The Dillon M134D Gatling Gun is the finest small caliber, defense suppression weapon available. It is a six barreled, electrically driven machine gun in service with the US and Allied Armed Forces.

Here is Richard “Mack” Machowicz from The Discovery Channel’s show Future Weapons giving the run down on the fastest gun on the planet. 3,000 rounds per minute is an awesome weapon!

Now, have you ever wondered what all those extra SUV in a Presidential or VIP motorcade are? You know the ones with blacked windows that no one gets in or out of. Wonder no more… They have a 6 barrel 7.62 mm or 308Win mini Dillon gun… which fires over 3,000 rounds per minute. The wipers need to be run to remove spent casings when the weapon is firing.The vehicle is also armor plated.

Here is my boy Jesse James putting a Dillon Gun to work on a car in the desert!

Oh, in case you thought I was kidding about the SUVs actually being equipped like this, here’s the proof:

And now here is how the pros do it from a moving chopper!

Related posts:

1. Newest Machine Gun Technology Obliterates Tanks
2. Christopher Walken, Weapon of Choice
3. Human Weapon Kicks Ass!

You know how people are always talking about Ft. Knox being really secure? Well, here is the civilian equivalent!

Iron Mountain Inc is a company specializing in data storage. The best known Iron Mountain storage facility is a high-security cave in a former limestone mine at Boyers, Pennsylvania near the city of Butler in the USA.

It has been in operation since 1950, and it is here that Bill Gates stores his Corbis photographic collection in a refrigerated cave 220 feet underground.

Related posts:

1. Iron Man Movie Trailer
2. Aerial Photos of Mount Ranier for Your Desktop Wallpaper
3. Cave With Bus Sized Crystals Found in Mexico

Windows security is sad. Although most of you have probably already read my article about using strong passwords, even the strongest passwords won’t keep your Windows login account from being penetrated. In fact, it takes only a couple of minutes to gain complete access to a Windows system using nothing more than a free CD ROM.

Now, if there is any good news – people are constantly locking themselves out of their personal laptops and home computers by forgetting the password. And recently I’ve had two different friends do this within a period of a couple of days. So you guys know how this works… when I start getting requests, I document the solution.

So, how easy could it be? Here are the instructions:

• Download the ophcrack CD. (Bad news, it’s 455 MB.)
• Burn it to a CD ROM. (ImgBurn is fantastic freeware for this purpose.)
• Put the CD in your machine and reboot it.

You should be able to follow any of the on screen instructions and have access to your computer again within minutes. Here is a little video demonstrating the process, though it’s highly unnecessary.

Related posts:

1. How I’d Hack Your Weak Passwords
2. The Worst Microsoft Advertisement EVER (Hint: Windows 386)
3. Windows Update for FireFox and Opera Users

Uugh. The Transportation and Security Administration (TSA) has really fulfilled their goal of making life for a billion travelers a year completely miserable. You know what TSA stands for?

• Thousands Standing Around
• Take Scissors Away
• Truly Stupid Activities

From the Washington Post:

Travelers and their advocates have long complained that lines are too long at many airports, that some security measures seem inconsistent and that security officers seem to be in short supply.

Others say that TSA officers seem to be doing little but hanging out at checkpoints, even when the lines grow.

Yeah, I’ll agree with all of that. Why is it that every time you travel you have to go through screening stations where there are extra TSA agents standing around – yet there are additional scanning machines sitting idle that they just refuse to turn on!

Grrr.

Also see The TSA Does It Again…

Related posts:

1. The TSA is Going to Photograph You Naked!!!
2. This Kid Knows How to Travel
3. Computing System Security Tutorial

Bruce Barber, from the Real Life Survival Guide, recently interviewed me via phone for a segment on Password Security. That segment will go live today on Connecticut Public Radio, so I’d like to welcome any visitors stopping by as a result.

For the rest of us that don’t happen to live in Connecticut, here is the interview as graciously provided by Bruce.
Real Life Survival Guide Interview

As further reading on the topic of password security, please see my complete article on How I’d Hack Your Weak Passwords. And if you are looking for the password manager I referred to called Roboform I created a short RoboForm Demonstration Video to get you started.

You’ll also find over 30 other related articles in the Security category.

For the regulars around here, you really should stop by Bruce’s site and listen to his other interviews (he’s even got an RSS feed to subscribe to). There are a lot of great tips, and he is a true professional so these are high quality audio clips. Believe me, if it weren’t for the magic of Bruce’s editing prowess mine wouldn’t have been very good!

