Category: Networking

When heartbleed leads to heartache, what’s a person to do?

Image

By now, there’s a good chance you’ve heard about the so-called “Heartbleed” vulnerability recently discovered in the software that is responsible for creating the secure connections between us web users and the sites we interact with.

No? Well here’s a quick re-cap.

Turns out that every time you’ve seen that little yellow lock icon and the "https://" in your address bar over the last two years, your private and confidential info wasn’t as secure as you’ve been led to believe. Around two years ago, the group that is responsible for updating OpenSSL (the free software that tons of sites use to enable encryption), made a small change to the way that software handles secure connections. A small change with huge consequences. That change not only made it possible for a 3rd party– and I mean any 3rd party– to listen in on your secure session, it also made it possible to decode what was being said and from that info they could glean usernames, passwords and potentially credit card and other data too. Yup, it’s as bad as it sounds.

Worse still, OpenSSL isn’t just installed on a few small websites. By all accounts, it’s been implemented on a third of all secure websites, including some monsters like Yahoo and even a few of Google’s too. Revenue Canada was one of them.

Now I know what you’re thinking: Goddamn it. Yet another threat to my personal info. What’s with these companies that they can’t take security more seriously? And you’re right, this is yet another instance of our personal info being exposed thanks to insufficient measures being taken by the companies we trust.

But before we hop on a plane, pitchforks in hand, to show our displeasure to these groups who opened us up to such a deep invasion of our privacy, let’s take a second and consider a few things.

First, even though this flaw has been a part of OpenSSL for nearly two years, it was only in the last week that security researchers were able to identify it and exploit it (that last part being frighteningly easy to accomplish). But as easy as it was to exploit, it was not easy to find. That means that if you’re concerned about your personal info having been stolen during this period, you can probably relax a little. The nature of the exploit is such that only the information that was transmitted during a small window of time prior to someone “listening in,” would be available to an attacker. So unless we’re talking about a very sophisticated group of thieves with the resources to set up 24-hour “surveillance” of vulnerable sites (something that has a few folks screaming “NSA!!”) statistically it’s not all that likely that your info was taken.

But I realize that’s cold comfort. Especially now that the flaw has been exposed and no doubt every hacker worth their salt will be trying it out. But there’s some good news.

Because the flaw is a fairly “real-time” vulnerability, meaning it can only be exploited within a few moments of a secure transaction taking place, if you stay away from vulnerable sites until they’ve had a chance to seal up the hole, you aren’t increasing the risk of your info being taken (assuming it hasn’t been taken already).

So hold tight, and check your favourite sites for news that they’ve taken the necessary steps. How? Here’s a simple tool that lets you input the URL and get the results.

Once you’re fairly convinced that the site has got the fix in place, go and change your password as soon as possible. I know I said the risk wasn’t high, but why take chances? But here’s the part you’re going to hate: Don’t just change all of you passwords to the same, new password. Use a different one for each site. Yes, it’s a total drag but I have two suggestions to ease the pain.

1) Sign up for and use a password service like LastPass. It costs money and it takes a bit of a change of habit to use, but these services create very strong, unique passwords for each site and you only have to remember one (hopefully very strong) password to access everything.

2) If LastPass isn’t your cup of tea (or you simply distrust all of your passwords being kept in one place no matter how much like Fort Knox it may be protected), create your own password template and use it for each site. Here’s an example: Come up with a base for the password, e.g. IronM@nIsCool3rThanTh0r (yes that’s kind of long, but when it comes to passwords, longer is always better). Now, figure out a two or three character way of identifying the site you’re on. For instance Amazon.ca could be “Ama” or “Amz”. You’ll have to figure out which three characters to use, but it’s not that hard. Then throw these characters into your base like so: IronM@nIsCool3rAmaThanTh0r

The idea here is that even if Amazon were to be compromised, the attacker would have to find your username and password and then go about the process of figuring out which of the characters you changed on all of the other sites. This is difficult stuff, best done by humans instead of machines, and most hackers just don’t care enough to try – they’ll be plenty busy trying out passwords that actually work because they’re the same on every site.

Lastly, wherever possible, turn on two-factor authentication. Yes, it’s another painful step in an already painful security environment but this one really does make it tough on the thieves. You can give your mobile phone number to sites and then when you go to log in, they’ll text you a code to your phone. If the thief doesn’t have your phone, they won’t be getting into that site.

Good luck!

 

Advertisements

Cisco Valet: Wireless networking as simple as 1-2-3

Cisco Valet PlusWireless networking is the best thing to happen to computing since the invention of the laptop. Cut the cord and roam around your house, office, cottage, or your local coffee shop all the while still connected to the Internet. No wonder so many people have jumped on the Wi-Fi bandwagon and set up home wireless networks.

But not everyone has taken the leap. According to research by IDC, a whopping 61% of Canadian households still don’t have a wireless set up at home. One reason for this might be that these consumers have no need of a wireless environment. Perhaps their one computer is a desktop and it sits right next to the DSL or Cable modem and never moves. Or perhaps it’s that setting up a wireless network can be a bit daunting. Add to that all of the concerns around wireless security and it’s easy to see why there might be a certain reluctance among some folks to get their hands dirty.

