Workaday Haiku

I was witness to a conference call recently that was so absurd, the only appropriate response was haiku.

Passionate fighting,
Palpable feelings of angst.
Arbitrary rules …


They argue with zeal,
Geeks inspired by InfoSec.
Who would have thought it?


Creating a Secure Password

Don’t Panic!

Creating a secure password can be a nerve-wracking experience.  It seems like every system you log into has different password requirements, and they never tell you what the requirements are until you’ve racked your brain to come up with something and typed it in – then you find out you can’t use this or that symbol, or you have to have a capital AND a numeral, or you have to have so many characters.  And you wonder, if I make a long enough password with all those numbers and things, how on earth will I ever remember it?

You’re right – it is complicated, and challenging too.  It’s so frustrating, in fact, that even after all the dire warnings many people still just give up and use a pet’s name, a child’s birthday, or something as simple as Welcome1 or ABC123. You might as well use “hackme” as your password if you go this route.

Don’t give up!  You CAN have secure passwords that you can remember.   Here is your handy guide to creating a memorable, secure password that should work on almost any system.

Take a phrase that you know you’ll remember and use the first letters of each word.  Capitalize one or two letters, and substitute numbers and symbols for some of the others.   Voilà!  Instant secure password.

Here’s a 5-step guide to walk you through it the first few times.  After that, it comes easily!
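As an added example (not part of the original post), here is the phrase method above written out in Python: it builds the password from the first letters of a phrase and then checks it against the kinds of rules the post complains about (minimum length, a capital AND a numeral, a symbol), plus the throwaway passwords the post names. The substitution table, the sample phrase and the length threshold are my own assumptions.

```python
import string

# Assumed substitution table (my choice, not from the post): letter -> numeral/symbol
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Passwords the post names as examples of what not to use, kept as a tiny denylist
KNOWN_WEAK = {"welcome1", "abc123", "hackme"}


def phrase_to_password(phrase, capitalize=(0,)):
    """Apply the post's method: take the first letter of every word, capitalize the
    words whose index is in `capitalize`, and swap the other letters that appear in
    SUBSTITUTIONS for a numeral or symbol."""
    out = []
    for idx, word in enumerate(phrase.split()):
        first = word[0].lower()
        if not first.isalpha():
            out.append(first)                 # a word starting with a digit/symbol is kept as-is
        elif idx in capitalize:
            out.append(first.upper())
        else:
            out.append(SUBSTITUTIONS.get(first, first))
    return "".join(out)


def check_requirements(password, min_length=8):
    """Evaluate the common rules one by one; returns rule name -> passed."""
    return {
        "length": len(password) >= min_length,        # min_length is an assumed threshold
        "capital": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "numeral": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
        "not_known_weak": password.lower() not in KNOWN_WEAK,
    }


def meets_requirements(password, min_length=8):
    """True only when every rule in check_requirements() passes."""
    return all(check_requirements(password, min_length).values())


if __name__ == "__main__":
    # Constructed sample phrase; "F$@$y@0fbf" is what the method yields for it
    pw = phrase_to_password("Four score and seven years ago our fathers brought forth")
    print(pw, check_requirements(pw))
    print("Welcome1", check_requirements("Welcome1"))
```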


When you’re moving in the positive …

Yesterday, the first day of spring, had a Stevie Wonder soundtrack. I listened to “Master Blaster” (Jammin’, not the Mad Max character), “You are the Sunshine of my Life”, and other great songs. It was an excellent theme for the morning, as I walked the puppy from the east side over to the west side, around the neighborhood and back. 3 hours of non-stop Stevie.

The combination of Stevie, sunshine, puppy energy, and flowers & leaf buds everywhere made for a fantastic morning.  Bass and enthusiasm and undying optimism.  Even the righteous anger of “Cash in your Face” has a sense of determination that stems from hope and joy.  Stevie can make unrequited love a matter of hope and optimism.  It’s a great way to start the weekend and the spring.

Today is LoFi.  Lots of piano pounding and distorted guitar.  I think tomorrow may have a punk-funk fusion motif:  RHCP, Cake, Death, and Sublime.  Don’t know Death?  You should definitely get acquainted.


iPhone Security Vulnerability

Industrious hackers have developed a new way of compromising the iPhone. The good news: the user is warned in advance and has to take an action that allows the compromise. The bad news: the warning looks legit.

phony iPhone security update

You see, there’s a feature on the iPhone that’s little known to most users that allows nice IT folks to mass-configure a bunch of iPhones at once and roll the new configuration out to users in their company. This is a Good Thing: you don’t have to bring your iPhone to the IT guy to have it updated, and she doesn’t have to touch 300 iPhones individually. Users see a notice like this one, telling them who is making the update and whether their identity is verified or not. The user decides, based on what they see and what they know, whether to click the [Install] button or the [Cancel] button.

Unfortunately, black hats have figured out how to fake the identification and its verification, so that a bogus update can come in the guise above. In this example, the notification looks like it’s official, like it’s verified that the update is coming from Apple. In fact it’s a hacker, looking to change the configuration on your phone.  Remember, Apple always provides its updates through iTunes, and never by using these notifications.

How could this be used maliciously? Well, they could use it to route your web browser (like Safari) through their own proxy server, capturing your user IDs and passwords as you log into your bank, your utility company, your corporate intranet, your Facebook account.  Or they could simply use it to mess with iPhone owners by changing your email or carrier settings or other things, basically making your phone stop working for you. And they can even make it so you can’t remove the configuration file, meaning you have to wipe your iPhone and start over.  CryptoPath described the issue and some of its ramifications in technical detail in January.

What do you do if you get one of these – from Apple, or from some other organization that’s not supposed to be touching your phone?

Repeat after me: Click [Cancel].