for you to be aware of – but not something you necessarily need to dive deep into.

Here’s what SSL is:

Transport Layer Security (TLS) Protocol and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security and data integrity for communications over TCP/IP networks such as the Internet. (cited from Wikipedia here)

It’s really fairly complicated and complex – but for our purposes here, let’s look at this as the handshake between your computer and the web server.  They discuss how to speak to each other, review the highest possible means to communicate over the web, then use trusted certificates that both your computer and the web server can agree on to encrypt and decrypt data between them.  That’s all done pretty quick and is not something you normally notice or have to deal with.

But, with MD5 now being revealed as breached or broken (and if you read the article, this started in 2004 but today we really need to stop using this method to secure much of anything), we need to look at how this impacts us.  I highly recommend reading the article ‘SSL broken! Hackers create rogue CA certificate using MD5 collisions‘ if you want more in depth analysis of what is going on in this area and how it will (ultimately) impact you and I.

In the near term, the proof of concept that is being revealed would, if fully exploited by hackers, take a few months to get working.  So there is time for companies to implement better security with their existing certificates.  That is good news – the bad news is getting enough attention to get companies to implement needed changes.  My guess is it will take some company’s breach of data hitting a news stand near you before others jump on board to fix the problem.  That is sad, yet true.

You’ve got to love those e-mails we get from friends, relatives, neighbors, and distant acquaintances.  My favorites (to delete) are ones I get from folks who don’t have anything to say to me – they just pass on ‘information’ they received from others.  You know those mails – ‘Bill Gates is sharing his fortune – pass this e-mail on to his tracker (THIS TOOK TWO PAGES OF THE TUESDAY USA TODAY – IT IS FOR REAL – gotta love that headline!)’ or ‘Applebee’s restaurants are giving away $50 gift certificates‘ to folks who forward an e-mail message.

One of the recent ones I have received has to do with Ben Stein and his confessions for the Christmas holiday.  I guess on the bright side this has some partial truth to it, Ben Stein actually did say the words that were attributed to him, but there was other dross added on that wasn’t true at all.

So – how can you tell if this stuff has any truth to it?  Some of it is quite compelling at face value, but if it’s not true – what is the value of the information?  I’d like to pass on some helpful links so you can find out the validity of these claims for yourself.

Test Everything

That’s a great bit of wisdom from The Word, and it applies to every area of life – including your inbox and the internet! Just because it is on the web doesn’t mean it is truth or even partially accurate – and the same applies to the stuff you get in your inbox.  Well intentioned people look at information they receive about our troops, various political campaign fodder (pick a side, any side), or some issue they feel strongly about.  Then, because it agrees with their feelings or views – they somehow feel compelled to forward that message to everyone they know.

No need to check for truth.  No research on accuracy.  And that amazes me!  We’ll look at the issue of our military – that’s an area that has generated a ton of interest over many years.  And while our troops fight a war (necessary in the eyes of some, and not worth it in the eyes of others), the stories that are passed on as fact are nothing short of astounding.  It’s unfortunate that many of these passed on tidbits are nothing more than propaganda.  Some are just a lie, other stories carry a grain of truth, and a few are actually accurate.

So, my first place to look is an awesome site called Snopes.com.  Here you can find information on urban legends, hoaxes, and a ton of other claims and rumors. Some of the information on this site may be a bit ‘racy’ – but look at what you are receiving in your inbox and passing on…your point?

If you don’t find information on the item you are researching on Snopes, then try the Urban Legends area of About.com.  This area is also full of information on many of the same e-mails you have been seeing in your inbox for quite sometime.  It is another great resource in your hunt for fact over fiction.

Lastly, you probably want to know about ScamBusters.org.  They carry information on much more than the urban legends and hoxes they have listed.  It is another highly recommended resource in your quest for separating truth from lies.

What Do I Do With What I Learned?

This is the rubber meets the road area for us all.  I can tell you this from experience.  My standard response is normally to send something back to the person that sent me the information with a link to what I found (either Snopes or some other resource) so they could see what the truth is.  In the body of the mail I would also suggest they may want to send that information back to the list they chose to send to so those folks would also learn the truth.  Some did that, and were educated in how to fish for the truth themselves.  It’s hard to know you have been had and then brought others into that been had mix.

My next step, if that person keeps me on their friend list for these mass mailings, is to respond to all with the truth findings for the next one I receive.  Again, nothing in my mails are condemning to the person forwarding them out, and my intent is to share the truth and not spread less than that.

