Tag Archive for 2015

| December 7, 2015
Comments Off on Let’s Encrypt Lives

Let’s Encrypt Lives

Let's Encrypt LivesLet’s Encrypt, an initiative to set up a free certificate authority (CA) on the Intertubes has entered its public beta phase. All major browser makers including Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer trust Let’s Encrypt certificates. In their announcement Josh Aas, the executive director of California based Internet Security Research Group (ISRG), which runs the Let’s Encrypt service, wrote:

We’re happy to announce that Let’s Encrypt has entered Public Beta. Invitations are no longer needed in order to get free certificates from Let’s Encrypt … We want to see HTTPS become the default. Let’s Encrypt was built to enable that by making it as easy as possible to get and manage certificates.

Encryption to protect communications

Lets Encrypt logoLet’s Encrypt is overseen by folks from Mozilla, Akamai (AKAM), Cisco (CSCO), Stanford Law School, CoreOS, the EFF, and others. Let’s Encrypt was first announced in 2014, (rb- Which I covered here). motivated by a desire to steer organizations towards the use of encryption to protect their communications. A key part of the strategy is offering free digital certificates, which is a radical departure from the very hefty premiums that certificate authorities typically charge.

The Register reports that the free cert is no freebie weakling. Lets Encrypt uses a 2048-bit RSA TLS 1.2 certificate with a SHA-256 signature installed and the server configured to use it. The cert gets an A from Qualys SSL Labs.

Let’s Encrypt to offer free SSL/TLS certs

Secure Socket Layer/Transport Layer Security certificatesLet’s Encrypt plans to distribute free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates, which encrypt data passed between a website and users. The use of SSL/TLS is signified in most browsers by “HTTPS” and a padlock appearing in the URL bar. Unencrypted web traffic poses a security risk. For example, an attacker could collect the web traffic of someone using a public Wi-Fi hotspot, potentially revealing sensitive data.

Besides securing your information going across the Internet from spies and thieves, FierceSecurityIT says another key aspect of Let’s Encrypt is to make it easy to generate and install new digital certificates. The Let’s Encrypt CA uses an open source “automated issuance and renewal protocol” that allows for certificates to be renewed without manual intervention.

automated issuance and renewalThe automated issuance and renewal protocol prevents oversights resulting in certificates for live websites expiring, a situation that does happen from time to time. FierceSecurityIT says that short-term certificates also offer better security by reducing exposure in the event that the private keys are stolen.

rb-

Major technology companies including Google, Yahoo and Facebook have made a strong push for broader use of encryption in light of government surveillance programs and burgeoning cyber-crime.

The point of Let’s Encrypt is that anyone who owns a domain name can use Let’s Encrypt to get a trusted certificate at no cost. This will help HTTPS become the default. This is a big step forward in terms of security and privacy.

Instructions for getting a certificate with the Let’s Encrypt client can be found here.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , ,
| December 2, 2015
Comments Off on Networking Haters Guide to Networking

Networking Haters Guide to Networking

Networking Haters Guide to NetworkingTom Searcy posted some good advice for CBS News to improve your business networking even if you hate networking. The article is a couple of years old, but the suggestions her makes are still valid. He says:

working in the sweet spot of your skillsIt’s not all about you. Mr. Searcy explains that if you spend your time meeting people and trying to see if there is a way you can be of help to them, you put your mind in the right order and it is easier. Why? Because you may not be a great networker, but you are a great problem solver. If you can help someone else with an issue, idea, or contact, you are working in the sweet spot of your skills. Along the way, good things will happen for you, too.

Set your goals. When you attend an event, the author recommends you pick out 1-3 people in advance to specifically meet.  If they are not there, or they are completely swamped, go to your backup goal. Set a number of new people, the article suggests five or 10, to meet, ask two questions, and swap cards with.

Set goalsOnce you have hit your number, you are off the hook. You met your goal and you can go home, see a movie, catch the end of the game at the bar, it doesn’t matter. You set a goal and you hit it. Networking events are not a prison sentence if you don’t make them one.

Ask good questions. “What do you do?” “Tell me about your company” and “How long have you been with your company/this industry/this association?” are all typical openers and they get typical answers. Boring. Try a few other questions instead:

“What business problem does your company solve?”

“What is the best example you have of how you are doing that?”

“What has been the biggest win for you/your company in the last six months?”

Good handshake“What do you think it will be in the next six months?”

“What is the most interesting initiative you have planned at your company this year?”

“How will that change your company the most?”

The point is that you want to have thought provoking questions that start a conversation out of the norm. These questions should give you that. Once they have answered the questions, you have just one more to ask, “That’s great, is there some way I can help you?

Exit gracefullyExit gracefully. The article says to make the most of networking events take the initiative to introduce yourself, control the conversation with a few questions, and then exit gracefully.

There is a courtesy to be observed at a networking event that involves not monopolizing someone’s time. This rhythm that she set was the right tempo to accomplish what a networking event should do.