Related posts:

1. Hack Outlook Passwords in 10 Seconds Flat
2. How I’d Hack Your Weak Passwords
3. Tutorial: How-to Recover Windows Login Passwords

There is nothing like instilling a little fear, uncertainty, and doubt (FUD) to help sell a product… or a consulting service!

Some young guys in L.A. garnered some serious attention when they told ABC News that they could hack cell phones of the rich and famous. And this short video is the result of that claim.

Now, my only problem with this video is that they get everyone all worked up about the fantastic security risk, but then never actually define how the attack is taking place or what can be done to guard against it! Morons.

I can only assume that the vulnerability being exploited here is one called Bluesnarfing. It is an attack which utilizes the Bluetooth functionality of most new phones. This is the wireless function that allows you to wear that dorky earpiece and annoy everyone around you in the mall.

Luckily the UK’s TV show, The Real Hustle has a much better explanation of what is going on and how to prevent getting Blue-Jacked!

Related posts:

1. iPhone Get’s Punk’d at the Cell Phone Reunion
2. Scan Business Cards with Your Cell Phone
3. Don’t Talk on the Cell Phone While Driving

Folks, I was at the airport and I popped open my laptop to hop on the net and upon doing so I encountered a seriously sneaky bastard. Do you see anything wrong with the image below?

Well, hopefully you notice the little icon of a laptop beside the network entitled “Free Public WiFi”. This is NOT a free wireless access point, but instead a laptop computer that someone has configured to capture your personal data and rob you blind.

The way this scam works is that a criminal entices unwitting suspects to connect to the Internet through their computer. Meanwhile, they are running packet sniffing software to read every bit of unencrypted data passing through it. This includes every web page you visit, the e-mails you write, and even the instant messages you send.

Why would someone want to do this? Because if they listen to what you say long enough they are eventually going to capture a password or some personally identifying information that could prove useful to them.

Oh, and if that isn’t bad enough, once your laptop is connected to theirs, you have opened the door for them to scan all of the ports on your machine in the hopes of finding a security loophole. If they do find one, they could install a rootkit or some other malware on your machine, turning it into a mindless zombie under their control from now on.

So, the bottom line here is, don’t be randomly connecting to just any old network you see. You need to ensure that you are actually connecting to a wireless access point (you can even tell Windows to ONLY show WAPs), and that you have a software firewall installed (see my list of Top 50 Favorite Freeware for recommendations).

Edit: Thanks to Kim for pointing out that there were YouTube videos on this topic. I found these two which share a little more info. The first is from Chris Pirillo:

Next is from a local news channel:

Related posts:

1. The Scariest Thing on the Internet
2. Access Your PC From Anywhere (FREE!)
3. One More Reason not to Trust Bank Security

Folks, as you know by now whenever I come across security threats I like to share them. And this one is actually pretty pressing.

With a specially modified blank key and a small hammer – or even stick, 90% of home locks can be picked in a matter of seconds. The technique is called Lock Bumping, and the instructions are now all over the Internet.

Take a look at this news report, and then please take appropriate action to ensure that you are not vulnerable.

Related posts:

1. UN on Security Concerns Regarding ID Theft
2. BMW’s Laser Cut Key System Defeated… Easily
3. One More Reason not to Trust Bank Security

I keep wondering two things, why does the RIAA continue to persecute people, and more importantly why do people do stupid enough things to keep getting prosecuted?

That organization exists for the sole purpose of suing the pants off of people, but they can only do so when people leave plenty of evidence about their activity – namely hosting content on their computers and allowing others to download it. Most of the time it seems these foolish people aren’t even aware that what they are doing by running Kazaa, eMule, Gnutella, or some other file sharing application puts them at risk.

But why in the world would anyone share their music, movie or software collections via open, anonymous connections? Especially when there are other virtually risk-free alternatives? (By the way, know your rights if RIAA comes calling.)

Now, I’m not advocating that people steal stuff online.

When it comes to software there are plenty of freeware and open source alternatives for just about anything you could want to do. Long ago I published a list of My 51 Favorite Freeware Apps which I recommend and use on every machine I own. But if you are going to download some software or music online, then at least don’t be an idiot about it!

