
Peter's Rules of
Computer Information Hygiene
Updated: 1/6/2018

Much has changed in the 5+ years since I last updated my Rules. What hasn't changed is that there are still Bad Guys® out there who want to take your money.

What has changed (and continues to change) are the specific mechanisms the Bad Guys use. The jaw-dropping security failure by Equifax in 2017, along with the recent announcement of 2 new jaw-dropping hardware vulnerabilities, is what has prompted me to finally do this update.

Nota bene: If you call me asking for help and you haven't done (or at least attempted to do) everything on this page, then I will do some combination of laugh at you, deride your woeful inability to protect yourself, or hang up on you. What you won't get is sympathy or respect. You have been warned.

What You Need to Do

Even if you're a hot shot tech person, you need to make sure you have taken the following actions. If you already know how to do these, then read the list and go do them. If you don't know how to do them, I will try to head you in the right direction.

I try to give fairly detailed instructions on how to do each of these in the section Things You Can Do NOW!.

So What Happened?

Two separate events: The 2017 Equifax Credit Breach and the announcement of not 1 but 2 fundamental hardware vulnerabilities.

See the next section, Freeze Your Credit Reports, for more on the Equifax fiasco.

The hardware vulnerabilities are both harder to describe and harder to fix. Most techies are of the opinion that there really isn't anyone to blame for either of these vulnerabilities. They've existed for years and it's only in the last year or so that White Hat Hackers (AKA The Good Guys®) found them.

  • Meltdown: This hardware vulnerability affects essentially every CPU chip manufactured by Intel ... since 1995! (This positively boggles my mind.) The problem is with the chip, so, yes, this includes Windows, Macs and Linux machines.
  • Spectre: This hardware vulnerability affects essentially every chip manufactured by Intel, AMD, or ARM since 2010. You may not be familiar with ARM, but if you have a tablet or a cell phone manufactured by anyone then it's about 99.9999% certain it's using an ARM chip. I've seen estimates that say as many as 2+ billion devices may be vulnerable to Spectre.

Both of these vulnerabilities allow for something called a Side-Channel Vulnerability. This is sort of like someone discovering there is a peephole into the girl's shower room at school. Only this is a peephole into the operating system's private memory. Translation: a successful exploit of either of these vulnerabilities will give the Bad Guy unfettered read access to anything on the machine.

The good news is that there is a "workaround" for Meltdown. A workaround is not a fix, but it's a way of doing things that makes the peephole not work anywhere near as well as it could. The bad news is that the workaround slows down your computer. For a normal user with an over-powered desktop or laptop, you'll probably not notice it at all. For servers, especially those running heavy-weight database software (which does lots of heavy file I/O), the slowdown can be anywhere from 20% to 35%. That means that companies will a) have to apply the patch to the OS, and b) buy/rent 20%-35% more servers. Alternatively they could switch to using servers based on AMD chips, which many companies already do anyway.

With Spectre there is good news and bad news. The good news is that it is a much more difficult vulnerability to exploit. The bad news is that the "fix" is to fundamentally rethink how modern CPUs (Central Processing Units) are designed and built. As we geeks say, this is a nontrivial problem. Translation: it may take a lot of time—at least months, quite possibly years—to come up with the new design. And then everyone will have to buy new hardware; we're talking trillions of dollars here. Yes, it really is that bad.

Meanwhile, make sure your security patches are up to date. :-)
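One way to check whether the patches actually took on a Linux box, as an added example that is not part of the original page: the kernel reports its own Meltdown/Spectre mitigation status in /sys/devices/system/cpu/vulnerabilities/ (one file per vulnerability, present in kernels since 4.15), and this script classifies each entry and lists what is still reported as vulnerable. The SAMPLE_STATUS dictionary is a constructed stand-in so the logic runs on any host.

```python
"""Added example: read and classify the kernel's self-reported
Meltdown/Spectre mitigation status.  Not code from the original page."""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample of the strings those sysfs files can contain.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}


def classify(status: str) -> str:
    """Map one status line to 'mitigated', 'not_affected' or 'vulnerable'."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    # "Vulnerable", "Vulnerable: ..." or any unknown text: treat as unpatched.
    return "vulnerable"


def unmitigated(statuses: dict) -> list:
    """Names of the entries whose status is neither mitigated nor not-affected."""
    return sorted(n for n, st in statuses.items() if classify(st) == "vulnerable")


def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Read every file in the sysfs directory; empty dict if it is not there."""
    if not directory.is_dir():
        return {}
    result = {}
    for p in directory.iterdir():
        try:
            result[p.name] = p.read_text().strip()
        except OSError:
            continue  # skip anything the kernel refuses to read
    return result


if __name__ == "__main__":
    live = read_sysfs() or SAMPLE_STATUS
    for name, st in sorted(live.items()):
        print(f"{name:12s} {classify(st):13s} {st}")
    print("still unmitigated:", unmitigated(live))
```

An empty "still unmitigated" list only means the kernel side is patched; CPU microcode and browser updates are separate items.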

Note: For the truly curious or masochistic in the audience I recommend starting with the announcement released on 1/4/2018 by US-CERT (Computer Emergency Readiness Team): TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance. It's very technical, but it basically says we need to go to the cyber equivalent of DEFCON 2.

And then you might want to go to Meltdown and Spectre: Vulnerabilities in modern computers leak passwords and sensitive data, where you can get information straight from the people who discovered these two Swamp Things.

Things You Can Do NOW!

Freeze Your Credit Reports

In early 2017 Equifax screwed the pooch on an epic scale. As a result of criminal negligence on their part (in this case, failure to apply available, critical security patches to their servers) the highly sensitive details on over 143 million Americans became available to anyone who wanted to pay for them on the Dark Net.

In other words, the Bad Guys now know your name, your address (and all of your previous addresses), your driver's license number, your Social Security Number, and the full account numbers on every bank account and credit card you've ever had. It really doesn't get much worse than that.

Freezing your credit reports means telling the Big 3 — TransUnion, Experian, and (gag!) Equifax — that they can't release your data to anyone who asks for it. This means it will be a bit of a hassle getting a new credit card, or getting a mortgage, but you can always temporarily unfreeze the information and then refreeze it after you've done your thing. The important point here is that the Bad Guys can't open a new account in your name.

Although the freeze/unfreeze process is not free, the cost of not doing it can be ruinous. Maria and I are a) California residents and b) over 65, so State law says we get it for free. Your mileage may vary. Check your own state laws on this.

But don't take my word on this; read what the U.S. Federal Trade Commission has to say about it: The Equifax Data Breach: What to Do.

And here is their Credit Freeze FAQ. Read it and DO IT!

Monitor Your Financial Accounts

Maria is borderline OCD on this point and it is because she is that she knew within hours that our primary credit card had been compromised for over $4,200 — $800+ at Tiffany's online store and $3,400+ at StubHub.

I can't tell you how to do this because the details vary tremendously from site to site. You need to find out how to check the current balance and transaction list for every credit card you have and every other account (bank, brokerage, etc.) you can access online, even if you have never been there online before. If you have no idea where to start, call them and ask.

Why do you have to do this? Because Equifax, that's why.

Security Patches

This is another highly context-dependent area.

... Need ... more ... words ...

Anti-virus Software

Backing Up Your Data

Long, Strong, and Unique Passwords

I'm not going to go into all of the issues surrounding passwords. Suffice it to say that they are a PITA (Pain In The Ass), but you gotta use them.

Most people suck at creating passwords, and the Bad Guys love that aspect of how people use them.

There are three attributes that all good passwords have in common:

  1. They are unique for every site. If one site gets hacked it doesn't automatically make you naked on all of the other sites you have accounts on.
  2. They are made up of a combination of lower case (a-z), upper case (A-Z), digits (0-9), and 'special' characters such as !@#$%^&*(){};:.,<>?/"'.
  3. They are loooong. Like at least 14 characters, but more is better.

The problem is creating and remembering a good password for each site.

The good news is that it is easy to come up with nearly unbreakable passwords that are different for each site you connect to. I have accounts on so many different websites I lost count a long, long time ago. Remember, I've been doing this since 1973, so ... I've had some practice.

Here's how you do it.

  1. Pick a favorite phrase or song lyric. Pick something that has somewhere between 8 and 10 words in it. For this example I'm going to use a Steven Wright quote:

    I intend to live forever.... so far, so good

    But that's too long to type, so let's just use the first character in each word and, for now, ignore case and punctuation. This gives us the beginning of our base password: 'iitlfsfsg'. That's 9 characters long and trivial to remember, particularly if you practice it a few times. My base password is 10 characters long and I can type it in my sleep.
  2. Decide which character(s) to make upper case and which to replace with a number or special character. For example, "I1t1f.Sfsg". So I upper-cased the first character and the 's', put a period after "forever", and replaced the second 'i' and the 'l' with the numeral '1'. That means I have lower, upper, numbers, and special.

    Other common substitutions are '0' (that's a zero) for 'o', '5' for 's', and '7' for 't'. Flavor to taste.

  3. For each site add something from the site name to your base. For amazon.com I might have 'amI1t1f.Sfsg'. Now I'm up to 11 characters of apparent gibberish, except it's not to me!

    I know one person who puts the 'modifier' at the beginning if it starts with 'a' through 'm', and at the end if it's 'n' through 'z'. So he would have the above for Amazon, but Zappos might be 'I1t1f.Sfsgza'.

  4. And for accounts that really matter, make it longer. This is where knowing how passwords are stored is useful. Passwords are not stored as 'clear text'; they are stored as the result of a cryptographic hash. It's sort of like taking a bunch of fruits and throwing them into a blender and hitting purée. What you end up with looks nothing like what you put in, but if you start with exactly the same ingredients (the same characters) you will get exactly the same result. What's important to know is that a cryptographic hash gives no indication of how 'close' you might be to the original. All you get is match / no match.

    So to make it longer ... just add some set number of periods; say 4. For Amazon that would give us 'amI1t1f.Sfsg....'. Using a tool to estimate how long it would take an attacker to 'brute force' guess this password using a multiple CPU botnet, it said it would take about 143 billion years to crack it. At which point I no longer care! :-)

  5. One special note: some sites have stupid, stupid programmers that only allow certain special characters. There's no good reason for this, so it must be simple stupidity. Anyway, for those sites pick some other 'allowed' special character — '!' or '_' or whatever — and replace each instance of '.' (or whatever your normal special character is) with the allowed one. So maybe Zappos doesn't like '.' but they allow '!'. So your password there might be 'zaI1t1f!Sfsg!!!!'.

    Remembering this is a PITA, so for these stupid sites you can write down "Zappos !". It will make sense to you and no one else.
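As an added example (not from the original page), this Python sketch puts numbers on attributes 2 and 3 and on the hashing point in step 4, using the page's own sample passwords: it checks the character-class mix and the 14-character floor, shows that a one-character change to the password scrambles the whole digest, and gives a naive brute-force search-space estimate in bits. That estimate is simply log2(alphabet^length), not the botnet figure the page cites; the SHA-256 call is there only to illustrate the "blender" property, since real credential stores use a salted, deliberately slow hash such as PBKDF2 or bcrypt.

```python
"""Added example: password attributes and the hash 'blender' property.
Not code from the original page."""
import hashlib
import math
import string

# The four character classes listed under attribute 2 on the page.
SPECIALS = "!@#$%^&*(){};:.,<>?/\"'"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS)


def hash_hex(password: str) -> str:
    """Plain SHA-256 digest, for illustration only: a real credential store
    adds a per-user salt and a slow KDF (PBKDF2, bcrypt, scrypt, Argon2)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def bits_differing(digest_a: str, digest_b: str) -> int:
    """Hamming distance between two hex digests, in bits.  For unrelated
    inputs this lands near half the digest width (~128 of 256)."""
    return bin(int(digest_a, 16) ^ int(digest_b, 16)).count("1")


def search_space_bits(password: str) -> float:
    """Naive brute-force estimate: log2(alphabet ** length), where alphabet is
    the union of the character classes actually present in the password."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet)


def meets_rules(password: str, min_len: int = 14) -> bool:
    """Attributes 2 and 3: every class present and at least min_len characters."""
    has_all = all(any(ch in c for ch in password) for c in CLASSES)
    return has_all and len(password) >= min_len


if __name__ == "__main__":
    for pw in ("iitlfsfsg", "I1t1f.Sfsg", "amI1t1f.Sfsg", "amI1t1f.Sfsg...."):
        print(f"{pw:18s} ok={meets_rules(pw)!s:5s} {search_space_bits(pw):6.1f} bits")
    a, b = hash_hex("amI1t1f.Sfsg...."), hash_hex("amI1t1f.Sfsg...!")
    print(a)
    print(b)
    print("bits that differ:", bits_differing(a, b))
```

The base string 'iitlfsfsg' comes out near 42 bits and the padded per-site form near 102 bits; the jump is mostly from length, which is the page's point in step 4.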

Last modified: 2018.01.22 21:28 UTC. © 2007-2013 TechBuddy.us