It’s this group of people that Cisco is targeting with a new line of wireless routers, known as Cisco Valet. If you’re familiar with Cisco’s line of Linksys routers, the Valet devices will look very familiar. They share the same thin, rounded-wedge profile as their Linksys brethren but sport a friendly silver and white paint job which gives them a more approachable look when compared to the shiny-black Linksys units.

When you open the box, there is no instruction booklet - just the router and a USB key.

When you open the box, there is no instruction booklet - just the router and a USB key.

The key difference between the two product lines is simplicity. While the Valet routers pack much of the same leading-edge wireless software and chipsets as the Linksys boxes, they come ready out-of-the box requiring almost no set-up or customization.

The Valet is aptly named. The whole experience is just like dropping off your car with a (good) valet: you hand them the keys and your parking troubles are instantly dealt with. In the case of the Cisco Valet however, it’s you who gets the key – a USB key in fact – that comes with the router. It’s this key that is, er, key, to the easy set-up.

1. Grab the USB key and plug it into any wired or wireless computer in the house.
2. Grab the Cisco Valet and connect it to your DSL/Cable modem and a power outlet.
3. Follow the step-by-step on-screen wizard on your computer.

valet-screen-1

Click for larger image

A few screens and easy to understand choice later, and you’ve set up a fully secured Wi-Fi network that lets you surf the Internet (and do tons of other things) from anywhere in your home.

If you need to get other computers connected, just remove the key and repeat steps 1 and 3.

A few weeks ago I wrote about one of my favourite new products – the Kodak Pulse digital frame. It’s a photo-frame that lets you update the images via email, without needing a PC. But as someone rightly pointed out in the comments, the frame is useless if the person who buys it (or gets it as a gift) doesn’t have a Wi-Fi network. The Cisco Valet is the perfect answer to this problem, since even though it *does* require a PC for the initial set-up, the process is so painless, it makes an ideal companion to the Kodak frame.

valet-screen-3

Click for larger image

In case you’re worried that the Valet is so dumbed-down that it lacks the advanced settings needed to do more sophisticated things like port forwarding, don’t be: Behind the elegant Valet user interface is a full web-based set of menus which give you the same access to the router’s inner-workings as you would find on any of the Linksys products. But I have a feeling very few people will ever want to peek behind the curtain.

My favourite feature of the Valet – beyond the incredibly easy set up – is the “guest” function. When you set up the router, it automatically creates a secondary network, one that is completely separate from the network that now connects all of your home equipment.

This second network is effectively a tunnel directly onto the Internet, to which you can grant access at any time, and to any person. Say your friend comes over with their iPod Touch and wants to download a new app. No problem. You simply give them the name of the secondary network and an easy-to-remember password and they’re online in seconds. But at no time can they access any of your computers, networked storage devices or any other piece of equipment in your house. Best of all, if your guest happens to be one of your children’s friends, you can impose the same rules around which websites are off-limits.  That way no one ends up seeing something they shouldn’t.

The Cisco Valet is a Wi-Fi N product which means that if you have a Wi-Fi N equipped PC or other device, you will experience greater speeds and much greater wireless range than the previous “G” generation of wireless products. In fact, even if your devices are still the older “g” standard, you will likely get better range and performance, if not faster speeds, than your older “g” router.

You can pick up the Valet in one of two flavours: the regular Valet which at $99 is the best value for small homes and businesses, and the Valet Plus at $129 which is a better device for larger homes or businesses that need additional wireless range.

If you’ve ever considered creating a wireless network for your home or office, but have feared the complexity of such a set up, Cisco’s Valet family of products is easily the best solution.

Which apps would you like to see on the iPad?

Image courtesy of ThinkFlood

Image courtesy of ThinkFlood

Okay, so the iPad wasn’t quite what people were hoping to see when Steve Jobs took the stage last month to unveil Apple’s latest gadget. But let’s not dwell on the past. Instead, given what we know of the iPad’s specs, how can app developers take an overgrown iPod Touch and turn it into a device that we can’t imagine living without?
Here are two activities that would make the iPad worth the price of admission for me…

1. The best darn universal remote – Period.

I’ve been a long-time fan of Logitech’s Harmony universal remotes. They combine ease-of-use, no-hassle programming and fairly intuitive help feature when things go awry. But their touchscreen edition – the Harmony 1100 –  is $399 U.S., only $100 less than a base iPad.

Why not use the iPad instead? I’m not the first person to think of this. Add-on and app developer ThinkFlood, which has already created a universal remote solution for the iPhone/iPod Touch, known as RedEye, is now working on their next iteration for the iPad. ThinkFlood uses Wi-Fi to communicate with their infrared transmitters which means walls and other objects aren’t an issue. It’s superior to other solutions that use BlueTooth.