• Don’t use file-sharing applications! Many of them have all sorts of mal-ware built into them, and you will compromise your computer just by installing them! Not to mention the fact that by design they leave a great big open hole into your hard drive that people can put and take things in and out of. Don’t do it!
• Google is all you need. In many cases Google will serve up exactly what you are looking for. You just have to learn how to do a search correctly (see below).
• Usenet is a sure bet because it isn’t free. Everyone wants something for nothing. But didn’t your mama ever tell you that nothing in life is free? Well, Usenet has a cost – but it contains just about everything in the known digital universe.

**–WARNING!!–**

There are bad people out there looking to take over and control your computer and ruin your life. They use viruses, trojans and other mal-ware, so I don’t recommend you follow any of the instructions below. If you are going to do so, make sure that you have your anti-virus and firewall software up to date and activated. If you need recommendations for good ones see my freeware listing above.

You have been warned!!!

How to Bootleg Music using Google

It is pathetically simple to download just about any song you want using nothing more than Google. All you need to do is search using the terms “index of” along with the name of the song or artist. Using the quotes around “index of” helps narrow the results to directories that contain files.

For example, lets say you like the song Stacy’s Mom by Fountains of Wayne. Do a search on either “index of” stacy’s mom or “index of” fountains of wayne. Very quickly you’ll find some listings that look something like “Index of ./Music/” and guess what you’ll find in them.

It’s all there: The Beatles, Elvis, Pavarotti, Harry Potter audio books… whatever. Here, I’ve even built a custom little search form (with a few added improvements) to demonstrate. You may have to check several of the results because spammers try to capture some of the most common search terms with fake listings.

To use the search form replace “ENTER-SEARCH-TERMS” with your search terms inside the first set of quotes.

How to Bootleg Movies using Google

Feature length movies are a little more complex to search for, and there are not nearly as many posted in open directories on the web. Probably because they are about 200 times the size of a typical MP3. However, here is another custom search which will help you find it if it is there.

The same search method is often used to find free “porn”, “xxx”, “sex” and other illicit movies. To use the search form below replace “ENTER-SEARCH-TERMS” with your search terms inside the first set of quotes.

How to Bootleg Software using Google

Downloading illegal copies of music or movies may be wrong, but downloading software from an unknown source is just plain stupid. Hackers embed all kinds of nasty mal-ware in popular software and then distribute it freely around the net hoping people will install it – and the hidden payload. You can put your entire digital world at risk by downloading from untrusted sources.

Still, for those of you who run with scissors, here is a Google search box. Try “photoshop”, “partition magic” or “ethereal” etc. Just like above, replace “ENTER-SEARCH-TERMS” with your search terms inside the first set of quotes. And don’t forget how dangerous this software can be!

Bootleg ANYTHING on Usenet

Unlike the Web or file-sharing sites, Usenet is a global system of interconnected news servers run by private companies or organizations. Usenet is distributed among a large, constantly changing conglomeration of servers which store and forward messages to one another. (Here is everything you could want to know about them.)

Usenet is comprised of around 100,000 different “news groups”, each focused on a particular topic. Some of these news groups get hardly any traffic, while others are very, very busy. There are really cool, useful and perfectly moral newsgroups such as alt.crafts.blacksmithing, sci.engr.joining.welding or comp.infosystems.www.authoring.html. There are also morally questionable groups that contain software such as alt.binaries.warez, alt.binaries.warez.ibm-pc, or alt.binaries.multimedia.utilities; and groups that contain adult material such as alt.binaries.multimedia.erotica alt.binaries.pictures.erotica or alt.binaries.ijsklontje.

It is likely that your ISP is running news servers which you have access to for free; however, they are probably only carrying the newsgroups that don’t tend to have all of the attached photos, media and software in them. The reason is simple. The more attachments there are, the more data has to be stored. And your ISP doesn’t want to be the central repository of illegal content because it’s expensive to maintain the massive databases.

For this reason you will have to subscribe to a News service provider such as GigaNews at a cost of between $7 – $20 per month. They also offer a free 3 day trials. You will also need News Reader software. Although Outlook and Outlook Express come with free news readers built in, most people turn to outside software for this task because of the huge feature differential. The most popular newsreader is Forte Agent, which also offers a free trial.

Once you have the software and a news service provider it’s as simple as doing a search to find just about anything your evil little heart desires. The following sites run services that catalog everything posted on Usenet and will direct you to immediately download the results:

• NZBIndex.nl
• newzBin
• Yabse

Forte Inc. also maintains Agent’s Guide to Binaries for more information.

Summary

To finish up this article I’d just like to make a few comments.

