17 August 2008

Snap!

Posted by Todd under: General Banter.

Wow, I have been busy. I have a project in the works and got some life issues that are taking a lot of time, as well as taking a bit of a break so to speak without getting burnt out. I’ll be back soon with some more nonsensical gibberish and watch as my Feedburner stats fluctuate between 4 and 0 readers. *snort!*


11 August 2008

Passwords and Security

Posted by Todd under: Web.

For the longest time, when I have been fixing computers and/or setting up programs and e-mail accounts for people I have always, ALWAYS told my customers/clients, “Please use an alpha-numeric password with special characters so your account(s) do not get hacked. Here’s how.”

Too many times, I have seen people use accounts that are just “joesmith” or like President Skroob in Spaceballs;

1 2 3 4 5? That’s amazing! I’ve got the same combination on my luggage! Prepare Spaceball 1 for immediate departure!

Too many times, I have asked someone for their password to fix something or to help them with an issue and heard basically the same thing, which is, “Oh, my password is my (phone number, birth date, SS#, etc.).” or “The password is ‘password’.” Or “admin” or some other instance of something real easy to remember and real easy to steal.

That’s when I kick into teaching mode and educate.

I was reading these two articles;

Article 1 | Article 2

Article One deals with the issues of simplistic passwords and how simple passwords aren’t enough. Take this quote from the article;

Password-based log-ons are susceptible to being compromised in any number of ways. Consider a single threat, that posed by phishers who trick us into clicking to a site designed to mimic a legitimate one in order to harvest our log-on information. Once we’ve been suckered at one site and our password purloined, it can be tried at other sites.

and that is true. People have to, they MUST use better judgment. I strongly suggest to people, customers, clients, friends and family alike, please, please, please think before you click! Look at the address in the address bar, look at the address bar in the status bar on your browser of choice when you hover over a link, does it look right? Does it seem right?
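Whether an address "looks right" comes down to which host the browser will actually contact. The sketch below is an added example, not part of the original post; the function name `inspect_link` and the `.example` links are constructed for illustration.

```python
from urllib.parse import urlsplit


def inspect_link(url, expected_domain):
    """Return (trusted, reason) for a link that claims to lead to expected_domain."""
    parts = urlsplit(url)
    # hostname is what the browser connects to; urlsplit lower-cases it.
    host = (parts.hostname or "").rstrip(".")
    expected = expected_domain.lower()

    if not host:
        return False, "no host in link"
    # Exact match, or a true subdomain such as www.<expected>.
    if host == expected or host.endswith("." + expected):
        return True, "host is " + host
    # Text before "@" is login data, not the site being visited.
    if expected in (parts.username or "").lower():
        return False, "expected name only appears before @; host is " + host
    # The expected name buried inside a longer, unrelated host name.
    if expected in host:
        return False, "expected name is part of another host: " + host
    return False, "host is " + host


# Constructed sample links; the .example hosts are placeholders.
SAMPLES = [
    "https://www.facebook.com/login.php",
    "https://www.facebook.com@login.example/",
    "https://www.facebook.com.login.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", inspect_link(link, "facebook.com"))
```

Only the first sample is accepted; the other two contain the familiar name but resolve to a different host.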

OpenID is suggested but half the companies that use it don’t want to integrate with other companies because of the liability factor. There must be, and should be consistency throughout the web with this technology if this is going to work. Right now, there isn’t and it isn’t the best technology available. What is? I have no clue, but it certainly isn’t web-based passwords or the plethora of OpenID-like technologies.

The second article deals with Facebook and the laughable things that they do. Obviously, the ball is often dropped over there at Facebook.HQ. They tell users never to enter passwords on other sites because of the security factors, yet they ask for your e-mail passwords when you try to find a friend via your e-mail address books at Hotmail, Yahoo, AOL or some other e-mail account service you own.

Like the title reads: Never Ever Enter Your Passwords On Another Site, Unless We Ask You To.

So it’s OK to preach about security and tell users to please practice what you preach, but when it comes to actually practicing what you are preaching… you don’t. Isn’t that counter-productive or ironic?

As a Facebook user you can help us protect you by doing the following things:

* Report any spam message or posting you see. The more reports we get, the easier it is for us to respond decisively.

* Never share your Facebook password with anyone. Never. No Facebook employee will ever ask for it, and no one else should know it. If you are ever prompted to log in to Facebook, make sure it’s from a legitimate Facebook web address. If something looks or feels off, go directly to www.facebook.com to log in.

I have two problems with this quote;

Why would I be getting ANY spam in the first place, oh yes, because anyone can post an ad about anything and send someone messages unless they’ve cranked up the security in the account options. Never mind the fact that the “Report Spam” link is only found in the Inbox - Updates section. I couldn’t find a “Report Spam” link anywhere else. Not in the Notifications tab, not the Messages tab, not the Wall posts, nowhere. I looked for 20 minutes. Nothing.

and;

“If something looks or feels off, go directly to www.facebook.com to log in” How about REPORTING IT to Facebook?! Don’t you think someone at Facebook would want to know there is a phishing site or some mirror/spoof site that is trying to gain access to accounts using these techniques?! Look at Paypal, they tell you to send them an e-mail when you get a suspicious e-mail. I have quite often, hopefully resulting in the culprit being caught or at least stopped.

Now, the head of your “Security” department, head of security Max Kelly, a former FBI computer forensics examiner, should be doing his job. So far, security at Facebook has grown considerably since its inception, but there still needs to be strides made. Common sense items such as the issue I raise, still go overlooked. That’s common sense. Change it.

From the second article, comes this quote;

The Facebook security team have stated what is good practice on their blog, perhaps it’s time for them to direct their energies internally and evangelize support for oAuth and other open data formats as both a more secure and convenient mechanism for data exchange.

and this holds true. Nearly $500M in funding can surely get you someone there with a little common sense to look at the obvious items that need to be addressed instead of paying someone $100k a year to slap a “Report Spam” link on one page, under one tab of your social networking site. Can you hear me Mark Zuckerberg? I’ve seen better security screening at a TSA checkpoint in LAX.

Someone is riding in the security wagon that your team comes to work in, but who is driving? Apparently, not Mr. Kelly.

In short, if you are reading this, there are obvious steps to take to protect yourself online as far as passwords go;

  1. Never give out your passwords to anyone or any website. Period.
  2. Change your passwords weekly or monthly. Notate this on a notebook and lock it up in a lock box or safe.
  3. Use letters (upper-and-lowercase), numbers, and special characters for your passwords.
  4. Do not use the obvious for your passwords.
  5. Don’t substitute special characters for letters or numbers; that has now been figured out for the most part by malicious users looking for passwords.
  6. If a website asks you for your password somewhere else, just say no.
  7. Always watch the address bar, it takes only a second to glance up. If the address or URI/URL seems weird, get out of there.
  8. Don’t click on every ad you see and enter your e-mail for everything you read. If you hate spam like I do, these will only attract more spammers to send you more garbage.

Now, these may seem naive, coming from someone not well-versed in internet security, but I think that list is only a list of common sense approaches to protecting your e-mail and your passwords. If anyone wants to add anything to that list, feel free to leave a comment.
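Items 3, 4 and 5 of the list can be checked mechanically. The code below is an added example, not from the original post; `check_password`, the tiny `COMMON` denylist and the sample passwords in the comments are constructed for illustration.

```python
import re

# Constructed sample denylist; a real check would load a large list of leaked passwords.
COMMON = {"password", "admin", "12345", "letmein", "qwerty"}

# Look-alike substitutions that password-guessing tools already undo (list item 5).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

CLASSES = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
           "number": r"[0-9]", "special": r"[^A-Za-z0-9]"}


def check_password(password, personal=()):
    """Return the list of problems found; an empty list means none."""
    problems = []

    # Item 3: upper- and lowercase letters, numbers and special characters.
    for name, pattern in CLASSES.items():
        if not re.search(pattern, password):
            problems.append("no " + name)

    lowered = password.lower()
    # Two views of the password: as typed, and with substitutions undone.
    raw = re.sub(r"[^a-z0-9]", "", lowered)
    unleet = re.sub(r"[^a-z]", "", lowered.translate(LEET))

    # Items 4 and 5: an obvious word is still obvious when dressed up.
    if any(word in raw or word in unleet for word in COMMON):
        problems.append("built on a common password")

    # Item 4: names, phone numbers or birth dates supplied by the caller.
    for detail in personal:
        token = re.sub(r"[^a-z0-9]", "", detail.lower())
        if len(token) >= 4 and (token in raw or token in unleet):
            problems.append("contains personal detail")
            break

    return problems
```

A password such as `P@ssw0rd!2008` satisfies item 3 yet is still reported as built on a common password, which is the point of item 5.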


10 August 2008

The Font Game

Posted by Todd under: Typography; Web.

Over here is a really fun game of guessing the typefaces of fonts.  I got 15 the first time around then fared better the second time around with 22/34. Have a crack at it and try and score the best! 34/34 is the best and I don’t know how they did it, but they must know their typefaces!


9 August 2008

Shocked

Posted by Todd under: General Banter; Life.

RIP, Bernie Mac

RIP Bernie. I was shocked to read this tonight. Very shocked indeed.


9 August 2008

I Took It

Posted by Todd under: Web.

and if you’re a web professional, so should you.

The Survey, 2008

It took me awhile to post it, but I finally have gotten around to it. Take it if you’re in the web field. Designer, developer, whatever the case may be. Then, when the numbers and stuff are released, if you’re like me, you’ll be interested in the results.