You should come away from the event with:

  • Business cards of contacts with any commitments you made written on the back of the card for you to follow up on the next day.
  • A few new prospects or industry contacts.
  • More information about your industry, competitors, and clients than you had on the way in.

And just a few reminders…

  • Take your business cards to the event.
  • Smile.
  • Be the first to put your hand out and introduce yourself, every time.
  • Send a quick email to every person you have a card from the next day.
  • Thank them for their time and the opportunity to meet them. (This has ridiculous ROI.)
  • Don’t bitch. Just because this isn’t your thing, no one wants to hear that you hate it, the food is bad, the place is loud, the people are weird…

rb-

Congrats you’re there: do your job and go home. Have a process and some guidelines it takes some of the stress out of networking and tolerates it better.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , ,
| November 26, 2015
Comments Off on Happy Thanksgiving

Happy Thanksgiving

Thanksgiving 2015

 

Happy Thanksgiving 2015

Detroit News November 30 1967 J L Hudson’s Thanksgiving Day Parade

 

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Holidays | Tags: , , , , ,
| November 24, 2015
Comments Off on Television Sells Your Viewing Habits

Television Sells Your Viewing Habits

– Updated 03-26-2017 –  Vizio will pay $2.2 million to the FTC and the state of New Jersey to settle a lawsuit alleging it collected customers’ television-watching habits without their permission.

In addition to the $2.2 million in payments, Vizio will now have to get clear consent from viewers before collecting and sharing data on their viewing habits. It’ll also have to delete all data gathered by these methods before March 1st, 2016 according to the Verge.

Television Sells Your Viewing HabitsJust in time for the Black Friday consumerism orgy of spending, Help Net Security reports that you are giving away more than cash when you buy a Smart Television from Best Buy or whoever. It turns out that owners of Smart TVs manufactured by California-based consumer electronics company Vizio (VZIO) viewing habits are being tracked and sold to third parties. The Vizio privacy policy says;

Vizio logo… VIZIO will use Viewing Data together with your IP address and other Non-Personal Information in order to inform third party selection and delivery of targeted and re-targeted advertisements … delivered to smartphones, tablets, PCs or other internet-connected devices that share an IP address or other identifier with your Smart TV.

Vizio’s competitors Samsung (005930) and LG Electronics (LGLD) can also track users’ viewing habits via their smart TV offerings, ProPublica‘s Julia Angwin pointed out, but the feature has to be explicitly turned on by the users. The collection of viewing data by Vizio’s Smart TVs is turned on by default, as is the Smart Interactivity feature that manages it.

Data miningAccording to the IEEE, Vizio smart TVs can track data related to whatever TV programming and related commercials you’re watching and link such data with the time, date, channel, and TV service provider. On most of the over 15 million Smart TVs sold, Vizio will also track whether you view TV programs live or later on. Vizio knows what you’re watching even if it’s a DVD being played on a gaming console or a show being watched via cable TV. The identification tracking technology can differentiate between 100 billion data points.

While, in theory, IP addresses are not personal information, they actually can be linked to individuals if there is enough information (specific attributes like age, profession, etc.) tied to it.

Data collectionProPublica‘s Angwin’s sources, tell her that Vizio has been working with data broker Neustar to combine viewing data with this type of information about the user.

Even though users can turn off the spy technology, which will not won’t affect the device’s performance, the problem is that many, many users won’t bother reading the privacy policy or change the default settings once they set up the TV and start using them.

TechHive reports that backlash against intrusive spying has started. Two lawsuits (Reed v. Cognitive Media Network, Inc. (PDF) and David Watts et. al. v Vizio Holdings Inc et. al. (PDF)) have been filed in California against Vizio and their partners about their data collection habits.

The suits accuse Vizio and Cognitive of secretly installing tracking software on the former’s smart TVs in a way that violates various federal and state laws.

Legal systemThe suits allege that Vizio violated the Video Privacy Protection Act. The Video Privacy Protection Act prohibits any company engaged in rental, sale, or delivery of audio-visual content and not necessarily just videotapes from divulging any personally identifiable information about its customer to a third party, except where the customer has clearly consented to such data sharing.

Of course, Vizio has previously argued it’s not a videotape service provider at all, and so this particular law doesn’t apply to it.

rb-

I pointed out as far back as 2011 that Smart TVs are a dumb idea for privacy.

Consumer Reports offers tips on how to stop your Smart TV from spying on you here.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , ,
| November 20, 2015
Comments Off on Shadiest Neighborhoods on the Web

Shadiest Neighborhoods on the Web

The Internet is organized into domains. Readers of Bach Seat are familiar with the .net domain since you got here. You are also probably familiar with other web neighborhoods like .com where Facebook and Google live. The folks in charge of the Intertubes have added more neighborhoods or technically Top Level Domains (TLD), and now we have over 1,000 TLDs, many of which have only been around for the past two years.

