Good Passwords, have to be better now

Most people on the internet have heard about passwords, and the importance of choosing a good one.   Knowing a bit about how they guess your password can really help a lot in choosing one.  There are also many resources for helping you choose a password, but they do not always focus on the "why".  Why passwords should not be common words, or familiar words, and that is what I will try to answer here.

First, what is a good password?  Most websites, try to help you choose a password by having a list of rules in place to guide you.  They focus on it's length, using mixed case characters and numbers, some also mention using symbols.  And this is the mechanics of a good password.  

People who will try to guess your password read the exact same list of requirements, and use it to limit their guesses to only the passwords that work within those parameters.

There are two schools of thought on guessing a password.  The first is to get to know you, or information about you, and use that information to make an educated guess about what you might have used, this is more commonly referred to as "social engineering", and includes learning one of your passwords and trying it on another account.  The second is to randomly guess words that people commonly choose for passwords, many people mis-use the word "hacking" for both methodologies.

To combat the first, do not choose passwords that have anything to do with you personally.  Never choose simple words, like your pet's name, or a family members date of birth.  Anyone who has ever watched the movie War Games, will remember the scene where he guesses the password to the mainframe by choosing names of people important to the professor.  

The second method, choosing dictionary words, or a password dictionary word, can be combated by choosing strings, not single words when selecting a password, maybe it would be better to think of it as a pass phrase.  

One important thing that has changed recently, is that password guessing tools now take into account substituting numbers for letters.  This is why your password selection may need to improve.  "1" for "l" is very common, as in "we1come", but any substitution that is common, is now found in the guessing dictionary, including "we1c0me" and "we1c0m3".

Here is a handy link to help select an excellent password:


Good luck!


FCC to regulate the internet, but do we want regulation?

The FCC is proposing to regulate the internet, as it has regulated the phone network, so that they would be able to force internet providers to provide the entire internet. 

No matter how you feel about government regulations in general, the best thing to do whenever there is new regulations proposed is to determine why it's being proposed.  Then once you know have determined why, you can better decide if it is worth it.  I say worth it, because its always a cost to add regulation, so there is a basic math question of cost over benifit.  Government regulations, like the one that the FCC is now proposing, generally are created for three reasons.

The first is to help prevent abuse or harm to the public, like a financial regulation to prevent homeowners from being sold loans they can not afford to pay for.  The second is to regulate a market, like the home gas price regulation. Of course there are other reasons, like taxation in order to generate government incom, but since we are deciding if the reguation is worth it to us, let's focus on the first two.

Why regulate the internet?

The reason given by the FCC is to prevent internet service providers from harming consumers.  Commissioner Michael Copps of the FCC stated that he believes the internet needs regulation to help develop innovation.  The other reason, has to do with Comcast, and Net neutrality.  This is another attempt by the FCC to prevent Comcast from having its way.

How does this benefit us, and what does it cost.

The clear benefit is to stop comcast and other ISPs from dicing up the internet, and charging us ala cart to get services that we now have access to, such as YouTube and Pandora.  But what about the cost?  The internet is currently an open market, and it is very crowded with very large companies.  And currently when deciding between multiple ISPs, the only option is speed.  More upload and download speed is usually more expensive.

But what about the cost?  The cost is very hard to determine right now, but to many people, its scary.  They fear that this is just the beginning of the regulations, and they usually mention that this could allow the FCC to regulate internet content, say for preventing hate speech on the internet.  They could also add taxes for intenret use, they could force ISP's to service remote locations, costing them millions (something that would be passed on to conusmers), and the regulations itself might cost the ISPs to conform to them, and those costs would also be passed on to the consumers.

The takeaway

In the end, there no way to know today where this might go.  Currently we consumers are a the mercy of our ISP, but there are multiple choices for ISPs, and currently things are not so bad, and they are getting better with more options being created daily, such as WiMAX.

Since I am not sure the reasons are valid for the initial regulation, and I really can't say what the ultimate cost might be, this regulation is not something i have any interest in supporting.  I would like the FCC to stay out of my internet.