It is amazing the transformation I have witnessed.  Normally, for those I just send information to, less than 10% of those folks actually send out a note to the list.  You see, to do so admits you have fallen for something, and even perpetuated it further.  That’s a hard thing for many to do!  I can only assume the other 90% drop me from their mass distribution list for those mails since I don’t get them anymore.  For those that I have responded back to the entire list (my step 2 in my 2 step ‘get well’ program) – they usually get mad and let me know all about it.  I have been written back that the word needed to be spread about this ‘thing’ (issue, whatever) no matter if it is true or not.  Folks have pulled me aside and told me that I was in the wrong for sending back information to folks on the list (these folks don’t even think about what they are doing by leaving all their ‘friends’ in a To or CC list to start with).  But I have learned that it isn’t long before they drop me from these mass mailings as well. (I’m a HERETIC!)

I’m not complaining about the lack of these mails, because usually someone else sends it to me, these take on a life of their own.  What does concern me is folks that have no interest in the truth – so they are comfortable in perpetuating the lies.  It tells me something about them – for actions speak louder than words in many cases.

I hope this article gives you some insight and tools to learn more about stuff you (and I) run across on the web and in our inboxes.  If you have other tools you use, leave a comment – and as always thanks for reading!

I recently wrote about file sharing and P2P networking.  Wow – after I had that machine, 2 more followed right behind with similar behavior.  While I can’t say that file sharing was, without a doubt, the culprit of the issues, the fall out was similar – machines loaded with adware, malware, spyware, you-name-it-ware.

So maybe it’s time to type a bit about this.  In a post I found on the Dell community forums (Request for help to get rid of Virtumonde and Virtumonde.prx) while working with one of these machines, there was some sage advice. Here’s an excerpt:

I am reviewing your log. In the meantime, you can help me by addressing the following:

* If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly.

* If you are using any cracked software, please remove it. Definition of cracked software: http://en.wikipedia.org/wiki/Software_cracking

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. There is a list here: http://en.community.dell.com/forums/p/19241146/19367569.aspx#19367569

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* Have you already fixed entries using HijackThis? If so, please restore all the backups and then post another log.

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures. Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using.

* During the course of our cleanup please do not do any online work or surfing until we have verified that your system is clean.

* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a “RiskTool”, “Hacking tool”, “Potentially unwanted tool”, or even “malware (virus/trojan)” when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert you or even automatically remove them.

Wow – excellent synopsis of the things I do for folks that bring me their machines (and note, this was posted in early 2006).  And I admit it – I mainly ask folks to bring me their machines so I can do this work.  It avoids the need to maintain a ‘hands off’ approach to troubleshooting and eradicating issues during the attempts to restore normal operation of the computer.  Well, it also lets me multitask because I can do many other things while running scans and playing Whac-a-Mole with the baddies.

One of the tools that was mentioned in this post I did not mention in my earlier posting – but wanted to mention it here. Malwarebytes Anti-Malware is a great tool to use when troubleshooting / repairing some of the nastiness you may encounter.  Props from me for this tool!

Now for the good advice – think of what you are downloading and installing on your machine.  If you are starting to notice ‘strange behavior’, think back to what you recently did to or with the machine so troubleshooting the issue is easier.

Some of you understand that things occasionally ‘happen’ on computers that are dificult to explain.  More often than not, there is an explanation, and it has to do with us – either our surfing habits, our software choices (yes, we make a decision to install stuff on our machines), or changes to our computing environment that causes issues.  Occasionally hardware fails, or software malfunctions due to other software being changed (patched, hot fixes, service packs, updates, etc.).  But most of the time we can trace the strange behavior of our machines to a change in the environment.

My advice is to know what you / your machine is doing.  Know who is on the machine, set limitations as to what should be done while using the machine, and pull maintenance (defragment, clean out temp files, run various tools to detect malware, adware, spyware, and scan your computer for viruses) on your machine on a regular basis.  Also, RELIGIOUSLY back up your data!

As the post I referenced above states, other things you can do is – basically the right things.  Don’t mess with cracked software (if you need it – BUY it).  Be aware of the dangers of P2P networks and software (it brings you so much more than music and movies you should be purchasing if you want to own anyway).  Practice safe computing!  Or you may find your computer compromised, opening yourself and others up to identity theft, data being compromised, and a host of other issues.

My most recent ‘sick’ machine came in to be examined right before the holidays.  What a joyous season, one of eating, giving thanks, and looking forward to the birth of The King.  This season found a family with a machine that would not boot, the BSOD (blue screen of death), and concerns that something caused this – namely, the download / playing of free games.