• Please, I’m begging you not to lecture me about providing this information. I’ve posted articles on how to hack weak passwords, how to make cocaine, and how to make crack. I don’t do these things, and the criminals already know how! I’m providing the information so that regular honest people at least know what the heck is going on and how it’s being done.
• Don’t do anything that goes against your personal belief system. That means don’t murder people, steal stuff, hurt puppys, or be mean. If you do any of these things it is on you – not me! If you buy a kitchen knife and use it to carve up a human it doesn’t mean the person who made the knife is evil.
• There is such a thing as white hat, or “ethical”, hacking. Ethical hackers often uncover exploits in systems and then publish the information for the general public in order to draw attention and close security loop holes which otherwise would remain open. I consider providing this information the same thing. Like I said, it’s nothing the criminals don’t already know.

In summary, I’m just the reporter.

Related posts:

1. Check Your Site’s Digg Saturation Level
2. Google E-mails News Alerts
3. Google Search is Screwed Up

A Canadian named Troy Hurtubise, invented a superhuman body suit specifically designed to be worn by troops and police officers which he claims is capable of stopping a range of weapons fire, blades and even shrapnel from IEDs.

This isn’t Troy’s first dance either. He previously invented a suit which was intended to be able to survive a bear attack, and even made a video of it.

Here is a short take from the Project Grizzly video:

The Hamilton Spectator had the following to say about the new suit:

The grizzly man is back, and this time he’s ready to take on bullets and bombs.

Troy Hurtubise, the Hamilton-born inventor who became famous for his bulky bear-protection suit by standing in front of a moving vehicle to prove it worked, has now created a much slimmer suit that he hopes will soon be protecting Canadian soldiers in Afghanistan and U.S. soldiers in Iraq.

He has spent two years and $15,000 in the lab out back of his house in North Bay, designing and building a practical, lightweight and affordable shell to stave off bullets, explosives, knives and clubs. He calls it the Trojan and describes it as the “first ballistic, full exoskeleton body suit of armour.”

And here is a short video of The Trojan body suit:

Unfortunately development of this suit has driven Troy into bankruptcy and earlier this year he tried to sell the suit on eBay, but the reserve was not met.

Related posts:

1. Armor Holding’s Liquid Armor Invincibility Suit
2. Would You Fall for a Trojan Horse?
3. Mmmm, Coke! I Drink My Body Weight in Sugar Annually!

Here is a demonstration of how to open a padlock in 1 minute or less using nothing more than scissors and a coke can.

Related posts:

1. Chill A Coke In 2 Minutes!
2. How To Cheat A Coin Operated Washing Machine
3. Coke as a Health Drink?

Being the resident tech geek, I have been asked by at least 10 people now if they should upgrade to the newest Microsoft Windows variant, Vista. Now, everyone is different so I can’t provide a blanket ‘Yes’ or ‘No’, but I will say that I don’t personally recommend it, I’m not using it, and I don’t plan on ever doing so in the future.

There is a great Web site called Bad Vista which can give you tons of reasons not to adopt this operating system, but I’m just going to stick to three primary ones for now:

• What I do in the privacy of my own home, on the privacy of my own computer is none of Microsoft’s business. But for some reason, the most powerful software company on Earth has let media companies push it to add in all sorts of “Digital Rights Management” crap. This will cause several problems:
1. Let’s say you buy a movie on BlueRay disc, but want to take it to Mom’s house and play it back on her DVD player. Well, since a DVD player can’t play a BlueRay you slap it in your PC to convert it over, but wait! Vista says NO! It doesn’t matter that you legally own a copy of that content.
2. On the other hand, you invest in a bunch of HD DVDs, like Microsoft is pushing for their 360 gaming device, but in 3 years they are all obsolete because the new Super, Duper HD DVDs have been released, so you figure you’ll convert your legal copies of those to the new format, but again. NO! Microsoft ain’t gonna let you do it.
3. The cost associated with Windows DRM is absolutely astounding. Providing this protection incurs considerable costs in terms of system performance, system stability, technical support overhead, and hardware and software cost. These issues affect not only users of Vista but the entire PC industry, since the effects of the protection measures extend to cover all hardware and software that will ever come into contact with Vista, even if it’s not used directly with Vista.
• Multimedia performance under Vista is the worst of any modern operating system. Ever. And this is actually by design! So, even though people now watch TV online, have thousands of digital photos and even edit their home movies on their PC, Vista will actually do a worse job with all this than XP ever did.
1. Vista requires that any interface that provides high-quality output degrade the signal quality that passes through it if premium content is present. This is done through a “constrictor” that downgrades the signal to a much lower-quality one, then up-scales it again back to the original spec, but with a significant loss in quality.
2. Vista will silently modify displayed content under certain situations discernible only to Vista’s built-in content-protection subsystem. What happens currently is that Vista just refuses to play premium content rather than downgrading it.
3. If a copy protection weakness is found in a particular device (like your BRAND NEW ‘Vista Capable’ PC), it will have its signature revoked by Microsoft. This means a report of a compromise will cause all premium content ability for that device worldwide to be turned off until a fix can be found – rendering your expensive hardware completely useless just because Microsoft isn’t happy, and despite the fact that you don’t care about that ’security’ issue.
• Microsoft operating systems and software are getting more insecure and unreliable with every release. This is not because it’s “so hard” to design in security features, but because Microsoft is so interested in sticking their nose in every other aspect of your digital life that the real job of the OS takes a back seat.
1. Given the fact that Microsoft may push an “update” to you which disables your PC, people will disable updates in order to avoid this potential issue. The side-effect of this is PCs will become vulnerable to newly discovered malware, viruses, spyware, etc.
2. The massive DRM and other bloat in Vista will require more CPU, RAM, Video processing and other hardware. It has already been shown to run at least 10% slower than XP. It also unnecessarily utilizes more power at all times meaning increased energy consumption for every PC running it – further straining the electric grid.

So, in short. If a PC manufacturer were to send me a brand new top-of-the line computer for free and it came with Vista I would either re-format the hard drive and install XP, or refuse the system altogether. And that’s not an exaggeration. Just try me…

But worse than that, considering that eventually XP will simply be outdated I’ll have no choice but to migrate to a new operating system within the next few years. And that system will be Linux.

If you really want to read a complete analysis of why Vista sucks like nothing has ever sucked before, fall asleep reading this.

EDIT: This info added 3/30/2007
This just in. More evidence that Vista is unbelievably insecure:

In what could be the most embarrassing exploit to impact Windows Vista since its commercial launch in January, security engineers at McAfee’s Avert Labs confirmed today – and posted the video to prove – that the operating system can be caused to enter an interminable crash-restart-crash loop, by means of a buffer overflow triggered by nothing more than a malformed animated cursor file.

And here is the video demonstrating how simply looking at an animated icon can freakin freeze up your system Mr. Biggelsworth…

Related posts:

1. Live from the Microsoft Worldwide Partner Conference
2. Lets Be Clear, Microsoft IS Predatory. Here’s the Proof
3. The Worst Microsoft Advertisement EVER (Hint: Windows 386)

That’s right. I hate to tell you folks, but if you give me 10 seconds alone with your computer I’ll not only get your user name and passwords to every mail box you have set up in Outlook and Outlook Express, but I’ll also be able to see every single login you have saved in your Internet Explorer auto-complete settings.

And I’ll do it all with this tiny little application. Don’t believe it? Fine, download it, unzip it and launch it. You’ll be instantly staring at all of the passwords you’ve ever told Microsoft to remember for you.

If that doesn’t make you paranoid… well, you just aren’t alive. So, what can you do about it?

1. Take my previously stated advice of using RoboForm to remember all your passwords.
2. Don’t ever, ever, ever allow Internet Explorer to save a password. You also can’t allow Outlook to save a password.
3. Immediately download and use a system cleaning utility to erase all that data.
4. Strengthen all of your passwords!
5. Switch to FireFox or Opera as your main Web browser.
6. Switch to Thunderbird for mail reading.

I know I’m beginning to sound like a broken record to my regular readers when it comes to security paranoia, but I’d rather you be safe than sorry. And hey… at least One Man is looking out for you. :-)

Related posts:

1. How I’d Hack Your Weak Passwords
2. Tutorial: How-to Recover Windows Login Passwords
3. Protect Your Privacy, Delete Internet Usage Tracks

If you invited me to try and crack your password, you know the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?

Let’s see… here is my top 10 list. I can obtain most of this information much easier than you think, then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.

1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
2. The last 4 digits of your social security number.
3. 123 or 1234 or 123456.
4. “password”
5. Your city, or college, football team name.
6. Date of birth – yours, your partner’s or your child’s.
7. “god”
8. “letmein”
9. “money”
10. “love”

Statistically speaking that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)

One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.