You don't have to cancel your Facebook account, Yet...

The Privacy Issue

Facebook's recent problems with privacy are many.  One specific problem that Facebook users need to address relates to the privacy of their opinion. Just how public our opinions are, was largely something we understood for a long time.  People understand that what they say in front of people, has an impact on how other people feel about them, and this has not changed.


But what has changed, and is surprising for many users of Facebook, is that their opinions, often being shared without their full understanding, are in full view of many more people then they might have thought.  This is because when users post status updates, links to interesting websites or movies and pictures to their accounts, they often expect the content and their opinions expressed in them, to remain private.  And by 'private', we mean 'only expressed to those people with whom they shared that item'.  What some may not fully understand is that once it has been posted to their wall, friends of THEIR friends may see it on Facebook, and even more of an issue is that those trusted friends may share it outside of Facebook with other individuals. (And it can be difficult to understand; moreover, Facebook can change their policy whenever they want to, and they do it often). 



Don't tell anyone, tell everyone

Most IT professionals already have experiences with this type of 'mock' privacy.  A digital image, and email or an opinion expressed in instant message to a specific someone; once released to the web, can end up anywhere with anyone, logged, indexed and shared, and its life expectancy far exceeds its non-digital counterpart.  We know this, because we have all heard stories of people being fired from their jobs because of email, instant messages, or even comments on Facebook.

One analogy that can be used to describe this type of privacy, is a dinner party. This is an everyday occurrence that people can understand, but keep in mind this is just an analogy and it does not describe how Facebook handles privacy.  

The idea is to think about how you would behave if you were at a dinner party with close friends, and a specific political or hot topic was brought up.  You might feel comfortable enough to express your opinion even if it differed from the rest of the people at the dinner, because they are your close friends, and you do not mind sharing your opinions, say about how you really feel about a specific company, with everyone.  

Now imagine you are sitting at another table the next day, this time, instead of your close friends, you are having a work dinner, and one person at the table works for the company that you were bashing the previous night.  We are all accustomed to how privacy works here, and we understand that what we said last night is protected in some way from this table, and tonight, you might not mention your opinions, because you know it might risk the relationship that your company has with their company.  It's important to note that in this analogy,  your opinion of the company does impact the work that your doing for that company in any way, but if he were to find out about it, your company might lose the business anyway.


This is all very well understood in the real world, but what about on Facebook?  Let's say a friend posted something about the BP oil spill, and you commented or 'liked' it.  Maybe he posted that the BP oil spill was a terrible thing, and he felt BP should be forced to close for what they had allowed to happen.  Now that you have commented, or 'liked' the post, your have, in effect made that opinion your own (even if you only agree with it in a small way.)  Let's further assume, another friend of his, comments on the post, or re-shares it, and finally let's assume they have a friend at BP, whom you work with, and now they read your comment, and the original comment.

This could easily lead to your company being affected by 'your' opinion.  And this is not clear to many Facebook users.  Your opinion travels, and becomes more public as it does, and unlike the dinner party, where a person at the table could share your opinion with that co-worker if that wanted to harm your relationship, on Facebook the information travels without any specific intent to share it. More people are just agreeing with the comment, they are not actually trying to share your opinion with more people, it's just how it works.  Also, unlike the dinner conversation, the online message is much easier to take out of context.  Just because you liked what someone posted, does not mean you want BP to be shut down. 


Privacy is changing

Recent events in Arizona, and all over the country  have made it clear that many more people today, are willing to share how they feel about controversial subjects in public.  Although some laws in the United States prevent people from photographing protests (Handschu Agreement), the laws do not prevent news coverage, nor do they prevent people from walking by and viewing the protesters.

People may still feel that they will not be singled out for sharing their opinions in public, or that this particular opinion shared at this particular venue will affect their lives OUTSIDE that venue, but is that really why they are willing to join the protests?   It may be that people are starting to feel that the topics are too important not to join the action, but it may also be because people feel their opinions are important, and they want them to be heard.
   
Stop sharing your opinion?