This rapid growth raises questions about how well those in charge of these new TLD’s secure their neighborhood against malware and other threats. CSO Online explains that just like any city, the Web has neighborhoods where dubious activities often take place: spam, scams, the distribution of potentially unwanted software (PUS), malware, botnets, phishing, and other suspicious activity.

Web security and WAN optimization firm Blue Coat Systems (BCSI) regularly analyzes hundreds of millions of Web requests from more than 15,000 businesses and 75 million users to track “shady activity” on the Web. In September, it released Do Not Enter: Blue Coat Research Maps the Web’s Shadiest Neighborhoods (PDF), with a list of the 10 top-level domains (TLDs) on the Web that are home to shady sites.

Blocking traffic to the riskiest TLDsBlue Coat recommends that organizations take steps to protect themselves, including blocking traffic to the riskiest TLDs and cautioning users to be careful clicking on any links that contain these TLDs. It further suggests that users who are unsure of a source hover their mouse over a link to help verify that it leads to the address displayed in the text of the link, or “press and hold” links on a mobile device to do the same verification

Blue Coat’s list of TLDs most associated with shady sites is constantly in flux but here is their September list.

  • .review – The .review TLD is shady mostly due to scam sites, Blue Coat’s Larsen says. “Just looking at the list of domain names, I would say all of the top 15 are scam sites,” he adds, “.review does not seem to be making any effort whatsoever to keep the bad guys out.”

How to read a URL

  • .country – The security firm says the .country TLD appears to have been colonized by scam networks that like to use a game/survey “reward” or “prize” as bait. Blue Coat’s Larsen told CSO there is a strong connection between some of the supporting ad networks on and known PUS networks (adware and spyware). Mr. Larson says, “So if you’d like to block that entire TLD on your Web gateway, I wouldn’t blame you.
  • Faux-lebrity.kim – The .kim TLD hosts some legitimate domains, most notably a Korean tech blog and several Turkish sites. According to Blue Coat, the TLD earned its shady online reputation due to the presence of scam networks linked to PUS, malware, and at least one domain that hosts a domain generation algorithm (DGA) used to pump out domain names that can be used with malware according to the blog.
  • .cricket – Named for the world’s second-most popular sport, the .cricket TLD is another shady neighborhood on the Web. The author notes that while home to some legitimate sites, researcher Larsen points to many instances of search engine poisoning. For instance, StarWarsMovie.cricket pulls lots of random Star Wars items into one place to get traffic — including images clearly lifted from other places.
  • .science – The .science TLD may be a victim of its own marketing. In trying to raise the TLD’s profile, the registry gave away free .science domains and became one of the shadiest TLD’s on the web. Blue Coat’s Larsen described their downfall in the CSO article. “Generally they tend to run into trouble when they run promotions for bulk registrations for really low prices … If you can register a domain for a buck, generally there will be bad guys there registering domains.” He says the .science domains seem to be largely associated with spam, and scam sites. The shady activity included a sizable network of ebook sites, which led to a download network that’s been associated with PUS activity in the past.
  • .work – The .work TLD seems to be more about spam and scams than malware, though Larsen’s team did find a few tentative connections to PUS networks. There were some legitimate sites, though Larsen notes that they might be worth blocking as well. Examples include a Turkish porn site. 
  • .Party domainparty – Mr, Larson told CSO that a number of the sites on the .party TLD may seem legitimate. However, he warns, “There are some yellow flags.” of search engine poisoning. The TLD also hosts a number of MP3 sites — probably piracy or something malicious. There’s also a site that hosts what appears to be a shady tracker.
  • .gq – The .gq TLD is the country code for Equatorial Guinea which Blue Coat’s Larson notes is in many ways a lifetime achievement award winner. He says, “If we look at all of the .gq sites … nearly 99 percent are shady”. Most of the abuse of .gq noted by Blue Coat has been in the form of search engine poisoning and many cookie-cutter “shady video” sites associated with PUS. It also features some “shocking video” spam/scam sites that spread via social media and a smattering of malware, phishing, and porn sites.
  • Barrel full of monkeys.link – The .link TLD is rife with porn content delivery networks and piracy sites, neither of which is counted as “shady” by Blue Coat. There are apparently a handful of legit sites in .link but beyond these legitimate domains are a host of survey scam sites. “Historically, it’s been a place for spammers to live,” Larsen says.

Of course, there are well-run TLD’s. The best according to Blue Coat are:

Safe web neighborhoods

rb-

These TLD’s are why companies like BluseCoat, Websense, and OpenDNS are in business. (OK- Websense and OpenDNS are no longer stand-alone companies anymore. Websense was gobbled by defense contractor Raytheon and then spit out as ForcePoint and OpenDNS has been assimilated into Cisco (CSCO).

You can use these tools to just block almost anybody from going to these shady parts of the web for the reasons explained above.

Related articles

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , ,
« Older Entries   Recent Entries »