So, how would one use this process to actually breach your personal security? Simple. Follow my logic:

• You probably use the same password for lots of stuff right?
• Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
• However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
• So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
• Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
• But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)

And how fast could this be done? Well, that depends on three main things, the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.

Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying.

Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

Remember, these are just for an average computer, and these assume you aren’t using any word in the dictionary. If Google put their computer to work on it they’d finish about 1,000 times faster.

Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?

Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that how about using something that no one is ever going to guess AND doesn’t contain any common word or phrase in it.

Here are some password tips:

1. Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ‘0′, or even better an ‘@’ or ‘*’. (i.e. – m0d3ltf0rd… like modelTford)
2. Randomly throw in capital letters (i.e. – Mod3lTF0rd)
3. Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate their web site here is the direct download link.
7. Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.

EDIT: By request I’ve created a short RoboForm Demonstration video. It ain’t great, but I guess it’s better than nothing. Hope it helps…

Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

Often times people also reason that all of their passwords and logins are stored on their computer at home, which is save behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network – after which time they will own you!

Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned.

I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn’t completely in vain.

Please, be safe. It’s a jungle out there.

EDIT: You might also want to listen to my interview on Connecticut Public Radio about password security.

Related posts:

1. Hack Outlook Passwords in 10 Seconds Flat
2. Tutorial: How-to Recover Windows Login Passwords
3. John P on Connecticut Public Radio

In the recent past I’ve done a lot of harping on the security woes of financial institutions (see here, here, and here) so when I saw this announcement I was both extremely happy and a little disappointed at the same time.

PayPal is about to issue SecureID cards to all business clients in order to provide further account security. Now this is what I’m always talking about when I speak of defense in depth! PayPal will combine layers of security, in this case something I have (SecureID password generator), with something I know (my username/password combo) to ensure it’s actually me accessing the site.

In fact RSA, the company that makes the SecureID platform, has has no reported case of a security breach in 15 years! So, I’m very happy to see PayPal leading the field in implementing this security mechanism. Now I just hope that the real financial institutions like Smith Barney, Bank of America and others will follow suit.

By Joris Evers, Staff Writer, via CNET News.com:

eBay is getting ready to offer its PayPal users a password-generating key fob that promises to increase the security of the online payment service.

The device displays a new one-time password in the form of a six-digit code about every 30 seconds. PayPal clients who opt to use the device will enter this password along with their regular credentials when signing into the service. The key fob is meant as another weapon in the battle on data-thieving phishing scams.

“If a fraudulent party somehow got hold of a person’s username and password, they still wouldn’t be able to get into the account because they don’t have the six-digit code,” Sara Bettencourt, a PayPal spokeswoman, said by phone Thursday. “This by no means is a silver bullet that is going to stop fraud. This is just another layer of protection.”

PayPal Security Key The “PayPal Security Key” will cost $5 for personal PayPal accounts, but will be free for business accounts, Bettencourt said. PayPal has been testing the device with employees for a couple of months and plans to start trials with customers in the next month or so, she said. As of September 30, there were nearly 123 million PayPal accounts, eBay has said.

PayPal users in the U.S., Germany and Australia will be able to sign up for the trial through a special Web site, Bettencourt said. “Based on the response, we look forward to eventually rolling it out in other countries,” she said.

The password-generating device is based on technology from VeriSign, with which eBay entered into a security partnership in 2005. Such key fobs are also used for added security by large corporations for access to corporate resources, and some banks and brokerage firms offer them to clients with a high net worth. Other companies that supply the password gadgets include RSA and Vasco.

eBay and PayPal are common phishing targets. These prevalent scams typically use fraudulent Web sites made to look like legitimate sites and spam e-mail to trick people into giving up their personal information such as login names and passwords.

In a recent survey of Google’s public blacklist of phishing sites, security researcher Michael Sutton found that nearly half of all the active phishing sites targeted either eBay or PayPal. The Google blacklist is used in Google’s Toolbar for Firefox and the Firefox 2.0 browser.

Related posts:

1. The PayPal Fee Calculator
2. Smith Barney Forces Clients to Change Login Names
3. Free Web Site Monitoring

There are a lot of people that have migrated to alternative Web browsers such as Firefox and Opera; the problem is, for most people, it’s been impossible to fully abandon IE because it’s the only option they have to get Windows Updates.

But, if you really despise IE and wish you never had to open it again (or if it just isn’t working), have I got news for you… Using either Opera or Firefox you can head over to WindizUpdate and get your system updated from a source other than Microsoft.