Quit Facebook, or quit being afraid of the opinions you share reaching people you hope it won't.  In my opinion it would be better, if we could all express our opinions, online and in real life, without fear of the wrong person finding out.  I am starting to think about a time where we share how we feel, and we all come to realize that it is normal for us to have friends and co-workers with opinions about topics that directly impact us, that do not align to how we feel, and that this is not a reason to discriminate or hate them.  This is how it actually is, we just don't talk about it.

Don't get me wrong, I do understand that this is a bit naive, but small steps in the right direction would be better for everyone.  Also understand that Facebook has more privacy issues then just opinion sharing, but if your quitting to hide your opinions, maybe it's time to just let the world know how you really feel.  Just don't tell everyone you're mad at BP.

Internet Content Ratings: It's 2010, and its still broken


What content ratings are all about

The main goal of content ratings, is to allow users, and search engines, to determine the types of content that is on your website so that they can decide if it is right for them.  The three main areas that most content ratings focus on are, child safety, accessibility and suitability for mobile devices (however there are many more content labels that can be placed on your site.)

The main initiative that currently has the most momentum is the protocol for web description resources (POWDER), and powder supersedes platform for internet content selection (PICS). POWDER is a generic method of labeling content, and does not by itself offer any method to label content in a standard way so that programs and people would be able to determine if the content was suitable for them.
The Family Online Safety Institute (FOSI) has the IRCA (Internet content rating association), and applied it to POWDER.  This meant that the generic method of labeling content, now had specific ways to lable conent for child safe surfing.  Although I have no statistics to prove it,  I think that very few websites actually use this rating system, and if you look a little deeper into the model at FOSI it still relies on a content badge.

Why content ratings are failing
Content badges are a method of adding trust to a website based on a 3rd party organization, who presumably you would trust, and they would offer a badge to specific websites whom they trust, thus allowing you to trust the website, as much as you trust the organization who offers the badge.  You may be familiar with other badges such as BizRate, Verisign, and the Better Business Bureau, that often can be found at the bottom of many commerce sites. 

The problem with badges, is that they cost money.  The organization that supply's the badge, has to police the badge in order for it to be effective.  In order to get the badge, their is usually a cost, in the case of FOSI, the cost to display the badge is a required membership, and according to its website, the least expensive membership is $7,500, and that is absolutely absurd.   Any site that wants to offer safe surfing for children, would have to pay that much just to say they are safe.  I do not wonder why most websites do not have this badge.  

Another point to consider is that unlike ecommerce, where consumers look for the badges, and want to be safe before offering personal information and spending money, there are not that many parents who would refuse to let their children visit PBSKids.org, because it does not offer the badge to proclaim it is safe for children. 

Alternatives to POWDER

Another very popular method to offer parents a way to determine if your site is safe is SafeSurf.  SafeSurf offers a way to rate your content, and a plug in for the browser that displays that rating to the parents.  Since its does require a META tag, it does have the ability to be searched by search engines.  But it is still essentially a badge system, however it is free.

I applaud the work that SafeSurf has done, but we are all still waiting for a better way to rate content.  Most websites do not offer content ratings still, and this means that we are still reduced to other methods of trying to decide what content is safe for our children.  Today, much of the web is moving to more a more social model, and this means, that more of the content is user created, and rating it is more difficult.

Content ratings should be easy to use, and must be free

Website developers need a simple free method to rate the content they provide.  Most site developers would agree, that they would like to offer a simple method.  This method must be cross  browser, and should not require any plug-in or 3rd party to work, and it must be free.

This is a very tall order, since without any intermediary, there would be no way to support the policing of the ratings system. 

I suggest, that it would be possible, to crowd source the ratings, if there were a 3rd party, free website that offered the ratings, and they could convince all the browsers to use the rating, similar to how most browsers now show website security for ecommerce, and it did not require any work on the webmaster side.  Google offers something now called sidewiki, and it does require a plug in to work, but it works in a way very similar to how I would envision the rating system to work.  