I’ve got to confess, I have a free game player here in my home, and some of the adware I find on that machine is annoying.  But we haven’t had the machine die because of it.  So, with my curiosity meter pegged, I started to troubleshoot.

Once I cleaned up some errors on the hard drive (by removing it, slaving it into my laptop using a nifty device that turns it into a USB accessible device – Sabrent USB-DSC5 Serial ATA or IDE 2.5-/3.5-Inch to USB 2.0 Cable Converter Adapter with Power Supply) the machine would boot into Windows XP.  Then, it’s off to update and run some of my favorite free tools that I have touted in an earlier post.

Hello – what’s this?  15 virus alerts, numerous spy, ad and malware alerts.  The culprit?  A P2P (peer-to-peer) file sharing program.  Now, before I get to busting on P2P networks, I want you to understand that these are not evil, and actually they are good!  Used for specific purposes, they are very necessary and useful.  But my guess is the lure of ‘free’ stuff (music, movies, games, etc.) was the use in this instance.  And while P2P in itself is not evil or illegal, it often is used for exactly those things that are (making music available for free downloads, games, software, movies, pornography, etc.).  And while we’re being honest, we need to be up front in saying that many of the users of these networks may not be the most noble intentioned folks on the planet.

The software that was installed on this computer was Limewire.  For a good look at the settings you may want to use if you choose to use this software, review the article LimeWire – More Things You Need to Know (previously titled LimeWire Users – Read This to Avoid Danger) written by Pascal-Denis Lussier.  Again, I’m positive the person in the family that used this was not meaning any harm – I believe they wanted some free song or music.  But what happens in the P2P world is that you open your machine up for all kinds of information theft and malware attacks.

If I could convince adults to read a single article on this (preferably other than this one), it would be P2P Networking – Kids Know! Do Mom and Dad? by Jerry Ropelato.  That is what started me writing this post!  Since I have a child, a family, and operate my own computer network at home, I make sure I stay as up to date as possible with changes in the technology and industry.  But I also make it a point to talk to my family (and through my readers here) about issues.  P2P is one you need to have awareness of.  Why?

Viruses

It does not take someone much time or effort to put in spurious code into a file that could reek havoc on your computer or the network it is on.  My standard preaching in this area is have a virus protection software package installed on your computer and keep it updated with the current definition files.  New viruses are created and unleashed every day – don’t neglect this important aspect of computing, no matter what your platform is.

Once you have the software installed, use it!  If you have downloaded something using a P2P program, take the time to go to the downloaded file and scan it with your virus program – don’t assume that this was done automagically!

Malware / Spyware / Adware

While you may think you’re getting something for nothing, more often than not you are getting more than you bargained for.  Many of the files shared have been altered to give you gifts that keep on giving!  Is it really worth all the extra gifts?

Immoral / Illegal use

Here is where the proverbial rubber meets the road.  Is it worth breaking the law to get that song / movie you don’t have?  If that song / movie is so important, don’t you think supporting the group or people that took the time to write, act, sing, produce it is the right thing to do?  Why not purchase it instead?

You see – times have changed.  I’m old enough to remember when ‘those magazines’ were behind the counter of the local store and wrapped in a brown wrapper.  Now, those same images are very accessible on the web.  And if that is your cup of tea, more than likely you know that you can find much more than still images using any P2P network.  The same goes with music – we’ve moved on from the days of purchasing a 45rpm for singles or 33-1/3rmp for the full album!  Why should I pay for this when I can get it for free?  After all, all my friends are doing it…

If It’s Free, It’s For ME!

I’m not going to give you a story of starving artists, because many are living quite comfortably.  But doing the wrong thing is not right – so no excuses allowed.  If you find the software useful (in the shareware world), pay for it.  If you like the song, pay for it.  It’s simple!  But trying to find other ways to get these items can (and often does) lead to troubles for your machine.  Read the EULA of the software, realize the FBI Warning Screen before movies is there for a reason, and recording artists have copyright warnings on what they produce for a good reason (see this 2005 article on Kazza).

To conclude, this article is just food for thought.  The family member that I’ve written about is not fictional, and the machine issues they experienced were real.  And I’m certain they had no ill intentions, just wanted some tunes.  But there was a price to pay.  And I can’t tell you (or them) the extent of potential risk they were at or what files may have been accessed due to the use of this P2P software.  The issue is the users on the network of file sharing, not file sharing itself.  And that should give all of us enough to think about – who do you want rootin’ around in your computer files?