Here are 10 reasons this site is superior to Microsoft’s:

• It doesn’t install Microsoft Active X spyware plugins on your PC.
• It doesn’t make you install the Windows Validation crap, and even works if your install is not valid.
• No personally identifiable information is collected from your computer.
• If an update has been superseded by a newer one, it will not ask you to install the older one.
• WindizUpdate will find more security patches needed for your O/S than the “other” website.
• It will not nag you to install patches for software you don’t have installed.
• Works on Windows versions no longer supported by Microsoft like NT 4.0 and Windows 95.
• Integrated download manager with error detection lets you can cancel and resume downloads at any time.
• On my machine its a lot faster than Microsoft’s update.
• Upgrading to the latest version of Internet Explorer is not considered a Critical Update!

If you don’t yet have Firefox I highly recommend that you visit my Google Pack page and download it.

Even if you want to stick with IE it’s good to have a backup browser – and every machine should have Firefox installed. Trust me, the minute your IE isn’t working and you don’t have an alternative you’ll be wishing you had downloaded it…

If you don’t yet have Opera, you might want to check out my Top Freeware page. I find Opera to be the best and fastest browser, but it doesn’t have quite the name recognition of Firefox or IE.

Related posts:

1. Tutorial: How-to Recover Windows Login Passwords
2. My 51 Favorite Freeware Apps for Windows
3. The Worst Microsoft Advertisement EVER (Hint: Windows 386)

Here’s a question I received from a reader:

Can you recommend a good hard drive sweeper? I need to clean up my PC at work… been surfing the net a little too much.

Well yes. Yes I can…

There are lots of good reasons to clean up your computer’s hard drive and usage tracks:

• If a hacker ever gained access to your machine, some of your juiciest information is stored in your Web browsers cache. There is enough in almost every browser on earth to engineer a social breach. In other words a hacker could gain access to your personal data and then use it to pose as you.
• You may be working in an environment where your boss frowns on Internet use, even though it actually helps you do your job. In these cases you need to clean up after yourself because any third grader can see what you’ve been doing the moment you log off the machine.
• Finally, you might be doing something morally or ethically “challenged”. Need I say more?

If someone was going to do a forensic analysis of your machine to determine what you’ve been up to, you can bet they are going to start with the following areas:

• Temporary Internet files, Web site cookies, browser history, and index.dat
• Typed URL history
• Saved passwords and form auto-complete information stored in your browser
• Recent Documents
• Usage history of: Start/Run, Search
• Temporary directories on the hard drive
• Items contained within the Windows Registry
• Deleted items contents
• Media player history

And that’s not all… So you can see how it would be difficult to keep all of your private information protected, given that it’s scattered all over your machine in places you’ve never even heard of.

Here’s what you can do about it. First, use one (or more) of the following tools to automatically erase all of the things on the list above. And by the way, all three of these offer Secure File Deletion, which makes the deletions unrecoverable:

1. Clean Cache – Looks like this domain is gone. Thanks to John Williams for catching this for me!
2. CCleaner
3. Privacy Eraser

After you delete all of that stuff, you’re going to notice that Web sites which you used to go that recognized you don’t anymore. This is because the cookies have been deleted. Also, any of your saved passwords are gone, and that might make things a little less convenient. Don’t worry… you didn’t think The Man would leave you inconvenienced did you?

Now what you need in order to have a safe, secure and pleasant browsing experience is RoboForm. This is a little program which builds it’s self into Internet Explorer, Avant Browser or Firefox and which saves all of your login data to your favorite sites, but does so in an encrypted format so it can’t be snooped!

You can read more about RoboForm on my previous post about protecting your digital secrets. If you have a Pocket PC or Palm Pilot RoboForm will even sync all of your data to it so you can take it all with you everywhere you go. If you’d like to download it without having to navigate their web site here is the direct download link.

You should also review my article entitled How I’d Hack Your Weak Passwords.

Be safe.

Related posts:

1. Protect Your Digital Secrets
2. Hack Outlook Passwords in 10 Seconds Flat
3. Disposable Phone Numbers May Protect Your Privacy

According to the Epoch Times, in five years, the U.S. government will cease to use SHA-1 (Secure Hash Algorithm) and convert to a new and more advanced “hash” algorithm, according to the article “Security Cracked!” from New Scientist.