How it would work
A not for profit website would have to be created, and it would offer functionality to users and webmasters to rate the content of their website.  Browsers would have to be modified to display this rating (and a plug-in could be used to start the process rolling, but it really would need to be replaced by the browser itself showing the rating.)  Websites could also display their ratings using a badge, once they were rated, if they desired to do so, and this may also help to get more support for the content labeling system.

Users who visit a website would see the website's rating (possibly based on the webmasters submission to the 3rd party), or they might see that the site has not yet been rated.  If the choose to, they can then rate the site by answering a few short questions.  This can be done anonymously, or they can choose to have an account with the 3rd party company.

Of course their could be disputes about a websites rating, and this could lead to issues with the circle of trust surrounding the system, but overall I think it would be much better then what is offered now.  I don't want to reinvent the wheel here, and it seems that with content ratings, that has happened many times.  If you know of a better solution, please do let me know. 

To secure the internet for children, just remove all the content

 
Family Online Safety Institute European Conference 2010

The theme of FOSI's European conference was Putting the Pieces Together: Building a Comprehensive Online Safety Plan.  Topics included securing your online information while engaging in social networking, supervising your kids online and privacy policy topics.

Spokesmen for AT&T and Telefónica, both companies had sponsored the event, commended FOSI for their hard work and dedication.

"As one of the world's largest telecommunications companies with a presence in 25 nations, Telefónica understands the importance of promoting safe and responsible online use, especially for young people," said Julio Linares, CEO of Telefónica. "We commend FOSI's continued dedication to promoting this pressing topic at an international level."

The idea of creating a safe place online for children is something we can all agree on. But when the sponsers are all large ISPs who want to charge for the use of content, things may not always be how they seem.  Cesar Alierta (Telefónica CEO) said that their company had to start to charge google to and other search engines to be used on their networks.  AT&T has also expressed it's desire to create a revenue stream in a similar fashion.  In October of 2009, Jim Cicconi urged families and friends of the company to help them fight the FCC.

We all like the idea of children being safe, but we should also like the idea of having a free and open internet for all.  Large organizations like AT&T and Telefónica certainly can be supportive, but we have to be careful about their influence.  Most people do not want to secure the internet by charging for content that would be characterized as 'unsafe' by large ISPs.

Mac's get Google Chrome 5

Google Chrome 5 for Mac OS was released yesterday, as a stable build.  For mac users, this means they now have another very strong browser to choose from, and as we noted before, IE is starting to loose some market share.

For most mac users in a corporate world, they still have IE installed and in use on their macs, right next to Safari and Firefox, mostly because there are still some sites (most notably Mircosoft Exchange web access) that perform much better with that browser.  However, it's important to note, that browsing the web with that browser is really not the best idea, since it's has no new downloads, and has not been supported by Microsoft for quite some time now.

For security reasons, you should only browse the web with Safari, Firefox or the new choice, Chrome.



This video has links to learning more about Chrome.

Safe browsing!

Internet and Facebook privacy

Here is another post about facebook being insecure.  I thought the author did an excellent job making his point, and yes I am a frog, who's facebook account is more public then I may have thought it to be.   On the more radical side, I am not convinced that I mind.  Certainly, I do not like facebook creating confusing policies about my, or others information, and it has done so, but my debate is not about facebook, it is the more fundamental question, How much do I need to keep private?

Sure I do not want to be stalked, and I do not want to have to worry about strangers.  But the problem is not with those people, the very small minority of people who are malevolent.  The problem is the people who are using the information without realizing that it might harm me.  It is the friends of friends, who are looking the images of me, and making decisions about who I am.  It is the possible co-worker who knows someone I know, and thinks maybe I should not be friends with them, or thinks that I should not be a member of some organization that leads us to try to hide the information in the first place.

It is getting harder to hide those things, and maybe that is a good thing, but how can anyone be sure?  Is supporting the EFF a problem? It might be for some people you know.  What about NRA?  Would that be a problem?  I leave the judgments up to you.

I am not sure if this is the time for you to decide not to be afraid of letting people know who you are, and what you stand for, and if you are sure it is not, there are alternatives.  But I for one, am going to stick with the friends of friends, and see how it turns out.