ThinkFlood transmitters aren’t a bargain at $188 U.S., but their app is free as are all updates that they release.

2. Appliance/electricity monitoring

Helping people make more efficient use of their electricity and other energy sources is something that a number of the big tech companies are working on. Google’s home-grown PowerMeter initiative gathers data from the smart meter on your house and displays the stats on your iGoogle homepage.

Intel's Home Energy Dashboard proof of concept

Intel's Home Energy Dashboard proof of concept

Intel has created a proof-of-concept called the Home Energy Dashboard, an OLED touchscreen panel that is intended to display the vital stats of your home’s energy consumption. Using a new wireless technology known as ZigBee (a wireless protocol similar to Bluetooth and Wi-Fi intended for tiny, power-sipping sensors and other home appliances), the panel can also gather consumption information directly from individual appliance from around your home. Similar to PowerMeter, the idea is that by simply seeing your energy use in real-time, you are more likely to engage in conservation. Unfortunately, Intel’s concept is just that – a concept, with no pricing or availability dates.

 A similar execution by SilverPac, will cost $600 and is scheduled for a Fall 2010 release.

But why buy a dedicated device when the iPad could easily fill this role? It only lacks ZigBee communication but I’m sure a small ZigBee dongle could be fitted to the iPad’s dock connector, or better yet, someone could build a ZigBee-WiFi bridge that would facilitate communication between the two protocols.

The app could be created by Google, which would make sense if it displayed PowerMeter data, or by individual utilities. Here in Ontario, home owners who have a Toronto Hydro Smart Meter can already access their energy consumption online. A recent Toronto Hydro program called PeakSaver, gave away free iPod Shuffles and a $25 rebate check to customers who agreed to let the utility take control of their AC systems during high-demand periods. Giving away free iPads would make an even smarter (if more expensive) incentive for reducing electricity needs during peak times.

So there you have it – a Universal remote and a home energy monitor. Two potential uses for the iPad that go outside the traditional spheres of web surfing and media consumption. What else would you like to see the iPad do?

Update Feb 18, 4:25 PM

If you’re still doubting the case for an iPad as an uber-remote control and/or energy monitor, check out what the President of Savant AV, Jim Carroll, has to say about the release of the device. He’s very impressed by the iPad, and that means something. Savant is the creator of a whole-home automation system based entirely on Apple technology. I recently had a chance to see the Savant system in action and was amazed by the way everything in your home could be controlled from a touch-screen interface. Savant’s control scheme not only looks a LOT like the iPhone interface, they’ve created an app that can run the whole system from an iPhone or iPod Touch. Clearly a specialized version of this app for the iPad’s larger screen is the next move for Savant. I have no doubt the combination of Savant’s automation technology and the iPad will be positively drool-worthy!

Take your Wi-Fi with you anywhere with MiFi

Image courtesy of slashgear.com

Image courtesy of slashgear.com

The answer, until recently has been “sorry chum, you’re out of luck”. That is unless you have a rocket stick for your laptop and you do some clever network tweaking in Windows 7.

Thankfully, there is now a much more sophisticated and robust solution in the form of the MiFi 2372 Intelligent Mobile Hotspot. Just released on the new Bell Network, think of this tiny gadget as 3G rocket stick and Wi-Fi router all rolled into one, plus a handy MicroSD slot which can act as a shared drive of up to 16GB.

You’re even free from the hassle of finding an AC outlet as the MiFi sports an internal rechargeable battery which the manufacturer claims can last for up to 4 hours on a single charge.

Here are the detailed specs:

  • Connects up to five Wi-Fi enabled devices simultaneously
  • Computers, PDA’s, cameras, music players, personal and game players and more
  • Rechargeable Lithium Ion Battery
  • GPS- enabled
  • Advanced internal antenna system
  • NovaSpeed® capable
  • Auto-install and auto-connectivity
  • 10M (30 ft) range of network coverage

The possibilities with a gadget like this are endless, but some of the ways it could be used include:

  • Turn your car into roving internet access port. When on vacation with the family, all of the passengers could be running internet-connected devices from netbooks, to MP3 players to portable gaming systems like Nintendo DS or Sony’s PSP and PSP Go.
  • Set up ad-hoc gaming parties in almost any location.
  • Internet for the cottage, campsite or cruise ship: You no longer need to wonder if there is internet access when you head out on vacation.

The MiFi allows up to 5 devices to connect via Wi-Fi and can support download speeds of up to 7.2 Mbps and uploads of up to 5.76 Mbps.

For more info on the MiFi and Bell’s 3G data plans, check out Bell.ca.

Update: May 10, 2010

Looks like there’s a wee problem with Novatel’s MiFi product. Apparently the battery may “swell” and that, obviously, isn’t good. If you own one of these units, either through Bell or one of the other service providers that offered the MiFi, be sure to get in touch and see what they will do for you. Bell customers are getting their MiFi’s battery swapped free of charge, and during the 6-8 week turnaround time, they will be sent a Novatel TurboStick 3G to tide them over.