The reason for this change is that associate professor Wang Xiaoyun of Beijing’s Tsinghua University and Shandong University of Technology, and her associates, have already cracked SHA-1. This marks the fifth straight encryption method that Xiaoyun’s team has broken (SHA-1, MD5, HAVAL-128, MD4, and RIPEMD).

What does this mean for the rest of us?

Well, MD5 and SHA-1 are the two most extensively used hash algorithms in the world. These two main algorithms currently underpin many digital signature and other security schemes in use throughout the international community.

They are widely used in banking, securities, and e-commerce. In fact, SHA-1 has been recognized as the cornerstone for modern Internet security.

For example, whenever you login to your online bank account, or make a purchase from Amazon.com they tell you not to worry because “This transaction is protected by Secure Socket Layer Encryption”; well, guess what… That’s an SHA-1 encrypted session.

And if your company has set you up with a laptop and a VPN connection back to the corporate LAN, guess what? Yep, that’s an IPsec connection powered by SHA-1.

According to Bruce Schneier, who warned that this was coming 2 years ago:

For the average Internet user, this news is not a cause for panic. No one is going to be breaking digital signatures or reading encrypted messages anytime soon. The electronic world is no less secure after these announcements than it was before.

But there’s an old saying inside the NSA: “Attacks always get better; they never get worse.” Just as this week’s attack builds on other papers describing attacks against simplified versions of SHA-1, SHA-0, MD4, and MD5, other researchers will build on this result. The attack against SHA-1 will continue to improve, as others read about it and develop faster tricks, optimizations, etc. And Moore’s Law will continue to march forward, making even the existing attack faster and more affordable.

Jon Callas, PGP’s CTO, put it best: “It’s time to walk, but not run, to the fire exits. You don’t see smoke, but the fire alarms have gone off.”

All of this demonstrates why I keep repeatedly commenting on the lack of defense in depth at our financial institutions.

If banks and investment firms would implement an additional layer of protection beyond the simple password or challenge Q&A and move to something such as Secure ID tokens, it wouldn’t matter nearly as much if a password was compromised because without the correct random code to go along with it a hacker would still be out of luck.

Here is a great little video to explain what I’m talking about.

Related posts:

1. Online Banking Still Not Secure!
2. Protect Your Digital Secrets
3. Hack Outlook Passwords in 10 Seconds Flat

Imagine a knock on the door after you have been on the Internet, blogging, and the next moment you are under arrest. Amnesty International launched a campaign in defence of Internet bloggers in many countries – including China, Tunisia and Iran who have been arrested for expressing views which have upset their governments.

But how have they been tracked down? It turns out that they have been turned in by major Internet providers such as Yahoo and Microsoft, who have supplied foreign governments with the information they need to pursue them.

Related posts:

1. Egyptian Blogger Jailed for Insulting Islam
2. O.J. Goes to Jail for 9+ Years on Las Vegas Robbery Charges
3. Pollution Kills 750,000 Chinese Each Year

Smith Barney recently began forcing it’s clients to change their Web login in what is claimed to be a “security enhancement” maneuver. This applies to every client in the US that has a joint account (ie- married couples).

They are forcing this change in conjunction with the requirement of adding challenge questions and answers to each account, but they don’t list the reason for inconveniencing what must be hundreds of thousands, or millions, of clients. In fact, they claim:

Today Smith Barney’s nearly 12,400 Financial Consultants serve more than 7.5 million client accounts representing nearly $900 billion in client assets.

I have to assume that at least half of their clients have linked accounts so, as far as I am aware, that would make this the biggest forced user name change in Internet history.

Beginning sometime in the last few days, when clients attempt to log into their account they are forced to select a new user name. The system absolutely will not allow you to select your current user name, or any of the millions of other user names already in use – even if they are being forcibly abandoned by this change.

Next, clients are prompted to give at least 4 challenge answers to a set of predetermined questions. As I’ve stated previously, this does not provide real added security, only inconvenience for U.S. clients. Meanwhile Citibank, Smith Barney’s parent, is developing advanced biometric security mechanisms for India’s poor.

Smith Barney’s Client Security page states:

You can customize your User Name and Password the first time you sign on Smith Barney Access and change them whenever you like.

Since I was forced to change my user name I attempted to log in and change it back to the original – but the system wouldn’t let me. It just gives a cryptic error stating “Choose another username”.

Related posts:

1. PayPal to Offer Password Key Fobs to Users
2. AT&T CallVantage Drops Rates – But Not For Existing Clients!
3. WordCamp Dallas 2008: Chris Smith on SEO for Bloggers