Have other insight or comments?  Feel free to leave them here, and thanks for reading.

At the end of last month I started to get some interesting e-mails.  You see, when you have customers and submit their information to so many search engines and sites, you’ve got to understand that interesting e-mails are pretty normal.  But these mails were ones that caught my attention – because they were claiming that a domain name was about to expire.  Below is an example of one of the ones I received, but all you need to see is one because everything else pretty much was the same.

One of many mails received claiming I needed to respond...

One of many mails received claiming I needed to respond...

When these were being received hot and heavy in my inbox (and I’m certain there were thousands of other folks getting these as well) Network Solutions had a great alert and warning on this growing issue.  By the time I’m typing these words, that warning is no longer a ‘top news’ item.  But it gives me the chance to share some information with you on the practice of phishing.

Wikipedia starts their definition of phishing with these words: In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. (Full Wikipedia information here)

How did I know?

Well, it was pretty easy for me.  I don’t use Network Solutions as my domain name provider.  So my curiosity was in how did I become the recipient.  And that wasn’t too hard to figure out (and it wasn’t what you may think).  At first, I thought someone just did a ‘whois‘ lookup and sent mail to the contact information that the query returned.  But looking at some of the mails I received, that was not the case at all.  It looked like a normal spambot attack where e-mail addresses are spammed and the return address is spoofed.  So this is nothing new or special – it happens all too often to all of us!

What can help me?

If you noticed in the image I included above, I happen to have all these mails go to a Gmail account.  They do a great job of putting up that red banner that gives a warning that something has been tampered with – in other words, spoofing has taken place.  So if you want (or need) to check out a super and free (did I mention FREE?) mail account with over 7Gb of space, maybe you will give Gmail a try.

But not everything requires a tool for help.  The first line of defense is you, and your thinking.  Take your hand off the mouse (so you don’t click on any links).  Take a hard look at what your mail says – it may seem legitimate.  But then, look to see who it is from – and by that I mean examine the header information.  I’ll assume you know how to do that, but if you don’t – be sure to check the help files in your e-mail client you use.  It will tell you how to do this.  You see, that name that shows up may give a legitimate name you trust, but the actual respond to address may be different.

The money (or the catch) is that these folks are trusting you to click on a link in the body of the e-mail.  It matters not who is in the respond to line, it’s all about clicking on links in the body of the e-mail.  So restrain yourself.  Don’t do it, just keep your finger off the mouse!  Once you’ve clicked, you may be launching some bad installer to put malware on your computer.

I hope this helps someone – if you have information or insight that will assist others, why not leave a comment?  Thanks for reading!

This is a follow up to my posting on Communications.  I’ve been intrigued at the concept of church marketing.  And – I’ve been thinking about how we do it at the church I belong to.  Our mindset in many church environments is one of letting the paid staff do the work of ministry.  That work, while including spreading the gospel (‘Isn’t that what we pay the pastor for?’), ministering to those in need, etc. seems to always be something staff should do.  It is why they make the big bucks!

I’m thinking….NOT!  I don’t want our church staff to be the creative or end product of our efforts to market!  It would be like asking them to be graphics artists – and the last experience they had with art was either doodling on a church bulletin (or in a hymnal if you’re old enough to remember them…) during a boring service or creating their paint-by-numbers masterpiece as a youth.  What madness!

In that spirit, I ask for 5 minutes.  You may laugh really hard at this.  You may not…hard to tell on the web.  I see this is a great portrayal of church marketing, as revealed in something most of us can relate to.

So…marketing…what do we do in this area?  What can we do better?  When can we get started?   These were questions I asked in a similar post on our church blog. But it got me to thinking – what about marketing in our web efforts?

Hire a Professional

This may be the best option, or … worst.  I think it could be the best option because a professional is well versed in many marketing methodologies that could help your customer as well as you.  There are many things to learn from professionals in other areas that are not our (web designers) area of expertise.  Our tendency is to shy away from this option though because it costs money and somehow shows we have an area of weakness (as if we were suppose to know it all).

It is not a bad thing to bring a professional on the team in this area.  The benefits for your customer could be enormous (increased sales, product recognition, branding, etc.).  The benefits for you would be a fantastic opportunity to learn more in this area so you could apply the principles to other customers.  Yes, it comes with a cost, but the payback could keep giving for years to come.

Learn from Others

You may have an opportunity to barter with others that have knowledge and skills in this area.  By all means – take advantage of adding this into your box of tools and skills.  Or, you may take some classes in this area.  Another opportunity would be to learn more about it by books, or even information on the internet.  I am quite certain good can come out of that – but there are also opportunities to get hooked into some wild schemes as well.  So a bit of caution when dealing with these areas (much the same as many of the get rich quick schemes you may get in your inbox).

Listen to your Customer

Finally – your customer may have already hired a professional.  They may be your best teacher in this area, so don’t be afraid to ask them questions!  I freely admit that I learn so much from each and every one of my customers in the area of marketing (among other disciplines).  And I do my level best to teach them as well.  Don’t discount this area of your design and business skills – it could be one of the most important lessons to learn.

So for marketing it is more than a flowery thought – it is a must for your customer’s business.  And it is something you need to learn as well for your own.  Perhaps you have information or ideas that you would like to share?  If so, feel free to comment on this article, and thanks for reading!

WebDunnRight recently relocated (read that, our family moved).  Having to move brings on a whole new set of needs and opportunities.  I am very familiar with the ins and outs of our former home, could tell you where I had the best connectivity (wireless, that is – wired was pretty much decent everywhere), and could show you nuances that most would not notice.  All that has changed since the move.

Get the professionals out!

The first thing I did right was to contact my ISP and review my options for the upcoming move.  One of the services they offered was to send out a technician to check the lines at our new place of residence and ensure everything received the best possible signal.  We quickly learned it was money well spent.  We were in splitter city, which brings on signal loss, and our technician was on top of it.  After tracing down where lines entered the residence, he installed a signal amplifier and we’re golden throughout the home.  I’d highly recommend this to anyone moving, but your ISP can also provide this service to you if you don’t plan on a move anytime soon.

Checking my speed

After setting up just a portion of my gear (I’ve got to be connected), I went over to Speedtest.net to see what kind of speeds I’m getting.  Mind you, I’m typing this on my laptop working wireless over a Belkin IEEE 802.11g compliant router.  Going from here to a server in Washington, D.C. I turned a speed of 14252 kb/s for downloads and 2808 kb/s for uploads – not shabby in the least!

Why is this important?

All this talk about speed has real implications for your online experience.  Your connectivity is a deciding factor when we look at issues such as choppy audio and/or video, the way various web sites load in your browser, and a host of other issues (banking, interactivity with shopping or support sites, etc.) that have a real impact to the experience we have and the impressions we take away.

Imagine attempts to create and manipulate various web sites.  While I do this on my computer and experience little or no lag time (after all, I’m working off my computer’s hard drive only) while making and testing my creations, it is a totally different experience once the site is on the web.  That is when you get to experience it!  But what if I have a hard time writing files up to the server (my connection is slow)?  Will I be a happy camper?  Probably not, and you wouldn’t notice one bit (since this is all about me and my ISP, I can either get what I pay for in speed or I settle for what I hooked up to if I chose not to get the professionals out to the home).

Perhaps more practical is the connectivity to sites like YouTube or news sites where watching video or listening to audio (streaming, of course!) means lag times or choppy ‘reception’ of the media.  One of my customers has asked me to fix a video that was perceived as choppy, but the video was fine – it was all about the bandwidth and connectivity of my customer.  And that can be disappointing!  Remember, computing has moved forward quite a bit.  I’m old enough to recall my first 300 baud modem (yes, I was alive way back then) and logging on to my first Wildcat BBS.  When I bumped up my old Amiga modem to 2400 baud, I thought my computer was the cat’s meow.

Times have changed…

With this change comes newer hardware, newer software, and new capabilities.  We now have so many choices!  You can still connect via a dial-up connection, just realize your speeds will be limited by the capabilities offered in that arena (56 kb/s will be tops, and that is utopia – expect speeds of 52 kb/s or less).  Or getting a broadband connection which is what many folks are doing or have done as this rides on their existing cable connection.  Others are opting for FiOS connections, and it’s hard to tell where the future may take us as compitition for speed heats up.

What’s it mean for a web designer?

As I have written before (in my Images and the web article) we should still design for the ‘lowest common denominator’ standards.  Don’t forget that not all your customers will be visiting you on some high speed access, there are still plenty of people coming to our sites using dial-up.  So do the right thing with your images (properly size them and use thumbnails as needed) and media files (make them streaming).  Remember, it’s not about you and your capabilities – it is always about the person on the other side of the computer screen – the customer.

Interested in your speed?

Below are links to some speed tools.  Have fun!

If you have other tidbits you’d like to share with me, feel free to comment.  Thanks for reading!